Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
filesystems
lustre_2_15
0019-LU-0000-ldiskfs-add-suse-patches-for-SLE15...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0019-LU-0000-ldiskfs-add-suse-patches-for-SLE15-SP4.patch of Package lustre_2_15
From d3055d907ee9f4a5a1eacb50eb5188149bd46be6 Mon Sep 17 00:00:00 2001 From: Mr NeilBrown <neilb@suse.de> Date: Wed, 30 Nov 2022 16:59:52 +1100 Subject: [PATCH 19/30] LU-0000 ldiskfs: add suse patches for SLE15-SP4 This patches update from GA to latest maint. Signed-off-by: Mr NeilBrown <neilb@suse.de> Change-Id: I330c0dc0c4f5868af88b9c070f130a20a702ddb0 --- ldiskfs/kernel_patches/patches/base/ext4-delayed-iput.patch | 52 +- ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-BUG_ON-in-ext4_bread-when-write-quota-data.patch | 108 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch | 35 + ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-deadlock-during-directory-rename.patch | 86 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-possible-corruption-when-moving-a-directory.patch | 59 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-reusing-stale-buffer-heads-from-last-failed.patch | 122 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-add-EA_INODE-checking-to-ext4_iget.patch | 179 +++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-add-EXT4_IGET_BAD-flag-to-prevent-unexpected-ba.patch | 81 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-add-helper-to-check-quota-inums.patch | 83 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-add-inode-table-check-in-__ext4_get_inode_loc-t.patch | 89 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_i.patch | 63 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-add-missing-validation-of-fast-commit-record-le.patch | 97 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-add-new-helper-interface-ext4_try_to_trim_range.patch | 161 ++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-add-reserved-GDT-blocks-check.patch | 79 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-allocate-extended-attribute-value-in-vmalloc-ar.patch | 50 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-BUG_ON-when-creating-xattrs.patch | 58 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-cycles-in-directory-h-tree.patch | 86 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-deadlock-in-fs-reclaim-with-page-writebac.patch | 232 ++++++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-trim-error-on-fs-with-small-groups.patch | 72 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-unaccounted-block-allocation-when-expandi.patch | 47 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-.patch | 36 + ldiskfs/kernel_patches/patches/patches.suse/ext4-check-if-directory-block-is-within-i_size.patch | 57 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-.patch | 45 + ldiskfs/kernel_patches/patches/patches.suse/ext4-destroy-ext4_fc_dentry_cachep-kmemcache-on-modu.patch | 79 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-disable-fast-commit-of-encrypted-dir-operations.patch | 151 ++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-disallow-ea_inodes-with-extended-attributes.patch | 39 + ldiskfs/kernel_patches/patches/patches.suse/ext4-don-t-allow-journal-inode-to-have-encrypt-flag.patch | 58 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-don-t-increase-iversion-counter-for-ea_inodes.patch | 49 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-don-t-set-up-encryption-key-during-jbd2-transac.patch | 158 ++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-don-t-use-the-orphan-list-when-migrating-an-ino.patch | 88 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-ext4_read_bh_lock-should-submit-IO-if-the-buffe.patch | 81 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-f2fs-fix-readahead-of-verity-data.patch | 48 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-factor-out-ext4_fc_get_tl.patch | 148 ++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fail-ext4_iget-if-special-inode-unallocated.patch | 76 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fast-commit-may-miss-tracking-unwritten-range-d.patch | 44 + ldiskfs/kernel_patches/patches/patches.suse/ext4-filter-out-EXT4_FC_REPLAY-from-on-disk-superblo.patch | 62 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-BUG_ON-when-directory-entry-has-invalid-rec.patch | 74 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-RENAME_WHITEOUT-handling-for-inline-directo.patch | 93 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-WARNING-in-ext4_update_inline_data.patch | 114 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-WARNING-in-mb_find_extent.patch | 135 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-a-possible-ABBA-deadlock-due-to-busy-PA.patch | 159 ++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-an-use-after-free-issue-about-data-journal-.patch | 135 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-another-off-by-one-fsmap-error-on-1k-block-.patch | 127 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bad-checksum-after-online-resize.patch | 54 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch | 103 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-in-__es_tree_search-caused-by-bad-bo.patch | 102 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-in-__es_tree_search.patch | 144 ++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-in-ext4_writepages.patch | 113 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-cgroup-writeback-accounting-with-fs-layer-e.patch | 71 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-corruption-when-online-resizing-a-1K-bigall.patch | 58 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-data-races-when-using-cached-status-extents.patch | 86 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-deadlock-due-to-mbcache-entry-corruption.patch | 92 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-deadlock-when-converting-an-inline-director.patch | 69 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-delayed-allocation-bug-in-ext4_clu_mapped-f.patch | 63 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-dir-corruption-when-ext4_dx_add_entry-fails.patch | 100 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-error-code-return-to-user-space-in-ext4_get.patch | 57 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-error-handling-in-ext4_fc_record_modified_i.patch | 187 ++++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-error-handling-in-ext4_restore_inline_data.patch | 65 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-ext4_fc_stats-trace-point.patch | 136 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-fallocate-to-use-file_modified-to-update-pe.patch | 171 +++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-fast-commit-may-miss-tracking-range-for-FAL.patch | 62 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-fs-corruption-when-tring-to-remove-a-non-em.patch | 163 +++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-i_disksize-exceeding-i_size-problem-in-pari.patch | 75 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-incorrect-options-show-of-original-mount_op.patch | 109 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-incorrect-type-issue-during-replay_del_rang.patch | 42 + ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-inode-leak-in-ext4_xattr_inode_create-on-an.patch | 59 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-kernel-BUG-in-ext4_write_inline_data_end.patch | 108 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-leaking-uninitialized-memory-in-fast-commit.patch | 48 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-lockdep-warning-when-enabling-MMP.patch | 89 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-miss-release-buffer-head-in-ext4_fc_write_i.patch | 62 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-null-ptr-deref-in-__ext4_journal_ensure_cre.patch | 95 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-off-by-one-errors-in-fast-commit-block-fill.patch | 171 +++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-overhead-calculation-to-account-for-the-res.patch | 41 + ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-possible-double-unlock-when-moving-a-direct.patch | 38 + ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-potential-memory-leak-in-ext4_fc_record_mod.patch | 50 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-potential-memory-leak-in-ext4_fc_record_reg.patch | 54 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-potential-out-of-bound-read-in-ext4_fc_repl.patch | 97 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-race-condition-between-ext4_write-and-ext4_.patch | 133 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-reserved-cluster-accounting-in-__es_remove_.patch | 96 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-super-block-checksum-incorrect-after-mount.patch | 78 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-symlink-file-size-not-match-to-file-content.patch | 56 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch | 97 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext.patch | 49 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-unaligned-memory-access-in-ext4_fc_reserve_.patch | 104 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-undefined-behavior-in-bit-shift-for-ext4_ch.patch | 54 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-uninititialized-value-in-ext4_evict_inode.patch | 97 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch | 106 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_orphan_cleanup.patch | 81 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_rename_dir_prepare.patch | 130 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_search_dir.patch | 131 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch | 94 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-warning-in-ext4_da_release_space.patch | 108 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-warning-in-ext4_handle_inode_extension.patch | 113 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-fixup-pages-without-buffers.patch | 74 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-force-overhead-calculation-if-the-s_overhead_cl.patch | 50 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-goto-right-label-failed_mount3a.patch | 68 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-improve-error-handling-from-ext4_dirhash.patch | 163 +++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch | 67 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-init-quota-for-old.inode-in-ext4_rename.patch | 83 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-initialize-err_blk-before-calling-__ext4_get_in.patch | 43 + ldiskfs/kernel_patches/patches/patches.suse/ext4-initialize-quota-before-expanding-inode-in-setp.patch | 53 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-introduce-EXT4_FC_TAG_BASE_LEN-helper.patch | 192 ++++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-limit-length-to-bitmap_maxbytes-blocksize-in-pu.patch | 66 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-make-sure-ext4_append-always-allocates-new-bloc.patch | 63 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-make-sure-quota-gets-properly-shutdown-on-error.patch | 56 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-make-sure-to-reset-inode-lockdep-class-when-quo.patch | 55 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-make-variable-count-signed.patch | 40 + ldiskfs/kernel_patches/patches/patches.suse/ext4-mark-group-as-trimmed-only-if-it-was-fully-scan.patch | 101 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-modify-the-logic-of-ext4_mb_new_blocks_simple.patch | 79 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-move-where-set-the-MAY_INLINE_DATA-flag-is-set.patch | 61 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-only-update-i_reserved_data_blocks-on-successfu.patch | 100 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-place-buffer-head-allocation-before-handle-star.patch | 49 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-prevent-used-blocks-from-being-allocated-during.patch | 117 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch | 77 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-refuse-to-create-ea-block-when-umounted.patch | 45 + ldiskfs/kernel_patches/patches/patches.suse/ext4-reject-the-commit-option-on-ext2-filesystems.patch | 40 + ldiskfs/kernel_patches/patches/patches.suse/ext4-remove-EA-inode-entry-from-mbcache-on-inode-evi.patch | 116 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_x.patch | 39 + ldiskfs/kernel_patches/patches/patches.suse/ext4-silence-the-warning-when-evicting-inode-with-di.patch | 99 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-turn-quotas-off-if-mount-failed-after-enabling-.patch | 76 +++ ldiskfs/kernel_patches/patches/patches.suse/ext4-unconditionally-enable-the-i_version-counter.patch | 121 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-unindent-codeblock-in-ext4_xattr_block_set.patch | 123 +++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-update-s_journal_inum-if-it-changes-after-journ.patch | 53 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-update-state-fc_regions_size-after-successful-m.patch | 51 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-use-ext4_ext_remove_space-for-fast-commit-repla.patch | 66 ++ ldiskfs/kernel_patches/patches/patches.suse/ext4-use-ext4_fc_tl_mem-in-fast-commit-replay-path.patch | 143 ++++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-verify-dir-block-before-splitting-it.patch | 93 ++++ ldiskfs/kernel_patches/patches/patches.suse/ext4-zero-i_disksize-when-initializing-the-bootloade.patch | 65 ++ ldiskfs/kernel_patches/patches/patches.suse/fs-ext4-initialize-fsdata-in-pagecache_write.patch | 38 + ldiskfs/kernel_patches/patches/sles15sp4/ext4-data-in-dirent.patch | 135 ++--- ldiskfs/kernel_patches/patches/sles15sp4/ext4-pdirop.patch | 109 ++-- ldiskfs/kernel_patches/series/ldiskfs-5.14.21-sles15sp4.series | 127 +++++ 132 files changed, 11492 insertions(+), 160 deletions(-) create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-BUG_ON-in-ext4_bread-when-write-quota-data.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-add-new-helper-interface-ext4_try_to_trim_range.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-add-reserved-GDT-blocks-check.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-cycles-in-directory-h-tree.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-trim-error-on-fs-with-small-groups.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-check-if-directory-block-is-within-i_size.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-destroy-ext4_fc_dentry_cachep-kmemcache-on-modu.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-don-t-use-the-orphan-list-when-migrating-an-ino.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fast-commit-may-miss-tracking-unwritten-range-d.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-filter-out-EXT4_FC_REPLAY-from-on-disk-superblo.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-a-possible-ABBA-deadlock-due-to-busy-PA.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-an-use-after-free-issue-about-data-journal-.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-in-__es_tree_search.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-in-ext4_writepages.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-error-handling-in-ext4_fc_record_modified_i.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-error-handling-in-ext4_restore_inline_data.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-ext4_fc_stats-trace-point.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-fallocate-to-use-file_modified-to-update-pe.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-fast-commit-may-miss-tracking-range-for-FAL.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-fs-corruption-when-tring-to-remove-a-non-em.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-incorrect-type-issue-during-replay_del_rang.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-null-ptr-deref-in-__ext4_journal_ensure_cre.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-overhead-calculation-to-account-for-the-res.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-race-condition-between-ext4_write-and-ext4_.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-super-block-checksum-incorrect-after-mount.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-symlink-file-size-not-match-to-file-content.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_rename_dir_prepare.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_search_dir.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-warning-in-ext4_handle_inode_extension.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-force-overhead-calculation-if-the-s_overhead_cl.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-initialize-err_blk-before-calling-__ext4_get_in.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-limit-length-to-bitmap_maxbytes-blocksize-in-pu.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-make-sure-ext4_append-always-allocates-new-bloc.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-make-sure-quota-gets-properly-shutdown-on-error.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-make-sure-to-reset-inode-lockdep-class-when-quo.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-make-variable-count-signed.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-mark-group-as-trimmed-only-if-it-was-fully-scan.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-modify-the-logic-of-ext4_mb_new_blocks_simple.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-prevent-used-blocks-from-being-allocated-during.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-reject-the-commit-option-on-ext2-filesystems.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-remove-EA-inode-entry-from-mbcache-on-inode-evi.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-unindent-codeblock-in-ext4_xattr_block_set.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-use-ext4_ext_remove_space-for-fast-commit-repla.patch create mode 100644 ldiskfs/kernel_patches/patches/patches.suse/ext4-verify-dir-block-before-splitting-it.patch --- a/ldiskfs/kernel_patches/patches/base/ext4-delayed-iput.patch +++ b/ldiskfs/kernel_patches/patches/base/ext4-delayed-iput.patch @@ -1,8 +1,13 @@ -Index: b2_15_linux-4.18.0-425.3.1.el8/fs/ext4/ext4.h -=================================================================== ---- b2_15_linux-4.18.0-425.3.1.el8.orig/fs/ext4/ext4.h -+++ b2_15_linux-4.18.0-425.3.1.el8/fs/ext4/ext4.h -@@ -1534,8 +1534,11 @@ struct ext4_sb_info { +--- + fs/ext4/ext4.h | 7 +++++-- + fs/ext4/page-io.c | 2 +- + fs/ext4/super.c | 15 ++++++++------- + fs/ext4/xattr.c | 39 +++++++++++++++++++++++++++++++++++++-- + 4 files changed, 51 insertions(+), 12 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -1628,8 +1628,11 @@ struct ext4_sb_info { struct flex_groups * __rcu *s_flex_groups; ext4_group_t s_flex_groups_allocated; @@ -16,11 +21,9 @@ Index: b2_15_linux-4.18.0-425.3.1.el8/fs /* timer for periodic error stats printing */ struct timer_list s_err_report; -Index: b2_15_linux-4.18.0-425.3.1.el8/fs/ext4/page-io.c -=================================================================== ---- b2_15_linux-4.18.0-425.3.1.el8.orig/fs/ext4/page-io.c -+++ b2_15_linux-4.18.0-425.3.1.el8/fs/ext4/page-io.c -@@ -207,7 +207,7 @@ static void ext4_add_complete_io(ext4_io +--- a/fs/ext4/page-io.c ++++ b/fs/ext4/page-io.c +@@ -230,7 +230,7 @@ static void ext4_add_complete_io(ext4_io WARN_ON(!(io_end->flag & EXT4_IO_END_UNWRITTEN)); WARN_ON(!io_end->handle && sbi->s_journal); spin_lock_irqsave(&ei->i_completed_io_lock, flags); @@ -29,23 +32,22 @@ Index: b2_15_linux-4.18.0-425.3.1.el8/fs if (list_empty(&ei->i_rsv_conversion_list)) queue_work(wq, &ei->i_rsv_conversion_work); list_add_tail(&io_end->list, &ei->i_rsv_conversion_list); -Index: b2_15_linux-4.18.0-425.3.1.el8/fs/ext4/super.c -=================================================================== ---- b2_15_linux-4.18.0-425.3.1.el8.orig/fs/ext4/super.c -+++ b2_15_linux-4.18.0-425.3.1.el8/fs/ext4/super.c -@@ -1022,9 +1022,10 @@ static void ext4_put_super(struct super_ +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1171,10 +1171,11 @@ static void ext4_put_super(struct super_ int i, err; ext4_unregister_li_request(sb); + flush_workqueue(sbi->s_misc_wq); ext4_quota_off_umount(sb); + flush_work(&sbi->s_error_work); - destroy_workqueue(sbi->rsv_conversion_wq); + destroy_workqueue(sbi->s_misc_wq); /* * Unregister sysfs before destroying jbd2 journal. -@@ -4588,9 +4589,9 @@ no_journal: +@@ -5001,9 +5002,9 @@ no_journal: * The maximum number of concurrent works can be high and * concurrency isn't really necessary. Limit it to 1. */ @@ -58,7 +60,7 @@ Index: b2_15_linux-4.18.0-425.3.1.el8/fs printk(KERN_ERR "EXT4-fs: failed to create workqueue\n"); ret = -ENOMEM; goto failed_mount4; -@@ -4785,8 +4786,8 @@ failed_mount4a: +@@ -5236,8 +5237,8 @@ failed_mount4a: sb->s_root = NULL; failed_mount4: ext4_msg(sb, KERN_ERR, "mount failed"); @@ -69,7 +71,7 @@ Index: b2_15_linux-4.18.0-425.3.1.el8/fs failed_mount_wq: ext4_xattr_destroy_cache(sbi->s_ea_inode_cache); sbi->s_ea_inode_cache = NULL; -@@ -5285,7 +5286,7 @@ static int ext4_sync_fs(struct super_blo +@@ -5802,7 +5803,7 @@ static int ext4_sync_fs(struct super_blo return 0; trace_ext4_sync_fs(sb, wait); @@ -78,11 +80,9 @@ Index: b2_15_linux-4.18.0-425.3.1.el8/fs /* * Writeback quota in non-journalled quota case - journalled quota has * no dirty dquots -Index: b2_15_linux-4.18.0-425.3.1.el8/fs/ext4/xattr.c -=================================================================== ---- b2_15_linux-4.18.0-425.3.1.el8.orig/fs/ext4/xattr.c -+++ b2_15_linux-4.18.0-425.3.1.el8/fs/ext4/xattr.c -@@ -1579,6 +1579,36 @@ static int ext4_xattr_inode_lookup_creat +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1588,6 +1588,36 @@ static int ext4_xattr_inode_lookup_creat return 0; } @@ -119,7 +119,7 @@ Index: b2_15_linux-4.18.0-425.3.1.el8/fs /* * Reserve min(block_size/8, 1024) bytes for xattr entries/names if ea_inode * feature is enabled. -@@ -1596,6 +1626,7 @@ static int ext4_xattr_set_entry(struct e +@@ -1605,6 +1635,7 @@ static int ext4_xattr_set_entry(struct e int in_inode = i->in_inode; struct inode *old_ea_inode = NULL; struct inode *new_ea_inode = NULL; @@ -127,7 +127,7 @@ Index: b2_15_linux-4.18.0-425.3.1.el8/fs size_t old_size, new_size; int ret; -@@ -1672,7 +1703,11 @@ static int ext4_xattr_set_entry(struct e +@@ -1681,7 +1712,11 @@ static int ext4_xattr_set_entry(struct e * Finish that work before doing any modifications to the xattr data. */ if (!s->not_found && here->e_value_inum) { @@ -140,7 +140,7 @@ Index: b2_15_linux-4.18.0-425.3.1.el8/fs le32_to_cpu(here->e_value_inum), le32_to_cpu(here->e_hash), &old_ea_inode); -@@ -1825,7 +1860,7 @@ update_hash: +@@ -1834,7 +1869,7 @@ update_hash: ret = 0; out: --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-BUG_ON-in-ext4_bread-when-write-quota-data.patch @@ -0,0 +1,108 @@ +From 380a0091cab482489e9b19e07f2a166ad2b76d5c Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Thu, 23 Dec 2021 09:55:06 +0800 +Subject: [PATCH] ext4: Fix BUG_ON in ext4_bread when write quota data +Git-commit: 380a0091cab482489e9b19e07f2a166ad2b76d5c +Patch-mainline: v5.17-rc1 +References: bsc#1197755 + +We got issue as follows when run syzkaller: +[ 167.936972] EXT4-fs error (device loop0): __ext4_remount:6314: comm rep: Abort forced by user +[ 167.938306] EXT4-fs (loop0): Remounting filesystem read-only +[ 167.981637] Assertion failure in ext4_getblk() at fs/ext4/inode.c:847: '(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) || handle != NULL || create == 0' +[ 167.983601] ------------[ cut here ]------------ +[ 167.984245] kernel BUG at fs/ext4/inode.c:847! +[ 167.984882] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +[ 167.985624] CPU: 7 PID: 2290 Comm: rep Tainted: G B 5.16.0-rc5-next-20211217+ #123 +[ 167.986823] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 +[ 167.988590] RIP: 0010:ext4_getblk+0x17e/0x504 +[ 167.989189] Code: c6 01 74 28 49 c7 c0 a0 a3 5c 9b b9 4f 03 00 00 48 c7 c2 80 9c 5c 9b 48 c7 c6 40 b6 5c 9b 48 c7 c7 20 a4 5c 9b e8 77 e3 fd ff <0f> 0b 8b 04 244 +[ 167.991679] RSP: 0018:ffff8881736f7398 EFLAGS: 00010282 +[ 167.992385] RAX: 0000000000000094 RBX: 1ffff1102e6dee75 RCX: 0000000000000000 +[ 167.993337] RDX: 0000000000000001 RSI: ffffffff9b6e29e0 RDI: ffffed102e6dee66 +[ 167.994292] RBP: ffff88816a076210 R08: 0000000000000094 R09: ffffed107363fa09 +[ 167.995252] R10: ffff88839b1fd047 R11: ffffed107363fa08 R12: ffff88816a0761e8 +[ 167.996205] R13: 0000000000000000 R14: 0000000000000021 R15: 0000000000000001 +[ 167.997158] FS: 00007f6a1428c740(0000) GS:ffff88839b000000(0000) knlGS:0000000000000000 +[ 167.998238] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 167.999025] CR2: 00007f6a140716c8 CR3: 0000000133216000 CR4: 00000000000006e0 +[ 167.999987] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 168.000944] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 168.001899] Call Trace: +[ 168.002235] <TASK> +[ 168.007167] ext4_bread+0xd/0x53 +[ 168.007612] ext4_quota_write+0x20c/0x5c0 +[ 168.010457] write_blk+0x100/0x220 +[ 168.010944] remove_free_dqentry+0x1c6/0x440 +[ 168.011525] free_dqentry.isra.0+0x565/0x830 +[ 168.012133] remove_tree+0x318/0x6d0 +[ 168.014744] remove_tree+0x1eb/0x6d0 +[ 168.017346] remove_tree+0x1eb/0x6d0 +[ 168.019969] remove_tree+0x1eb/0x6d0 +[ 168.022128] qtree_release_dquot+0x291/0x340 +[ 168.023297] v2_release_dquot+0xce/0x120 +[ 168.023847] dquot_release+0x197/0x3e0 +[ 168.024358] ext4_release_dquot+0x22a/0x2d0 +[ 168.024932] dqput.part.0+0x1c9/0x900 +[ 168.025430] __dquot_drop+0x120/0x190 +[ 168.025942] ext4_clear_inode+0x86/0x220 +[ 168.026472] ext4_evict_inode+0x9e8/0xa22 +[ 168.028200] evict+0x29e/0x4f0 +[ 168.028625] dispose_list+0x102/0x1f0 +[ 168.029148] evict_inodes+0x2c1/0x3e0 +[ 168.030188] generic_shutdown_super+0xa4/0x3b0 +[ 168.030817] kill_block_super+0x95/0xd0 +[ 168.031360] deactivate_locked_super+0x85/0xd0 +[ 168.031977] cleanup_mnt+0x2bc/0x480 +[ 168.033062] task_work_run+0xd1/0x170 +[ 168.033565] do_exit+0xa4f/0x2b50 +[ 168.037155] do_group_exit+0xef/0x2d0 +[ 168.037666] __x64_sys_exit_group+0x3a/0x50 +[ 168.038237] do_syscall_64+0x3b/0x90 +[ 168.038751] entry_SYSCALL_64_after_hwframe+0x44/0xae + +In order to reproduce this problem, the following conditions need to be met: +1. Ext4 filesystem with no journal; +2. Filesystem image with incorrect quota data; +3. Abort filesystem forced by user; +4. umount filesystem; + +As in ext4_quota_write: +... + if (EXT4_SB(sb)->s_journal && !handle) { + ext4_msg(sb, KERN_WARNING, "Quota write (off=%llu, len=%llu)" + " cancelled because transaction is not started", + (unsigned long long)off, (unsigned long long)len); + return -EIO; + } +... +We only check handle if NULL when filesystem has journal. There is need +check handle if NULL even when filesystem has no journal. + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20211223015506.297766-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 499d1734818d..b72f8f6084e4 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6940,7 +6940,7 @@ static ssize_t ext4_quota_write(struct super_block *sb, int type, + struct buffer_head *bh; + handle_t *handle = journal_current_handle(); + +- if (EXT4_SB(sb)->s_journal && !handle) { ++ if (!handle) { + ext4_msg(sb, KERN_WARNING, "Quota write (off=%llu, len=%llu)" + " cancelled because transaction is not started", + (unsigned long long)off, (unsigned long long)len); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch @@ -0,0 +1,35 @@ +From 9fd3f1868e9e3bb249546edba45889c18d40bd6d Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Mon, 22 Aug 2022 13:20:59 +0200 +Subject: [PATCH] ext4: Fix check for block being out of directory size +References: bsc#1198577 CVE-2022-1184 +Patch-mainline: Submitted, Aug 22 2022 + +The check in __ext4_read_dirblock() for block being outside of directory +size was wrong because it compared block number against directory size +in bytes. Fix it. + +Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size") +CVE: CVE-2022-1184 +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara <jack@suse.cz> +--- + fs/ext4/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 3a31b662f661..bc2e0612ec32 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -126,7 +126,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode, + struct ext4_dir_entry *dirent; + int is_dx_block = 0; + +- if (block >= inode->i_size) { ++ if (block >= inode->i_size >> inode->i_blkbits) { + ext4_error_inode(inode, func, line, block, + "Attempting to read directory block (%u) that is past i_size (%llu)", + block, inode->i_size); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-deadlock-during-directory-rename.patch @@ -0,0 +1,86 @@ +From 3c92792da8506a295afb6d032b4476e46f979725 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Wed, 1 Mar 2023 15:10:04 +0100 +Subject: [PATCH] ext4: Fix deadlock during directory rename +Git-commit: 3c92792da8506a295afb6d032b4476e46f979725 +Patch-mainline: v6.3-rc2 +References: bsc#1210763 + +As lockdep properly warns, we should not be locking i_rwsem while having +transactions started as the proper lock ordering used by all directory +handling operations is i_rwsem -> transaction start. Fix the lock +ordering by moving the locking of the directory earlier in +ext4_rename(). + +Reported-by: syzbot+9d16c39efb5fade84574@syzkaller.appspotmail.com +Fixes: 0813299c586b ("ext4: Fix possible corruption when moving a directory") +Link: https://syzkaller.appspot.com/bug?extid=9d16c39efb5fade84574 +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230301141004.15087-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index e8f429330f3c..7cc3918e2f18 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3813,10 +3813,20 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + return retval; + } + ++ /* ++ * We need to protect against old.inode directory getting converted ++ * from inline directory format into a normal one. ++ */ ++ if (S_ISDIR(old.inode->i_mode)) ++ inode_lock_nested(old.inode, I_MUTEX_NONDIR2); ++ + old.bh = ext4_find_entry(old.dir, &old.dentry->d_name, &old.de, + &old.inlined); +- if (IS_ERR(old.bh)) +- return PTR_ERR(old.bh); ++ if (IS_ERR(old.bh)) { ++ retval = PTR_ERR(old.bh); ++ goto unlock_moved_dir; ++ } ++ + /* + * Check for inode number is _not_ due to possible IO errors. + * We might rmdir the source, keep it as pwd of some process +@@ -3873,11 +3883,6 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir)) + goto end_rename; + } +- /* +- * We need to protect against old.inode directory getting +- * converted from inline directory format into a normal one. +- */ +- inode_lock_nested(old.inode, I_MUTEX_NONDIR2); + retval = ext4_rename_dir_prepare(handle, &old); + if (retval) { + inode_unlock(old.inode); +@@ -4014,12 +4019,15 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + } else { + ext4_journal_stop(handle); + } +- if (old.dir_bh) +- inode_unlock(old.inode); + release_bh: + brelse(old.dir_bh); + brelse(old.bh); + brelse(new.bh); ++ ++unlock_moved_dir: ++ if (S_ISDIR(old.inode->i_mode)) ++ inode_unlock(old.inode); ++ + return retval; + } + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-possible-corruption-when-moving-a-directory.patch @@ -0,0 +1,59 @@ +From 0813299c586b175d7edb25f56412c54b812d0379 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Thu, 26 Jan 2023 12:22:21 +0100 +Subject: [PATCH] ext4: Fix possible corruption when moving a directory +Git-commit: 0813299c586b175d7edb25f56412c54b812d0379 +Patch-mainline: v6.3-rc1 +References: bsc#1210763 + +When we are renaming a directory to a different directory, we need to +update '..' entry in the moved directory. However nothing prevents moved +directory from being modified and even converted from the inline format +to the normal format. When such race happens the rename code gets +confused and we crash. Fix the problem by locking the moved directory. + +Cc: stable@vger.kernel.org +Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir") +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230126112221.11866-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index dd28453d6ea3..270fbcba75b6 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3872,9 +3872,16 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir)) + goto end_rename; + } ++ /* ++ * We need to protect against old.inode directory getting ++ * converted from inline directory format into a normal one. ++ */ ++ inode_lock_nested(old.inode, I_MUTEX_NONDIR2); + retval = ext4_rename_dir_prepare(handle, &old); +- if (retval) ++ if (retval) { ++ inode_unlock(old.inode); + goto end_rename; ++ } + } + /* + * If we're renaming a file within an inline_data dir and adding or +@@ -4006,6 +4013,8 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + } else { + ext4_journal_stop(handle); + } ++ if (old.dir_bh) ++ inode_unlock(old.inode); + release_bh: + brelse(old.dir_bh); + brelse(old.bh); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-Fix-reusing-stale-buffer-heads-from-last-failed.patch @@ -0,0 +1,122 @@ +From 26fb5290240dc31cae99b8b4dd2af7f46dfcba6b Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng <chengzhihao1@huawei.com> +Date: Wed, 15 Mar 2023 09:31:23 +0800 +Subject: [PATCH] ext4: Fix reusing stale buffer heads from last failed + mounting +Git-commit: 26fb5290240dc31cae99b8b4dd2af7f46dfcba6b +Patch-mainline: v6.5-rc1 +References: bsc#1213020 + +Following process makes ext4 load stale buffer heads from last failed +mounting in a new mounting operation: +mount_bdev + ext4_fill_super + | ext4_load_and_init_journal + | ext4_load_journal + | jbd2_journal_load + | load_superblock + | journal_get_superblock + | set_buffer_verified(bh) // buffer head is verified + | jbd2_journal_recover // failed caused by EIO + | goto failed_mount3a // skip 'sb->s_root' initialization + deactivate_locked_super + kill_block_super + generic_shutdown_super + if (sb->s_root) + // false, skip ext4_put_super->invalidate_bdev-> + // invalidate_mapping_pages->mapping_evict_folio-> + // filemap_release_folio->try_to_free_buffers, which + // cannot drop buffer head. + blkdev_put + blkdev_put_whole + if (atomic_dec_and_test(&bdev->bd_openers)) + // false, systemd-udev happens to open the device. Then + // blkdev_flush_mapping->kill_bdev->truncate_inode_pages-> + // truncate_inode_folio->truncate_cleanup_folio-> + // folio_invalidate->block_invalidate_folio-> + // filemap_release_folio->try_to_free_buffers will be skipped, + // dropping buffer head is missed again. + +Second mount: +ext4_fill_super + ext4_load_and_init_journal + ext4_load_journal + ext4_get_journal + jbd2_journal_init_inode + journal_init_common + bh = getblk_unmovable + bh = __find_get_block // Found stale bh in last failed mounting + journal->j_sb_buffer = bh + jbd2_journal_load + load_superblock + journal_get_superblock + if (buffer_verified(bh)) + // true, skip journal->j_format_version = 2, value is 0 + jbd2_journal_recover + do_one_pass + next_log_block += count_tags(journal, bh) + // According to journal_tag_bytes(), 'tag_bytes' calculating is + // affected by jbd2_has_feature_csum3(), jbd2_has_feature_csum3() + // returns false because 'j->j_format_version >= 2' is not true, + // then we get wrong next_log_block. The do_one_pass may exit + // early whenoccuring non JBD2_MAGIC_NUMBER in 'next_log_block'. + +The filesystem is corrupted here, journal is partially replayed, and +new journal sequence number actually is already used by last mounting. + +The invalidate_bdev() can drop all buffer heads even racing with bare +reading block device(eg. systemd-udev), so we can fix it by invalidating +bdev in error handling path in __ext4_fill_super(). + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217171 +Fixes: 25ed6e8a54df ("jbd2: enable journal clients to enable v2 checksumming") +Cc: stable@vger.kernel.org # v3.5 +Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230315013128.3911115-2-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1096,6 +1096,12 @@ static void ext4_blkdev_remove(struct ex + struct block_device *bdev; + bdev = sbi->s_journal_bdev; + if (bdev) { ++ /* ++ * Invalidate the journal device's buffers. We don't want them ++ * floating about in memory - the physical journal device may ++ * hotswapped, and it breaks the `ro-after' testing code. ++ */ ++ invalidate_bdev(bdev); + ext4_blkdev_put(bdev); + sbi->s_journal_bdev = NULL; + } +@@ -1233,13 +1239,7 @@ static void ext4_put_super(struct super_ + sync_blockdev(sb->s_bdev); + invalidate_bdev(sb->s_bdev); + if (sbi->s_journal_bdev && sbi->s_journal_bdev != sb->s_bdev) { +- /* +- * Invalidate the journal device's buffers. We don't want them +- * floating about in memory - the physical journal device may +- * hotswapped, and it breaks the `ro-after' testing code. +- */ + sync_blockdev(sbi->s_journal_bdev); +- invalidate_bdev(sbi->s_journal_bdev); + ext4_blkdev_remove(sbi); + } + +@@ -5256,6 +5256,7 @@ failed_mount: + brelse(bh); + ext4_blkdev_remove(sbi); + out_fail: ++ invalidate_bdev(sb->s_bdev); + sb->s_fs_info = NULL; + kfree(sbi->s_blockgroup_lock); + out_free_base: --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-add-EA_INODE-checking-to-ext4_iget.patch @@ -0,0 +1,179 @@ +From b3e6bcb94590dea45396b9481e47b809b1be4afa Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Tue, 23 May 2023 23:49:48 -0400 +Subject: [PATCH] ext4: add EA_INODE checking to ext4_iget() +Git-commit: b3e6bcb94590dea45396b9481e47b809b1be4afa +Patch-mainline: v6.4-rc5 +References: bsc#1213106 + +Add a new flag, EXT4_IGET_EA_INODE which indicates whether the inode +is expected to have the EA_INODE flag or not. If the flag is not +set/clear as expected, then fail the iget() operation and mark the +file system as corrupted. + +This commit also makes the ext4_iget() always perform the +is_bad_inode() check even when the inode is already inode cache. This +allows us to remove the is_bad_inode() check from the callers of +ext4_iget() in the ea_inode code. + +Reported-by: syzbot+cbb68193bdb95af4340a@syzkaller.appspotmail.com +Reported-by: syzbot+62120febbd1ee3c3c860@syzkaller.appspotmail.com +Reported-by: syzbot+edce54daffee36421b4c@syzkaller.appspotmail.com +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Link: https://lore.kernel.org/r/20230524034951.779531-2-tytso@mit.edu +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 3 ++- + fs/ext4/inode.c | 31 ++++++++++++++++++++++++++----- + fs/ext4/xattr.c | 36 +++++++----------------------------- + 3 files changed, 35 insertions(+), 35 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2976,7 +2976,8 @@ typedef enum { + EXT4_IGET_NORMAL = 0, + EXT4_IGET_SPECIAL = 0x0001, /* OK to iget a system inode */ + EXT4_IGET_HANDLE = 0x0002, /* Inode # is from a handle */ +- EXT4_IGET_BAD = 0x0004 /* Allow to iget a bad inode */ ++ EXT4_IGET_BAD = 0x0004, /* Allow to iget a bad inode */ ++ EXT4_IGET_EA_INODE = 0x0008 /* Inode should contain an EA value */ + } ext4_iget_flags; + + extern struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4635,6 +4635,21 @@ static inline u64 ext4_inode_peek_iversi + return inode_peek_iversion(inode); + } + ++static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags) ++ ++{ ++ if (flags & EXT4_IGET_EA_INODE) { ++ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) ++ return "missing EA_INODE flag"; ++ } else { ++ if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) ++ return "unexpected EA_INODE flag"; ++ } ++ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) ++ return "unexpected bad inode w/o EXT4_IGET_BAD"; ++ return NULL; ++} ++ + struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + ext4_iget_flags flags, const char *function, + unsigned int line) +@@ -4643,6 +4658,7 @@ struct inode *__ext4_iget(struct super_b + struct ext4_inode *raw_inode; + struct ext4_inode_info *ei; + struct inode *inode; ++ const char *err_str; + journal_t *journal = EXT4_SB(sb)->s_journal; + long ret; + loff_t size; +@@ -4666,8 +4682,14 @@ struct inode *__ext4_iget(struct super_b + inode = iget_locked(sb, ino); + if (!inode) + return ERR_PTR(-ENOMEM); +- if (!(inode->i_state & I_NEW)) ++ if (!(inode->i_state & I_NEW)) { ++ if ((err_str = check_igot_inode(inode, flags)) != NULL) { ++ ext4_error_inode(inode, function, line, 0, err_str); ++ iput(inode); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + return inode; ++ } + + ei = EXT4_I(inode); + iloc.bh = NULL; +@@ -4936,10 +4958,9 @@ struct inode *__ext4_iget(struct super_b + if (IS_CASEFOLDED(inode) && !ext4_has_feature_casefold(inode->i_sb)) + ext4_error_inode(inode, function, line, 0, + "casefold flag without casefold feature"); +- if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) { +- ext4_error_inode(inode, function, line, 0, +- "bad inode without EXT4_IGET_BAD flag"); +- ret = -EUCLEAN; ++ if ((err_str = check_igot_inode(inode, flags)) != NULL) { ++ ext4_error_inode(inode, function, line, 0, err_str); ++ ret = -EFSCORRUPTED; + goto bad_inode; + } + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -397,7 +397,7 @@ static int ext4_xattr_inode_iget(struct + return -EFSCORRUPTED; + } + +- inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL); ++ inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_EA_INODE); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + ext4_error(parent->i_sb, +@@ -405,23 +405,6 @@ static int ext4_xattr_inode_iget(struct + err); + return err; + } +- +- if (is_bad_inode(inode)) { +- ext4_error(parent->i_sb, +- "error while reading EA inode %lu is_bad_inode", +- ea_ino); +- err = -EIO; +- goto error; +- } +- +- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) { +- ext4_error(parent->i_sb, +- "EA inode %lu does not have EXT4_EA_INODE_FL flag", +- ea_ino); +- err = -EINVAL; +- goto error; +- } +- + ext4_xattr_inode_set_class(inode); + + /* +@@ -442,9 +425,6 @@ static int ext4_xattr_inode_iget(struct + + *ea_inode = inode; + return 0; +-error: +- iput(inode); +- return err; + } + + /* Remove entry from mbcache when EA inode is getting evicted */ +@@ -1507,11 +1487,10 @@ ext4_xattr_inode_cache_find(struct inode + + while (ce) { + ea_inode = ext4_iget(inode->i_sb, ce->e_value, +- EXT4_IGET_NORMAL); +- if (!IS_ERR(ea_inode) && +- !is_bad_inode(ea_inode) && +- (EXT4_I(ea_inode)->i_flags & EXT4_EA_INODE_FL) && +- i_size_read(ea_inode) == value_len && ++ EXT4_IGET_EA_INODE); ++ if (IS_ERR(ea_inode)) ++ goto next_entry; ++ if (i_size_read(ea_inode) == value_len && + !ext4_xattr_inode_read(ea_inode, ea_data, value_len) && + !ext4_xattr_inode_verify_hashes(ea_inode, NULL, ea_data, + value_len) && +@@ -1521,9 +1500,8 @@ ext4_xattr_inode_cache_find(struct inode + kvfree(ea_data); + return ea_inode; + } +- +- if (!IS_ERR(ea_inode)) +- iput(ea_inode); ++ iput(ea_inode); ++ next_entry: + ce = mb_cache_entry_find_next(ea_inode_cache, ce); + } + kvfree(ea_data); --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-add-EXT4_IGET_BAD-flag-to-prevent-unexpected-ba.patch @@ -0,0 +1,81 @@ +From 63b1e9bccb71fe7d7e3ddc9877dbdc85e5d2d023 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Wed, 26 Oct 2022 12:23:09 +0800 +Subject: [PATCH] ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode +Git-commit: 63b1e9bccb71fe7d7e3ddc9877dbdc85e5d2d023 +Patch-mainline: v6.2-rc1 +References: bsc#1207619 + +There are many places that will get unhappy (and crash) when ext4_iget() +returns a bad inode. However, if iget the boot loader inode, allows a bad +inode to be returned, because the inode may not be initialized. This +mechanism can be used to bypass some checks and cause panic. To solve this +problem, we add a special iget flag EXT4_IGET_BAD. Only with this flag +we'd be returning bad inode from ext4_iget(), otherwise we always return +the error code if the inode is bad inode.(suggested by Jan Kara) + +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jason Yan <yanaijie@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221026042310.3839669-4-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 3 ++- + fs/ext4/inode.c | 8 +++++++- + fs/ext4/ioctl.c | 3 ++- + 3 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 8d5453852f98..2b574b143bde 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2964,7 +2964,8 @@ int do_journal_get_write_access(handle_t *handle, struct inode *inode, + typedef enum { + EXT4_IGET_NORMAL = 0, + EXT4_IGET_SPECIAL = 0x0001, /* OK to iget a system inode */ +- EXT4_IGET_HANDLE = 0x0002 /* Inode # is from a handle */ ++ EXT4_IGET_HANDLE = 0x0002, /* Inode # is from a handle */ ++ EXT4_IGET_BAD = 0x0004 /* Allow to iget a bad inode */ + } ext4_iget_flags; + + extern struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 6d16241666e6..a4bf643aa08b 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5058,8 +5058,14 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + if (IS_CASEFOLDED(inode) && !ext4_has_feature_casefold(inode->i_sb)) + ext4_error_inode(inode, function, line, 0, + "casefold flag without casefold feature"); +- brelse(iloc.bh); ++ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) { ++ ext4_error_inode(inode, function, line, 0, ++ "bad inode without EXT4_IGET_BAD flag"); ++ ret = -EUCLEAN; ++ goto bad_inode; ++ } + ++ brelse(iloc.bh); + unlock_new_inode(inode); + return inode; + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 95dfea28bf4e..9ed7b9fe2132 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -374,7 +374,8 @@ static long swap_inode_boot_loader(struct super_block *sb, + blkcnt_t blocks; + unsigned short bytes; + +- inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL); ++ inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, ++ EXT4_IGET_SPECIAL | EXT4_IGET_BAD); + if (IS_ERR(inode_bl)) + return PTR_ERR(inode_bl); + ei_bl = EXT4_I(inode_bl); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-add-helper-to-check-quota-inums.patch @@ -0,0 +1,83 @@ +From 07342ec259df2a35d6a34aebce010567a80a0e15 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Wed, 26 Oct 2022 12:23:08 +0800 +Subject: [PATCH] ext4: add helper to check quota inums +Git-commit: 07342ec259df2a35d6a34aebce010567a80a0e15 +Patch-mainline: v6.2-rc1 +References: bsc#1207618 + +Before quota is enabled, a check on the preset quota inums in +ext4_super_block is added to prevent wrong quota inodes from being loaded. +In addition, when the quota fails to be enabled, the quota type and quota +inum are printed to facilitate fault locating. + +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jason Yan <yanaijie@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221026042310.3839669-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 0f71542cf453..6f944f5e4b3f 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6886,6 +6886,20 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, + return err; + } + ++static inline bool ext4_check_quota_inum(int type, unsigned long qf_inum) ++{ ++ switch (type) { ++ case USRQUOTA: ++ return qf_inum == EXT4_USR_QUOTA_INO; ++ case GRPQUOTA: ++ return qf_inum == EXT4_GRP_QUOTA_INO; ++ case PRJQUOTA: ++ return qf_inum >= EXT4_GOOD_OLD_FIRST_INO; ++ default: ++ BUG(); ++ } ++} ++ + static int ext4_quota_enable(struct super_block *sb, int type, int format_id, + unsigned int flags) + { +@@ -6902,9 +6916,16 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id, + if (!qf_inums[type]) + return -EPERM; + ++ if (!ext4_check_quota_inum(type, qf_inums[type])) { ++ ext4_error(sb, "Bad quota inum: %lu, type: %d", ++ qf_inums[type], type); ++ return -EUCLEAN; ++ } ++ + qf_inode = ext4_iget(sb, qf_inums[type], EXT4_IGET_SPECIAL); + if (IS_ERR(qf_inode)) { +- ext4_error(sb, "Bad quota inode # %lu", qf_inums[type]); ++ ext4_error(sb, "Bad quota inode: %lu, type: %d", ++ qf_inums[type], type); + return PTR_ERR(qf_inode); + } + +@@ -6943,8 +6964,9 @@ int ext4_enable_quotas(struct super_block *sb) + if (err) { + ext4_warning(sb, + "Failed to enable quota tracking " +- "(type=%d, err=%d). Please run " +- "e2fsck to fix.", type, err); ++ "(type=%d, err=%d, ino=%lu). " ++ "Please run e2fsck to fix.", type, ++ err, qf_inums[type]); + for (type--; type >= 0; type--) { + struct inode *inode; + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-add-inode-table-check-in-__ext4_get_inode_loc-t.patch @@ -0,0 +1,89 @@ +From eee22187b53611e173161e38f61de1c7ecbeb876 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Wed, 17 Aug 2022 21:27:01 +0800 +Subject: [PATCH] ext4: add inode table check in __ext4_get_inode_loc to aovid + possible infinite loop +Git-commit: eee22187b53611e173161e38f61de1c7ecbeb876 +Patch-mainline: v6.2-rc1 +References: bsc#1207617 + +In do_writepages, if the value returned by ext4_writepages is "-ENOMEM" +and "wbc->sync_mode == WB_SYNC_ALL", retry until the condition is not met. + +In __ext4_get_inode_loc, if the bh returned by sb_getblk is NULL, +the function returns -ENOMEM. + +In __getblk_slow, if the return value of grow_buffers is less than 0, +the function returns NULL. + +When the three processes are connected in series like the following stack, +an infinite loop may occur: + +do_writepages <--- keep retrying + ext4_writepages + mpage_map_and_submit_extent + mpage_map_one_extent + ext4_map_blocks + ext4_ext_map_blocks + ext4_ext_handle_unwritten_extents + ext4_ext_convert_to_initialized + ext4_split_extent + ext4_split_extent_at + __ext4_ext_dirty + __ext4_mark_inode_dirty + ext4_reserve_inode_write + ext4_get_inode_loc + __ext4_get_inode_loc <--- return -ENOMEM + sb_getblk + __getblk_gfp + __getblk_slow <--- return NULL + grow_buffers + grow_dev_page <--- return -ENXIO + ret = (block < end_block) ? 1 : -ENXIO; + +In this issue, bg_inode_table_hi is overwritten as an incorrect value. +As a result, `block < end_block` cannot be met in grow_dev_page. +Therefore, __ext4_get_inode_loc always returns '-ENOMEM' and do_writepages +keeps retrying. As a result, the writeback process is in the D state due +to an infinite loop. + +Add a check on inode table block in the __ext4_get_inode_loc function by +referring to ext4_read_inode_bitmap to avoid this infinite loop. + +Cc: stable@kernel.org +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com> +Link: https://lore.kernel.org/r/20220817132701.3015912-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 121ce2fccfab..6d16241666e6 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4479,9 +4479,17 @@ static int __ext4_get_inode_loc(struct super_block *sb, unsigned long ino, + inodes_per_block = EXT4_SB(sb)->s_inodes_per_block; + inode_offset = ((ino - 1) % + EXT4_INODES_PER_GROUP(sb)); +- block = ext4_inode_table(sb, gdp) + (inode_offset / inodes_per_block); + iloc->offset = (inode_offset % inodes_per_block) * EXT4_INODE_SIZE(sb); + ++ block = ext4_inode_table(sb, gdp); ++ if ((block <= le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block)) || ++ (block >= ext4_blocks_count(EXT4_SB(sb)->s_es))) { ++ ext4_error(sb, "Invalid inode table block %llu in " ++ "block_group %u", block, iloc->block_group); ++ return -EFSCORRUPTED; ++ } ++ block += (inode_offset / inodes_per_block); ++ + bh = sb_getblk(sb, block); + if (unlikely(!bh)) + return -ENOMEM; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_i.patch @@ -0,0 +1,63 @@ +From aff3bea95388299eec63440389b4545c8041b357 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Tue, 23 May 2023 23:49:51 -0400 +Subject: [PATCH] ext4: add lockdep annotations for i_data_sem for ea_inode's +Git-commit: aff3bea95388299eec63440389b4545c8041b357 +Patch-mainline: v6.4-rc5 +References: bsc#1213109 + +Treat i_data_sem for ea_inodes as being in their own lockdep class to +avoid lockdep complaints about ext4_setattr's use of inode_lock() on +normal inodes potentially causing lock ordering with i_data_sem on +ea_inodes in ext4_xattr_inode_write(). However, ea_inodes will be +operated on by ext4_setattr(), so this isn't a problem. + +Cc: stable@kernel.org +Link: https://syzkaller.appspot.com/bug?extid=298c5d8fb4a128bc27b0 +Reported-by: syzbot+298c5d8fb4a128bc27b0@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Link: https://lore.kernel.org/r/20230524034951.779531-5-tytso@mit.edu +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 2 ++ + fs/ext4/xattr.c | 4 ++++ + 2 files changed, 6 insertions(+) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 9525c52b78dc..8104a21b001a 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -918,11 +918,13 @@ do { \ + * where the second inode has larger inode number + * than the first + * I_DATA_SEM_QUOTA - Used for quota inodes only ++ * I_DATA_SEM_EA - Used for ea_inodes only + */ + enum { + I_DATA_SEM_NORMAL = 0, + I_DATA_SEM_OTHER, + I_DATA_SEM_QUOTA, ++ I_DATA_SEM_EA + }; + + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index ff7ab63c5b4f..13d7f17a9c8c 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -121,7 +121,11 @@ ext4_expand_inode_array(struct ext4_xattr_inode_array **ea_inode_array, + #ifdef CONFIG_LOCKDEP + void ext4_xattr_inode_set_class(struct inode *ea_inode) + { ++ struct ext4_inode_info *ei = EXT4_I(ea_inode); ++ + lockdep_set_subclass(&ea_inode->i_rwsem, 1); ++ (void) ei; /* shut up clang warning if !CONFIG_LOCKDEP */ ++ lockdep_set_subclass(&ei->i_data_sem, I_DATA_SEM_EA); + } + #endif + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-add-missing-validation-of-fast-commit-record-le.patch @@ -0,0 +1,97 @@ +From 64b4a25c3de81a69724e888ec2db3533b43816e2 Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Sun, 6 Nov 2022 14:48:38 -0800 +Subject: [PATCH] ext4: add missing validation of fast-commit record lengths +Git-commit: 64b4a25c3de81a69724e888ec2db3533b43816e2 +Patch-mainline: v6.2-rc1 +References: bsc#1207626 + +Validate the inode and filename lengths in fast-commit journal records +so that a malicious fast-commit journal cannot cause a crash by having +invalid values for these. Also validate EXT4_FC_TAG_DEL_RANGE. + +Fixes: aa75f4d3daae ("ext4: main fast-commit commit path") +Cc: <stable@vger.kernel.org> # v5.10+ +Signed-off-by: Eric Biggers <ebiggers@google.com> +Link: https://lore.kernel.org/r/20221106224841.279231-5-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 38 +++++++++++++++++++------------------- + fs/ext4/fast_commit.h | 2 +- + 2 files changed, 20 insertions(+), 20 deletions(-) + +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1925,32 +1925,31 @@ void ext4_fc_replay_cleanup(struct super + kfree(sbi->s_fc_replay_state.fc_modified_inodes); + } + +-static inline bool ext4_fc_tag_len_isvalid(struct ext4_fc_tl *tl, +- u8 *val, u8 *end) ++static bool ext4_fc_value_len_isvalid(struct ext4_sb_info *sbi, ++ int tag, int len) + { +- if (val + tl->fc_len > end) +- return false; +- +- /* Here only check ADD_RANGE/TAIL/HEAD which will read data when do +- * journal rescan before do CRC check. Other tags length check will +- * rely on CRC check. +- */ +- switch (tl->fc_tag) { ++ switch (tag) { + case EXT4_FC_TAG_ADD_RANGE: +- return (sizeof(struct ext4_fc_add_range) == tl->fc_len); +- case EXT4_FC_TAG_TAIL: +- return (sizeof(struct ext4_fc_tail) <= tl->fc_len); +- case EXT4_FC_TAG_HEAD: +- return (sizeof(struct ext4_fc_head) == tl->fc_len); ++ return len == sizeof(struct ext4_fc_add_range); + case EXT4_FC_TAG_DEL_RANGE: ++ return len == sizeof(struct ext4_fc_del_range); ++ case EXT4_FC_TAG_CREAT: + case EXT4_FC_TAG_LINK: + case EXT4_FC_TAG_UNLINK: +- case EXT4_FC_TAG_CREAT: ++ len -= sizeof(struct ext4_fc_dentry_info); ++ return len >= 1 && len <= EXT4_NAME_LEN; + case EXT4_FC_TAG_INODE: ++ len -= sizeof(struct ext4_fc_inode); ++ return len >= EXT4_GOOD_OLD_INODE_SIZE && ++ len <= sbi->s_inode_size; + case EXT4_FC_TAG_PAD: +- default: +- return true; ++ return true; /* padding can have any length */ ++ case EXT4_FC_TAG_TAIL: ++ return len >= sizeof(struct ext4_fc_tail); ++ case EXT4_FC_TAG_HEAD: ++ return len == sizeof(struct ext4_fc_head); + } ++ return false; + } + + /* +@@ -2013,7 +2012,8 @@ static int ext4_fc_replay_scan(journal_t + cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { + ext4_fc_get_tl(&tl, cur); + val = cur + EXT4_FC_TAG_BASE_LEN; +- if (!ext4_fc_tag_len_isvalid(&tl, val, end)) { ++ if (tl.fc_len > end - val || ++ !ext4_fc_value_len_isvalid(sbi, tl.fc_tag, tl.fc_len)) { + ret = state->fc_replay_num_tags ? + JBD2_FC_REPLAY_STOP : -ECANCELED; + goto out_err; +--- a/fs/ext4/fast_commit.h ++++ b/fs/ext4/fast_commit.h +@@ -58,7 +58,7 @@ struct ext4_fc_dentry_info { + __u8 fc_dname[0]; + }; + +-/* Value structure for EXT4_FC_TAG_INODE and EXT4_FC_TAG_INODE_PARTIAL. */ ++/* Value structure for EXT4_FC_TAG_INODE. */ + struct ext4_fc_inode { + __le32 fc_ino; + __u8 fc_raw_inode[0]; --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-add-new-helper-interface-ext4_try_to_trim_range.patch @@ -0,0 +1,161 @@ +From 6920b3913235f517728bb69abe9b39047a987113 Mon Sep 17 00:00:00 2001 +From: Wang Jianchao <wangjianchao@kuaishou.com> +Date: Sat, 24 Jul 2021 15:41:21 +0800 +Subject: [PATCH] ext4: add new helper interface ext4_try_to_trim_range() +Git-commit: 6920b3913235f517728bb69abe9b39047a987113 +Patch-mainline: v5.15-rc1 +References: bsc#1202783 + +There is no functional change in this patch but just split the +codes, which serachs free block and does trim, into a new function +ext4_try_to_trim_range. This is preparing for the following async +backgroup discard. + +Reviewed-by: Andreas Dilger <adilger@dilger.ca> +Signed-off-by: Wang Jianchao <wangjianchao@kuaishou.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20210724074124.25731-3-jianchao.wan9@gmail.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/mballoc.c | 106 +++++++++++++++++++++++++++++------------------------- + 1 file changed, 58 insertions(+), 48 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -6218,6 +6218,55 @@ __acquires(bitlock) + return ret; + } + ++static int ext4_try_to_trim_range(struct super_block *sb, ++ struct ext4_buddy *e4b, ext4_grpblk_t start, ++ ext4_grpblk_t max, ext4_grpblk_t minblocks) ++{ ++ ext4_grpblk_t next, count, free_count; ++ void *bitmap; ++ int ret = 0; ++ ++ bitmap = e4b->bd_bitmap; ++ start = (e4b->bd_info->bb_first_free > start) ? ++ e4b->bd_info->bb_first_free : start; ++ count = 0; ++ free_count = 0; ++ ++ while (start <= max) { ++ start = mb_find_next_zero_bit(bitmap, max + 1, start); ++ if (start > max) ++ break; ++ next = mb_find_next_bit(bitmap, max + 1, start); ++ ++ if ((next - start) >= minblocks) { ++ ret = ext4_trim_extent(sb, start, next - start, ++ e4b->bd_group, e4b); ++ if (ret && ret != -EOPNOTSUPP) ++ break; ++ ret = 0; ++ count += next - start; ++ } ++ free_count += next - start; ++ start = next + 1; ++ ++ if (fatal_signal_pending(current)) { ++ count = -ERESTARTSYS; ++ break; ++ } ++ ++ if (need_resched()) { ++ ext4_unlock_group(sb, e4b->bd_group); ++ cond_resched(); ++ ext4_lock_group(sb, e4b->bd_group); ++ } ++ ++ if ((e4b->bd_info->bb_free - free_count) < minblocks) ++ break; ++ } ++ ++ return count; ++} ++ + /** + * ext4_trim_all_free -- function to trim all free space in alloc. group + * @sb: super block for file system +@@ -6241,10 +6290,8 @@ ext4_trim_all_free(struct super_block *s + ext4_grpblk_t start, ext4_grpblk_t max, + ext4_grpblk_t minblocks) + { +- void *bitmap; +- ext4_grpblk_t next, count = 0, free_count = 0; + struct ext4_buddy e4b; +- int ret = 0; ++ int ret; + + trace_ext4_trim_all_free(sb, group, start, max); + +@@ -6254,58 +6301,21 @@ ext4_trim_all_free(struct super_block *s + ret, group); + return ret; + } +- bitmap = e4b.bd_bitmap; +- + ext4_lock_group(sb, group); +- if (EXT4_MB_GRP_WAS_TRIMMED(e4b.bd_info) && +- minblocks >= atomic_read(&EXT4_SB(sb)->s_last_trim_minblks)) +- goto out; +- +- start = (e4b.bd_info->bb_first_free > start) ? +- e4b.bd_info->bb_first_free : start; +- +- while (start <= max) { +- start = mb_find_next_zero_bit(bitmap, max + 1, start); +- if (start > max) +- break; +- next = mb_find_next_bit(bitmap, max + 1, start); +- +- if ((next - start) >= minblocks) { +- ret = ext4_trim_extent(sb, start, +- next - start, group, &e4b); +- if (ret && ret != -EOPNOTSUPP) +- break; +- ret = 0; +- count += next - start; +- } +- free_count += next - start; +- start = next + 1; +- +- if (fatal_signal_pending(current)) { +- count = -ERESTARTSYS; +- break; +- } +- +- if (need_resched()) { +- ext4_unlock_group(sb, group); +- cond_resched(); +- ext4_lock_group(sb, group); +- } +- +- if ((e4b.bd_info->bb_free - free_count) < minblocks) +- break; ++ if (!EXT4_MB_GRP_WAS_TRIMMED(e4b.bd_info) || ++ minblocks < atomic_read(&EXT4_SB(sb)->s_last_trim_minblks)) { ++ ret = ext4_try_to_trim_range(sb, &e4b, start, max, minblocks); ++ if (ret >= 0) ++ EXT4_MB_GRP_SET_TRIMMED(e4b.bd_info); ++ } else { ++ ret = 0; + } + +- if (!ret) { +- ret = count; +- EXT4_MB_GRP_SET_TRIMMED(e4b.bd_info); +- } +-out: + ext4_unlock_group(sb, group); + ext4_mb_unload_buddy(&e4b); + + ext4_debug("trimmed %d blocks in the group %d\n", +- count, group); ++ ret, group); + + return ret; + } --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-add-reserved-GDT-blocks-check.patch @@ -0,0 +1,79 @@ +From b55c3cd102a6f48b90e61c44f7f3dda8c290c694 Mon Sep 17 00:00:00 2001 +From: Zhang Yi <yi.zhang@huawei.com> +Date: Wed, 1 Jun 2022 17:27:17 +0800 +Subject: [PATCH] ext4: add reserved GDT blocks check +Git-commit: b55c3cd102a6f48b90e61c44f7f3dda8c290c694 +Patch-mainline: v5.19-rc3 +References: bsc#1202712 + +We capture a NULL pointer issue when resizing a corrupt ext4 image which +is freshly clear resize_inode feature (not run e2fsck). It could be +simply reproduced by following steps. The problem is because of the +resize_inode feature was cleared, and it will convert the filesystem to +meta_bg mode in ext4_resize_fs(), but the es->s_reserved_gdt_blocks was +not reduced to zero, so could we mistakenly call reserve_backup_gdb() +and passing an uninitialized resize_inode to it when adding new group +descriptors. + + mkfs.ext4 /dev/sda 3G + tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck + mount /dev/sda /mnt + resize2fs /dev/sda 8G + + ======== + BUG: kernel NULL pointer dereference, address: 0000000000000028 + CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748 + ... + RIP: 0010:ext4_flex_group_add+0xe08/0x2570 + ... + Call Trace: + <TASK> + ext4_resize_fs+0xbec/0x1660 + __ext4_ioctl+0x1749/0x24e0 + ext4_ioctl+0x12/0x20 + __x64_sys_ioctl+0xa6/0x110 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f2dd739617b + ======== + +The fix is simple, add a check in ext4_resize_begin() to make sure that +the es->s_reserved_gdt_blocks is zero when the resize_inode feature is +disabled. + +Cc: stable@kernel.org +Signed-off-by: Zhang Yi <yi.zhang@huawei.com> +Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220601092717.763694-1-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/resize.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 90a941d20dff..8b70a4701293 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -53,6 +53,16 @@ int ext4_resize_begin(struct super_block *sb) + if (!capable(CAP_SYS_RESOURCE)) + return -EPERM; + ++ /* ++ * If the reserved GDT blocks is non-zero, the resize_inode feature ++ * should always be set. ++ */ ++ if (EXT4_SB(sb)->s_es->s_reserved_gdt_blocks && ++ !ext4_has_feature_resize_inode(sb)) { ++ ext4_error(sb, "resize_inode disabled but reserved GDT blocks non-zero"); ++ return -EFSCORRUPTED; ++ } ++ + /* + * If we are not using the primary superblock/GDT copy don't resize, + * because the user tools have no way of handling this. Probably a +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-allocate-extended-attribute-value-in-vmalloc-ar.patch @@ -0,0 +1,50 @@ +From cc12a6f25e07ed05d5825a1664b67a970842b2ca Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Thu, 8 Dec 2022 10:32:31 +0800 +Subject: [PATCH] ext4: allocate extended attribute value in vmalloc area +Git-commit: cc12a6f25e07ed05d5825a1664b67a970842b2ca +Patch-mainline: v6.2-rc1 +References: bsc#1207635 + +Now, extended attribute value maximum length is 64K. The memory +requested here does not need continuous physical addresses, so it is +appropriate to use kvmalloc to request memory. At the same time, it +can also cope with the situation that the extended attribute will +become longer in the future. + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221208023233.1231330-3-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/xattr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 6bdd502527f8..b666d3bf8b38 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2548,7 +2548,7 @@ static int ext4_xattr_move_to_block(handle_t *handle, struct inode *inode, + + is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS); + bs = kzalloc(sizeof(struct ext4_xattr_block_find), GFP_NOFS); +- buffer = kmalloc(value_size, GFP_NOFS); ++ buffer = kvmalloc(value_size, GFP_NOFS); + b_entry_name = kmalloc(entry->e_name_len + 1, GFP_NOFS); + if (!is || !bs || !buffer || !b_entry_name) { + error = -ENOMEM; +@@ -2600,7 +2600,7 @@ static int ext4_xattr_move_to_block(handle_t *handle, struct inode *inode, + error = 0; + out: + kfree(b_entry_name); +- kfree(buffer); ++ kvfree(buffer); + if (is) + brelse(is->iloc.bh); + if (bs) +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-BUG_ON-when-creating-xattrs.patch @@ -0,0 +1,58 @@ +From b40ebaf63851b3a401b0dc9263843538f64f5ce6 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Mon, 21 Nov 2022 14:09:29 +0100 +Subject: [PATCH] ext4: avoid BUG_ON when creating xattrs +Git-commit: b40ebaf63851b3a401b0dc9263843538f64f5ce6 +Patch-mainline: v6.2-rc1 +References: bsc#1205496 + +Commit fb0a387dcdcd ("ext4: limit block allocations for indirect-block +files to < 2^32") added code to try to allocate xattr block with 32-bit +block number for indirect block based files on the grounds that these +files cannot use larger block numbers. It also added BUG_ON when +allocated block could not fit into 32 bits. This is however bogus +reasoning because xattr block is stored in inode->i_file_acl and +inode->i_file_acl_hi and as such even indirect block based files can +happily use full 48 bits for xattr block number. The proper handling +seems to be there basically since 64-bit block number support was added. +So remove the bogus limitation and BUG_ON. + +Cc: Eric Sandeen <sandeen@redhat.com> +Fixes: fb0a387dcdcd ("ext4: limit block allocations for indirect-block files to < 2^32") +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221121130929.32031-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/xattr.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 718ef3987f94..4d1c701f0eec 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2071,19 +2071,11 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode, + + goal = ext4_group_first_block_no(sb, + EXT4_I(inode)->i_block_group); +- +- /* non-extent files can't have physical blocks past 2^32 */ +- if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) +- goal = goal & EXT4_MAX_BLOCK_FILE_PHYS; +- + block = ext4_new_meta_blocks(handle, inode, goal, 0, + NULL, &error); + if (error) + goto cleanup; + +- if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) +- BUG_ON(block > EXT4_MAX_BLOCK_FILE_PHYS); +- + ea_idebug(inode, "creating block %llu", + (unsigned long long)block); + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-cycles-in-directory-h-tree.patch @@ -0,0 +1,86 @@ +From 3ba733f879c2a88910744647e41edeefbc0d92b2 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Wed, 18 May 2022 11:33:29 +0200 +Subject: [PATCH] ext4: avoid cycles in directory h-tree +Git-commit: 3ba733f879c2a88910744647e41edeefbc0d92b2 +Patch-mainline: v5.19-rc1 +References: bsc#1198577 CVE-2022-1184 + +A maliciously corrupted filesystem can contain cycles in the h-tree +stored inside a directory. That can easily lead to the kernel corrupting +tree nodes that were already verified under its hands while doing a node +split and consequently accessing unallocated memory. Fix the problem by +verifying traversed block numbers are unique. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220518093332.13986-2-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 7286472e9558..47d0ca4c795b 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -777,12 +777,14 @@ static struct dx_frame * + dx_probe(struct ext4_filename *fname, struct inode *dir, + struct dx_hash_info *hinfo, struct dx_frame *frame_in) + { +- unsigned count, indirect; ++ unsigned count, indirect, level, i; + struct dx_entry *at, *entries, *p, *q, *m; + struct dx_root *root; + struct dx_frame *frame = frame_in; + struct dx_frame *ret_err = ERR_PTR(ERR_BAD_DX_DIR); + u32 hash; ++ ext4_lblk_t block; ++ ext4_lblk_t blocks[EXT4_HTREE_LEVEL]; + + memset(frame_in, 0, EXT4_HTREE_LEVEL * sizeof(frame_in[0])); + frame->bh = ext4_read_dirblock(dir, 0, INDEX); +@@ -854,6 +856,8 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, + } + + dxtrace(printk("Look up %x", hash)); ++ level = 0; ++ blocks[0] = 0; + while (1) { + count = dx_get_count(entries); + if (!count || count > dx_get_limit(entries)) { +@@ -882,15 +886,27 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, + dx_get_block(at))); + frame->entries = entries; + frame->at = at; +- if (!indirect--) ++ ++ block = dx_get_block(at); ++ for (i = 0; i <= level; i++) { ++ if (blocks[i] == block) { ++ ext4_warning_inode(dir, ++ "dx entry: tree cycle block %u points back to block %u", ++ blocks[level], block); ++ goto fail; ++ } ++ } ++ if (++level > indirect) + return frame; ++ blocks[level] = block; + frame++; +- frame->bh = ext4_read_dirblock(dir, dx_get_block(at), INDEX); ++ frame->bh = ext4_read_dirblock(dir, block, INDEX); + if (IS_ERR(frame->bh)) { + ret_err = (struct dx_frame *) frame->bh; + frame->bh = NULL; + goto fail; + } ++ + entries = ((struct dx_node *) frame->bh->b_data)->entries; + + if (dx_get_limit(entries) != dx_node_limit(dir)) { +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-deadlock-in-fs-reclaim-with-page-writebac.patch @@ -0,0 +1,232 @@ +From 00d873c17e29cc32d90ca852b82685f1673acaa5 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Thu, 4 May 2023 14:47:23 +0200 +Subject: [PATCH] ext4: avoid deadlock in fs reclaim with page writeback +Git-commit: 00d873c17e29cc32d90ca852b82685f1673acaa5 +Patch-mainline: v6.4-rc2 +References: bsc#1213016 + +Ext4 has a filesystem wide lock protecting ext4_writepages() calls to +avoid races with switching of journalled data flag or inode format. This +lock can however cause a deadlock like: + +CPU0 CPU1 + +ext4_writepages() + percpu_down_read(sbi->s_writepages_rwsem); + ext4_change_inode_journal_flag() + percpu_down_write(sbi->s_writepages_rwsem); + - blocks, all readers block from now on + ext4_do_writepages() + ext4_init_io_end() + kmem_cache_zalloc(io_end_cachep, GFP_KERNEL) + fs_reclaim frees dentry... + dentry_unlink_inode() + iput() - last ref => + iput_final() - inode dirty => + write_inode_now()... + ext4_writepages() tries to acquire sbi->s_writepages_rwsem + and blocks forever + +Make sure we cannot recurse into filesystem reclaim from writeback code +to avoid the deadlock. + +Reported-by: syzbot+6898da502aef574c5f8a@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/0000000000004c66b405fa108e27@google.com +Fixes: c8585c6fcaf2 ("ext4: fix races between changing inode journal mode and ext4_writepages") +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230504124723.20205-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 25 +++++++++++++++++++++++++ + fs/ext4/inode.c | 18 ++++++++++-------- + fs/ext4/migrate.c | 11 ++++++----- + 3 files changed, 41 insertions(+), 13 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -36,6 +36,7 @@ + #include <linux/falloc.h> + #include <linux/percpu-rwsem.h> + #include <linux/fiemap.h> ++#include <linux/sched/mm.h> + #ifdef __KERNEL__ + #include <linux/compat.h> + #endif +@@ -1720,6 +1721,30 @@ static inline struct ext4_inode_info *EX + return container_of(inode, struct ext4_inode_info, vfs_inode); + } + ++static inline int ext4_writepages_down_read(struct super_block *sb) ++{ ++ percpu_down_read(&EXT4_SB(sb)->s_writepages_rwsem); ++ return memalloc_nofs_save(); ++} ++ ++static inline void ext4_writepages_up_read(struct super_block *sb, int ctx) ++{ ++ memalloc_nofs_restore(ctx); ++ percpu_up_read(&EXT4_SB(sb)->s_writepages_rwsem); ++} ++ ++static inline int ext4_writepages_down_write(struct super_block *sb) ++{ ++ percpu_down_write(&EXT4_SB(sb)->s_writepages_rwsem); ++ return memalloc_nofs_save(); ++} ++ ++static inline void ext4_writepages_up_write(struct super_block *sb, int ctx) ++{ ++ memalloc_nofs_restore(ctx); ++ percpu_up_write(&EXT4_SB(sb)->s_writepages_rwsem); ++} ++ + static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) + { + return ino == EXT4_ROOT_INO || +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2668,11 +2668,12 @@ static int ext4_writepages(struct addres + struct ext4_sb_info *sbi = EXT4_SB(mapping->host->i_sb); + struct blk_plug plug; + bool give_up_on_write = false; ++ int alloc_ctx; + + if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb)))) + return -EIO; + +- percpu_down_read(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_read(inode->i_sb); + trace_ext4_writepages(inode, wbc); + + /* +@@ -2882,7 +2883,7 @@ unplug: + out_writepages: + trace_ext4_writepages_result(inode, wbc, ret, + nr_to_write - wbc->nr_to_write); +- percpu_up_read(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_read(inode->i_sb, alloc_ctx); + return ret; + } + +@@ -2893,17 +2894,18 @@ static int ext4_dax_writepages(struct ad + long nr_to_write = wbc->nr_to_write; + struct inode *inode = mapping->host; + struct ext4_sb_info *sbi = EXT4_SB(mapping->host->i_sb); ++ int alloc_ctx; + + if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb)))) + return -EIO; + +- percpu_down_read(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_read(inode->i_sb); + trace_ext4_writepages(inode, wbc); + + ret = dax_writeback_mapping_range(mapping, sbi->s_daxdev, wbc); + trace_ext4_writepages_result(inode, wbc, ret, + nr_to_write - wbc->nr_to_write); +- percpu_up_read(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_read(inode->i_sb, alloc_ctx); + return ret; + } + +@@ -6008,7 +6010,7 @@ int ext4_change_inode_journal_flag(struc + journal_t *journal; + handle_t *handle; + int err; +- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); ++ int alloc_ctx; + + /* + * We have to be very careful here: changing a data block's +@@ -6046,7 +6048,7 @@ int ext4_change_inode_journal_flag(struc + } + } + +- percpu_down_write(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_write(inode->i_sb); + jbd2_journal_lock_updates(journal); + + /* +@@ -6063,7 +6065,7 @@ int ext4_change_inode_journal_flag(struc + err = jbd2_journal_flush(journal, 0); + if (err < 0) { + jbd2_journal_unlock_updates(journal); +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + return err; + } + ext4_clear_inode_flag(inode, EXT4_INODE_JOURNAL_DATA); +@@ -6071,7 +6073,7 @@ int ext4_change_inode_journal_flag(struc + ext4_set_aops(inode); + + jbd2_journal_unlock_updates(journal); +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + + if (val) + filemap_invalidate_unlock(inode->i_mapping); +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -409,7 +409,6 @@ static int free_ext_block(handle_t *hand + + int ext4_ext_migrate(struct inode *inode) + { +- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + handle_t *handle; + int retval = 0, i; + __le32 *i_data; +@@ -419,6 +418,7 @@ int ext4_ext_migrate(struct inode *inode + unsigned long max_entries; + __u32 goal, tmp_csum_seed; + uid_t owner[2]; ++ int alloc_ctx; + + /* + * If the filesystem does not support extents, or the inode +@@ -435,7 +435,7 @@ int ext4_ext_migrate(struct inode *inode + */ + return retval; + +- percpu_down_write(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_write(inode->i_sb); + + /* + * Worst case we can touch the allocation bitmaps and a block +@@ -587,7 +587,7 @@ out_tmp_inode: + unlock_new_inode(tmp_inode); + iput(tmp_inode); + out_unlock: +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + return retval; + } + +@@ -606,6 +606,7 @@ int ext4_ind_migrate(struct inode *inode + ext4_fsblk_t blk; + handle_t *handle; + int ret, ret2 = 0; ++ int alloc_ctx; + + if (!ext4_has_feature_extents(inode->i_sb) || + (!ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) +@@ -622,7 +623,7 @@ int ext4_ind_migrate(struct inode *inode + if (test_opt(inode->i_sb, DELALLOC)) + ext4_alloc_da_blocks(inode); + +- percpu_down_write(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_write(inode->i_sb); + + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, 1); + if (IS_ERR(handle)) { +@@ -666,6 +667,6 @@ errout: + ext4_journal_stop(handle); + up_write(&EXT4_I(inode)->i_data_sem); + out_unlock: +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + return ret; + } --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-trim-error-on-fs-with-small-groups.patch @@ -0,0 +1,72 @@ +From 173b6e383d2a204c9921ffc1eca3b87aa2106c33 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Fri, 12 Nov 2021 16:22:02 +0100 +Subject: [PATCH] ext4: avoid trim error on fs with small groups +Git-commit: 173b6e383d2a204c9921ffc1eca3b87aa2106c33 +Patch-mainline: v5.17-rc1 +References: bsc#1191271 + +A user reported FITRIM ioctl failing for him on ext4 on some devices +without apparent reason. After some debugging we've found out that +these devices (being LVM volumes) report rather large discard +granularity of 42MB and the filesystem had 1k blocksize and thus group +size of 8MB. Because ext4 FITRIM implementation puts discard +granularity into minlen, ext4_trim_fs() declared the trim request as +invalid. However just silently doing nothing seems to be a more +appropriate reaction to such combination of parameters since user did +not specify anything wrong. + +Cc: Lukas Czerner <lczerner@redhat.com> +Fixes: 5c2ed62fd447 ("ext4: Adjust minlen with discard_granularity in the FITRIM ioctl") +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20211112152202.26614-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ioctl.c | 2 -- + fs/ext4/mballoc.c | 8 ++++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 1366afb59fba..798d9d828795 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -1114,8 +1114,6 @@ static long __ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + sizeof(range))) + return -EFAULT; + +- range.minlen = max((unsigned int)range.minlen, +- q->limits.discard_granularity); + ret = ext4_trim_fs(sb, &range); + if (ret < 0) + return ret; +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 3dd9b9e2f967..ea764137462e 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -6400,6 +6400,7 @@ ext4_trim_all_free(struct super_block *sb, ext4_group_t group, + */ + int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range) + { ++ struct request_queue *q = bdev_get_queue(sb->s_bdev); + struct ext4_group_info *grp; + ext4_group_t group, first_group, last_group; + ext4_grpblk_t cnt = 0, first_cluster, last_cluster; +@@ -6418,6 +6419,13 @@ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range) + start >= max_blks || + range->len < sb->s_blocksize) + return -EINVAL; ++ /* No point to try to trim less than discard granularity */ ++ if (range->minlen < q->limits.discard_granularity) { ++ minlen = EXT4_NUM_B2C(EXT4_SB(sb), ++ q->limits.discard_granularity >> sb->s_blocksize_bits); ++ if (minlen > EXT4_CLUSTERS_PER_GROUP(sb)) ++ goto out; ++ } + if (end >= max_blks) + end = max_blks - 1; + if (end <= first_data_blk) +-- +2.34.1 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-avoid-unaccounted-block-allocation-when-expandi.patch @@ -0,0 +1,47 @@ +From 8994d11395f8165b3deca1971946f549f0822630 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Wed, 7 Dec 2022 12:59:28 +0100 +Subject: [PATCH] ext4: avoid unaccounted block allocation when expanding inode +Git-commit: 8994d11395f8165b3deca1971946f549f0822630 +Patch-mainline: v6.2-rc1 +References: bsc#1207634 + +When expanding inode space in ext4_expand_extra_isize_ea() we may need +to allocate external xattr block. If quota is not initialized for the +inode, the block allocation will not be accounted into quota usage. Make +sure the quota is initialized before we try to expand inode space. + +Reported-by: Pengfei Xu <pengfei.xu@intel.com> +Link: https://lore.kernel.org/all/Y5BT+k6xWqthZc1P@xpf.sh.intel.com +Signed-off-by: Jan Kara <jack@suse.cz> +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20221207115937.26601-2-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 38b7db452d37..5a92e5186313 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5945,6 +5945,14 @@ static int __ext4_expand_extra_isize(struct inode *inode, + return 0; + } + ++ /* ++ * We may need to allocate external xattr block so we need quotas ++ * initialized. Here we can be called with various locks held so we ++ * cannot affort to initialize quotas ourselves. So just bail. ++ */ ++ if (dquot_initialize_needed(inode)) ++ return -EAGAIN; ++ + /* try to expand with EAs present */ + error = ext4_expand_extra_isize_ea(inode, new_extra_isize, + raw_inode, handle); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-.patch @@ -0,0 +1,36 @@ +From 2a534e1d0d1591e951f9ece2fb460b2ff92edabd Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Fri, 12 May 2023 15:16:27 -0400 +Subject: [PATCH] ext4: bail out of ext4_xattr_ibody_get() fails for any reason +Git-commit: 2a534e1d0d1591e951f9ece2fb460b2ff92edabd +Patch-mainline: v6.4-rc2 +References: bsc#1213018 + +In ext4_update_inline_data(), if ext4_xattr_ibody_get() fails for any +reason, it's best if we just fail as opposed to stumbling on, +especially if the failure is EFSCORRUPTED. + +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index f47adb284e90..5854bd5a3352 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -360,7 +360,7 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode, + + error = ext4_xattr_ibody_get(inode, i.name_index, i.name, + value, len); +- if (error == -ENODATA) ++ if (error < 0) + goto out; + + BUFFER_TRACE(is.iloc.bh, "get_write_access"); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-check-if-directory-block-is-within-i_size.patch @@ -0,0 +1,57 @@ +From 65f8ea4cd57dbd46ea13b41dc8bac03176b04233 Mon Sep 17 00:00:00 2001 +From: Lukas Czerner <lczerner@redhat.com> +Date: Mon, 4 Jul 2022 16:27:20 +0200 +Subject: [PATCH] ext4: check if directory block is within i_size +Git-commit: 65f8ea4cd57dbd46ea13b41dc8bac03176b04233 +Patch-mainline: v6.0-rc1 +References: bsc#1198577 CVE-2022-1184 + +Currently ext4 directory handling code implicitly assumes that the +directory blocks are always within the i_size. In fact ext4_append() +will attempt to allocate next directory block based solely on i_size and +the i_size is then appropriately increased after a successful +allocation. + +However, for this to work it requires i_size to be correct. If, for any +reason, the directory inode i_size is corrupted in a way that the +directory tree refers to a valid directory block past i_size, we could +end up corrupting parts of the directory tree structure by overwriting +already used directory blocks when modifying the directory. + +Fix it by catching the corruption early in __ext4_read_dirblock(). + +Addresses Red-Hat-Bugzilla: #2070205 + +Cve: CVE-2022-1184 +Signed-off-by: Lukas Czerner <lczerner@redhat.com> +Cc: stable@vger.kernel.org +Reviewed-by: Andreas Dilger <adilger@dilger.ca> +Link: https://lore.kernel.org/r/20220704142721.157985-1-lczerner@redhat.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 1c6725ecca1a..7fced54e2891 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -110,6 +110,13 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode, + struct ext4_dir_entry *dirent; + int is_dx_block = 0; + ++ if (block >= inode->i_size) { ++ ext4_error_inode(inode, func, line, block, ++ "Attempting to read directory block (%u) that is past i_size (%llu)", ++ block, inode->i_size); ++ return ERR_PTR(-EFSCORRUPTED); ++ } ++ + if (ext4_simulate_fail(inode->i_sb, EXT4_SIM_DIRBLOCK_EIO)) + bh = ERR_PTR(-EIO); + else +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-.patch @@ -0,0 +1,45 @@ +From fa83c34e3e56b3c672af38059e066242655271b1 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Fri, 5 May 2023 21:24:29 +0800 +Subject: [PATCH] ext4: check iomap type only if ext4_iomap_begin() does not + fail +Git-commit: fa83c34e3e56b3c672af38059e066242655271b1 +Patch-mainline: v6.4-rc2 +References: bsc#1213103 + +When ext4_iomap_overwrite_begin() calls ext4_iomap_begin() map blocks may +fail for some reason (e.g. memory allocation failure, bare disk write), and +later because "iomap->type ! = IOMAP_MAPPED" triggers WARN_ON(). When ext4 +iomap_begin() returns an error, it is normal that the type of iomap->type +may not match the expectation. Therefore, we only determine if iomap->type +is as expected when ext4_iomap_begin() is executed successfully. + +Cc: stable@kernel.org +Reported-by: syzbot+08106c4b7d60702dbc14@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/00000000000015760b05f9b4eee9@google.com +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230505132429.714648-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 3cb774d9e3f1..ce5f21b6c2b3 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3377,7 +3377,7 @@ static int ext4_iomap_overwrite_begin(struct inode *inode, loff_t offset, + */ + flags &= ~IOMAP_WRITE; + ret = ext4_iomap_begin(inode, offset, length, flags, iomap, srcmap); +- WARN_ON_ONCE(iomap->type != IOMAP_MAPPED); ++ WARN_ON_ONCE(!ret && iomap->type != IOMAP_MAPPED); + return ret; + } + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-destroy-ext4_fc_dentry_cachep-kmemcache-on-modu.patch @@ -0,0 +1,79 @@ +From ab047d516dea72f011c15c04a929851e4d053109 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior <bigeasy@linutronix.de> +Date: Thu, 23 Dec 2021 17:44:36 +0100 +Subject: [PATCH] ext4: destroy ext4_fc_dentry_cachep kmemcache on module + removal +Git-commit: ab047d516dea72f011c15c04a929851e4d053109 +Patch-mainline: v5.17-rc1 +References: bsc#1197917 + +The kmemcache for ext4_fc_dentry_cachep remains registered after module +removal. + +Destroy ext4_fc_dentry_cachep kmemcache on module removal. + +Fixes: aa75f4d3daaeb ("ext4: main fast-commit commit path") +Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> +Reviewed-by: Lukas Czerner <lczerner@redhat.com> +Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com> +Link: https://lore.kernel.org/r/20211110134640.lyku5vklvdndw6uk@linutronix.de +Link: https://lore.kernel.org/r/YbiK3JetFFl08bd7@linutronix.de +Link: https://lore.kernel.org/r/20211223164436.2628390-1-bigeasy@linutronix.de +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 1 + + fs/ext4/fast_commit.c | 5 +++++ + fs/ext4/super.c | 2 ++ + 3 files changed, 8 insertions(+) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 82fa51d6f145..714201fa9e6f 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2932,6 +2932,7 @@ bool ext4_fc_replay_check_excluded(struct super_block *sb, ext4_fsblk_t block); + void ext4_fc_replay_cleanup(struct super_block *sb); + int ext4_fc_commit(journal_t *journal, tid_t commit_tid); + int __init ext4_fc_init_dentry_cache(void); ++void ext4_fc_destroy_dentry_cache(void); + + /* mballoc.c */ + extern const struct seq_operations ext4_mb_seq_groups_ops; +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 28ddeb1d6afb..a6d647325742 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -2153,3 +2153,8 @@ int __init ext4_fc_init_dentry_cache(void) + + return 0; + } ++ ++void ext4_fc_destroy_dentry_cache(void) ++{ ++ kmem_cache_destroy(ext4_fc_dentry_cachep); ++} +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index acdfd9c0d091..499d1734818d 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -7118,6 +7118,7 @@ static int __init ext4_init_fs(void) + out: + unregister_as_ext2(); + unregister_as_ext3(); ++ ext4_fc_destroy_dentry_cache(); + out05: + destroy_inodecache(); + out1: +@@ -7144,6 +7145,7 @@ static void __exit ext4_exit_fs(void) + unregister_as_ext2(); + unregister_as_ext3(); + unregister_filesystem(&ext4_fs_type); ++ ext4_fc_destroy_dentry_cache(); + destroy_inodecache(); + ext4_exit_mballoc(); + ext4_exit_sysfs(); +-- +2.34.1 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-disable-fast-commit-of-encrypted-dir-operations.patch @@ -0,0 +1,151 @@ +From 0fbcb5251fc81b58969b272c4fb7374a7b922e3e Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Sun, 6 Nov 2022 14:48:35 -0800 +Subject: [PATCH] ext4: disable fast-commit of encrypted dir operations +Git-commit: 0fbcb5251fc81b58969b272c4fb7374a7b922e3e +Patch-mainline: v6.2-rc1 +References: bsc#1207623 + +fast-commit of create, link, and unlink operations in encrypted +directories is completely broken because the unencrypted filenames are +being written to the fast-commit journal instead of the encrypted +filenames. These operations can't be replayed, as encryption keys +aren't present at journal replay time. It is also an information leak. + +Until if/when we can get this working properly, make encrypted directory +operations ineligible for fast-commit. + +Note that fast-commit operations on encrypted regular files continue to +be allowed, as they seem to work. + +Fixes: aa75f4d3daae ("ext4: main fast-commit commit path") +Cc: <stable@vger.kernel.org> # v5.10+ +Signed-off-by: Eric Biggers <ebiggers@google.com> +Link: https://lore.kernel.org/r/20221106224841.279231-2-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 41 +++++++++++++++++++++++++---------------- + fs/ext4/fast_commit.h | 1 + + include/trace/events/ext4.h | 7 +++++-- + 3 files changed, 31 insertions(+), 18 deletions(-) + +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -432,25 +432,34 @@ static int __track_dentry_update(struct + struct __track_dentry_update_args *dentry_update = + (struct __track_dentry_update_args *)arg; + struct dentry *dentry = dentry_update->dentry; +- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); ++ struct inode *dir = dentry->d_parent->d_inode; ++ struct super_block *sb = inode->i_sb; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + + mutex_unlock(&ei->i_fc_lock); ++ ++ if (IS_ENCRYPTED(dir)) { ++ ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_ENCRYPTED_FILENAME, ++ NULL); ++ mutex_lock(&ei->i_fc_lock); ++ return -EOPNOTSUPP; ++ } ++ + node = kmem_cache_alloc(ext4_fc_dentry_cachep, GFP_NOFS); + if (!node) { +- ext4_fc_mark_ineligible(inode->i_sb, EXT4_FC_REASON_NOMEM); ++ ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_NOMEM); + mutex_lock(&ei->i_fc_lock); + return -ENOMEM; + } + + node->fcd_op = dentry_update->op; +- node->fcd_parent = dentry->d_parent->d_inode->i_ino; ++ node->fcd_parent = dir->i_ino; + node->fcd_ino = inode->i_ino; + if (dentry->d_name.len > DNAME_INLINE_LEN) { + node->fcd_name.name = kmalloc(dentry->d_name.len, GFP_NOFS); + if (!node->fcd_name.name) { + kmem_cache_free(ext4_fc_dentry_cachep, node); +- ext4_fc_mark_ineligible(inode->i_sb, +- EXT4_FC_REASON_NOMEM); ++ ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_NOMEM); + mutex_lock(&ei->i_fc_lock); + return -ENOMEM; + } +@@ -2205,17 +2214,17 @@ void ext4_fc_init(struct super_block *sb + journal->j_fc_cleanup_callback = ext4_fc_cleanup; + } + +-static const char *fc_ineligible_reasons[] = { +- "Extended attributes changed", +- "Cross rename", +- "Journal flag changed", +- "Insufficient memory", +- "Swap boot", +- "Resize", +- "Dir renamed", +- "Falloc range op", +- "Data journalling", +- "FC Commit Failed" ++static const char * const fc_ineligible_reasons[] = { ++ [EXT4_FC_REASON_XATTR] = "Extended attributes changed", ++ [EXT4_FC_REASON_CROSS_RENAME] = "Cross rename", ++ [EXT4_FC_REASON_JOURNAL_FLAG_CHANGE] = "Journal flag changed", ++ [EXT4_FC_REASON_NOMEM] = "Insufficient memory", ++ [EXT4_FC_REASON_SWAP_BOOT] = "Swap boot", ++ [EXT4_FC_REASON_RESIZE] = "Resize", ++ [EXT4_FC_REASON_RENAME_DIR] = "Dir renamed", ++ [EXT4_FC_REASON_FALLOC_RANGE] = "Falloc range op", ++ [EXT4_FC_REASON_INODE_JOURNAL_DATA] = "Data journalling", ++ [EXT4_FC_REASON_ENCRYPTED_FILENAME] = "Encrypted filename", + }; + + int ext4_fc_info_show(struct seq_file *seq, void *v) +--- a/fs/ext4/fast_commit.h ++++ b/fs/ext4/fast_commit.h +@@ -99,6 +99,7 @@ enum { + EXT4_FC_REASON_FALLOC_RANGE, + EXT4_FC_REASON_INODE_JOURNAL_DATA, + EXT4_FC_COMMIT_FAILED, ++ EXT4_FC_REASON_ENCRYPTED_FILENAME, + EXT4_FC_REASON_MAX + }; + +--- a/include/trace/events/ext4.h ++++ b/include/trace/events/ext4.h +@@ -104,6 +104,7 @@ TRACE_DEFINE_ENUM(EXT4_FC_REASON_RESIZE) + TRACE_DEFINE_ENUM(EXT4_FC_REASON_RENAME_DIR); + TRACE_DEFINE_ENUM(EXT4_FC_REASON_FALLOC_RANGE); + TRACE_DEFINE_ENUM(EXT4_FC_REASON_INODE_JOURNAL_DATA); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_ENCRYPTED_FILENAME); + TRACE_DEFINE_ENUM(EXT4_FC_REASON_MAX); + + #define show_fc_reason(reason) \ +@@ -116,7 +117,8 @@ TRACE_DEFINE_ENUM(EXT4_FC_REASON_MAX); + { EXT4_FC_REASON_RESIZE, "RESIZE"}, \ + { EXT4_FC_REASON_RENAME_DIR, "RENAME_DIR"}, \ + { EXT4_FC_REASON_FALLOC_RANGE, "FALLOC_RANGE"}, \ +- { EXT4_FC_REASON_INODE_JOURNAL_DATA, "INODE_JOURNAL_DATA"}) ++ { EXT4_FC_REASON_INODE_JOURNAL_DATA, "INODE_JOURNAL_DATA"}, \ ++ { EXT4_FC_REASON_ENCRYPTED_FILENAME, "ENCRYPTED_FILENAME"}) + + TRACE_EVENT(ext4_other_inode_update_time, + TP_PROTO(struct inode *inode, ino_t orig_ino), +@@ -2764,7 +2766,7 @@ TRACE_EVENT(ext4_fc_stats, + ), + + TP_printk("dev %d,%d fc ineligible reasons:\n" +- "%s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u " ++ "%s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u" + "num_commits:%lu, ineligible: %lu, numblks: %lu", + MAJOR(__entry->dev), MINOR(__entry->dev), + FC_REASON_NAME_STAT(EXT4_FC_REASON_XATTR), +@@ -2776,6 +2778,7 @@ TRACE_EVENT(ext4_fc_stats, + FC_REASON_NAME_STAT(EXT4_FC_REASON_RENAME_DIR), + FC_REASON_NAME_STAT(EXT4_FC_REASON_FALLOC_RANGE), + FC_REASON_NAME_STAT(EXT4_FC_REASON_INODE_JOURNAL_DATA), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_ENCRYPTED_FILENAME), + __entry->fc_commits, __entry->fc_ineligible_commits, + __entry->fc_numblks) + ); --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-disallow-ea_inodes-with-extended-attributes.patch @@ -0,0 +1,39 @@ +From 2bc7e7c1a3bc9bd0cbf0f71006f6fe7ef24a00c2 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Tue, 23 May 2023 23:49:50 -0400 +Subject: [PATCH] ext4: disallow ea_inodes with extended attributes +Git-commit: 2bc7e7c1a3bc9bd0cbf0f71006f6fe7ef24a00c2 +Patch-mainline: v6.4-rc5 +References: bsc#1213108 + +An ea_inode stores the value of an extended attribute; it can not have +extended attributes itself, or this will cause recursive nightmares. +Add a check in ext4_iget() to make sure this is the case. + +Cc: stable@kernel.org +Reported-by: syzbot+e44749b6ba4d0434cd47@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Link: https://lore.kernel.org/r/20230524034951.779531-4-tytso@mit.edu +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 258f3cbed347..02de439bf1f0 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4647,6 +4647,9 @@ static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags) + if (flags & EXT4_IGET_EA_INODE) { + if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) + return "missing EA_INODE flag"; ++ if (ext4_test_inode_state(inode, EXT4_STATE_XATTR) || ++ EXT4_I(inode)->i_file_acl) ++ return "ea_inode with extended attributes"; + } else { + if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) + return "unexpected EA_INODE flag"; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-don-t-allow-journal-inode-to-have-encrypt-flag.patch @@ -0,0 +1,58 @@ +From 105c78e12468413e426625831faa7db4284e1fec Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Tue, 1 Nov 2022 22:33:12 -0700 +Subject: [PATCH] ext4: don't allow journal inode to have encrypt flag +Git-commit: 105c78e12468413e426625831faa7db4284e1fec +Patch-mainline: v6.2-rc1 +References: bsc#1207621 + +Mounting a filesystem whose journal inode has the encrypt flag causes a +NULL dereference in fscrypt_limit_io_blocks() when the 'inlinecrypt' +mount option is used. + +The problem is that when jbd2_journal_init_inode() calls bmap(), it +eventually finds its way into ext4_iomap_begin(), which calls +fscrypt_limit_io_blocks(). fscrypt_limit_io_blocks() requires that if +the inode is encrypted, then its encryption key must already be set up. +That's not the case here, since the journal inode is never "opened" like +a normal file would be. Hence the crash. + +A reproducer is: + + mkfs.ext4 -F /dev/vdb + debugfs -w /dev/vdb -R "set_inode_field <8> flags 0x80808" + mount /dev/vdb /mnt -o inlinecrypt + +To fix this, make ext4 consider journal inodes with the encrypt flag to +be invalid. (Note, maybe other flags should be rejected on the journal +inode too. For now, this is just the minimal fix for the above issue.) + +I've marked this as fixing the commit that introduced the call to +fscrypt_limit_io_blocks(), since that's what made an actual crash start +being possible. But this fix could be applied to any version of ext4 +that supports the encrypt feature. + +Reported-by: syzbot+ba9dac45bc76c490b7c3@syzkaller.appspotmail.com +Fixes: 38ea50daa7a4 ("ext4: support direct I/O with fscrypt using blk-crypto") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers <ebiggers@google.com> +Link: https://lore.kernel.org/r/20221102053312.189962-1-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5302,7 +5302,7 @@ static struct inode *ext4_get_journal_in + + jbd_debug(2, "Journal inode found at %p: %lld bytes\n", + journal_inode, journal_inode->i_size); +- if (!S_ISREG(journal_inode->i_mode)) { ++ if (!S_ISREG(journal_inode->i_mode) || IS_ENCRYPTED(journal_inode)) { + ext4_msg(sb, KERN_ERR, "invalid journal inode"); + iput(journal_inode); + return NULL; --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-don-t-increase-iversion-counter-for-ea_inodes.patch @@ -0,0 +1,49 @@ +From 50f094a5580e6297bf10a807d16f0ee23fa576cf Mon Sep 17 00:00:00 2001 +From: Lukas Czerner <lczerner@redhat.com> +Date: Wed, 24 Aug 2022 18:03:47 +0200 +Subject: [PATCH] ext4: don't increase iversion counter for ea_inodes +Git-commit: 50f094a5580e6297bf10a807d16f0ee23fa576cf +Patch-mainline: v6.1-rc1 +References: bsc#1207605 + +ea_inodes are using i_version for storing part of the reference count so +we really need to leave it alone. + +The problem can be reproduced by xfstest ext4/026 when iversion is +enabled. Fix it by not calling inode_inc_iversion() for EXT4_EA_INODE_FL +inodes in ext4_mark_iloc_dirty(). + +Cc: stable@kernel.org +Signed-off-by: Lukas Czerner <lczerner@redhat.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org> +Link: https://lore.kernel.org/r/20220824160349.39664-1-lczerner@redhat.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 601214453c3a..2a220be34caa 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5731,7 +5731,12 @@ int ext4_mark_iloc_dirty(handle_t *handle, + } + ext4_fc_track_inode(handle, inode); + +- if (IS_I_VERSION(inode)) ++ /* ++ * ea_inodes are using i_version for storing reference count, don't ++ * mess with it ++ */ ++ if (IS_I_VERSION(inode) && ++ !(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) + inode_inc_iversion(inode); + + /* the do_update_inode consumes one bh->b_count */ +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-don-t-set-up-encryption-key-during-jbd2-transac.patch @@ -0,0 +1,158 @@ +From 4c0d5778385cb3618ff26a561ce41de2b7d9de70 Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Sun, 6 Nov 2022 14:48:36 -0800 +Subject: [PATCH] ext4: don't set up encryption key during jbd2 transaction +Git-commit: 4c0d5778385cb3618ff26a561ce41de2b7d9de70 +Patch-mainline: v6.2-rc1 +References: bsc#1207624 + +Commit a80f7fcf1867 ("ext4: fixup ext4_fc_track_* functions' signature") +extended the scope of the transaction in ext4_unlink() too far, making +it include the call to ext4_find_entry(). However, ext4_find_entry() +can deadlock when called from within a transaction because it may need +to set up the directory's encryption key. + +Fix this by restoring the transaction to its original scope. + +Reported-by: syzbot+1a748d0007eeac3ab079@syzkaller.appspotmail.com +Fixes: a80f7fcf1867 ("ext4: fixup ext4_fc_track_* functions' signature") +Cc: <stable@vger.kernel.org> # v5.10+ +Signed-off-by: Eric Biggers <ebiggers@google.com> +Link: https://lore.kernel.org/r/20221106224841.279231-3-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 4 ++-- + fs/ext4/fast_commit.c | 2 +- + fs/ext4/namei.c | 44 ++++++++++++++++++++++++-------------------- + 3 files changed, 27 insertions(+), 23 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -3605,8 +3605,8 @@ extern void ext4_initialize_dirent_tail( + unsigned int blocksize); + extern int ext4_handle_dirty_dirblock(handle_t *handle, struct inode *inode, + struct buffer_head *bh); +-extern int __ext4_unlink(handle_t *handle, struct inode *dir, const struct qstr *d_name, +- struct inode *inode); ++extern int __ext4_unlink(struct inode *dir, const struct qstr *d_name, ++ struct inode *inode, struct dentry *dentry); + extern int __ext4_link(struct inode *dir, struct inode *inode, + struct dentry *dentry); + +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1334,7 +1334,7 @@ static int ext4_fc_replay_unlink(struct + return 0; + } + +- ret = __ext4_unlink(NULL, old_parent, &entry, inode); ++ ret = __ext4_unlink(old_parent, &entry, inode, NULL); + /* -ENOENT ok coz it might not exist anymore. */ + if (ret == -ENOENT) + ret = 0; +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3389,14 +3389,20 @@ end_rmdir: + return retval; + } + +-int __ext4_unlink(handle_t *handle, struct inode *dir, const struct qstr *d_name, +- struct inode *inode) ++int __ext4_unlink(struct inode *dir, const struct qstr *d_name, ++ struct inode *inode, ++ struct dentry *dentry /* NULL during fast_commit recovery */) + { + int retval = -ENOENT; + struct buffer_head *bh; + struct ext4_dir_entry_2 *de; ++ handle_t *handle; + int skip_remove_dentry = 0; + ++ /* ++ * Keep this outside the transaction; it may have to set up the ++ * directory's encryption key, which isn't GFP_NOFS-safe. ++ */ + bh = ext4_find_entry(dir, d_name, &de, NULL); + if (IS_ERR(bh)) + return PTR_ERR(bh); +@@ -3413,7 +3419,14 @@ int __ext4_unlink(handle_t *handle, stru + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) + skip_remove_dentry = 1; + else +- goto out; ++ goto out_bh; ++ } ++ ++ handle = ext4_journal_start(dir, EXT4_HT_DIR, ++ EXT4_DATA_TRANS_BLOCKS(dir->i_sb)); ++ if (IS_ERR(handle)) { ++ retval = PTR_ERR(handle); ++ goto out_bh; + } + + if (IS_DIRSYNC(dir)) +@@ -3422,12 +3435,12 @@ int __ext4_unlink(handle_t *handle, stru + if (!skip_remove_dentry) { + retval = ext4_delete_entry(handle, dir, de, bh); + if (retval) +- goto out; ++ goto out_handle; + dir->i_ctime = dir->i_mtime = current_time(dir); + ext4_update_dx_flag(dir); + retval = ext4_mark_inode_dirty(handle, dir); + if (retval) +- goto out; ++ goto out_handle; + } else { + retval = 0; + } +@@ -3440,15 +3453,17 @@ int __ext4_unlink(handle_t *handle, stru + ext4_orphan_add(handle, inode); + inode->i_ctime = current_time(inode); + retval = ext4_mark_inode_dirty(handle, inode); +- +-out: ++ if (dentry && !retval) ++ ext4_fc_track_unlink(handle, dentry); ++out_handle: ++ ext4_journal_stop(handle); ++out_bh: + brelse(bh); + return retval; + } + + static int ext4_unlink(struct inode *dir, struct dentry *dentry) + { +- handle_t *handle; + int retval; + + if (unlikely(ext4_forced_shutdown(EXT4_SB(dir->i_sb)))) +@@ -3466,16 +3481,7 @@ static int ext4_unlink(struct inode *dir + if (retval) + goto out_trace; + +- handle = ext4_journal_start(dir, EXT4_HT_DIR, +- EXT4_DATA_TRANS_BLOCKS(dir->i_sb)); +- if (IS_ERR(handle)) { +- retval = PTR_ERR(handle); +- goto out_trace; +- } +- +- retval = __ext4_unlink(handle, dir, &dentry->d_name, d_inode(dentry)); +- if (!retval) +- ext4_fc_track_unlink(handle, dentry); ++ retval = __ext4_unlink(dir, &dentry->d_name, d_inode(dentry), dentry); + #ifdef CONFIG_UNICODE + /* VFS negative dentries are incompatible with Encoding and + * Case-insensitiveness. Eventually we'll want avoid +@@ -3486,8 +3492,6 @@ static int ext4_unlink(struct inode *dir + if (IS_CASEFOLDED(dir)) + d_invalidate(dentry); + #endif +- if (handle) +- ext4_journal_stop(handle); + + out_trace: + trace_ext4_unlink_exit(dentry, retval); --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-don-t-use-the-orphan-list-when-migrating-an-ino.patch @@ -0,0 +1,88 @@ +From 6eeaf88fd586f05aaf1d48cb3a139d2a5c6eb055 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Wed, 5 Jan 2022 23:59:56 -0500 +Subject: [PATCH] ext4: don't use the orphan list when migrating an inode +Git-commit: 6eeaf88fd586f05aaf1d48cb3a139d2a5c6eb055 +Patch-mainline: v5.17-rc1 +References: bsc#1197756 + +We probably want to remove the indirect block to extents migration +feature after a deprecation window, but until then, let's fix a +potential data loss problem caused by the fact that we put the +tmp_inode on the orphan list. In the unlikely case where we crash and +do a journal recovery, the data blocks belonging to the inode being +migrated are also represented in the tmp_inode on the orphan list --- +and so its data blocks will get marked unallocated, and available for +reuse. + +Instead, stop putting the tmp_inode on the oprhan list. So in the +case where we crash while migrating the inode, we'll leak an inode, +which is not a disaster. It will be easily fixed the next time we run +fsck, and it's better than potentially having blocks getting claimed +by two different files, and losing data as a result. + +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Reviewed-by: Lukas Czerner <lczerner@redhat.com> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/migrate.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c +index 36dfc88ce05b..ff8916e1d38e 100644 +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -437,12 +437,12 @@ int ext4_ext_migrate(struct inode *inode) + percpu_down_write(&sbi->s_writepages_rwsem); + + /* +- * Worst case we can touch the allocation bitmaps, a bgd +- * block, and a block to link in the orphan list. We do need +- * need to worry about credits for modifying the quota inode. ++ * Worst case we can touch the allocation bitmaps and a block ++ * group descriptor block. We do need need to worry about ++ * credits for modifying the quota inode. + */ + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, +- 4 + EXT4_MAXQUOTAS_TRANS_BLOCKS(inode->i_sb)); ++ 3 + EXT4_MAXQUOTAS_TRANS_BLOCKS(inode->i_sb)); + + if (IS_ERR(handle)) { + retval = PTR_ERR(handle); +@@ -463,10 +463,6 @@ int ext4_ext_migrate(struct inode *inode) + * Use the correct seed for checksum (i.e. the seed from 'inode'). This + * is so that the metadata blocks will have the correct checksum after + * the migration. +- * +- * Note however that, if a crash occurs during the migration process, +- * the recovery process is broken because the tmp_inode checksums will +- * be wrong and the orphans cleanup will fail. + */ + ei = EXT4_I(inode); + EXT4_I(tmp_inode)->i_csum_seed = ei->i_csum_seed; +@@ -478,7 +474,6 @@ int ext4_ext_migrate(struct inode *inode) + clear_nlink(tmp_inode); + + ext4_ext_tree_init(handle, tmp_inode); +- ext4_orphan_add(handle, tmp_inode); + ext4_journal_stop(handle); + + /* +@@ -503,12 +498,6 @@ int ext4_ext_migrate(struct inode *inode) + + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, 1); + if (IS_ERR(handle)) { +- /* +- * It is impossible to update on-disk structures without +- * a handle, so just rollback in-core changes and live other +- * work to orphan_list_cleanup() +- */ +- ext4_orphan_del(NULL, tmp_inode); + retval = PTR_ERR(handle); + goto out_tmp_inode; + } +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-ext4_read_bh_lock-should-submit-IO-if-the-buffe.patch @@ -0,0 +1,81 @@ +From 0b73284c564d3ae4feef4bc920292f004acf4980 Mon Sep 17 00:00:00 2001 +From: Zhang Yi <yi.zhang@huawei.com> +Date: Wed, 31 Aug 2022 15:46:29 +0800 +Subject: [PATCH] ext4: ext4_read_bh_lock() should submit IO if the buffer + isn't uptodate +Git-commit: 0b73284c564d3ae4feef4bc920292f004acf4980 +Patch-mainline: v6.1-rc1 +References: bsc#1207606 + +Recently we notice that ext4 filesystem would occasionally fail to read +metadata from disk and report error message, but the disk and block +layer looks fine. After analyse, we lockon commit 88dbcbb3a484 +("blkdev: avoid migration stalls for blkdev pages"). It provide a +migration method for the bdev, we could move page that has buffers +without extra users now, but it lock the buffers on the page, which +breaks the fragile metadata read operation on ext4 filesystem, +ext4_read_bh_lock() was copied from ll_rw_block(), it depends on the +assumption of that locked buffer means it is under IO. So it just +trylock the buffer and skip submit IO if it lock failed, after +wait_on_buffer() we conclude IO error because the buffer is not +uptodate. + +This issue could be easily reproduced by add some delay just after +buffer_migrate_lock_buffers() in __buffer_migrate_folio() and do +fsstress on ext4 filesystem. + + EXT4-fs error (device pmem1): __ext4_find_entry:1658: inode #73193: + comm fsstress: reading directory lblock 0 + EXT4-fs error (device pmem1): __ext4_find_entry:1658: inode #75334: + comm fsstress: reading directory lblock 0 + +Fix it by removing the trylock logic in ext4_read_bh_lock(), just lock +the buffer and submit IO if it's not uptodate, and also leave over +readahead helper. + +Cc: stable@kernel.org +Signed-off-by: Zhang Yi <yi.zhang@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220831074629.3755110-1-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -187,19 +187,12 @@ int ext4_read_bh(struct buffer_head *bh, + + int ext4_read_bh_lock(struct buffer_head *bh, int op_flags, bool wait) + { +- if (trylock_buffer(bh)) { +- if (wait) +- return ext4_read_bh(bh, op_flags, NULL); ++ lock_buffer(bh); ++ if (!wait) { + ext4_read_bh_nowait(bh, op_flags, NULL); + return 0; + } +- if (wait) { +- wait_on_buffer(bh); +- if (buffer_uptodate(bh)) +- return 0; +- return -EIO; +- } +- return 0; ++ return ext4_read_bh(bh, op_flags, NULL); + } + + /* +@@ -246,7 +239,8 @@ void ext4_sb_breadahead_unmovable(struct + struct buffer_head *bh = sb_getblk_gfp(sb, block, 0); + + if (likely(bh)) { +- ext4_read_bh_lock(bh, REQ_RAHEAD, false); ++ if (trylock_buffer(bh)) ++ ext4_read_bh_nowait(bh, REQ_RAHEAD, NULL); + brelse(bh); + } + } --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-f2fs-fix-readahead-of-verity-data.patch @@ -0,0 +1,48 @@ +From 4fa0e3ff217f775cb58d2d6d51820ec519243fb9 Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" <willy@infradead.org> +Date: Wed, 12 Oct 2022 20:34:19 +0100 +Subject: [PATCH] ext4,f2fs: fix readahead of verity data +Git-commit: 4fa0e3ff217f775cb58d2d6d51820ec519243fb9 +Patch-mainline: v6.1-rc1 +References: bsc#1207648 + +The recent change of page_cache_ra_unbounded() arguments was buggy in the +two callers, causing us to readahead the wrong pages. Move the definition +of ractl down to after the index is set correctly. This affected +performance on configurations that use fs-verity. + +Link: https://lkml.kernel.org/r/20221012193419.1453558-1-willy@infradead.org +Fixes: 73bb49da50cd ("mm/readahead: make page_cache_ra_unbounded take a readahead_control") +Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> +Reported-by: Jintao Yin <nicememory@gmail.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/verity.c | 3 ++- + fs/f2fs/verity.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/verity.c b/fs/ext4/verity.c +index b051d19b5c8a..94442c690ca7 100644 +--- a/fs/ext4/verity.c ++++ b/fs/ext4/verity.c +@@ -365,13 +365,14 @@ static struct page *ext4_read_merkle_tree_page(struct inode *inode, + pgoff_t index, + unsigned long num_ra_pages) + { +- DEFINE_READAHEAD(ractl, NULL, NULL, inode->i_mapping, index); + struct page *page; + + index += ext4_verity_metadata_pos(inode) >> PAGE_SHIFT; + + page = find_get_page_flags(inode->i_mapping, index, FGP_ACCESSED); + if (!page || !PageUptodate(page)) { ++ DEFINE_READAHEAD(ractl, NULL, NULL, inode->i_mapping, index); ++ + if (page) + put_page(page); + else if (num_ra_pages > 1) +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-factor-out-ext4_fc_get_tl.patch @@ -0,0 +1,148 @@ +From dcc5827484d6e53ccda12334f8bbfafcc593ceda Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Sat, 24 Sep 2022 15:52:32 +0800 +Subject: [PATCH] ext4: factor out ext4_fc_get_tl() +Git-commit: dcc5827484d6e53ccda12334f8bbfafcc593ceda +Patch-mainline: v6.1-rc1 +References: bsc#1207615 + +Factor out ext4_fc_get_tl() to fill 'tl' with host byte order. + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Link: https://lore.kernel.org/r/20220924075233.2315259-3-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 46 +++++++++++++++++++++++++--------------------- + 1 file changed, 25 insertions(+), 21 deletions(-) + +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1275,7 +1275,7 @@ struct dentry_info_args { + }; + + static inline void tl_to_darg(struct dentry_info_args *darg, +- struct ext4_fc_tl *tl, u8 *val) ++ struct ext4_fc_tl *tl, u8 *val) + { + struct ext4_fc_dentry_info fcd; + +@@ -1284,8 +1284,14 @@ static inline void tl_to_darg(struct den + darg->parent_ino = le32_to_cpu(fcd.fc_parent_ino); + darg->ino = le32_to_cpu(fcd.fc_ino); + darg->dname = val + offsetof(struct ext4_fc_dentry_info, fc_dname); +- darg->dname_len = le16_to_cpu(tl->fc_len) - +- sizeof(struct ext4_fc_dentry_info); ++ darg->dname_len = tl->fc_len - sizeof(struct ext4_fc_dentry_info); ++} ++ ++static inline void ext4_fc_get_tl(struct ext4_fc_tl *tl, u8 *val) ++{ ++ memcpy(tl, val, EXT4_FC_TAG_BASE_LEN); ++ tl->fc_len = le16_to_cpu(tl->fc_len); ++ tl->fc_tag = le16_to_cpu(tl->fc_tag); + } + + /* Unlink replay function */ +@@ -1450,7 +1456,7 @@ static int ext4_fc_replay_inode(struct s + struct ext4_inode *raw_fc_inode; + struct inode *inode = NULL; + struct ext4_iloc iloc; +- int inode_len, ino, ret, tag = le16_to_cpu(tl->fc_tag); ++ int inode_len, ino, ret, tag = tl->fc_tag; + struct ext4_extent_header *eh; + + memcpy(&fc_inode, val, sizeof(fc_inode)); +@@ -1475,7 +1481,7 @@ static int ext4_fc_replay_inode(struct s + if (ret) + goto out; + +- inode_len = le16_to_cpu(tl->fc_len) - sizeof(struct ext4_fc_inode); ++ inode_len = tl->fc_len - sizeof(struct ext4_fc_inode); + raw_inode = ext4_raw_inode(&iloc); + + memcpy(raw_inode, raw_fc_inode, offsetof(struct ext4_inode, i_block)); +@@ -1962,12 +1968,12 @@ static int ext4_fc_replay_scan(journal_t + + state->fc_replay_expected_off++; + for (cur = start; cur < end; +- cur = cur + EXT4_FC_TAG_BASE_LEN + le16_to_cpu(tl.fc_len)) { +- memcpy(&tl, cur, EXT4_FC_TAG_BASE_LEN); ++ cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { ++ ext4_fc_get_tl(&tl, cur); + val = cur + EXT4_FC_TAG_BASE_LEN; + jbd_debug(3, "Scan phase, tag:%s, blk %lld\n", +- tag2str(le16_to_cpu(tl.fc_tag)), bh->b_blocknr); +- switch (le16_to_cpu(tl.fc_tag)) { ++ tag2str(tl.fc_tag), bh->b_blocknr); ++ switch (tl.fc_tag) { + case EXT4_FC_TAG_ADD_RANGE: + memcpy(&ext, val, sizeof(ext)); + ex = (struct ext4_extent *)&ext.fc_ex; +@@ -1987,7 +1993,7 @@ static int ext4_fc_replay_scan(journal_t + case EXT4_FC_TAG_PAD: + state->fc_cur_tag++; + state->fc_crc = ext4_chksum(sbi, state->fc_crc, cur, +- EXT4_FC_TAG_BASE_LEN + le16_to_cpu(tl.fc_len)); ++ EXT4_FC_TAG_BASE_LEN + tl.fc_len); + break; + case EXT4_FC_TAG_TAIL: + state->fc_cur_tag++; +@@ -2020,7 +2026,7 @@ static int ext4_fc_replay_scan(journal_t + } + state->fc_cur_tag++; + state->fc_crc = ext4_chksum(sbi, state->fc_crc, cur, +- EXT4_FC_TAG_BASE_LEN + le16_to_cpu(tl.fc_len)); ++ EXT4_FC_TAG_BASE_LEN + tl.fc_len); + break; + default: + ret = state->fc_replay_num_tags ? +@@ -2076,8 +2082,8 @@ static int ext4_fc_replay(journal_t *jou + end = (__u8 *)bh->b_data + journal->j_blocksize - 1; + + for (cur = start; cur < end; +- cur = cur + EXT4_FC_TAG_BASE_LEN + le16_to_cpu(tl.fc_len)) { +- memcpy(&tl, cur, EXT4_FC_TAG_BASE_LEN); ++ cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { ++ ext4_fc_get_tl(&tl, cur); + val = cur + EXT4_FC_TAG_BASE_LEN; + + if (state->fc_replay_num_tags == 0) { +@@ -2085,10 +2091,9 @@ static int ext4_fc_replay(journal_t *jou + ext4_fc_set_bitmaps_and_counters(sb); + break; + } +- jbd_debug(3, "Replay phase, tag:%s\n", +- tag2str(le16_to_cpu(tl.fc_tag))); ++ jbd_debug(3, "Replay phase, tag:%s\n", tag2str(tl.fc_tag)); + state->fc_replay_num_tags--; +- switch (le16_to_cpu(tl.fc_tag)) { ++ switch (tl.fc_tag) { + case EXT4_FC_TAG_LINK: + ret = ext4_fc_replay_link(sb, &tl, val); + break; +@@ -2109,19 +2114,18 @@ static int ext4_fc_replay(journal_t *jou + break; + case EXT4_FC_TAG_PAD: + trace_ext4_fc_replay(sb, EXT4_FC_TAG_PAD, 0, +- le16_to_cpu(tl.fc_len), 0); ++ tl.fc_len, 0); + break; + case EXT4_FC_TAG_TAIL: +- trace_ext4_fc_replay(sb, EXT4_FC_TAG_TAIL, 0, +- le16_to_cpu(tl.fc_len), 0); ++ trace_ext4_fc_replay(sb, EXT4_FC_TAG_TAIL, ++ 0, tl.fc_len, 0); + memcpy(&tail, val, sizeof(tail)); + WARN_ON(le32_to_cpu(tail.fc_tid) != expected_tid); + break; + case EXT4_FC_TAG_HEAD: + break; + default: +- trace_ext4_fc_replay(sb, le16_to_cpu(tl.fc_tag), 0, +- le16_to_cpu(tl.fc_len), 0); ++ trace_ext4_fc_replay(sb, tl.fc_tag, 0, tl.fc_len, 0); + ret = -ECANCELED; + break; + } --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fail-ext4_iget-if-special-inode-unallocated.patch @@ -0,0 +1,76 @@ +From 5cd740287ae5e3f9d1c46f5bfe8778972fd6d3fe Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Sat, 7 Jan 2023 11:21:25 +0800 +Subject: [PATCH] ext4: fail ext4_iget if special inode unallocated +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5cd740287ae5e3f9d1c46f5bfe8778972fd6d3fe +Patch-mainline: v6.3-rc1 +References: bsc#1213010 + +In ext4_fill_super(), EXT4_ORPHAN_FS flag is cleared after +ext4_orphan_cleanup() is executed. Therefore, when __ext4_iget() is +called to get an inode whose i_nlink is 0 when the flag exists, no error +is returned. If the inode is a special inode, a null pointer dereference +may occur. If the value of i_nlink is 0 for any inodes (except boot loader +inodes) got by using the EXT4_IGET_SPECIAL flag, the current file system +is corrupted. Therefore, make the ext4_iget() function return an error if +it gets such an abnormal special inode. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199179 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216541 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216539 +Reported-by: LuÃs Henriques <lhenriques@suse.de> +Suggested-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230107032126.4165860-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 9df913bdb416..b65dadfe3b45 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4872,13 +4872,6 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + goto bad_inode; + raw_inode = ext4_raw_inode(&iloc); + +- if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { +- ext4_error_inode(inode, function, line, 0, +- "iget: root inode unallocated"); +- ret = -EFSCORRUPTED; +- goto bad_inode; +- } +- + if ((flags & EXT4_IGET_HANDLE) && + (raw_inode->i_links_count == 0) && (raw_inode->i_mode == 0)) { + ret = -ESTALE; +@@ -4951,11 +4944,16 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, + * NeilBrown 1999oct15 + */ + if (inode->i_nlink == 0) { +- if ((inode->i_mode == 0 || ++ if ((inode->i_mode == 0 || flags & EXT4_IGET_SPECIAL || + !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS)) && + ino != EXT4_BOOT_LOADER_INO) { +- /* this inode is deleted */ +- ret = -ESTALE; ++ /* this inode is deleted or unallocated */ ++ if (flags & EXT4_IGET_SPECIAL) { ++ ext4_error_inode(inode, function, line, 0, ++ "iget: special inode unallocated"); ++ ret = -EFSCORRUPTED; ++ } else ++ ret = -ESTALE; + goto bad_inode; + } + /* The only unlinked inodes we let through here have +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fast-commit-may-miss-tracking-unwritten-range-d.patch @@ -0,0 +1,44 @@ +From 9725958bb75cdfa10f2ec11526fdb23e7485e8e4 Mon Sep 17 00:00:00 2001 +From: Xin Yin <yinxin.x@bytedance.com> +Date: Thu, 23 Dec 2021 11:23:37 +0800 +Subject: [PATCH] ext4: fast commit may miss tracking unwritten range during + ftruncate +Git-commit: 9725958bb75cdfa10f2ec11526fdb23e7485e8e4 +Patch-mainline: v5.17-rc1 +References: bsc#1202759 + +If use FALLOC_FL_KEEP_SIZE to alloc unwritten range at bottom, the +inode->i_size will not include the unwritten range. When call +ftruncate with fast commit enabled, it will miss to track the +unwritten range. + +Change to trace the full range during ftruncate. + +Signed-off-by: Xin Yin <yinxin.x@bytedance.com> +Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com> +Link: https://lore.kernel.org/r/20211223032337.5198-3-yinxin.x@bytedance.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 4895909de21b..08a90e25b78b 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5424,8 +5424,7 @@ int ext4_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, + ext4_fc_track_range(handle, inode, + (attr->ia_size > 0 ? attr->ia_size - 1 : 0) >> + inode->i_sb->s_blocksize_bits, +- (oldsize > 0 ? oldsize - 1 : 0) >> +- inode->i_sb->s_blocksize_bits); ++ EXT_MAX_BLOCKS - 1); + else + ext4_fc_track_range( + handle, inode, +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-filter-out-EXT4_FC_REPLAY-from-on-disk-superblo.patch @@ -0,0 +1,62 @@ +From c878bea3c9d724ddfa05a813f30de3d25a0ba83f Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Tue, 17 May 2022 13:27:55 -0400 +Subject: [PATCH] ext4: filter out EXT4_FC_REPLAY from on-disk superblock field + s_state +Git-commit: c878bea3c9d724ddfa05a813f30de3d25a0ba83f +Patch-mainline: v5.19-rc1 +References: bsc#1202771 + +The EXT4_FC_REPLAY bit in sbi->s_mount_state is used to indicate that +we are in the middle of replay the fast commit journal. This was +actually a mistake, since the sbi->s_mount_info is initialized from +es->s_state. Arguably s_mount_state is misleadingly named, but the +name is historical --- s_mount_state and s_state dates back to ext2. + +What should have been used is the ext4_{set,clear,test}_mount_flag() +inline functions, which sets EXT4_MF_* bits in sbi->s_mount_flags. + +The problem with using EXT4_FC_REPLAY is that a maliciously corrupted +superblock could result in EXT4_FC_REPLAY getting set in +s_mount_state. This bypasses some sanity checks, and this can trigger +a BUG() in ext4_es_cache_extent(). As a easy-to-backport-fix, filter +out the EXT4_FC_REPLAY bit for now. We should eventually transition +away from EXT4_FC_REPLAY to something like EXT4_MF_REPLAY. + +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Link: https://lore.kernel.org/r/20220420192312.1655305-1-phind.uet@gmail.com +Link: https://lore.kernel.org/r/20220517174028.942119-1-tytso@mit.edu +Reported-by: syzbot+c7358a3cd05ee786eb31@syzkaller.appspotmail.com +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 7f6cd2473163..9cbb22045379 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4770,7 +4770,7 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) + sbi->s_inodes_per_block; + sbi->s_desc_per_block = blocksize / EXT4_DESC_SIZE(sb); + sbi->s_sbh = bh; +- sbi->s_mount_state = le16_to_cpu(es->s_state); ++ sbi->s_mount_state = le16_to_cpu(es->s_state) & ~EXT4_FC_REPLAY; + sbi->s_addr_per_block_bits = ilog2(EXT4_ADDR_PER_BLOCK(sb)); + sbi->s_desc_per_block_bits = ilog2(EXT4_DESC_PER_BLOCK(sb)); + +@@ -6333,7 +6333,8 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + if (err) + goto restore_opts; + } +- sbi->s_mount_state = le16_to_cpu(es->s_state); ++ sbi->s_mount_state = (le16_to_cpu(es->s_state) & ++ ~EXT4_FC_REPLAY); + + err = ext4_setup_super(sb, es, 0); + if (err) +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-BUG_ON-when-directory-entry-has-invalid-rec.patch @@ -0,0 +1,74 @@ +From 17a0bc9bd697f75cfdf9b378d5eb2d7409c91340 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= <lhenriques@suse.de> +Date: Wed, 12 Oct 2022 14:13:30 +0100 +Subject: [PATCH] ext4: fix BUG_ON() when directory entry has invalid rec_len +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 17a0bc9bd697f75cfdf9b378d5eb2d7409c91340 +Patch-mainline: v6.1-rc4 +References: bsc#1206886 + +The rec_len field in the directory entry has to be a multiple of 4. A +corrupted filesystem image can be used to hit a BUG() in +ext4_rec_len_to_disk(), called from make_indexed_dir(). + + ------------[ cut here ]------------ + kernel BUG at fs/ext4/ext4.h:2413! + ... + RIP: 0010:make_indexed_dir+0x53f/0x5f0 + ... + Call Trace: + <TASK> + ? add_dirent_to_buf+0x1b2/0x200 + ext4_add_entry+0x36e/0x480 + ext4_add_nondir+0x2b/0xc0 + ext4_create+0x163/0x200 + path_openat+0x635/0xe90 + do_filp_open+0xb4/0x160 + ? __create_object.isra.0+0x1de/0x3b0 + ? _raw_spin_unlock+0x12/0x30 + do_sys_openat2+0x91/0x150 + __x64_sys_open+0x6c/0xa0 + do_syscall_64+0x3c/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +The fix simply adds a call to ext4_check_dir_entry() to validate the +directory entry, returning -EFSCORRUPTED if the entry is invalid. + +Cc: stable@kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216540 +Signed-off-by: LuÃs Henriques <lhenriques@suse.de> +Link: https://lore.kernel.org/r/20221012131330.32456-1-lhenriques@suse.de +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 4183a4cb4a21..be8136aafa22 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2259,8 +2259,16 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, + memset(de, 0, len); /* wipe old data */ + de = (struct ext4_dir_entry_2 *) data2; + top = data2 + len; +- while ((char *)(de2 = ext4_next_entry(de, blocksize)) < top) ++ while ((char *)(de2 = ext4_next_entry(de, blocksize)) < top) { ++ if (ext4_check_dir_entry(dir, NULL, de, bh2, data2, len, ++ (data2 + (blocksize - csum_size) - ++ (char *) de))) { ++ brelse(bh2); ++ brelse(bh); ++ return -EFSCORRUPTED; ++ } + de = de2; ++ } + de->rec_len = ext4_rec_len_to_disk(data2 + (blocksize - csum_size) - + (char *) de, blocksize); + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-RENAME_WHITEOUT-handling-for-inline-directo.patch @@ -0,0 +1,93 @@ +From c9f62c8b2dbf7240536c0cc9a4529397bb8bf38e Mon Sep 17 00:00:00 2001 +From: Eric Whitney <enwlinux@gmail.com> +Date: Fri, 10 Feb 2023 12:32:44 -0500 +Subject: [PATCH] ext4: fix RENAME_WHITEOUT handling for inline directories +Git-commit: c9f62c8b2dbf7240536c0cc9a4529397bb8bf38e +Patch-mainline: v6.3-rc2 +References: bsc#1210766 + +A significant number of xfstests can cause ext4 to log one or more +warning messages when they are run on a test file system where the +inline_data feature has been enabled. An example: + +"EXT4-fs warning (device vdc): ext4_dirblock_csum_set:425: inode + #16385: comm fsstress: No space for directory leaf checksum. Please +run e2fsck -D." + +The xfstests include: ext4/057, 058, and 307; generic/013, 051, 068, +070, 076, 078, 083, 232, 269, 270, 390, 461, 475, 476, 482, 579, 585, +589, 626, 631, and 650. + +In this situation, the warning message indicates a bug in the code that +performs the RENAME_WHITEOUT operation on a directory entry that has +been stored inline. It doesn't detect that the directory is stored +inline, and incorrectly attempts to compute a dirent block checksum on +the whiteout inode when creating it. This attempt fails as a result +of the integrity checking in get_dirent_tail (usually due to a failure +to match the EXT4_FT_DIR_CSUM magic cookie), and the warning message +is then emitted. + +Fix this by simply collecting the inlined data state at the time the +search for the source directory entry is performed. Existing code +handles the rest, and this is sufficient to eliminate all spurious +warning messages produced by the tests above. Go one step further +and do the same in the code that resets the source directory entry in +the event of failure. The inlined state should be present in the +"old" struct, but given the possibility of a race there's no harm +in taking a conservative approach and getting that information again +since the directory entry is being reread anyway. + +Fixes: b7ff91fd030d ("ext4: find old entry again if failed to rename whiteout") +Cc: stable@kernel.org +Signed-off-by: Eric Whitney <enwlinux@gmail.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230210173244.679890-1-enwlinux@gmail.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 270fbcba75b6..e8f429330f3c 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1595,11 +1595,10 @@ static struct buffer_head *__ext4_find_entry(struct inode *dir, + int has_inline_data = 1; + ret = ext4_find_inline_entry(dir, fname, res_dir, + &has_inline_data); +- if (has_inline_data) { +- if (inlined) +- *inlined = 1; ++ if (inlined) ++ *inlined = has_inline_data; ++ if (has_inline_data) + goto cleanup_and_exit; +- } + } + + if ((namelen <= 2) && (name[0] == '.') && +@@ -3646,7 +3645,8 @@ static void ext4_resetent(handle_t *handle, struct ext4_renament *ent, + * so the old->de may no longer valid and need to find it again + * before reset old inode info. + */ +- old.bh = ext4_find_entry(old.dir, &old.dentry->d_name, &old.de, NULL); ++ old.bh = ext4_find_entry(old.dir, &old.dentry->d_name, &old.de, ++ &old.inlined); + if (IS_ERR(old.bh)) + retval = PTR_ERR(old.bh); + if (!old.bh) +@@ -3813,7 +3813,8 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + return retval; + } + +- old.bh = ext4_find_entry(old.dir, &old.dentry->d_name, &old.de, NULL); ++ old.bh = ext4_find_entry(old.dir, &old.dentry->d_name, &old.de, ++ &old.inlined); + if (IS_ERR(old.bh)) + return PTR_ERR(old.bh); + /* +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-WARNING-in-ext4_update_inline_data.patch @@ -0,0 +1,114 @@ +From 2b96b4a5d9443ca4cad58b0040be455803c05a42 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Tue, 7 Mar 2023 09:52:53 +0800 +Subject: [PATCH] ext4: fix WARNING in ext4_update_inline_data +Git-commit: 2b96b4a5d9443ca4cad58b0040be455803c05a42 +Patch-mainline: v6.3-rc2 +References: bsc#1213012 + +Syzbot found the following issue: +EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none. + +Fscrypt: AES-256-CTS-CBC using implementation "cts-cbc-aes-aesni" +Fscrypt: AES-256-XTS using implementation "xts-aes-aesni" +Acked-by: Jan Kara <jack@suse.cz> + +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 5071 at mm/page_alloc.c:5525 __alloc_pages+0x30a/0x560 mm/page_alloc.c:5525 +Modules linked in: +CPU: 1 PID: 5071 Comm: syz-executor263 Not tainted 6.2.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +RIP: 0010:__alloc_pages+0x30a/0x560 mm/page_alloc.c:5525 +RSP: 0018:ffffc90003c2f1c0 EFLAGS: 00010246 +RAX: ffffc90003c2f220 RBX: 0000000000000014 RCX: 0000000000000000 +RDX: 0000000000000028 RSI: 0000000000000000 RDI: ffffc90003c2f248 +RBP: ffffc90003c2f2d8 R08: dffffc0000000000 R09: ffffc90003c2f220 +R10: fffff52000785e49 R11: 1ffff92000785e44 R12: 0000000000040d40 +R13: 1ffff92000785e40 R14: dffffc0000000000 R15: 1ffff92000785e3c +FS: 0000555556c0d300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f95d5e04138 CR3: 00000000793aa000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + <TASK> + __alloc_pages_node include/linux/gfp.h:237 [inline] + alloc_pages_node include/linux/gfp.h:260 [inline] + __kmalloc_large_node+0x95/0x1e0 mm/slab_common.c:1113 + __do_kmalloc_node mm/slab_common.c:956 [inline] + __kmalloc+0xfe/0x190 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + kzalloc include/linux/slab.h:720 [inline] + ext4_update_inline_data+0x236/0x6b0 fs/ext4/inline.c:346 + ext4_update_inline_dir fs/ext4/inline.c:1115 [inline] + ext4_try_add_inline_entry+0x328/0x990 fs/ext4/inline.c:1307 + ext4_add_entry+0x5a4/0xeb0 fs/ext4/namei.c:2385 + ext4_add_nondir+0x96/0x260 fs/ext4/namei.c:2772 + ext4_create+0x36c/0x560 fs/ext4/namei.c:2817 + lookup_open fs/namei.c:3413 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x12ac/0x2dd0 fs/namei.c:3711 + do_filp_open+0x264/0x4f0 fs/namei.c:3741 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_openat fs/open.c:1342 [inline] + __se_sys_openat fs/open.c:1337 [inline] + __x64_sys_openat+0x243/0x290 fs/open.c:1337 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Above issue happens as follows: +ext4_iget + ext4_find_inline_data_nolock ->i_inline_off=164 i_inline_size=60 +ext4_try_add_inline_entry + __ext4_mark_inode_dirty + ext4_expand_extra_isize_ea ->i_extra_isize=32 s_want_extra_isize=44 + ext4_xattr_shift_entries + ->after shift i_inline_off is incorrect, actually is change to 176 +ext4_try_add_inline_entry + ext4_update_inline_dir + get_max_inline_xattr_value_size + if (EXT4_I(inode)->i_inline_off) + entry = (struct ext4_xattr_entry *)((void *)raw_inode + + EXT4_I(inode)->i_inline_off); + free += EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)); + ->As entry is incorrect, then 'free' may be negative + ext4_update_inline_data + value = kzalloc(len, GFP_NOFS); + -> len is unsigned int, maybe very large, then trigger warning when + 'kzalloc()' + +To resolve the above issue we need to update 'i_inline_off' after +'ext4_xattr_shift_entries()'. We do not need to set +EXT4_STATE_MAY_INLINE_DATA flag here, since ext4_mark_inode_dirty() +already sets this flag if needed. Setting EXT4_STATE_MAY_INLINE_DATA +when it is needed may trigger a BUG_ON in ext4_writepages(). + +Reported-by: syzbot+d30838395804afc2fa6f@syzkaller.appspotmail.com +Cc: stable@kernel.org +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230307015253.2232062-3-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/xattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 863c15388848..2a006e4db467 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2851,6 +2851,9 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize, + (void *)header, total_ino); + EXT4_I(inode)->i_extra_isize = new_extra_isize; + ++ if (ext4_has_inline_data(inode)) ++ error = ext4_find_inline_data_nolock(inode); ++ + cleanup: + if (error && (mnt_count != le16_to_cpu(sbi->s_es->s_mnt_count))) { + ext4_warning(inode->i_sb, "Unable to expand inode %lu. Delete some EAs or run e2fsck.", +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-WARNING-in-mb_find_extent.patch @@ -0,0 +1,135 @@ +From fa08a7b61dff8a4df11ff1e84abfc214b487caf7 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Mon, 16 Jan 2023 10:00:15 +0800 +Subject: [PATCH] ext4: fix WARNING in mb_find_extent +Git-commit: fa08a7b61dff8a4df11ff1e84abfc214b487caf7 +Patch-mainline: v6.4-rc2 +References: bsc#1213099 + +Syzbot found the following issue: + +Ext4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support! +EXT4-fs (loop0): orphan cleanup on readonly fs + +Acked-by: Jan Kara <jack@suse.cz> + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 5067 at fs/ext4/mballoc.c:1869 mb_find_extent+0x8a1/0xe30 +Modules linked in: +CPU: 1 PID: 5067 Comm: syz-executor307 Not tainted 6.2.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +RIP: 0010:mb_find_extent+0x8a1/0xe30 fs/ext4/mballoc.c:1869 +RSP: 0018:ffffc90003c9e098 EFLAGS: 00010293 +RAX: ffffffff82405731 RBX: 0000000000000041 RCX: ffff8880783457c0 +RDX: 0000000000000000 RSI: 0000000000000041 RDI: 0000000000000040 +RBP: 0000000000000040 R08: ffffffff82405723 R09: ffffed10053c9402 +R10: ffffed10053c9402 R11: 1ffff110053c9401 R12: 0000000000000000 +R13: ffffc90003c9e538 R14: dffffc0000000000 R15: ffffc90003c9e2cc +FS: 0000555556665300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000056312f6796f8 CR3: 0000000022437000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + <TASK> + ext4_mb_complex_scan_group+0x353/0x1100 fs/ext4/mballoc.c:2307 + ext4_mb_regular_allocator+0x1533/0x3860 fs/ext4/mballoc.c:2735 + ext4_mb_new_blocks+0xddf/0x3db0 fs/ext4/mballoc.c:5605 + ext4_ext_map_blocks+0x1868/0x6880 fs/ext4/extents.c:4286 + ext4_map_blocks+0xa49/0x1cc0 fs/ext4/inode.c:651 + ext4_getblk+0x1b9/0x770 fs/ext4/inode.c:864 + ext4_bread+0x2a/0x170 fs/ext4/inode.c:920 + ext4_quota_write+0x225/0x570 fs/ext4/super.c:7105 + write_blk fs/quota/quota_tree.c:64 [inline] + get_free_dqblk+0x34a/0x6d0 fs/quota/quota_tree.c:130 + do_insert_tree+0x26b/0x1aa0 fs/quota/quota_tree.c:340 + do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375 + do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375 + do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375 + dq_insert_tree fs/quota/quota_tree.c:401 [inline] + qtree_write_dquot+0x3b6/0x530 fs/quota/quota_tree.c:420 + v2_write_dquot+0x11b/0x190 fs/quota/quota_v2.c:358 + dquot_acquire+0x348/0x670 fs/quota/dquot.c:444 + ext4_acquire_dquot+0x2dc/0x400 fs/ext4/super.c:6740 + dqget+0x999/0xdc0 fs/quota/dquot.c:914 + __dquot_initialize+0x3d0/0xcf0 fs/quota/dquot.c:1492 + ext4_process_orphan+0x57/0x2d0 fs/ext4/orphan.c:329 + ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474 + __ext4_fill_super fs/ext4/super.c:5516 [inline] + ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644 + get_tree_bdev+0x400/0x620 fs/super.c:1282 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Add some debug information: +mb_find_extent: mb_find_extent block=41, order=0 needed=64 next=0 ex=0/41/1@3735929054 64 64 7 +block_bitmap: ff 3f 0c 00 fc 01 00 00 d2 3d 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Acctually, blocks per group is 64, but block bitmap indicate at least has +128 blocks. Now, ext4_validate_block_bitmap() didn't check invalid block's +bitmap if set. +To resolve above issue, add check like fsck "Padding at end of block bitmap is +not set". + +Cc: stable@kernel.org +Reported-by: syzbot+68223fe9f6c95ad43bed@syzkaller.appspotmail.com +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230116020015.1506120-1-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/balloc.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c +index 094269488183..c49e612e3975 100644 +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -305,6 +305,22 @@ struct ext4_group_desc * ext4_get_group_desc(struct super_block *sb, + return desc; + } + ++static ext4_fsblk_t ext4_valid_block_bitmap_padding(struct super_block *sb, ++ ext4_group_t block_group, ++ struct buffer_head *bh) ++{ ++ ext4_grpblk_t next_zero_bit; ++ unsigned long bitmap_size = sb->s_blocksize * 8; ++ unsigned int offset = num_clusters_in_group(sb, block_group); ++ ++ if (bitmap_size <= offset) ++ return 0; ++ ++ next_zero_bit = ext4_find_next_zero_bit(bh->b_data, bitmap_size, offset); ++ ++ return (next_zero_bit < bitmap_size ? next_zero_bit : 0); ++} ++ + /* + * Return the block number which was discovered to be invalid, or 0 if + * the block bitmap is valid. +@@ -402,6 +418,15 @@ static int ext4_validate_block_bitmap(struct super_block *sb, + EXT4_GROUP_INFO_BBITMAP_CORRUPT); + return -EFSCORRUPTED; + } ++ blk = ext4_valid_block_bitmap_padding(sb, block_group, bh); ++ if (unlikely(blk != 0)) { ++ ext4_unlock_group(sb, block_group); ++ ext4_error(sb, "bg %u: block %llu: padding at end of block bitmap is not set", ++ block_group, blk); ++ ext4_mark_group_bitmap_corrupted(sb, block_group, ++ EXT4_GROUP_INFO_BBITMAP_CORRUPT); ++ return -EFSCORRUPTED; ++ } + set_buffer_verified(bh); + verified: + ext4_unlock_group(sb, block_group); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-a-possible-ABBA-deadlock-due-to-busy-PA.patch @@ -0,0 +1,159 @@ +From 8c80fb312d7abf8bcd66cca1d843a80318a2c522 Mon Sep 17 00:00:00 2001 +From: Chunguang Xu <brookxu@tencent.com> +Date: Tue, 23 Nov 2021 09:17:57 +0800 +Subject: [PATCH] ext4: fix a possible ABBA deadlock due to busy PA +Git-commit: 8c80fb312d7abf8bcd66cca1d843a80318a2c522 +Patch-mainline: v5.17-rc1 +References: bsc#1202762 + +We found on older kernel (3.10) that in the scenario of insufficient +disk space, system may trigger an ABBA deadlock problem, it seems that +this problem still exists in latest kernel, try to fix it here. The +main process triggered by this problem is that task A occupies the PA +and waits for the jbd2 transaction finish, the jbd2 transaction waits +for the completion of task B's IO (plug_list), but task B waits for +the release of PA by task A to finish discard, which indirectly forms +an ABBA deadlock. The related calltrace is as follows: + + Task A + vfs_write + ext4_mb_new_blocks() + ext4_mb_mark_diskspace_used() JBD2 + jbd2_journal_get_write_access() -> jbd2_journal_commit_transaction() + ->schedule() filemap_fdatawait() + | | + | Task B | + | do_unlinkat() | + | ext4_evict_inode() | + | jbd2_journal_begin_ordered_truncate() | + | filemap_fdatawrite_range() | + | ext4_mb_new_blocks() | + -ext4_mb_discard_group_preallocations() <----- + +Here, try to cancel ext4_mb_discard_group_preallocations() internal +retry due to PA busy, and do a limited number of retries inside +ext4_mb_discard_preallocations(), which can circumvent the above +problems, but also has some advantages: + +1. Since the PA is in a busy state, if other groups have free PAs, + keeping the current PA may help to reduce fragmentation. +2. Continue to traverse forward instead of waiting for the current + group PA to be released. In most scenarios, the PA discard time + can be reduced. + +However, in the case of smaller free space, if only a few groups have +space, then due to multiple traversals of the group, it may increase +CPU overhead. But in contrast, I feel that the overall benefit is +better than the cost. + +Signed-off-by: Chunguang Xu <brookxu@tencent.com> +Reported-by: kernel test robot <lkp@intel.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/1637630277-23496-1-git-send-email-brookxu.cn@gmail.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/mballoc.c | 40 ++++++++++++++++++---------------------- + 1 file changed, 18 insertions(+), 22 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 215b7068f548..3dd9b9e2f967 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4814,7 +4814,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b, + */ + static noinline_for_stack int + ext4_mb_discard_group_preallocations(struct super_block *sb, +- ext4_group_t group, int needed) ++ ext4_group_t group, int *busy) + { + struct ext4_group_info *grp = ext4_get_group_info(sb, group); + struct buffer_head *bitmap_bh = NULL; +@@ -4822,8 +4822,7 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + struct list_head list; + struct ext4_buddy e4b; + int err; +- int busy = 0; +- int free, free_total = 0; ++ int free = 0; + + mb_debug(sb, "discard preallocation for group %u\n", group); + if (list_empty(&grp->bb_prealloc_list)) +@@ -4846,19 +4845,14 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + goto out_dbg; + } + +- if (needed == 0) +- needed = EXT4_CLUSTERS_PER_GROUP(sb) + 1; +- + INIT_LIST_HEAD(&list); +-repeat: +- free = 0; + ext4_lock_group(sb, group); + list_for_each_entry_safe(pa, tmp, + &grp->bb_prealloc_list, pa_group_list) { + spin_lock(&pa->pa_lock); + if (atomic_read(&pa->pa_count)) { + spin_unlock(&pa->pa_lock); +- busy = 1; ++ *busy = 1; + continue; + } + if (pa->pa_deleted) { +@@ -4898,22 +4892,13 @@ ext4_mb_discard_group_preallocations(struct super_block *sb, + call_rcu(&(pa)->u.pa_rcu, ext4_mb_pa_callback); + } + +- free_total += free; +- +- /* if we still need more blocks and some PAs were used, try again */ +- if (free_total < needed && busy) { +- ext4_unlock_group(sb, group); +- cond_resched(); +- busy = 0; +- goto repeat; +- } + ext4_unlock_group(sb, group); + ext4_mb_unload_buddy(&e4b); + put_bh(bitmap_bh); + out_dbg: + mb_debug(sb, "discarded (%d) blocks preallocated for group %u bb_free (%d)\n", +- free_total, group, grp->bb_free); +- return free_total; ++ free, group, grp->bb_free); ++ return free; + } + + /* +@@ -5455,13 +5440,24 @@ static int ext4_mb_discard_preallocations(struct super_block *sb, int needed) + { + ext4_group_t i, ngroups = ext4_get_groups_count(sb); + int ret; +- int freed = 0; ++ int freed = 0, busy = 0; ++ int retry = 0; + + trace_ext4_mb_discard_preallocations(sb, needed); ++ ++ if (needed == 0) ++ needed = EXT4_CLUSTERS_PER_GROUP(sb) + 1; ++ repeat: + for (i = 0; i < ngroups && needed > 0; i++) { +- ret = ext4_mb_discard_group_preallocations(sb, i, needed); ++ ret = ext4_mb_discard_group_preallocations(sb, i, &busy); + freed += ret; + needed -= ret; ++ cond_resched(); ++ } ++ ++ if (needed > 0 && busy && ++retry < 3) { ++ busy = 0; ++ goto repeat; + } + + return freed; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-an-use-after-free-issue-about-data-journal-.patch @@ -0,0 +1,135 @@ +From 5c48a7df91499e371ef725895b2e2d21a126e227 Mon Sep 17 00:00:00 2001 +From: Zhang Yi <yi.zhang@huawei.com> +Date: Sat, 25 Dec 2021 17:09:37 +0800 +Subject: [PATCH] ext4: fix an use-after-free issue about data=journal + writeback mode +Git-commit: 5c48a7df91499e371ef725895b2e2d21a126e227 +Patch-mainline: v5.17-rc1 +References: bsc#1195482 + +Our syzkaller report an use-after-free issue that accessing the freed +buffer_head on the writeback page in __ext4_journalled_writepage(). The +problem is that if there was a truncate racing with the data=journalled +writeback procedure, the writeback length could become zero and +bget_one() refuse to get buffer_head's refcount, then the truncate +procedure release buffer once we drop page lock, finally, the last +ext4_walk_page_buffers() trigger the use-after-free problem. + +sync truncate +ext4_sync_file() + file_write_and_wait_range() + ext4_setattr(0) + inode->i_size = 0 + ext4_writepage() + len = 0 + __ext4_journalled_writepage() + page_bufs = page_buffers(page) + ext4_walk_page_buffers(bget_one) <- does not get refcount + do_invalidatepage() + free_buffer_head() + ext4_walk_page_buffers(page_bufs) <- trigger use-after-free + +After commit bdf96838aea6 ("ext4: fix race between truncate and +__ext4_journalled_writepage()"), we have already handled the racing +case, so the bget_one() and bput_one() are not needed. So this patch +simply remove these hunk, and recheck the i_size to make it safe. + +Fixes: bdf96838aea6 ("ext4: fix race between truncate and __ext4_journalled_writepage()") +Signed-off-by: Zhang Yi <yi.zhang@huawei.com> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211225090937.712867-1-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 37 ++++++++++--------------------------- + 1 file changed, 10 insertions(+), 27 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index bca9951634d9..68070f34f0cf 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1845,30 +1845,16 @@ int ext4_da_get_block_prep(struct inode *inode, sector_t iblock, + return 0; + } + +-static int bget_one(handle_t *handle, struct inode *inode, +- struct buffer_head *bh) +-{ +- get_bh(bh); +- return 0; +-} +- +-static int bput_one(handle_t *handle, struct inode *inode, +- struct buffer_head *bh) +-{ +- put_bh(bh); +- return 0; +-} +- + static int __ext4_journalled_writepage(struct page *page, + unsigned int len) + { + struct address_space *mapping = page->mapping; + struct inode *inode = mapping->host; +- struct buffer_head *page_bufs = NULL; + handle_t *handle = NULL; + int ret = 0, err = 0; + int inline_data = ext4_has_inline_data(inode); + struct buffer_head *inode_bh = NULL; ++ loff_t size; + + ClearPageChecked(page); + +@@ -1878,14 +1864,6 @@ static int __ext4_journalled_writepage(struct page *page, + inode_bh = ext4_journalled_write_inline_data(inode, len, page); + if (inode_bh == NULL) + goto out; +- } else { +- page_bufs = page_buffers(page); +- if (!page_bufs) { +- BUG(); +- goto out; +- } +- ext4_walk_page_buffers(handle, inode, page_bufs, 0, len, +- NULL, bget_one); + } + /* + * We need to release the page lock before we start the +@@ -1906,7 +1884,8 @@ static int __ext4_journalled_writepage(struct page *page, + + lock_page(page); + put_page(page); +- if (page->mapping != mapping) { ++ size = i_size_read(inode); ++ if (page->mapping != mapping || page_offset(page) > size) { + /* The page got truncated from under us */ + ext4_journal_stop(handle); + ret = 0; +@@ -1916,6 +1895,13 @@ static int __ext4_journalled_writepage(struct page *page, + if (inline_data) { + ret = ext4_mark_inode_dirty(handle, inode); + } else { ++ struct buffer_head *page_bufs = page_buffers(page); ++ ++ if (page->index == size >> PAGE_SHIFT) ++ len = size & ~PAGE_MASK; ++ else ++ len = PAGE_SIZE; ++ + ret = ext4_walk_page_buffers(handle, inode, page_bufs, 0, len, + NULL, do_journal_get_write_access); + +@@ -1936,9 +1922,6 @@ static int __ext4_journalled_writepage(struct page *page, + out: + unlock_page(page); + out_no_pagelock: +- if (!inline_data && page_bufs) +- ext4_walk_page_buffers(NULL, inode, page_bufs, 0, len, +- NULL, bput_one); + brelse(inode_bh); + return ret; + } +-- +2.34.1 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-another-off-by-one-fsmap-error-on-1k-block-.patch @@ -0,0 +1,127 @@ +From c993799baf9c5861f8df91beb80e1611b12efcbd Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" <djwong@kernel.org> +Date: Thu, 16 Feb 2023 10:55:48 -0800 +Subject: [PATCH] ext4: fix another off-by-one fsmap error on 1k block + filesystems +Git-commit: c993799baf9c5861f8df91beb80e1611b12efcbd +Patch-mainline: v6.3-rc2 +References: bsc#1210767 + +Apparently syzbot figured out that issuing this FSMAP call: + +struct fsmap_head cmd = { + .fmh_count = ...; + .fmh_keys = { + { .fmr_device = /* ext4 dev */, .fmr_physical = 0, }, + { .fmr_device = /* ext4 dev */, .fmr_physical = 0, }, + }, +... +}; +ret = ioctl(fd, FS_IOC_GETFSMAP, &cmd); + +Produces this crash if the underlying filesystem is a 1k-block ext4 +Filesystem: + +kernel BUG at fs/ext4/ext4.h:3331! +invalid opcode: 0000 [#1] PREEMPT SMP +Cpu: 3 PID: 3227965 Comm: xfs_io Tainted: G W O 6.2.0-rc8-achx +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +Rip: 0010:ext4_mb_load_buddy_gfp+0x47c/0x570 [ext4] +Rsp: 0018:ffffc90007c03998 EFLAGS: 00010246 +Rax: ffff888004978000 RBX: ffffc90007c03a20 RCX: ffff888041618000 +Rdx: 0000000000000000 RSI: 00000000000005a4 RDI: ffffffffa0c99b11 +Rbp: ffff888012330000 R08: ffffffffa0c2b7d0 R09: 0000000000000400 +R10: ffffc90007c03950 R11: 0000000000000000 R12: 0000000000000001 +R13: 00000000ffffffff R14: 0000000000000c40 R15: ffff88802678c398 +Fs: 00007fdf2020c880(0000) GS:ffff88807e100000(0000) knlGS:0000000000000000 +Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Cr2: 00007ffd318a5fe8 CR3: 000000007f80f001 CR4: 00000000001706e0 +Call Trace: + <TASK> + ext4_mballoc_query_range+0x4b/0x210 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] + ext4_getfsmap_datadev+0x713/0x890 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] + ext4_getfsmap+0x2b7/0x330 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] + ext4_ioc_getfsmap+0x153/0x2b0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] + __ext4_ioctl+0x2a7/0x17e0 [ext4 dfa189daddffe8fecd3cdfd00564e0f265a8ab80] + __x64_sys_ioctl+0x82/0xa0 + do_syscall_64+0x2b/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 +Rip: 0033:0x7fdf20558aff +Rsp: 002b:00007ffd318a9e30 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +Rax: ffffffffffffffda RBX: 00000000000200c0 RCX: 00007fdf20558aff +Rdx: 00007fdf1feb2010 RSI: 00000000c0c0583b RDI: 0000000000000003 +Rbp: 00005625c0634be0 R08: 00005625c0634c40 R09: 0000000000000001 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdf1feb2010 +R13: 00005625be70d994 R14: 0000000000000800 R15: 0000000000000000 + +For GETFSMAP calls, the caller selects a physical block device by +writing its block number into fsmap_head.fmh_keys[01].fmr_device. +To query mappings for a subrange of the device, the starting byte of the +range is written to fsmap_head.fmh_keys[0].fmr_physical and the last +byte of the range goes in fsmap_head.fmh_keys[1].fmr_physical. + +IOWs, to query what mappings overlap with bytes 3-14 of /dev/sda, you'd +set the inputs as follows: + + fmh_keys[0] = { .fmr_device = major(8, 0), .fmr_physical = 3}, + fmh_keys[1] = { .fmr_device = major(8, 0), .fmr_physical = 14}, + +Which would return you whatever is mapped in the 12 bytes starting at +physical offset 3. + +The crash is due to insufficient range validation of keys[1] in +ext4_getfsmap_datadev. On 1k-block filesystems, block 0 is not part of +the filesystem, which means that s_first_data_block is nonzero. +ext4_get_group_no_and_offset subtracts this quantity from the blocknr +argument before cracking it into a group number and a block number +within a group. IOWs, block group 0 spans blocks 1-8192 (1-based) +instead of 0-8191 (0-based) like what happens with larger blocksizes. + +The net result of this encoding is that blocknr < s_first_data_block is +not a valid input to this function. The end_fsb variable is set from +the keys that are copied from userspace, which means that in the above +example, its value is zero. That leads to an underflow here: + + blocknr = blocknr - le32_to_cpu(es->s_first_data_block); + +The division then operates on -1: + + offset = do_div(blocknr, EXT4_BLOCKS_PER_GROUP(sb)) >> + EXT4_SB(sb)->s_cluster_bits; + +Leaving an impossibly large group number (2^32-1) in blocknr. +ext4_getfsmap_check_keys checked that keys[0].fmr_physical and +keys[1].fmr_physical are in increasing order, but +ext4_getfsmap_datadev adjusts keys[0].fmr_physical to be at least +s_first_data_block. This implies that we have to check it again after +the adjustment, which is the piece that I forgot. + +Reported-by: syzbot+6be2b977c89f79b6b153@syzkaller.appspotmail.com +Fixes: 4a4956249dac ("ext4: fix off-by-one fsmap error on 1k block filesystems") +Link: https://syzkaller.appspot.com/bug?id=79d5768e9bfe362911ac1a5057a36fc6b5c30002 +Cc: stable@vger.kernel.org +Signed-off-by: Darrick J. Wong <djwong@kernel.org> +Link: https://lore.kernel.org/r/Y+58NPTH7VNGgzdd@magnolia +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fsmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/ext4/fsmap.c b/fs/ext4/fsmap.c +index 4493ef0c715e..cdf9bfe10137 100644 +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -486,6 +486,8 @@ static int ext4_getfsmap_datadev(struct super_block *sb, + keys[0].fmr_physical = bofs; + if (keys[1].fmr_physical >= eofs) + keys[1].fmr_physical = eofs - 1; ++ if (keys[1].fmr_physical < keys[0].fmr_physical) ++ return 0; + start_fsb = keys[0].fmr_physical; + end_fsb = keys[1].fmr_physical; + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bad-checksum-after-online-resize.patch @@ -0,0 +1,54 @@ +From a408f33e895e455f16cf964cb5cd4979b658db7b Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Thu, 17 Nov 2022 12:03:39 +0800 +Subject: [PATCH] ext4: fix bad checksum after online resize +Git-commit: a408f33e895e455f16cf964cb5cd4979b658db7b +Patch-mainline: v6.2-rc1 +References: bsc#1210762 bsc#1208076 + +When online resizing is performed twice consecutively, the error message +"Superblock checksum does not match superblock" is displayed for the +second time. Here's the reproducer: + + mkfs.ext4 -F /dev/sdb 100M + mount /dev/sdb /tmp/test + resize2fs /dev/sdb 5G + resize2fs /dev/sdb 6G + +To solve this issue, we moved the update of the checksum after the +es->s_overhead_clusters is updated. + +Fixes: 026d0d27c488 ("ext4: reduce computation of overhead during resize") +Fixes: de394a86658f ("ext4: update s_overhead_clusters in the superblock during an on-line resize") +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Darrick J. Wong <djwong@kernel.org> +Reviewed-by: Jan Kara <jack@suse.cz> +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20221117040341.1380702-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/resize.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1445,8 +1445,6 @@ static void ext4_update_super(struct sup + * active. */ + ext4_r_blocks_count_set(es, ext4_r_blocks_count(es) + + reserved_blocks); +- ext4_superblock_csum_set(sb); +- unlock_buffer(sbi->s_sbh); + + /* Update the free space counts */ + percpu_counter_add(&sbi->s_freeclusters_counter, +@@ -1474,6 +1472,8 @@ static void ext4_update_super(struct sup + ext4_calculate_overhead(sb); + es->s_overhead_clusters = cpu_to_le32(sbi->s_overhead); + ++ ext4_superblock_csum_set(sb); ++ unlock_buffer(sbi->s_sbh); + if (test_opt(sb, DEBUG)) + printk(KERN_DEBUG "EXT4-fs: added group %u:" + "%llu blocks(%llu free %llu reserved)\n", flex_gd->count, --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch @@ -0,0 +1,103 @@ +From a08f789d2ab5242c07e716baf9a835725046be89 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Sat, 28 May 2022 19:00:15 +0800 +Subject: [PATCH] ext4: fix bug_on ext4_mb_use_inode_pa +Git-commit: a08f789d2ab5242c07e716baf9a835725046be89 +Patch-mainline: v5.19-rc3 +References: bsc#1200810 + +Hulk Robot reported a BUG_ON: +================================================================== +kernel BUG at fs/ext4/mballoc.c:3211! +[...] +Rip: 0010:ext4_mb_mark_diskspace_used.cold+0x85/0x136f +[...] +Call Trace: + ext4_mb_new_blocks+0x9df/0x5d30 + ext4_ext_map_blocks+0x1803/0x4d80 + ext4_map_blocks+0x3a4/0x1a10 + ext4_writepages+0x126d/0x2c30 + do_writepages+0x7f/0x1b0 + __filemap_fdatawrite_range+0x285/0x3b0 + file_write_and_wait_range+0xb1/0x140 + ext4_sync_file+0x1aa/0xca0 + vfs_fsync_range+0xfb/0x260 + do_fsync+0x48/0xa0 +[...] +================================================================== + +Above issue may happen as follows: + +Acked-by: Jan Kara <jack@suse.cz> + +------------------------------------- +do_fsync + vfs_fsync_range + ext4_sync_file + file_write_and_wait_range + __filemap_fdatawrite_range + do_writepages + ext4_writepages + mpage_map_and_submit_extent + mpage_map_one_extent + ext4_map_blocks + ext4_mb_new_blocks + ext4_mb_normalize_request + >>> start + size <= ac->ac_o_ex.fe_logical + ext4_mb_regular_allocator + ext4_mb_simple_scan_group + ext4_mb_use_best_found + ext4_mb_new_preallocation + ext4_mb_new_inode_pa + ext4_mb_use_inode_pa + >>> set ac->ac_b_ex.fe_len <= 0 + ext4_mb_mark_diskspace_used + >>> BUG_ON(ac->ac_b_ex.fe_len <= 0); + +we can easily reproduce this problem with the following commands: + `fallocate -l100M disk` + `mkfs.ext4 -b 1024 -g 256 disk` + `mount disk /mnt` + `fsstress -d /mnt -l 0 -n 1000 -p 1` + +The size must be smaller than or equal to EXT4_BLOCKS_PER_GROUP. +Therefore, "start + size <= ac->ac_o_ex.fe_logical" may occur +when the size is truncated. So start should be the start position of +the group where ac_o_ex.fe_logical is located after alignment. +In addition, when the value of fe_logical or EXT4_BLOCKS_PER_GROUP +is very large, the value calculated by start_off is more accurate. + +Cc: stable@kernel.org +Fixes: cd648b8a8fd5 ("ext4: trim allocation requests to group size") +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com> +Link: https://lore.kernel.org/r/20220528110017.354175-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/mballoc.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 9f12f29bc346..4d3740fdff90 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4104,6 +4104,15 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac, + size = size >> bsbits; + start = start_off >> bsbits; + ++ /* ++ * For tiny groups (smaller than 8MB) the chosen allocation ++ * alignment may be larger than group size. Make sure the ++ * alignment does not move allocation to a different group which ++ * makes mballoc fail assertions later. ++ */ ++ start = max(start, rounddown(ac->ac_o_ex.fe_logical, ++ (ext4_lblk_t)EXT4_BLOCKS_PER_GROUP(ac->ac_sb))); ++ + /* don't cover already allocated blocks in selected range */ + if (ar->pleft && start <= ar->lleft) { + size -= ar->lleft + 1 - start; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-in-__es_tree_search-caused-by-bad-bo.patch @@ -0,0 +1,102 @@ +From 991ed014de0840c5dc405b679168924afb2952ac Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Wed, 26 Oct 2022 12:23:10 +0800 +Subject: [PATCH] ext4: fix bug_on in __es_tree_search caused by bad boot + loader inode +Git-commit: 991ed014de0840c5dc405b679168924afb2952ac +Patch-mainline: v6.2-rc1 +References: bsc#1207620 + +We got a issue as fllows: +================================================================== + kernel BUG at fs/ext4/extents_status.c:203! + invalid opcode: 0000 [#1] PREEMPT SMP + CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349 + RIP: 0010:ext4_es_end.isra.0+0x34/0x42 + RSP: 0018:ffffc9000143b768 EFLAGS: 00010203 + RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff + RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8 + R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0 + R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000 + FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + <TASK> + __es_tree_search.isra.0+0x6d/0xf5 + ext4_es_cache_extent+0xfa/0x230 + ext4_cache_extents+0xd2/0x110 + ext4_find_extent+0x5d5/0x8c0 + ext4_ext_map_blocks+0x9c/0x1d30 + ext4_map_blocks+0x431/0xa50 + ext4_mpage_readpages+0x48e/0xe40 + ext4_readahead+0x47/0x50 + read_pages+0x82/0x530 + page_cache_ra_unbounded+0x199/0x2a0 + do_page_cache_ra+0x47/0x70 + page_cache_ra_order+0x242/0x400 + ondemand_readahead+0x1e8/0x4b0 + page_cache_sync_ra+0xf4/0x110 + filemap_get_pages+0x131/0xb20 + filemap_read+0xda/0x4b0 + generic_file_read_iter+0x13a/0x250 + ext4_file_read_iter+0x59/0x1d0 + vfs_read+0x28f/0x460 + ksys_read+0x73/0x160 + __x64_sys_read+0x1e/0x30 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + </TASK> +================================================================== + +In the above issue, ioctl invokes the swap_inode_boot_loader function to +swap inode<5> and inode<12>. However, inode<5> contain incorrect imode and +disordered extents, and i_nlink is set to 1. The extents check for inode in +the ext4_iget function can be bypassed bacause 5 is EXT4_BOOT_LOADER_INO. +While links_count is set to 1, the extents are not initialized in +swap_inode_boot_loader. After the ioctl command is executed successfully, +the extents are swapped to inode<12>, in this case, run the `cat` command +to view inode<12>. And Bug_ON is triggered due to the incorrect extents. + +When the boot loader inode is not initialized, its imode can be one of the +Following: +1) the imode is a bad type, which is marked as bad_inode in ext4_iget and + set to S_IFREG. +2) the imode is good type but not S_IFREG. +3) the imode is S_IFREG. + +The BUG_ON may be triggered by bypassing the check in cases 1 and 2. +Therefore, when the boot loader inode is bad_inode or its imode is not +S_IFREG, initialize the inode to avoid triggering the BUG. + +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jason Yan <yanaijie@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221026042310.3839669-5-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 9ed7b9fe2132..e5f60057db5b 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -425,7 +425,7 @@ static long swap_inode_boot_loader(struct super_block *sb, + /* Protect extent tree against block allocations via delalloc */ + ext4_double_down_write_data_sem(inode, inode_bl); + +- if (inode_bl->i_nlink == 0) { ++ if (is_bad_inode(inode_bl) || !S_ISREG(inode_bl->i_mode)) { + /* this inode has never been used as a BOOT_LOADER */ + set_nlink(inode_bl, 1); + i_uid_write(inode_bl, 0); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-in-__es_tree_search.patch @@ -0,0 +1,144 @@ +From d36f6ed761b53933b0b4126486c10d3da7751e7f Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Wed, 18 May 2022 20:08:16 +0800 +Subject: [PATCH] ext4: fix bug_on in __es_tree_search +Git-commit: d36f6ed761b53933b0b4126486c10d3da7751e7f +Patch-mainline: v5.19-rc1 +References: bsc#1200809 + +Hulk Robot reported a BUG_ON: +================================================================== +kernel BUG at fs/ext4/extents_status.c:199! +[...] +Rip: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline] +Rip: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217 +[...] +Call Trace: + ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766 + ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561 + ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964 + ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384 + ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567 + ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980 + ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031 + ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257 + v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63 + v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82 + vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368 + dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490 + ext4_quota_enable fs/ext4/super.c:6137 [inline] + ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163 + ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754 + mount_bdev+0x2e9/0x3b0 fs/super.c:1158 + mount_fs+0x4b/0x1e4 fs/super.c:1261 +[...] +================================================================== + +Above issue may happen as follows: + +Acked-by: Jan Kara <jack@suse.cz> + +------------------------------------- +ext4_fill_super + ext4_enable_quotas + ext4_quota_enable + ext4_iget + __ext4_iget + ext4_ext_check_inode + ext4_ext_check + __ext4_ext_check + ext4_valid_extent_entries + Check for overlapping extents does't take effect + dquot_enable + vfs_load_quota_inode + v2_check_quota_file + v2_read_header + ext4_quota_read + ext4_bread + ext4_getblk + ext4_map_blocks + ext4_ext_map_blocks + ext4_find_extent + ext4_cache_extents + ext4_es_cache_extent + ext4_es_cache_extent + __es_tree_search + ext4_es_end + BUG_ON(es->es_lblk + es->es_len < es->es_lblk) + +The error ext4 extents is as follows: +0af3 0300 0400 0000 00000000 extent_header +00000000 0100 0000 12000000 extent1 +00000000 0100 0000 18000000 extent2 +02000000 0400 0000 14000000 extent3 + +In the ext4_valid_extent_entries function, +if prev is 0, no error is returned even if lblock<=prev. +This was intended to skip the check on the first extent, but +in the error image above, prev=0+1-1=0 when checking the second extent, +so even though lblock<=prev, the function does not return an error. +As a result, bug_ON occurs in __es_tree_search and the system panics. + +To solve this problem, we only need to check that: +1. The lblock of the first extent is not less than 0. +2. The lblock of the next extent is not less than + the next block of the previous extent. +The same applies to extent_idx. + +Cc: stable@kernel.org +Fixes: 5946d089379a ("ext4: check for overlapping extents in ext4_valid_extent_entries()") +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220518120816.1541863-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/extents.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 474479ce76e0..c148bb97b527 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -372,7 +372,7 @@ static int ext4_valid_extent_entries(struct inode *inode, + { + unsigned short entries; + ext4_lblk_t lblock = 0; +- ext4_lblk_t prev = 0; ++ ext4_lblk_t cur = 0; + + if (eh->eh_entries == 0) + return 1; +@@ -396,11 +396,11 @@ static int ext4_valid_extent_entries(struct inode *inode, + + /* Check for overlapping extents */ + lblock = le32_to_cpu(ext->ee_block); +- if ((lblock <= prev) && prev) { ++ if (lblock < cur) { + *pblk = ext4_ext_pblock(ext); + return 0; + } +- prev = lblock + ext4_ext_get_actual_len(ext) - 1; ++ cur = lblock + ext4_ext_get_actual_len(ext); + ext++; + entries--; + } +@@ -420,13 +420,13 @@ static int ext4_valid_extent_entries(struct inode *inode, + + /* Check for overlapping index extents */ + lblock = le32_to_cpu(ext_idx->ei_block); +- if ((lblock <= prev) && prev) { ++ if (lblock < cur) { + *pblk = ext4_idx_pblock(ext_idx); + return 0; + } + ext_idx++; + entries--; +- prev = lblock; ++ cur = lblock + 1; + } + } + return 1; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-bug_on-in-ext4_writepages.patch @@ -0,0 +1,113 @@ +From ef09ed5d37b84d18562b30cf7253e57062d0db05 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Mon, 16 May 2022 20:26:34 +0800 +Subject: [PATCH] ext4: fix bug_on in ext4_writepages +Git-commit: ef09ed5d37b84d18562b30cf7253e57062d0db05 +Patch-mainline: v5.19-rc1 +References: bsc#1200872 + +we got issue as follows: +EXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls + +Acked-by: Jan Kara <jack@suse.cz> + +------------[ cut here ]------------ +kernel BUG at fs/ext4/inode.c:2708! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155 +RIP: 0010:ext4_writepages+0x1977/0x1c10 +RSP: 0018:ffff88811d3e7880 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000 +RDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002 +RBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000 +R10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001 +R13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028 +FS: 00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + <TASK> + do_writepages+0x130/0x3a0 + filemap_fdatawrite_wbc+0x83/0xa0 + filemap_flush+0xab/0xe0 + ext4_alloc_da_blocks+0x51/0x120 + __ext4_ioctl+0x1534/0x3210 + __x64_sys_ioctl+0x12c/0x170 + do_syscall_64+0x3b/0x90 + +It may happen as follows: +1. write inline_data inode +vfs_write + new_sync_write + ext4_file_write_iter + ext4_buffered_write_iter + generic_perform_write + ext4_da_write_begin + ext4_da_write_inline_data_begin -> If inline data size too + small will allocate block to write, then mapping will has + dirty page + ext4_da_convert_inline_data_to_extent ->clear EXT4_STATE_MAY_INLINE_DATA +2. fallocate +do_vfs_ioctl + ioctl_preallocate + vfs_fallocate + ext4_fallocate + ext4_convert_inline_data + ext4_convert_inline_data_nolock + ext4_map_blocks -> fail will goto restore data + ext4_restore_inline_data + ext4_create_inline_data + ext4_write_inline_data + ext4_set_inode_state -> set inode EXT4_STATE_MAY_INLINE_DATA +3. writepages +__ext4_ioctl + ext4_alloc_da_blocks + filemap_flush + filemap_fdatawrite_wbc + do_writepages + ext4_writepages + if (ext4_has_inline_data(inode)) + BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) + +The root cause of this issue is we destory inline data until call +ext4_writepages under delay allocation mode. But there maybe already +convert from inline to extent. To solve this issue, we call +filemap_flush first.. + +Cc: stable@kernel.org +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220516122634.1690462-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/inline.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 13a63e3639b1..513762c087a9 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -2005,6 +2005,18 @@ int ext4_convert_inline_data(struct inode *inode) + if (!ext4_has_inline_data(inode)) { + ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); + return 0; ++ } else if (!ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) { ++ /* ++ * Inode has inline data but EXT4_STATE_MAY_INLINE_DATA is ++ * cleared. This means we are in the middle of moving of ++ * inline data to delay allocated block. Just force writeout ++ * here to finish conversion. ++ */ ++ error = filemap_flush(inode->i_mapping); ++ if (error) ++ return error; ++ if (!ext4_has_inline_data(inode)) ++ return 0; + } + + needed_blocks = ext4_writepage_trans_blocks(inode); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-cgroup-writeback-accounting-with-fs-layer-e.patch @@ -0,0 +1,71 @@ +From ffec85d53d0f39ee4680a2cf0795255e000e1feb Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Thu, 2 Feb 2023 16:55:03 -0800 +Subject: [PATCH] ext4: fix cgroup writeback accounting with fs-layer + encryption +Git-commit: ffec85d53d0f39ee4680a2cf0795255e000e1feb +Patch-mainline: v6.3-rc2 +References: bsc#1210765 + +When writing a page from an encrypted file that is using +filesystem-layer encryption (not inline encryption), ext4 encrypts the +pagecache page into a bounce page, then writes the bounce page. + +It also passes the bounce page to wbc_account_cgroup_owner(). That's +incorrect, because the bounce page is a newly allocated temporary page +that doesn't have the memory cgroup of the original pagecache page. +This makes wbc_account_cgroup_owner() not account the I/O to the owner +of the pagecache page as it should. + +Fix this by always passing the pagecache page to +wbc_account_cgroup_owner(). + +Fixes: 001e4a8775f6 ("ext4: implement cgroup writeback support") +Cc: stable@vger.kernel.org +Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org> +Signed-off-by: Eric Biggers <ebiggers@google.com> +Acked-by: Tejun Heo <tj@kernel.org> +Link: https://lore.kernel.org/r/20230203005503.141557-1-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/page-io.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/fs/ext4/page-io.c ++++ b/fs/ext4/page-io.c +@@ -413,7 +413,8 @@ static void io_submit_init_bio(struct ex + + static void io_submit_add_bh(struct ext4_io_submit *io, + struct inode *inode, +- struct page *page, ++ struct page *pagecache_page, ++ struct page *bounce_page, + struct buffer_head *bh) + { + int ret; +@@ -427,10 +428,11 @@ submit_and_retry: + io_submit_init_bio(io, bh); + io->io_bio->bi_write_hint = inode->i_write_hint; + } +- ret = bio_add_page(io->io_bio, page, bh->b_size, bh_offset(bh)); ++ ret = bio_add_page(io->io_bio, bounce_page ?: pagecache_page, ++ bh->b_size, bh_offset(bh)); + if (ret != bh->b_size) + goto submit_and_retry; +- wbc_account_cgroup_owner(io->io_wbc, page, bh->b_size); ++ wbc_account_cgroup_owner(io->io_wbc, pagecache_page, bh->b_size); + io->io_next_block++; + } + +@@ -548,8 +550,7 @@ int ext4_bio_write_page(struct ext4_io_s + do { + if (!buffer_async_write(bh)) + continue; +- io_submit_add_bh(io, inode, +- bounce_page ? bounce_page : page, bh); ++ io_submit_add_bh(io, inode, page, bounce_page, bh); + nr_submitted++; + clear_buffer_dirty(bh); + } while ((bh = bh->b_this_page) != head); --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-corruption-when-online-resizing-a-1K-bigall.patch @@ -0,0 +1,58 @@ +From 0aeaa2559d6d53358fca3e3fce73807367adca74 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Thu, 17 Nov 2022 12:03:41 +0800 +Subject: [PATCH] ext4: fix corruption when online resizing a 1K bigalloc fs +Git-commit: 0aeaa2559d6d53358fca3e3fce73807367adca74 +Patch-mainline: v6.2-rc1 +References: bsc#1206891 + +When a backup superblock is updated in update_backups(), the primary +superblock's offset in the group (that is, sbi->s_sbh->b_blocknr) is used +as the backup superblock's offset in its group. However, when the block +size is 1K and bigalloc is enabled, the two offsets are not equal. This +causes the backup group descriptors to be overwritten by the superblock +in update_backups(). Moreover, if meta_bg is enabled, the file system will +be corrupted because this feature uses backup group descriptors. + +To solve this issue, we use a more accurate ext4_group_first_block_no() as +the offset of the backup superblock in its group. + +Fixes: d77147ff443b ("ext4: add support for online resizing with bigalloc") +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20221117040341.1380702-4-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/resize.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index d460440d6dee..6b91443d6bf3 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1604,8 +1604,8 @@ static int ext4_flex_group_add(struct super_block *sb, + int meta_bg = ext4_has_feature_meta_bg(sb); + sector_t old_gdb = 0; + +- update_backups(sb, sbi->s_sbh->b_blocknr, (char *)es, +- sizeof(struct ext4_super_block), 0); ++ update_backups(sb, ext4_group_first_block_no(sb, 0), ++ (char *)es, sizeof(struct ext4_super_block), 0); + for (; gdb_num <= gdb_num_end; gdb_num++) { + struct buffer_head *gdb_bh; + +@@ -1816,7 +1816,7 @@ static int ext4_group_extend_no_check(struct super_block *sb, + if (test_opt(sb, DEBUG)) + printk(KERN_DEBUG "EXT4-fs: extended group to %llu " + "blocks\n", ext4_blocks_count(es)); +- update_backups(sb, EXT4_SB(sb)->s_sbh->b_blocknr, ++ update_backups(sb, ext4_group_first_block_no(sb, 0), + (char *)es, sizeof(struct ext4_super_block), 0); + } + return err; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-data-races-when-using-cached-status-extents.patch @@ -0,0 +1,86 @@ +From 492888df0c7b42fc0843631168b0021bc4caee84 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Thu, 4 May 2023 14:55:24 +0200 +Subject: [PATCH] ext4: fix data races when using cached status extents +Git-commit: 492888df0c7b42fc0843631168b0021bc4caee84 +Patch-mainline: v6.4-rc2 +References: bsc#1213102 + +When using cached extent stored in extent status tree in tree->cache_es +another process holding ei->i_es_lock for reading can be racing with us +setting new value of tree->cache_es. If the compiler would decide to +refetch tree->cache_es at an unfortunate moment, it could result in a +bogus in_range() check. Fix the possible race by using READ_ONCE() when +using tree->cache_es only under ei->i_es_lock for reading. + +Cc: stable@kernel.org +Reported-by: syzbot+4a03518df1e31b537066@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000d3b33905fa0fd4a6@google.com +Suggested-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230504125524.10802-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/extents_status.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 7bc221038c6c..595abb9e7d74 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -267,14 +267,12 @@ static void __es_find_extent_range(struct inode *inode, + + /* see if the extent has been cached */ + es->es_lblk = es->es_len = es->es_pblk = 0; +- if (tree->cache_es) { +- es1 = tree->cache_es; +- if (in_range(lblk, es1->es_lblk, es1->es_len)) { +- es_debug("%u cached by [%u/%u) %llu %x\n", +- lblk, es1->es_lblk, es1->es_len, +- ext4_es_pblock(es1), ext4_es_status(es1)); +- goto out; +- } ++ es1 = READ_ONCE(tree->cache_es); ++ if (es1 && in_range(lblk, es1->es_lblk, es1->es_len)) { ++ es_debug("%u cached by [%u/%u) %llu %x\n", ++ lblk, es1->es_lblk, es1->es_len, ++ ext4_es_pblock(es1), ext4_es_status(es1)); ++ goto out; + } + + es1 = __es_tree_search(&tree->root, lblk); +@@ -293,7 +291,7 @@ static void __es_find_extent_range(struct inode *inode, + } + + if (es1 && matching_fn(es1)) { +- tree->cache_es = es1; ++ WRITE_ONCE(tree->cache_es, es1); + es->es_lblk = es1->es_lblk; + es->es_len = es1->es_len; + es->es_pblk = es1->es_pblk; +@@ -931,14 +929,12 @@ int ext4_es_lookup_extent(struct inode *inode, ext4_lblk_t lblk, + + /* find extent in cache firstly */ + es->es_lblk = es->es_len = es->es_pblk = 0; +- if (tree->cache_es) { +- es1 = tree->cache_es; +- if (in_range(lblk, es1->es_lblk, es1->es_len)) { +- es_debug("%u cached by [%u/%u)\n", +- lblk, es1->es_lblk, es1->es_len); +- found = 1; +- goto out; +- } ++ es1 = READ_ONCE(tree->cache_es); ++ if (es1 && in_range(lblk, es1->es_lblk, es1->es_len)) { ++ es_debug("%u cached by [%u/%u)\n", ++ lblk, es1->es_lblk, es1->es_len); ++ found = 1; ++ goto out; + } + + node = tree->root.rb_node; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-deadlock-due-to-mbcache-entry-corruption.patch @@ -0,0 +1,92 @@ +From a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Wed, 23 Nov 2022 20:39:50 +0100 +Subject: [PATCH] ext4: fix deadlock due to mbcache entry corruption +Git-commit: a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd +Patch-mainline: v6.2-rc1 +References: bsc#1207653 + +When manipulating xattr blocks, we can deadlock infinitely looping +inside ext4_xattr_block_set() where we constantly keep finding xattr +block for reuse in mbcache but we are unable to reuse it because its +reference count is too big. This happens because cache entry for the +xattr block is marked as reusable (e_reusable set) although its +reference count is too big. When this inconsistency happens, this +inconsistent state is kept indefinitely and so ext4_xattr_block_set() +keeps retrying indefinitely. + +The inconsistent state is caused by non-atomic update of e_reusable bit. +e_reusable is part of a bitfield and e_reusable update can race with +update of e_referenced bit in the same bitfield resulting in loss of one +of the updates. Fix the problem by using atomic bitops instead. + +This bug has been around for many years, but it became *much* easier +to hit after commit 65f8b80053a1 ("ext4: fix race when reusing xattr +blocks"). + +Cc: stable@vger.kernel.org +Fixes: 6048c64b2609 ("mbcache: add reusable flag to cache entries") +Fixes: 65f8b80053a1 ("ext4: fix race when reusing xattr blocks") +Reported-and-tested-by: Jeremi Piotrowski <jpiotrowski@linux.microsoft.com> +Reported-by: Thilo Fromm <t-lo@linux.microsoft.com> +Link: https://lore.kernel.org/r/c77bf00f-4618-7149-56f1-b8d1664b9d07@linux.microsoft.com/ +Signed-off-by: Jan Kara <jack@suse.cz> +Reviewed-by: Andreas Dilger <adilger@dilger.ca> +Link: https://lore.kernel.org/r/20221123193950.16758-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/xattr.c | 27 ++++++++++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1209,6 +1209,24 @@ ext4_xattr_inode_dec_ref_all(handle_t *h + } + } + ++/* Cache entry flags */ ++enum { ++ MBE_REFERENCED_B = 0, ++ MBE_REUSABLE_B ++}; ++struct mb_cache_entry_alt { ++ /* List of entries in cache - protected by cache->c_list_lock */ ++ struct list_head e_list; ++ /* Hash table list - protected by hash chain bitlock */ ++ struct hlist_bl_node e_hash_list; ++ atomic_t e_refcnt; ++ /* Key in hash - stable during lifetime of the entry */ ++ u32 e_key; ++ unsigned long e_flags; ++ /* User provided value - stable during lifetime of the entry */ ++ u64 e_value; ++}; ++ + /* + * Release the xattr block BH: If the reference count is > 1, decrement it; + * otherwise free the block. +@@ -1264,7 +1282,8 @@ ext4_xattr_release_block(handle_t *handl + ce = mb_cache_entry_get(ea_block_cache, hash, + bh->b_blocknr); + if (ce) { +- ce->e_reusable = 1; ++ struct mb_cache_entry_alt *cea = (void*)ce; ++ set_bit(MBE_REUSABLE_B, &cea->e_flags); + mb_cache_entry_put(ea_block_cache, ce); + } + } +@@ -2019,8 +2038,10 @@ inserted: + } + ref = le32_to_cpu(BHDR(new_bh)->h_refcount) + 1; + BHDR(new_bh)->h_refcount = cpu_to_le32(ref); +- if (ref >= EXT4_XATTR_REFCOUNT_MAX) +- ce->e_reusable = 0; ++ if (ref >= EXT4_XATTR_REFCOUNT_MAX) { ++ struct mb_cache_entry_alt *cea = (void*)ce; ++ clear_bit(MBE_REUSABLE_B, &cea->e_flags); ++ } + ea_bdebug(new_bh, "reusing; refcount now=%d", + ref); + ext4_xattr_block_csum_set(inode, new_bh); --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-deadlock-when-converting-an-inline-director.patch @@ -0,0 +1,69 @@ +From f4ce24f54d9cca4f09a395f3eecce20d6bec4663 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Sat, 6 May 2023 21:04:01 -0400 +Subject: [PATCH] ext4: fix deadlock when converting an inline directory in + nojournal mode +Git-commit: f4ce24f54d9cca4f09a395f3eecce20d6bec4663 +Patch-mainline: v6.4-rc2 +References: bsc#1213105 + +In no journal mode, ext4_finish_convert_inline_dir() can self-deadlock +by calling ext4_handle_dirty_dirblock() when it already has taken the +directory lock. There is a similar self-deadlock in +ext4_incvert_inline_data_nolock() for data files which we'll fix at +the same time. + +A simple reproducer demonstrating the problem: + + mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64 + mount -t ext4 -o dirsync /dev/vdc /vdc + cd /vdc + mkdir file0 + cd file0 + touch file0 + touch file1 + attr -s BurnSpaceInEA -V abcde . + touch supercalifragilisticexpialidocious + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230507021608.1290720-1-tytso@mit.edu +Reported-by: syzbot+91dccab7c64e2850a4e5@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=ba84cc80a9491d65416bc7877e1650c87530fe8a +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inline.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 859bc4e2c9b0..d3dfc51a43c5 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1175,6 +1175,7 @@ static int ext4_finish_convert_inline_dir(handle_t *handle, + ext4_initialize_dirent_tail(dir_block, + inode->i_sb->s_blocksize); + set_buffer_uptodate(dir_block); ++ unlock_buffer(dir_block); + err = ext4_handle_dirty_dirblock(handle, inode, dir_block); + if (err) + return err; +@@ -1249,6 +1250,7 @@ static int ext4_convert_inline_data_nolock(handle_t *handle, + if (!S_ISDIR(inode->i_mode)) { + memcpy(data_bh->b_data, buf, inline_size); + set_buffer_uptodate(data_bh); ++ unlock_buffer(data_bh); + error = ext4_handle_dirty_metadata(handle, + inode, data_bh); + } else { +@@ -1256,7 +1258,6 @@ static int ext4_convert_inline_data_nolock(handle_t *handle, + buf, inline_size); + } + +- unlock_buffer(data_bh); + out_restore: + if (error) + ext4_restore_inline_data(handle, inode, iloc, buf, inline_size); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-delayed-allocation-bug-in-ext4_clu_mapped-f.patch @@ -0,0 +1,63 @@ +From 131294c35ed6f777bd4e79d42af13b5c41bf2775 Mon Sep 17 00:00:00 2001 +From: Eric Whitney <enwlinux@gmail.com> +Date: Thu, 17 Nov 2022 10:22:07 -0500 +Subject: [PATCH] ext4: fix delayed allocation bug in ext4_clu_mapped for + bigalloc + inline +Git-commit: 131294c35ed6f777bd4e79d42af13b5c41bf2775 +Patch-mainline: v6.2-rc1 +References: bsc#1207631 + +When converting files with inline data to extents, delayed allocations +made on a file system created with both the bigalloc and inline options +can result in invalid extent status cache content, incorrect reserved +cluster counts, kernel memory leaks, and potential kernel panics. + +With bigalloc, the code that determines whether a block must be +delayed allocated searches the extent tree to see if that block maps +to a previously allocated cluster. If not, the block is delayed +allocated, and otherwise, it isn't. However, if the inline option is +also used, and if the file containing the block is marked as able to +store data inline, there isn't a valid extent tree associated with +the file. The current code in ext4_clu_mapped() calls +ext4_find_extent() to search the non-existent tree for a previously +allocated cluster anyway, which typically finds nothing, as desired. +However, a side effect of the search can be to cache invalid content +from the non-existent tree (garbage) in the extent status tree, +including bogus entries in the pending reservation tree. + +To fix this, avoid searching the extent tree when allocating blocks +for bigalloc + inline files that are being converted from inline to +extent mapped. + +Signed-off-by: Eric Whitney <enwlinux@gmail.com> +Link: https://lore.kernel.org/r/20221117152207.2424-1-enwlinux@gmail.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/extents.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index ec008278d970..9de1c9d1a13d 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5797,6 +5797,14 @@ int ext4_clu_mapped(struct inode *inode, ext4_lblk_t lclu) + struct ext4_extent *extent; + ext4_lblk_t first_lblk, first_lclu, last_lclu; + ++ /* ++ * if data can be stored inline, the logical cluster isn't ++ * mapped - no physical clusters have been allocated, and the ++ * file has no extents ++ */ ++ if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) ++ return 0; ++ + /* search for the extent closest to the first block in the cluster */ + path = ext4_find_extent(inode, EXT4_C2B(sbi, lclu), NULL, 0); + if (IS_ERR(path)) { +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-dir-corruption-when-ext4_dx_add_entry-fails.patch @@ -0,0 +1,100 @@ +From 7177dd009c7c04290891e9a534cd47d1b620bd04 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng <chengzhihao1@huawei.com> +Date: Sun, 11 Sep 2022 12:52:04 +0800 +Subject: [PATCH] ext4: fix dir corruption when ext4_dx_add_entry() fails +Git-commit: 7177dd009c7c04290891e9a534cd47d1b620bd04 +Patch-mainline: v6.1-rc1 +References: bsc#1207608 + +Following process may lead to fs corruption: +1. ext4_create(dir/foo) + ext4_add_nondir + ext4_add_entry + ext4_dx_add_entry + a. add_dirent_to_buf + ext4_mark_inode_dirty + ext4_handle_dirty_metadata // dir inode bh is recorded into journal + b. ext4_append // dx_get_count(entries) == dx_get_limit(entries) + ext4_bread(EXT4_GET_BLOCKS_CREATE) + ext4_getblk + ext4_map_blocks + ext4_ext_map_blocks + ext4_mb_new_blocks + dquot_alloc_block + dquot_alloc_space_nodirty + inode_add_bytes // update dir's i_blocks + ext4_ext_insert_extent + ext4_ext_dirty // record extent bh into journal + ext4_handle_dirty_metadata(bh) + // record new block into journal + inode->i_size += inode->i_sb->s_blocksize // new size(in mem) + c. ext4_handle_dirty_dx_node(bh2) + // record dir's new block(dx_node) into journal + d. ext4_handle_dirty_dx_node((frame - 1)->bh) + e. ext4_handle_dirty_dx_node(frame->bh) + f. do_split // ret err! + g. add_dirent_to_buf + ext4_mark_inode_dirty(dir) // update raw_inode on disk(skipped) +2. fsck -a /dev/sdb + drop last block(dx_node) which beyonds dir's i_size. + /dev/sdb: recovering journal + /dev/sdb contains a file system with errors, check forced. + /dev/sdb: Inode 12, end of extent exceeds allowed value + (logical block 128, physical block 3938, len 1) +3. fsck -fn /dev/sdb + dx_node->entry[i].blk > dir->i_size + Pass 2: Checking directory structure + Problem in HTREE directory inode 12 (/dir): bad block number 128. + Clear HTree index? no + Problem in HTREE directory inode 12: block #3 has invalid depth (2) + Problem in HTREE directory inode 12: block #3 has bad max hash + Problem in HTREE directory inode 12: block #3 not referenced + +Fix it by marking inode dirty directly inside ext4_append(). +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216466 +Cc: stable@vger.kernel.org +Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220911045204.516460-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index bc2e0612ec32..4183a4cb4a21 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -85,15 +85,20 @@ static struct buffer_head *ext4_append(handle_t *handle, + return bh; + inode->i_size += inode->i_sb->s_blocksize; + EXT4_I(inode)->i_disksize = inode->i_size; ++ err = ext4_mark_inode_dirty(handle, inode); ++ if (err) ++ goto out; + BUFFER_TRACE(bh, "get_write_access"); + err = ext4_journal_get_write_access(handle, inode->i_sb, bh, + EXT4_JTR_NONE); +- if (err) { +- brelse(bh); +- ext4_std_error(inode->i_sb, err); +- return ERR_PTR(err); +- } ++ if (err) ++ goto out; + return bh; ++ ++out: ++ brelse(bh); ++ ext4_std_error(inode->i_sb, err); ++ return ERR_PTR(err); + } + + static int ext4_dx_csum_verify(struct inode *inode, +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-error-code-return-to-user-space-in-ext4_get.patch @@ -0,0 +1,57 @@ +From 26d75a16af285a70863ba6a81f85d81e7e65da50 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= <lhenriques@suse.de> +Date: Wed, 9 Nov 2022 18:14:45 +0000 +Subject: [PATCH] ext4: fix error code return to user-space in + ext4_get_branch() +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 26d75a16af285a70863ba6a81f85d81e7e65da50 +Patch-mainline: v6.2-rc1 +References: bsc#1207630 + +If a block is out of range in ext4_get_branch(), -ENOMEM will be returned +to user-space. Obviously, this error code isn't really useful. This +patch fixes it by making sure the right error code (-EFSCORRUPTED) is +propagated to user-space. EUCLEAN is more informative than ENOMEM. + +Signed-off-by: LuÃs Henriques <lhenriques@suse.de> +Link: https://lore.kernel.org/r/20221109181445.17843-1-lhenriques@suse.de +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/indirect.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c +index 860fc5119009..c68bebe7ff4b 100644 +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -148,6 +148,7 @@ static Indirect *ext4_get_branch(struct inode *inode, int depth, + struct super_block *sb = inode->i_sb; + Indirect *p = chain; + struct buffer_head *bh; ++ unsigned int key; + int ret = -EIO; + + *err = 0; +@@ -156,7 +157,13 @@ static Indirect *ext4_get_branch(struct inode *inode, int depth, + if (!p->key) + goto no_block; + while (--depth) { +- bh = sb_getblk(sb, le32_to_cpu(p->key)); ++ key = le32_to_cpu(p->key); ++ if (key > ext4_blocks_count(EXT4_SB(sb)->s_es)) { ++ /* the block was out of range */ ++ ret = -EFSCORRUPTED; ++ goto failure; ++ } ++ bh = sb_getblk(sb, key); + if (unlikely(!bh)) { + ret = -ENOMEM; + goto failure; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-error-handling-in-ext4_fc_record_modified_i.patch @@ -0,0 +1,187 @@ +From cdce59a1549190b66f8e3fe465c2b2f714b98a94 Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani <riteshh@linux.ibm.com> +Date: Mon, 17 Jan 2022 17:41:49 +0530 +Subject: [PATCH] ext4: fix error handling in ext4_fc_record_modified_inode() +Git-commit: cdce59a1549190b66f8e3fe465c2b2f714b98a94 +Patch-mainline: v5.17-rc3 +References: bsc#1202767 + +Current code does not fully takes care of krealloc() error case, which +could lead to silent memory corruption or a kernel bug. This patch +fixes that. + +Also it cleans up some duplicated error handling logic from various +functions in fast_commit.c file. + +Reported-by: luo penghao <luo.penghao@zte.com.cn> +Suggested-by: Lukas Czerner <lczerner@redhat.com> +Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/62e8b6a1cce9359682051deb736a3c0953c9d1e9.1642416995.git.riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 64 ++++++++++++++++++++----------------------- + 1 file changed, 29 insertions(+), 35 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index ccd2b216d6ba..5934c23e153e 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1410,14 +1410,15 @@ static int ext4_fc_record_modified_inode(struct super_block *sb, int ino) + if (state->fc_modified_inodes[i] == ino) + return 0; + if (state->fc_modified_inodes_used == state->fc_modified_inodes_size) { +- state->fc_modified_inodes_size += +- EXT4_FC_REPLAY_REALLOC_INCREMENT; + state->fc_modified_inodes = krealloc( +- state->fc_modified_inodes, sizeof(int) * +- state->fc_modified_inodes_size, +- GFP_KERNEL); ++ state->fc_modified_inodes, ++ sizeof(int) * (state->fc_modified_inodes_size + ++ EXT4_FC_REPLAY_REALLOC_INCREMENT), ++ GFP_KERNEL); + if (!state->fc_modified_inodes) + return -ENOMEM; ++ state->fc_modified_inodes_size += ++ EXT4_FC_REPLAY_REALLOC_INCREMENT; + } + state->fc_modified_inodes[state->fc_modified_inodes_used++] = ino; + return 0; +@@ -1449,7 +1450,9 @@ static int ext4_fc_replay_inode(struct super_block *sb, struct ext4_fc_tl *tl, + } + inode = NULL; + +- ext4_fc_record_modified_inode(sb, ino); ++ ret = ext4_fc_record_modified_inode(sb, ino); ++ if (ret) ++ goto out; + + raw_fc_inode = (struct ext4_inode *) + (val + offsetof(struct ext4_fc_inode, fc_raw_inode)); +@@ -1649,6 +1652,8 @@ static int ext4_fc_replay_add_range(struct super_block *sb, + } + + ret = ext4_fc_record_modified_inode(sb, inode->i_ino); ++ if (ret) ++ goto out; + + start = le32_to_cpu(ex->ee_block); + start_pblk = ext4_ext_pblock(ex); +@@ -1666,18 +1671,14 @@ static int ext4_fc_replay_add_range(struct super_block *sb, + map.m_pblk = 0; + ret = ext4_map_blocks(NULL, inode, &map, 0); + +- if (ret < 0) { +- iput(inode); +- return 0; +- } ++ if (ret < 0) ++ goto out; + + if (ret == 0) { + /* Range is not mapped */ + path = ext4_find_extent(inode, cur, NULL, 0); +- if (IS_ERR(path)) { +- iput(inode); +- return 0; +- } ++ if (IS_ERR(path)) ++ goto out; + memset(&newex, 0, sizeof(newex)); + newex.ee_block = cpu_to_le32(cur); + ext4_ext_store_pblock( +@@ -1691,10 +1692,8 @@ static int ext4_fc_replay_add_range(struct super_block *sb, + up_write((&EXT4_I(inode)->i_data_sem)); + ext4_ext_drop_refs(path); + kfree(path); +- if (ret) { +- iput(inode); +- return 0; +- } ++ if (ret) ++ goto out; + goto next; + } + +@@ -1707,10 +1706,8 @@ static int ext4_fc_replay_add_range(struct super_block *sb, + ret = ext4_ext_replay_update_ex(inode, cur, map.m_len, + ext4_ext_is_unwritten(ex), + start_pblk + cur - start); +- if (ret) { +- iput(inode); +- return 0; +- } ++ if (ret) ++ goto out; + /* + * Mark the old blocks as free since they aren't used + * anymore. We maintain an array of all the modified +@@ -1730,10 +1727,8 @@ static int ext4_fc_replay_add_range(struct super_block *sb, + ext4_ext_is_unwritten(ex), map.m_pblk); + ret = ext4_ext_replay_update_ex(inode, cur, map.m_len, + ext4_ext_is_unwritten(ex), map.m_pblk); +- if (ret) { +- iput(inode); +- return 0; +- } ++ if (ret) ++ goto out; + /* + * We may have split the extent tree while toggling the state. + * Try to shrink the extent tree now. +@@ -1745,6 +1740,7 @@ static int ext4_fc_replay_add_range(struct super_block *sb, + } + ext4_ext_replay_shrink_inode(inode, i_size_read(inode) >> + sb->s_blocksize_bits); ++out: + iput(inode); + return 0; + } +@@ -1774,6 +1770,8 @@ ext4_fc_replay_del_range(struct super_block *sb, struct ext4_fc_tl *tl, + } + + ret = ext4_fc_record_modified_inode(sb, inode->i_ino); ++ if (ret) ++ goto out; + + jbd_debug(1, "DEL_RANGE, inode %ld, lblk %d, len %d\n", + inode->i_ino, le32_to_cpu(lrange.fc_lblk), +@@ -1783,10 +1781,8 @@ ext4_fc_replay_del_range(struct super_block *sb, struct ext4_fc_tl *tl, + map.m_len = remaining; + + ret = ext4_map_blocks(NULL, inode, &map, 0); +- if (ret < 0) { +- iput(inode); +- return 0; +- } ++ if (ret < 0) ++ goto out; + if (ret > 0) { + remaining -= ret; + cur += ret; +@@ -1801,15 +1797,13 @@ ext4_fc_replay_del_range(struct super_block *sb, struct ext4_fc_tl *tl, + ret = ext4_ext_remove_space(inode, lrange.fc_lblk, + lrange.fc_lblk + lrange.fc_len - 1); + up_write(&EXT4_I(inode)->i_data_sem); +- if (ret) { +- iput(inode); +- return 0; +- } ++ if (ret) ++ goto out; + ext4_ext_replay_shrink_inode(inode, + i_size_read(inode) >> sb->s_blocksize_bits); + ext4_mark_inode_dirty(NULL, inode); ++out: + iput(inode); +- + return 0; + } + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-error-handling-in-ext4_restore_inline_data.patch @@ -0,0 +1,65 @@ +From 897026aaa73eb2517dfea8d147f20ddb0b813044 Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani <riteshh@linux.ibm.com> +Date: Mon, 17 Jan 2022 17:41:47 +0530 +Subject: [PATCH] ext4: fix error handling in ext4_restore_inline_data() +Git-commit: 897026aaa73eb2517dfea8d147f20ddb0b813044 +Patch-mainline: v5.17-rc3 +References: bsc#1197757 + +While running "./check -I 200 generic/475" it sometimes gives below +kernel BUG(). Ideally we should not call ext4_write_inline_data() if +ext4_create_inline_data() has failed. + +<log snip> +[73131.453234] kernel BUG at fs/ext4/inline.c:223! + +<code snip> + 212 static void ext4_write_inline_data(struct inode *inode, struct ext4_iloc *iloc, + 213 void *buffer, loff_t pos, unsigned int len) + 214 { +<...> + 223 BUG_ON(!EXT4_I(inode)->i_inline_off); + 224 BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); + +This patch handles the error and prints out a emergency msg saying potential +data loss for the given inode (since we couldn't restore the original +inline_data due to some previous error). + +[ 9571.070313] EXT4-fs (dm-0): error restoring inline_data for inode -- potential data loss! (inode 1703982, error -30) + +Reported-by: Eric Whitney <enwlinux@gmail.com> +Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/9f4cd7dfd54fa58ff27270881823d94ddf78dd07.1642416995.git.riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inline.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 39a1ab129fdc..d091133a4b46 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1133,7 +1133,15 @@ static void ext4_restore_inline_data(handle_t *handle, struct inode *inode, + struct ext4_iloc *iloc, + void *buf, int inline_size) + { +- ext4_create_inline_data(handle, inode, inline_size); ++ int ret; ++ ++ ret = ext4_create_inline_data(handle, inode, inline_size); ++ if (ret) { ++ ext4_msg(inode->i_sb, KERN_EMERG, ++ "error restoring inline_data for inode -- potential data loss! (inode %lu, error %d)", ++ inode->i_ino, ret); ++ return; ++ } + ext4_write_inline_data(inode, iloc, buf, 0, inline_size); + ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); + } +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-ext4_fc_stats-trace-point.patch @@ -0,0 +1,136 @@ +From: Ritesh Harjani <riteshh@linux.ibm.com> +Date: Sat, 12 Mar 2022 11:09:47 +0530 +Subject: ext4: fix ext4_fc_stats trace point +Git-commit: 7af1974af0a9ba8a8ed2e3e947d87dd4d9a78d27 +Patch-mainline: v5.17 or v5.17-rc9 (next release) +References: git-fixes + +ftrace's __print_symbolic() requires that any enum values used in the +symbol to string translation table be wrapped in a TRACE_DEFINE_ENUM +so that the enum value can be decoded from the ftrace ring buffer by +user space tooling. + +This patch also fixes few other problems found in this trace point. +e.g. dereferencing structures in TP_printk which should not be done +at any cost. + +Also to avoid checkpatch warnings, this patch removes those +whitespaces/tab stops issues. + +Cc: stable@kernel.org +Fixes: aa75f4d3daae ("ext4: main fast-commit commit path") +Reported-by: Steven Rostedt <rostedt@goodmis.org> +Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org> +Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com> +Link: https://lore.kernel.org/r/b4b9691414c35c62e570b723e661c80674169f9a.1647057583.git.riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Miroslav Benes <mbenes@suse.cz> +--- + include/trace/events/ext4.h | 78 ++++++++++++++++++++++++++++----------------- + 1 file changed, 49 insertions(+), 29 deletions(-) + +diff --git a/include/trace/events/ext4.h b/include/trace/events/ext4.h +index 19e957b7f941..1a0b7030f72a 100644 +--- a/include/trace/events/ext4.h ++++ b/include/trace/events/ext4.h +@@ -95,6 +95,17 @@ TRACE_DEFINE_ENUM(ES_REFERENCED_B); + { FALLOC_FL_COLLAPSE_RANGE, "COLLAPSE_RANGE"}, \ + { FALLOC_FL_ZERO_RANGE, "ZERO_RANGE"}) + ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_XATTR); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_CROSS_RENAME); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_JOURNAL_FLAG_CHANGE); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_NOMEM); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_SWAP_BOOT); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_RESIZE); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_RENAME_DIR); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_FALLOC_RANGE); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_INODE_JOURNAL_DATA); ++TRACE_DEFINE_ENUM(EXT4_FC_REASON_MAX); ++ + #define show_fc_reason(reason) \ + __print_symbolic(reason, \ + { EXT4_FC_REASON_XATTR, "XATTR"}, \ +@@ -2723,41 +2734,50 @@ TRACE_EVENT(ext4_fc_commit_stop, + + #define FC_REASON_NAME_STAT(reason) \ + show_fc_reason(reason), \ +- __entry->sbi->s_fc_stats.fc_ineligible_reason_count[reason] ++ __entry->fc_ineligible_rc[reason] + + TRACE_EVENT(ext4_fc_stats, +- TP_PROTO(struct super_block *sb), +- +- TP_ARGS(sb), ++ TP_PROTO(struct super_block *sb), + +- TP_STRUCT__entry( +- __field(dev_t, dev) +- __field(struct ext4_sb_info *, sbi) +- __field(int, count) +- ), ++ TP_ARGS(sb), + +- TP_fast_assign( +- __entry->dev = sb->s_dev; +- __entry->sbi = EXT4_SB(sb); +- ), ++ TP_STRUCT__entry( ++ __field(dev_t, dev) ++ __array(unsigned int, fc_ineligible_rc, EXT4_FC_REASON_MAX) ++ __field(unsigned long, fc_commits) ++ __field(unsigned long, fc_ineligible_commits) ++ __field(unsigned long, fc_numblks) ++ ), + +- TP_printk("dev %d:%d fc ineligible reasons:\n" +- "%s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d, %s:%d; " +- "num_commits:%ld, ineligible: %ld, numblks: %ld", +- MAJOR(__entry->dev), MINOR(__entry->dev), +- FC_REASON_NAME_STAT(EXT4_FC_REASON_XATTR), +- FC_REASON_NAME_STAT(EXT4_FC_REASON_CROSS_RENAME), +- FC_REASON_NAME_STAT(EXT4_FC_REASON_JOURNAL_FLAG_CHANGE), +- FC_REASON_NAME_STAT(EXT4_FC_REASON_NOMEM), +- FC_REASON_NAME_STAT(EXT4_FC_REASON_SWAP_BOOT), +- FC_REASON_NAME_STAT(EXT4_FC_REASON_RESIZE), +- FC_REASON_NAME_STAT(EXT4_FC_REASON_RENAME_DIR), +- FC_REASON_NAME_STAT(EXT4_FC_REASON_FALLOC_RANGE), +- FC_REASON_NAME_STAT(EXT4_FC_REASON_INODE_JOURNAL_DATA), +- __entry->sbi->s_fc_stats.fc_num_commits, +- __entry->sbi->s_fc_stats.fc_ineligible_commits, +- __entry->sbi->s_fc_stats.fc_numblks) ++ TP_fast_assign( ++ int i; + ++ __entry->dev = sb->s_dev; ++ for (i = 0; i < EXT4_FC_REASON_MAX; i++) { ++ __entry->fc_ineligible_rc[i] = ++ EXT4_SB(sb)->s_fc_stats.fc_ineligible_reason_count[i]; ++ } ++ __entry->fc_commits = EXT4_SB(sb)->s_fc_stats.fc_num_commits; ++ __entry->fc_ineligible_commits = ++ EXT4_SB(sb)->s_fc_stats.fc_ineligible_commits; ++ __entry->fc_numblks = EXT4_SB(sb)->s_fc_stats.fc_numblks; ++ ), ++ ++ TP_printk("dev %d,%d fc ineligible reasons:\n" ++ "%s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u " ++ "num_commits:%lu, ineligible: %lu, numblks: %lu", ++ MAJOR(__entry->dev), MINOR(__entry->dev), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_XATTR), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_CROSS_RENAME), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_JOURNAL_FLAG_CHANGE), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_NOMEM), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_SWAP_BOOT), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_RESIZE), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_RENAME_DIR), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_FALLOC_RANGE), ++ FC_REASON_NAME_STAT(EXT4_FC_REASON_INODE_JOURNAL_DATA), ++ __entry->fc_commits, __entry->fc_ineligible_commits, ++ __entry->fc_numblks) + ); + + #define DEFINE_TRACE_DENTRY_EVENT(__type) \ + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-fallocate-to-use-file_modified-to-update-pe.patch @@ -0,0 +1,171 @@ +From ad5cd4f4ee4d5fcdb1bfb7a0c073072961e70783 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" <djwong@kernel.org> +Date: Tue, 8 Mar 2022 10:50:43 -0800 +Subject: [PATCH] ext4: fix fallocate to use file_modified to update + permissions consistently +Git-commit: ad5cd4f4ee4d5fcdb1bfb7a0c073072961e70783 +Patch-mainline: v5.18-rc4 +References: bsc#1202769 + +Since the initial introduction of (posix) fallocate back at the turn of +the century, it has been possible to use this syscall to change the +user-visible contents of files. This can happen by extending the file +size during a preallocation, or through any of the newer modes (punch, +zero, collapse, insert range). Because the call can be used to change +file contents, we should treat it like we do any other modification to a +file -- update the mtime, and drop set[ug]id privileges/capabilities. + +The VFS function file_modified() does all this for us if pass it a +locked inode, so let's make fallocate drop permissions correctly. + +Signed-off-by: Darrick J. Wong <djwong@kernel.org> +Link: https://lore.kernel.org/r/20220308185043.GA117678@magnolia +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 2 +- + fs/ext4/extents.c | 32 +++++++++++++++++++++++++------- + fs/ext4/inode.c | 7 ++++++- + 3 files changed, 32 insertions(+), 9 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2980,7 +2980,7 @@ extern int ext4_inode_attach_jinode(stru + extern int ext4_can_truncate(struct inode *inode); + extern int ext4_truncate(struct inode *); + extern int ext4_break_layouts(struct inode *); +-extern int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length); ++extern int ext4_punch_hole(struct file *file, loff_t offset, loff_t length); + extern void ext4_set_inode_flags(struct inode *, bool init); + extern int ext4_alloc_da_blocks(struct inode *inode); + extern void ext4_set_aops(struct inode *inode); +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4503,9 +4503,9 @@ retry: + return ret > 0 ? ret2 : ret; + } + +-static int ext4_collapse_range(struct inode *inode, loff_t offset, loff_t len); ++static int ext4_collapse_range(struct file *file, loff_t offset, loff_t len); + +-static int ext4_insert_range(struct inode *inode, loff_t offset, loff_t len); ++static int ext4_insert_range(struct file *file, loff_t offset, loff_t len); + + static long ext4_zero_range(struct file *file, loff_t offset, + loff_t len, int mode) +@@ -4577,6 +4577,10 @@ static long ext4_zero_range(struct file + /* Wait all existing dio workers, newcomers will block on i_mutex */ + inode_dio_wait(inode); + ++ ret = file_modified(file); ++ if (ret) ++ goto out_mutex; ++ + /* Preallocate the range including the unaligned edges */ + if (partial_begin || partial_end) { + ret = ext4_alloc_file_blocks(file, +@@ -4695,7 +4699,7 @@ long ext4_fallocate(struct file *file, i + ext4_fc_start_update(inode); + + if (mode & FALLOC_FL_PUNCH_HOLE) { +- ret = ext4_punch_hole(inode, offset, len); ++ ret = ext4_punch_hole(file, offset, len); + goto exit; + } + +@@ -4704,12 +4708,12 @@ long ext4_fallocate(struct file *file, i + goto exit; + + if (mode & FALLOC_FL_COLLAPSE_RANGE) { +- ret = ext4_collapse_range(inode, offset, len); ++ ret = ext4_collapse_range(file, offset, len); + goto exit; + } + + if (mode & FALLOC_FL_INSERT_RANGE) { +- ret = ext4_insert_range(inode, offset, len); ++ ret = ext4_insert_range(file, offset, len); + goto exit; + } + +@@ -4745,6 +4749,10 @@ long ext4_fallocate(struct file *file, i + /* Wait all existing dio workers, newcomers will block on i_mutex */ + inode_dio_wait(inode); + ++ ret = file_modified(file); ++ if (ret) ++ goto out; ++ + ret = ext4_alloc_file_blocks(file, lblk, max_blocks, new_size, flags); + if (ret) + goto out; +@@ -5247,8 +5255,9 @@ out: + * This implements the fallocate's collapse range functionality for ext4 + * Returns: 0 and non-zero on error. + */ +-static int ext4_collapse_range(struct inode *inode, loff_t offset, loff_t len) ++static int ext4_collapse_range(struct file *file, loff_t offset, loff_t len) + { ++ struct inode *inode = file_inode(file); + struct super_block *sb = inode->i_sb; + struct address_space *mapping = inode->i_mapping; + ext4_lblk_t punch_start, punch_stop; +@@ -5300,6 +5309,10 @@ static int ext4_collapse_range(struct in + /* Wait for existing dio to complete */ + inode_dio_wait(inode); + ++ ret = file_modified(file); ++ if (ret) ++ goto out_mutex; ++ + /* + * Prevent page faults from reinstantiating pages we have released from + * page cache. +@@ -5394,8 +5407,9 @@ out_mutex: + * by len bytes. + * Returns 0 on success, error otherwise. + */ +-static int ext4_insert_range(struct inode *inode, loff_t offset, loff_t len) ++static int ext4_insert_range(struct file *file, loff_t offset, loff_t len) + { ++ struct inode *inode = file_inode(file); + struct super_block *sb = inode->i_sb; + struct address_space *mapping = inode->i_mapping; + handle_t *handle; +@@ -5452,6 +5466,10 @@ static int ext4_insert_range(struct inod + /* Wait for existing dio to complete */ + inode_dio_wait(inode); + ++ ret = file_modified(file); ++ if (ret) ++ goto out_mutex; ++ + /* + * Prevent page faults from reinstantiating pages we have released from + * page cache. +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3991,8 +3991,9 @@ int ext4_break_layouts(struct inode *ino + * Returns: 0 on success or negative on failure + */ + +-int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length) ++int ext4_punch_hole(struct file *file, loff_t offset, loff_t length) + { ++ struct inode *inode = file_inode(file); + struct super_block *sb = inode->i_sb; + ext4_lblk_t first_block, stop_block; + struct address_space *mapping = inode->i_mapping; +@@ -4054,6 +4055,10 @@ int ext4_punch_hole(struct inode *inode, + /* Wait all existing dio workers, newcomers will block on i_mutex */ + inode_dio_wait(inode); + ++ ret = file_modified(file); ++ if (ret) ++ goto out_mutex; ++ + /* + * Prevent page faults from reinstantiating pages we have released from + * page cache. --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-fast-commit-may-miss-tracking-range-for-FAL.patch @@ -0,0 +1,62 @@ +From 5e4d0eba1ccaf19f93222abdeda5a368be141785 Mon Sep 17 00:00:00 2001 +From: Xin Yin <yinxin.x@bytedance.com> +Date: Tue, 21 Dec 2021 10:28:39 +0800 +Subject: [PATCH] ext4: fix fast commit may miss tracking range for + FALLOC_FL_ZERO_RANGE +Git-commit: 5e4d0eba1ccaf19f93222abdeda5a368be141785 +Patch-mainline: v5.17-rc1 +References: bsc#1202757 + +when call falloc with FALLOC_FL_ZERO_RANGE, to set an range to unwritten, +which has been already initialized. If the range is align to blocksize, +fast commit will not track range for this change. + +Also track range for unwritten range in ext4_map_blocks(). + +Signed-off-by: Xin Yin <yinxin.x@bytedance.com> +Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com> +Link: https://lore.kernel.org/r/20211221022839.374606-1-yinxin.x@bytedance.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/extents.c | 2 -- + fs/ext4/inode.c | 7 ++++--- + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 38111ea18ae1..c3e76a5de661 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4647,8 +4647,6 @@ static long ext4_zero_range(struct file *file, loff_t offset, + ret = ext4_mark_inode_dirty(handle, inode); + if (unlikely(ret)) + goto out_handle; +- ext4_fc_track_range(handle, inode, offset >> inode->i_sb->s_blocksize_bits, +- (offset + len - 1) >> inode->i_sb->s_blocksize_bits); + /* Zero out partial block at the edges of the range */ + ret = ext4_zero_partial_blocks(handle, inode, offset, len); + if (ret >= 0) +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 82f555d26980..4895909de21b 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -741,10 +741,11 @@ int ext4_map_blocks(handle_t *handle, struct inode *inode, + if (ret) + return ret; + } +- ext4_fc_track_range(handle, inode, map->m_lblk, +- map->m_lblk + map->m_len - 1); + } +- ++ if (retval > 0 && (map->m_flags & EXT4_MAP_UNWRITTEN || ++ map->m_flags & EXT4_MAP_MAPPED)) ++ ext4_fc_track_range(handle, inode, map->m_lblk, ++ map->m_lblk + map->m_len - 1); + if (retval < 0) + ext_debug(inode, "failed with err %d\n", retval); + return retval; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-fs-corruption-when-tring-to-remove-a-non-em.patch @@ -0,0 +1,163 @@ +From 7aab5c84a0f6ec2290e2ba4a6b245178b1bf949a Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Mon, 28 Feb 2022 10:48:15 +0800 +Subject: [PATCH] ext4: fix fs corruption when tring to remove a non-empty + directory with IO error +Git-commit: 7aab5c84a0f6ec2290e2ba4a6b245178b1bf949a +Patch-mainline: v5.18-rc1 +References: bsc#1202768 + +We inject IO error when rmdir non empty direcory, then got issue as follows: +Step1: mkfs.ext4 -F /dev/sda +Step2: mount /dev/sda test +Step3: cd test +Step4: mkdir -p 1/2 +Step5: rmdir 1 + [ 110.920551] ext4_empty_dir: inject fault + [ 110.921926] EXT4-fs warning (device sda): ext4_rmdir:3113: inode #12: + comm rmdir: empty directory '1' has too many links (3) +Step6: cd .. +Step7: umount test +Step8: fsck.ext4 -f /dev/sda + e2fsck 1.42.9 (28-Dec-2013) + Pass 1: Checking inodes, blocks, and sizes + Pass 2: Checking directory structure + Entry '..' in .../??? (13) has deleted/unused inode 12. Clear<y>? yes + Pass 3: Checking directory connectivity + Unconnected directory inode 13 (...) + Connect to /lost+found<y>? yes + Pass 4: Checking reference counts + Inode 13 ref count is 3, should be 2. Fix<y>? yes + Pass 5: Checking group summary information + + /dev/sda: ***** FILE SYSTEM WAS MODIFIED ***** + /dev/sda: 12/131072 files (0.0% non-contiguous), 26157/524288 blocks + +ext4_rmdir + if (!ext4_empty_dir(inode)) + goto end_rmdir; +ext4_empty_dir + bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE); + if (IS_ERR(bh)) + return true; +Now if read directory block failed, 'ext4_empty_dir' will return true, assume +directory is empty. Obviously, it will lead to above issue. +To solve this issue, if read directory block failed 'ext4_empty_dir' just +return false. To avoid making things worse when file system is already +corrupted, 'ext4_empty_dir' also return false. + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20220228024815.3952506-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inline.c | 9 ++++----- + fs/ext4/namei.c | 10 +++++----- + 2 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index e42941803605..9c076262770d 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1783,19 +1783,20 @@ bool empty_inline_dir(struct inode *dir, int *has_inline_data) + void *inline_pos; + unsigned int offset; + struct ext4_dir_entry_2 *de; +- bool ret = true; ++ bool ret = false; + + err = ext4_get_inode_loc(dir, &iloc); + if (err) { + EXT4_ERROR_INODE_ERR(dir, -err, + "error %d getting inode %lu block", + err, dir->i_ino); +- return true; ++ return false; + } + + down_read(&EXT4_I(dir)->xattr_sem); + if (!ext4_has_inline_data(dir)) { + *has_inline_data = 0; ++ ret = true; + goto out; + } + +@@ -1804,7 +1805,6 @@ bool empty_inline_dir(struct inode *dir, int *has_inline_data) + ext4_warning(dir->i_sb, + "bad inline directory (dir #%lu) - no `..'", + dir->i_ino); +- ret = true; + goto out; + } + +@@ -1823,16 +1823,15 @@ bool empty_inline_dir(struct inode *dir, int *has_inline_data) + dir->i_ino, le32_to_cpu(de->inode), + le16_to_cpu(de->rec_len), de->name_len, + inline_size); +- ret = true; + goto out; + } + if (le32_to_cpu(de->inode)) { +- ret = false; + goto out; + } + offset += ext4_rec_len_from_disk(de->rec_len, inline_size); + } + ++ ret = true; + out: + up_read(&EXT4_I(dir)->xattr_sem); + brelse(iloc.bh); +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 8cf0a924a49b..39e223f7bf64 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2997,14 +2997,14 @@ bool ext4_empty_dir(struct inode *inode) + if (inode->i_size < ext4_dir_rec_len(1, NULL) + + ext4_dir_rec_len(2, NULL)) { + EXT4_ERROR_INODE(inode, "invalid size"); +- return true; ++ return false; + } + /* The first directory block must not be a hole, + * so treat it as DIRENT_HTREE + */ + bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE); + if (IS_ERR(bh)) +- return true; ++ return false; + + de = (struct ext4_dir_entry_2 *) bh->b_data; + if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size, +@@ -3012,7 +3012,7 @@ bool ext4_empty_dir(struct inode *inode) + le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) { + ext4_warning_inode(inode, "directory missing '.'"); + brelse(bh); +- return true; ++ return false; + } + offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize); + de = ext4_next_entry(de, sb->s_blocksize); +@@ -3021,7 +3021,7 @@ bool ext4_empty_dir(struct inode *inode) + le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) { + ext4_warning_inode(inode, "directory missing '..'"); + brelse(bh); +- return true; ++ return false; + } + offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize); + while (offset < inode->i_size) { +@@ -3035,7 +3035,7 @@ bool ext4_empty_dir(struct inode *inode) + continue; + } + if (IS_ERR(bh)) +- return true; ++ return false; + } + de = (struct ext4_dir_entry_2 *) (bh->b_data + + (offset & (sb->s_blocksize - 1))); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-i_disksize-exceeding-i_size-problem-in-pari.patch @@ -0,0 +1,75 @@ +From 1dedde690303c05ef732b7c5c8356fdf60a4ade3 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng <chengzhihao1@huawei.com> +Date: Tue, 21 Mar 2023 09:37:21 +0800 +Subject: [PATCH] ext4: fix i_disksize exceeding i_size problem in paritally + written case +Git-commit: 1dedde690303c05ef732b7c5c8356fdf60a4ade3 +Patch-mainline: v6.4-rc1 +References: bsc#1213015 + +It is possible for i_disksize can exceed i_size, triggering a warning. + +generic_perform_write + copied = iov_iter_copy_from_user_atomic(len) // copied < len + ext4_da_write_end + | ext4_update_i_disksize + | new_i_size = pos + copied; + | WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize + | generic_write_end + | copied = block_write_end(copied, len) // copied = 0 + | if (unlikely(copied < len)) + | if (!PageUptodate(page)) + | copied = 0; + | if (pos + copied > inode->i_size) // return false + if (unlikely(copied == 0)) + goto again; + if (unlikely(iov_iter_fault_in_readable(i, bytes))) { + status = -EFAULT; + break; + } + +We get i_disksize greater than i_size here, which could trigger WARNING +check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio: + +ext4_dio_write_iter + iomap_dio_rw + __iomap_dio_rw // return err, length is not aligned to 512 + ext4_handle_inode_extension + WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops + + WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319 + CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2 + RIP: 0010:ext4_file_write_iter+0xbc7 + Call Trace: + vfs_write+0x3b1 + ksys_write+0x77 + do_syscall_64+0x39 + +Fix it by updating 'copied' value before updating i_disksize just like +ext4_write_inline_data_end() does. + +A reproducer can be found in the buganizer link below. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217209 +Fixes: 64769240bd07 ("ext4: Add delayed allocation support in data=writeback mode") +Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230321013721.89818-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3095,6 +3095,8 @@ static int ext4_da_write_end(struct file + len, copied, page, fsdata); + + trace_ext4_da_write_end(inode, pos, len, copied); ++ if (unlikely(copied < len) && !PageUptodate(page)) ++ copied = 0; + start = pos & (PAGE_SIZE - 1); + end = start + copied - 1; + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-incorrect-options-show-of-original-mount_op.patch @@ -0,0 +1,109 @@ +From e3645d72f8865ffe36f9dc811540d40aa3c848d3 Mon Sep 17 00:00:00 2001 +From: Zhang Yi <yi.zhang@huawei.com> +Date: Sun, 29 Jan 2023 11:49:39 +0800 +Subject: [PATCH] ext4: fix incorrect options show of original mount_opt and + extend mount_opt2 +Git-commit: e3645d72f8865ffe36f9dc811540d40aa3c848d3 +Patch-mainline: v6.3-rc1 +References: bsc#1210764 + +Current _ext4_show_options() do not distinguish MOPT_2 flag, so it mixed +extend sbi->s_mount_opt2 options with sbi->s_mount_opt, it could lead to +show incorrect options, e.g. show fc_debug_force if we mount with +errors=continue mode and miss it if we set. + + $ mkfs.ext4 /dev/pmem0 + $ mount -o errors=remount-ro /dev/pmem0 /mnt + $ cat /proc/fs/ext4/pmem0/options | grep fc_debug_force + #empty + $ mount -o remount,errors=continue /mnt + $ cat /proc/fs/ext4/pmem0/options | grep fc_debug_force + fc_debug_force + $ mount -o remount,errors=remount-ro,fc_debug_force /mnt + $ cat /proc/fs/ext4/pmem0/options | grep fc_debug_force + #empty + +Fixes: 995a3ed67fc8 ("ext4: add fast_commit feature and handling for extended mount options") +Signed-off-by: Zhang Yi <yi.zhang@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230129034939.3702550-1-yi.zhang@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 1 + + fs/ext4/super.c | 28 +++++++++++++++++++++------- + 2 files changed, 22 insertions(+), 7 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -1483,6 +1483,7 @@ struct ext4_sb_info { + unsigned int s_mount_opt2; + unsigned long s_mount_flags; + unsigned int s_def_mount_opt; ++ unsigned int s_def_mount_opt2; + ext4_fsblk_t s_sb_block; + atomic64_t s_resv_clusters; + kuid_t s_resuid; +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2538,7 +2538,7 @@ static int _ext4_show_options(struct seq + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_super_block *es = sbi->s_es; +- int def_errors, def_mount_opt = sbi->s_def_mount_opt; ++ int def_errors; + const struct mount_opts *m; + char sep = nodefs ? '\n' : ','; + +@@ -2550,15 +2550,28 @@ static int _ext4_show_options(struct seq + + for (m = ext4_mount_opts; m->token != Opt_err; m++) { + int want_set = m->flags & MOPT_SET; ++ int opt_2 = m->flags & MOPT_2; ++ unsigned int mount_opt, def_mount_opt; ++ + if (((m->flags & (MOPT_SET|MOPT_CLEAR)) == 0) || + (m->flags & MOPT_CLEAR_ERR) || m->flags & MOPT_SKIP) + continue; +- if (!nodefs && !(m->mount_opt & (sbi->s_mount_opt ^ def_mount_opt))) +- continue; /* skip if same as the default */ ++ ++ if (opt_2) { ++ mount_opt = sbi->s_mount_opt2; ++ def_mount_opt = sbi->s_def_mount_opt2; ++ } else { ++ mount_opt = sbi->s_mount_opt; ++ def_mount_opt = sbi->s_def_mount_opt; ++ } ++ /* skip if same as the default */ ++ if (!nodefs && !(m->mount_opt & (mount_opt ^ def_mount_opt))) ++ continue; ++ /* select Opt_noFoo vs Opt_Foo */ + if ((want_set && +- (sbi->s_mount_opt & m->mount_opt) != m->mount_opt) || +- (!want_set && (sbi->s_mount_opt & m->mount_opt))) +- continue; /* select Opt_noFoo vs Opt_Foo */ ++ (mount_opt & m->mount_opt) != m->mount_opt) || ++ (!want_set && (mount_opt & m->mount_opt))) ++ continue; + SEQ_OPTS_PRINT("%s", token2str(m->token)); + } + +@@ -2586,7 +2599,7 @@ static int _ext4_show_options(struct seq + if (nodefs || sbi->s_stripe) + SEQ_OPTS_PRINT("stripe=%lu", sbi->s_stripe); + if (nodefs || EXT4_MOUNT_DATA_FLAGS & +- (sbi->s_mount_opt ^ def_mount_opt)) { ++ (sbi->s_mount_opt ^ sbi->s_def_mount_opt)) { + if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA) + SEQ_OPTS_PUTS("data=journal"); + else if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_ORDERED_DATA) +@@ -4324,6 +4337,7 @@ static int ext4_fill_super(struct super_ + kfree(s_mount_opts); + } + sbi->s_def_mount_opt = sbi->s_mount_opt; ++ sbi->s_def_mount_opt2 = sbi->s_mount_opt2; + if (!parse_options((char *) data, sb, &parsed_opts, 0)) + goto failed_mount; + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-incorrect-type-issue-during-replay_del_rang.patch @@ -0,0 +1,42 @@ +From 8fca8a2b0a822f7936130af7299d2fd7f0a66714 Mon Sep 17 00:00:00 2001 +From: Xin Yin <yinxin.x@bytedance.com> +Date: Wed, 26 Jan 2022 14:31:46 +0800 +Subject: [PATCH] ext4: fix incorrect type issue during replay_del_range +Git-commit: 8fca8a2b0a822f7936130af7299d2fd7f0a66714 +Patch-mainline: v5.17-rc3 +References: bsc#1202867 + +should not use fast commit log data directly, add le32_to_cpu(). + +Reported-by: kernel test robot <lkp@intel.com> +Fixes: 0b5b5a62b945 ("ext4: use ext4_ext_remove_space() for fast commit replay delete range") +Cc: stable@kernel.org +Signed-off-by: Xin Yin <yinxin.x@bytedance.com> +Reviewed-by: Ritesh Harjani <riteshh@linux.ibm.com> +Link: https://lore.kernel.org/r/20220126063146.2302-1-yinxin.x@bytedance.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 5934c23e153e..7964ee34e322 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1794,8 +1794,9 @@ ext4_fc_replay_del_range(struct super_block *sb, struct ext4_fc_tl *tl, + } + + down_write(&EXT4_I(inode)->i_data_sem); +- ret = ext4_ext_remove_space(inode, lrange.fc_lblk, +- lrange.fc_lblk + lrange.fc_len - 1); ++ ret = ext4_ext_remove_space(inode, le32_to_cpu(lrange.fc_lblk), ++ le32_to_cpu(lrange.fc_lblk) + ++ le32_to_cpu(lrange.fc_len) - 1); + up_write(&EXT4_I(inode)->i_data_sem); + if (ret) + goto out; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-inode-leak-in-ext4_xattr_inode_create-on-an.patch @@ -0,0 +1,59 @@ +From e4db04f7d3dbbe16680e0ded27ea2a65b10f766a Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Thu, 8 Dec 2022 10:32:33 +0800 +Subject: [PATCH] ext4: fix inode leak in ext4_xattr_inode_create() on an error + path +Git-commit: e4db04f7d3dbbe16680e0ded27ea2a65b10f766a +Patch-mainline: v6.2-rc1 +References: bsc#1207636 + +There is issue as follows when do setxattr with inject fault: + +[localhost]# fsck.ext4 -fn /dev/sda +e2fsck 1.46.6-rc1 (12-Sep-2022) +Pass 1: Checking inodes, blocks, and sizes +Pass 2: Checking directory structure +Pass 3: Checking directory connectivity +Pass 4: Checking reference counts +Unattached zero-length inode 15. Clear? no + +Unattached inode 15 +Connect to /lost+found? no + +Pass 5: Checking group summary information + +/dev/sda: ********** WARNING: Filesystem still has errors ********** + +/dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks + +This occurs in 'ext4_xattr_inode_create()'. If 'ext4_mark_inode_dirty()' +fails, dropping i_nlink of the inode is needed. Or will lead to inode leak. + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221208023233.1231330-5-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/xattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index b666d3bf8b38..7decaaf27e82 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1441,6 +1441,9 @@ static struct inode *ext4_xattr_inode_create(handle_t *handle, + if (!err) + err = ext4_inode_attach_jinode(ea_inode); + if (err) { ++ if (ext4_xattr_inode_dec_ref(handle, ea_inode)) ++ ext4_warning_inode(ea_inode, ++ "cleanup dec ref error %d", err); + iput(ea_inode); + return ERR_PTR(err); + } +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-kernel-BUG-in-ext4_write_inline_data_end.patch @@ -0,0 +1,108 @@ +From 5c099c4fdc438014d5893629e70a8ba934433ee8 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Tue, 6 Dec 2022 22:41:34 +0800 +Subject: [PATCH] ext4: fix kernel BUG in 'ext4_write_inline_data_end()' +Git-commit: 5c099c4fdc438014d5893629e70a8ba934433ee8 +Patch-mainline: v6.2-rc1 +References: bsc#1206894 + +Syzbot report follow issue: + +Acked-by: Jan Kara <jack@suse.cz> + +------------[ cut here ]------------ +kernel BUG at fs/ext4/inline.c:227! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 3629 Comm: syz-executor212 Not tainted 6.1.0-rc5-syzkaller-00018-g59d0d52c30d4 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:227 +RSP: 0018:ffffc90003b3f368 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff8880704e16c0 RCX: 0000000000000000 +RDX: ffff888021763a80 RSI: ffffffff821e31a4 RDI: 0000000000000006 +RBP: 000000000006818e R08: 0000000000000006 R09: 0000000000068199 +R10: 0000000000000079 R11: 0000000000000000 R12: 000000000000000b +R13: 0000000000068199 R14: ffffc90003b3f408 R15: ffff8880704e1c82 +FS: 000055555723e3c0(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fffe8ac9080 CR3: 0000000079f81000 CR4: 0000000000350ee0 +Call Trace: + <TASK> + ext4_write_inline_data_end+0x2a3/0x12f0 fs/ext4/inline.c:768 + ext4_write_end+0x242/0xdd0 fs/ext4/inode.c:1313 + ext4_da_write_end+0x3ed/0xa30 fs/ext4/inode.c:3063 + generic_perform_write+0x316/0x570 mm/filemap.c:3764 + ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:285 + ext4_file_write_iter+0x8bc/0x16e0 fs/ext4/file.c:700 + call_write_iter include/linux/fs.h:2191 [inline] + do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735 + do_iter_write+0x182/0x700 fs/read_write.c:861 + vfs_iter_write+0x74/0xa0 fs/read_write.c:902 + iter_file_splice_write+0x745/0xc90 fs/splice.c:686 + do_splice_from fs/splice.c:764 [inline] + direct_splice_actor+0x114/0x180 fs/splice.c:931 + splice_direct_to_actor+0x335/0x8a0 fs/splice.c:886 + do_splice_direct+0x1ab/0x280 fs/splice.c:974 + do_sendfile+0xb19/0x1270 fs/read_write.c:1255 + __do_sys_sendfile64 fs/read_write.c:1323 [inline] + __se_sys_sendfile64 fs/read_write.c:1309 [inline] + __x64_sys_sendfile64+0x1d0/0x210 fs/read_write.c:1309 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +---[ end trace 0000000000000000 ]--- + +Above issue may happens as follows: +ext4_da_write_begin + ext4_da_write_inline_data_begin + ext4_da_convert_inline_data_to_extent + ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); +ext4_da_write_end + +ext4_run_li_request + ext4_mb_prefetch + ext4_read_block_bitmap_nowait + ext4_validate_block_bitmap + ext4_mark_group_bitmap_corrupted(sb, block_group, EXT4_GROUP_INFO_BBITMAP_CORRUPT) + percpu_counter_sub(&sbi->s_freeclusters_counter,grp->bb_free); + -> sbi->s_freeclusters_counter become zero +ext4_da_write_begin + if (ext4_nonda_switch(inode->i_sb)) -> As freeclusters_counter is zero will return true + *fsdata = (void *)FALL_BACK_TO_NONDELALLOC; + ext4_write_begin +ext4_da_write_end + if (write_mode == FALL_BACK_TO_NONDELALLOC) + ext4_write_end + if (inline_data) + ext4_write_inline_data_end + ext4_write_inline_data + BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); + -> As inode is already convert to extent, so 'pos + len' > inline_size + -> then trigger BUG. + +To solve this issue, instead of checking ext4_has_inline_data() which +is only cleared after data has been written back, check the +EXT4_STATE_MAY_INLINE_DATA flag in ext4_write_end(). + +Fixes: f19d5870cbf7 ("ext4: add normal write support for inline data") +Reported-by: syzbot+4faa160fa96bfba639f8@syzkaller.appspotmail.com +Reported-by: Jun Nie <jun.nie@linaro.org> +Signed-off-by: Ye Bin <yebin10@huawei.com> +Link: https://lore.kernel.org/r/20221206144134.1919987-1-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +--- + fs/ext4/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1294,7 +1294,8 @@ static int ext4_write_end(struct file *f + loff_t old_size = inode->i_size; + int ret = 0, ret2; + int i_size_changed = 0; +- int inline_data = ext4_has_inline_data(inode); ++ int inline_data = ext4_has_inline_data(inode) && ++ ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); + bool verity = ext4_verity_in_progress(inode); + + trace_ext4_write_end(inode, pos, len, copied); --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-leaking-uninitialized-memory-in-fast-commit.patch @@ -0,0 +1,48 @@ +From 594bc43b410316d70bb42aeff168837888d96810 Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Sun, 6 Nov 2022 14:48:37 -0800 +Subject: [PATCH] ext4: fix leaking uninitialized memory in fast-commit journal +Git-commit: 594bc43b410316d70bb42aeff168837888d96810 +Patch-mainline: v6.2-rc1 +References: bsc#1207625 + +When space at the end of fast-commit journal blocks is unused, make sure +to zero it out so that uninitialized memory is not leaked to disk. + +Fixes: aa75f4d3daae ("ext4: main fast-commit commit path") +Cc: <stable@vger.kernel.org> # v5.10+ +Signed-off-by: Eric Biggers <ebiggers@google.com> +Link: https://lore.kernel.org/r/20221106224841.279231-4-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index da0c8228cf9c..1e8be0554239 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -737,6 +737,9 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc) + *crc = ext4_chksum(sbi, *crc, tl, EXT4_FC_TAG_BASE_LEN); + if (pad_len > 0) + ext4_fc_memzero(sb, tl + 1, pad_len, crc); ++ /* Don't leak uninitialized memory in the unused last byte. */ ++ *((u8 *)(tl + 1) + pad_len) = 0; ++ + ext4_fc_submit_bh(sb, false); + + ret = jbd2_fc_get_buf(EXT4_SB(sb)->s_journal, &bh); +@@ -793,6 +796,8 @@ static int ext4_fc_write_tail(struct super_block *sb, u32 crc) + dst += sizeof(tail.fc_tid); + tail.fc_crc = cpu_to_le32(crc); + ext4_fc_memcpy(sb, dst, &tail.fc_crc, sizeof(tail.fc_crc), NULL); ++ dst += sizeof(tail.fc_crc); ++ memset(dst, 0, bsize - off); /* Don't leak uninitialized memory. */ + + ext4_fc_submit_bh(sb, true); + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-lockdep-warning-when-enabling-MMP.patch @@ -0,0 +1,89 @@ +From 949f95ff39bf188e594e7ecd8e29b82eb108f5bf Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Tue, 11 Apr 2023 14:10:19 +0200 +Subject: [PATCH] ext4: fix lockdep warning when enabling MMP +Git-commit: 949f95ff39bf188e594e7ecd8e29b82eb108f5bf +Patch-mainline: v6.4-rc2 +References: bsc#1213100 + +When we enable MMP in ext4_multi_mount_protect() during mount or +remount, we end up calling sb_start_write() from write_mmp_block(). This +triggers lockdep warning because freeze protection ranks above s_umount +semaphore we are holding during mount / remount. The problem is harmless +because we are guaranteed the filesystem is not frozen during mount / +remount but still let's fix the warning by not grabbing freeze +protection from ext4_multi_mount_protect(). + +Cc: stable@kernel.org +Reported-by: syzbot+6b7df7d5506b32467149@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=ab7e5b6f400b7778d46f01841422e5718fb81843 +Signed-off-by: Jan Kara <jack@suse.cz> +Reviewed-by: Christian Brauner <brauner@kernel.org> +Link: https://lore.kernel.org/r/20230411121019.21940-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/mmp.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/fs/ext4/mmp.c ++++ b/fs/ext4/mmp.c +@@ -39,28 +39,36 @@ static void ext4_mmp_csum_set(struct sup + * Write the MMP block using REQ_SYNC to try to get the block on-disk + * faster. + */ +-static int write_mmp_block(struct super_block *sb, struct buffer_head *bh) ++static int write_mmp_block_thawed(struct super_block *sb, ++ struct buffer_head *bh) + { + struct mmp_struct *mmp = (struct mmp_struct *)(bh->b_data); + +- /* +- * We protect against freezing so that we don't create dirty buffers +- * on frozen filesystem. +- */ +- sb_start_write(sb); + ext4_mmp_csum_set(sb, mmp); + lock_buffer(bh); + bh->b_end_io = end_buffer_write_sync; + get_bh(bh); + submit_bh(REQ_OP_WRITE, REQ_SYNC | REQ_META | REQ_PRIO, bh); + wait_on_buffer(bh); +- sb_end_write(sb); + if (unlikely(!buffer_uptodate(bh))) + return -EIO; +- + return 0; + } + ++static int write_mmp_block(struct super_block *sb, struct buffer_head *bh) ++{ ++ int err; ++ ++ /* ++ * We protect against freezing so that we don't create dirty buffers ++ * on frozen filesystem. ++ */ ++ sb_start_write(sb); ++ err = write_mmp_block_thawed(sb, bh); ++ sb_end_write(sb); ++ return err; ++} ++ + /* + * Read the MMP block. It _must_ be read from disk and hence we clear the + * uptodate flag on the buffer. +@@ -348,7 +356,11 @@ skip: + seq = mmp_new_seq(); + mmp->mmp_seq = cpu_to_le32(seq); + +- retval = write_mmp_block(sb, bh); ++ /* ++ * On mount / remount we are protected against fs freezing (by s_umount ++ * semaphore) and grabbing freeze protection upsets lockdep ++ */ ++ retval = write_mmp_block_thawed(sb, bh); + if (retval) + goto failed; + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-miss-release-buffer-head-in-ext4_fc_write_i.patch @@ -0,0 +1,62 @@ +From ccbf8eeb39f2ff00b54726a2b20b35d788c4ecb5 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Wed, 14 Sep 2022 18:08:59 +0800 +Subject: [PATCH] ext4: fix miss release buffer head in ext4_fc_write_inode +Git-commit: ccbf8eeb39f2ff00b54726a2b20b35d788c4ecb5 +Patch-mainline: v6.1-rc1 +References: bsc#1207609 + +In 'ext4_fc_write_inode' function first call 'ext4_get_inode_loc' get 'iloc', +after use it miss release 'iloc.bh'. +So just release 'iloc.bh' before 'ext4_fc_write_inode' return. + +Cc: stable@kernel.org +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220914100859.1415196-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 2af962cbb835..b7414a5812f6 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -874,22 +874,25 @@ static int ext4_fc_write_inode(struct inode *inode, u32 *crc) + tl.fc_tag = cpu_to_le16(EXT4_FC_TAG_INODE); + tl.fc_len = cpu_to_le16(inode_len + sizeof(fc_inode.fc_ino)); + ++ ret = -ECANCELED; + dst = ext4_fc_reserve_space(inode->i_sb, + sizeof(tl) + inode_len + sizeof(fc_inode.fc_ino), crc); + if (!dst) +- return -ECANCELED; ++ goto err; + + if (!ext4_fc_memcpy(inode->i_sb, dst, &tl, sizeof(tl), crc)) +- return -ECANCELED; ++ goto err; + dst += sizeof(tl); + if (!ext4_fc_memcpy(inode->i_sb, dst, &fc_inode, sizeof(fc_inode), crc)) +- return -ECANCELED; ++ goto err; + dst += sizeof(fc_inode); + if (!ext4_fc_memcpy(inode->i_sb, dst, (u8 *)ext4_raw_inode(&iloc), + inode_len, crc)) +- return -ECANCELED; +- +- return 0; ++ goto err; ++ ret = 0; ++err: ++ brelse(iloc.bh); ++ return ret; + } + + /* +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-null-ptr-deref-in-__ext4_journal_ensure_cre.patch @@ -0,0 +1,95 @@ +From 298b5c521746d69c07beb2757292fb5ccc1b0f85 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Fri, 24 Dec 2021 18:03:41 +0800 +Subject: [PATCH] ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits' +Git-commit: 298b5c521746d69c07beb2757292fb5ccc1b0f85 +Patch-mainline: v5.17-rc1 +References: bsc#1202764 + +We got issue as follows when run syzkaller test: +[ 1901.130043] EXT4-fs error (device vda): ext4_remount:5624: comm syz-executor.5: Abort forced by user +[ 1901.130901] Aborting journal on device vda-8. +[ 1901.131437] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.16: Detected aborted journal +[ 1901.131566] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.11: Detected aborted journal +[ 1901.132586] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.18: Detected aborted journal +[ 1901.132751] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.9: Detected aborted journal +[ 1901.136149] EXT4-fs error (device vda) in ext4_reserve_inode_write:6035: Journal has aborted +[ 1901.136837] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-fuzzer: Detected aborted journal +[ 1901.136915] ================================================================== +[ 1901.138175] BUG: KASAN: null-ptr-deref in __ext4_journal_ensure_credits+0x74/0x140 [ext4] +[ 1901.138343] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.13: Detected aborted journal +[ 1901.138398] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.1: Detected aborted journal +[ 1901.138808] Read of size 8 at addr 0000000000000000 by task syz-executor.17/968 +[ 1901.138817] +[ 1901.138852] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.30: Detected aborted journal +[ 1901.144779] CPU: 1 PID: 968 Comm: syz-executor.17 Not tainted 4.19.90-vhulk2111.1.0.h893.eulerosv2r10.aarch64+ #1 +[ 1901.146479] Hardware name: linux,dummy-virt (DT) +[ 1901.147317] Call trace: +[ 1901.147552] dump_backtrace+0x0/0x2d8 +[ 1901.147898] show_stack+0x28/0x38 +[ 1901.148215] dump_stack+0xec/0x15c +[ 1901.148746] kasan_report+0x108/0x338 +[ 1901.149207] __asan_load8+0x58/0xb0 +[ 1901.149753] __ext4_journal_ensure_credits+0x74/0x140 [ext4] +[ 1901.150579] ext4_xattr_delete_inode+0xe4/0x700 [ext4] +[ 1901.151316] ext4_evict_inode+0x524/0xba8 [ext4] +[ 1901.151985] evict+0x1a4/0x378 +[ 1901.152353] iput+0x310/0x428 +[ 1901.152733] do_unlinkat+0x260/0x428 +[ 1901.153056] __arm64_sys_unlinkat+0x6c/0xc0 +[ 1901.153455] el0_svc_common+0xc8/0x320 +[ 1901.153799] el0_svc_handler+0xf8/0x160 +[ 1901.154265] el0_svc+0x10/0x218 +[ 1901.154682] ================================================================== + +This issue may happens like this: + Process1 Process2 +ext4_evict_inode + ext4_journal_start + ext4_truncate + ext4_ind_truncate + ext4_free_branches + ext4_ind_truncate_ensure_credits + ext4_journal_ensure_credits_fn + ext4_journal_restart + handle->h_transaction = NULL; + mount -o remount,abort /mnt + -> trigger JBD abort + start_this_handle -> will return failed + ext4_xattr_delete_inode + ext4_journal_ensure_credits + ext4_journal_ensure_credits_fn + __ext4_journal_ensure_credits + jbd2_handle_buffer_credits + journal = handle->h_transaction->t_journal; ->null-ptr-deref + +Now, indirect truncate process didn't handle error. To solve this issue +maybe simply add check handle is abort in '__ext4_journal_ensure_credits' +is enough, and i also think this is necessary. + +Cc: stable@kernel.org +Signed-off-by: Ye Bin <yebin10@huawei.com> +Link: https://lore.kernel.org/r/20211224100341.3299128-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4_jbd2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c +index 6def7339056d..3477a16d08ae 100644 +--- a/fs/ext4/ext4_jbd2.c ++++ b/fs/ext4/ext4_jbd2.c +@@ -162,6 +162,8 @@ int __ext4_journal_ensure_credits(handle_t *handle, int check_cred, + { + if (!ext4_handle_valid(handle)) + return 0; ++ if (is_handle_aborted(handle)) ++ return -EROFS; + if (jbd2_handle_buffer_credits(handle) >= check_cred && + handle->h_revoke_credits >= revoke_cred) + return 0; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-off-by-one-errors-in-fast-commit-block-fill.patch @@ -0,0 +1,171 @@ +From 48a6a66db82b8043d298a630f22c62d43550cae5 Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Sun, 6 Nov 2022 14:48:40 -0800 +Subject: [PATCH] ext4: fix off-by-one errors in fast-commit block filling +Git-commit: 48a6a66db82b8043d298a630f22c62d43550cae5 +Patch-mainline: v6.2-rc1 +References: bsc#1207628 + +Due to several different off-by-one errors, or perhaps due to a late +change in design that wasn't fully reflected in the code that was +actually merged, there are several very strange constraints on how +fast-commit blocks are filled with tlv entries: + +- tlvs must start at least 10 bytes before the end of the block, even + though the minimum tlv length is 8. Otherwise, the replay code will + ignore them. (BUG: ext4_fc_reserve_space() could violate this + requirement if called with a len of blocksize - 9 or blocksize - 8. + Fortunately, this doesn't seem to happen currently.) + +- tlvs must end at least 1 byte before the end of the block. Otherwise + the replay code will consider them to be invalid. This quirk + contributed to a bug (fixed by an earlier commit) where uninitialized + memory was being leaked to disk in the last byte of blocks. + +Also, strangely these constraints don't apply to the replay code in +e2fsprogs, which will accept any tlvs in the blocks (with no bounds +checks at all, but that is a separate issue...). + +Given that this all seems to be a bug, let's fix it by just filling +blocks with tlv entries in the natural way. + +Note that old kernels will be unable to replay fast-commit journals +created by kernels that have this commit. + +Fixes: aa75f4d3daae ("ext4: main fast-commit commit path") +Cc: <stable@vger.kernel.org> # v5.10+ +Signed-off-by: Eric Biggers <ebiggers@google.com> +Link: https://lore.kernel.org/r/20221106224841.279231-7-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 66 +++++++++++++++++++++---------------------- + 1 file changed, 33 insertions(+), 33 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 892fa7c7a768..7ed71c652f67 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -714,43 +714,43 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc) + struct buffer_head *bh; + int bsize = sbi->s_journal->j_blocksize; + int ret, off = sbi->s_fc_bytes % bsize; +- int pad_len; ++ int remaining; + u8 *dst; + + /* +- * After allocating len, we should have space at least for a 0 byte +- * padding. ++ * If 'len' is too long to fit in any block alongside a PAD tlv, then we ++ * cannot fulfill the request. + */ +- if (len + EXT4_FC_TAG_BASE_LEN > bsize) ++ if (len > bsize - EXT4_FC_TAG_BASE_LEN) + return NULL; + +- if (bsize - off - 1 > len + EXT4_FC_TAG_BASE_LEN) { +- /* +- * Only allocate from current buffer if we have enough space for +- * this request AND we have space to add a zero byte padding. +- */ +- if (!sbi->s_fc_bh) { +- ret = jbd2_fc_get_buf(EXT4_SB(sb)->s_journal, &bh); +- if (ret) +- return NULL; +- sbi->s_fc_bh = bh; +- } +- sbi->s_fc_bytes += len; +- return sbi->s_fc_bh->b_data + off; ++ if (!sbi->s_fc_bh) { ++ ret = jbd2_fc_get_buf(EXT4_SB(sb)->s_journal, &bh); ++ if (ret) ++ return NULL; ++ sbi->s_fc_bh = bh; + } +- /* Need to add PAD tag */ + dst = sbi->s_fc_bh->b_data + off; ++ ++ /* ++ * Allocate the bytes in the current block if we can do so while still ++ * leaving enough space for a PAD tlv. ++ */ ++ remaining = bsize - EXT4_FC_TAG_BASE_LEN - off; ++ if (len <= remaining) { ++ sbi->s_fc_bytes += len; ++ return dst; ++ } ++ ++ /* ++ * Else, terminate the current block with a PAD tlv, then allocate a new ++ * block and allocate the bytes at the start of that new block. ++ */ ++ + tl.fc_tag = cpu_to_le16(EXT4_FC_TAG_PAD); +- pad_len = bsize - off - 1 - EXT4_FC_TAG_BASE_LEN; +- tl.fc_len = cpu_to_le16(pad_len); ++ tl.fc_len = cpu_to_le16(remaining); + ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, crc); +- dst += EXT4_FC_TAG_BASE_LEN; +- if (pad_len > 0) { +- ext4_fc_memzero(sb, dst, pad_len, crc); +- dst += pad_len; +- } +- /* Don't leak uninitialized memory in the unused last byte. */ +- *dst = 0; ++ ext4_fc_memzero(sb, dst + EXT4_FC_TAG_BASE_LEN, remaining, crc); + + ext4_fc_submit_bh(sb, false); + +@@ -758,7 +758,7 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc) + if (ret) + return NULL; + sbi->s_fc_bh = bh; +- sbi->s_fc_bytes = (sbi->s_fc_bytes / bsize + 1) * bsize + len; ++ sbi->s_fc_bytes += bsize - off + len; + return sbi->s_fc_bh->b_data; + } + +@@ -789,7 +789,7 @@ static int ext4_fc_write_tail(struct super_block *sb, u32 crc) + off = sbi->s_fc_bytes % bsize; + + tl.fc_tag = cpu_to_le16(EXT4_FC_TAG_TAIL); +- tl.fc_len = cpu_to_le16(bsize - off - 1 + sizeof(struct ext4_fc_tail)); ++ tl.fc_len = cpu_to_le16(bsize - off + sizeof(struct ext4_fc_tail)); + sbi->s_fc_bytes = round_up(sbi->s_fc_bytes, bsize); + + ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, &crc); +@@ -2056,7 +2056,7 @@ static int ext4_fc_replay_scan(journal_t *journal, + state = &sbi->s_fc_replay_state; + + start = (u8 *)bh->b_data; +- end = (__u8 *)bh->b_data + journal->j_blocksize - 1; ++ end = start + journal->j_blocksize; + + if (state->fc_replay_expected_off == 0) { + state->fc_cur_tag = 0; +@@ -2077,7 +2077,7 @@ static int ext4_fc_replay_scan(journal_t *journal, + } + + state->fc_replay_expected_off++; +- for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; ++ for (cur = start; cur <= end - EXT4_FC_TAG_BASE_LEN; + cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { + ext4_fc_get_tl(&tl, cur); + val = cur + EXT4_FC_TAG_BASE_LEN; +@@ -2195,9 +2195,9 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh, + #endif + + start = (u8 *)bh->b_data; +- end = (__u8 *)bh->b_data + journal->j_blocksize - 1; ++ end = start + journal->j_blocksize; + +- for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; ++ for (cur = start; cur <= end - EXT4_FC_TAG_BASE_LEN; + cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { + ext4_fc_get_tl(&tl, cur); + val = cur + EXT4_FC_TAG_BASE_LEN; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-overhead-calculation-to-account-for-the-res.patch @@ -0,0 +1,41 @@ +From 10b01ee92df52c8d7200afead4d5e5f55a5c58b1 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Thu, 14 Apr 2022 21:31:27 -0400 +Subject: [PATCH] ext4: fix overhead calculation to account for the reserved + gdt blocks +Git-commit: 10b01ee92df52c8d7200afead4d5e5f55a5c58b1 +Patch-mainline: v5.18-rc4 +References: bsc#1200869 + +The kernel calculation was underestimating the overhead by not taking +into account the reserved gdt blocks. With this change, the overhead +calculated by the kernel matches the overhead calculation in mke2fs. + +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index f2a5e78f93a9..23a9b2c086ed 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4177,9 +4177,11 @@ static int count_overhead(struct super_block *sb, ext4_group_t grp, + ext4_fsblk_t first_block, last_block, b; + ext4_group_t i, ngroups = ext4_get_groups_count(sb); + int s, j, count = 0; ++ int has_super = ext4_bg_has_super(sb, grp); + + if (!ext4_has_feature_bigalloc(sb)) +- return (ext4_bg_has_super(sb, grp) + ext4_bg_num_gdb(sb, grp) + ++ return (has_super + ext4_bg_num_gdb(sb, grp) + ++ (has_super ? le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) : 0) + + sbi->s_itb_per_group + 2); + + first_block = le32_to_cpu(sbi->s_es->s_first_data_block) + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-possible-double-unlock-when-moving-a-direct.patch @@ -0,0 +1,38 @@ +From 70e42feab2e20618ddd0cbfc4ab4b08628236ecd Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Fri, 17 Mar 2023 21:53:52 -0400 +Subject: [PATCH] ext4: fix possible double unlock when moving a directory +Git-commit: 70e42feab2e20618ddd0cbfc4ab4b08628236ecd +Patch-mainline: v6.3-rc3 +References: bsc#1210763 + +Fixes: 0813299c586b ("ext4: Fix possible corruption when moving a directory") +Link: https://lore.kernel.org/r/5efbe1b9-ad8b-4a4f-b422-24824d2b775c@kili.mountain +Reported-by: Dan Carpenter <error27@gmail.com> +Reported-by: syzbot+0c73d1d8b952c5f3d714@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 31e21de56432..a5010b5b8a8c 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3884,10 +3884,8 @@ static int ext4_rename(struct mnt_idmap *idmap, struct inode *old_dir, + goto end_rename; + } + retval = ext4_rename_dir_prepare(handle, &old); +- if (retval) { +- inode_unlock(old.inode); ++ if (retval) + goto end_rename; +- } + } + /* + * If we're renaming a file within an inline_data dir and adding or +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-potential-memory-leak-in-ext4_fc_record_mod.patch @@ -0,0 +1,50 @@ +From 9305721a309fa1bd7c194e0d4a2335bf3b29dca4 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Wed, 21 Sep 2022 14:40:38 +0800 +Subject: [PATCH] ext4: fix potential memory leak in + ext4_fc_record_modified_inode() +Git-commit: 9305721a309fa1bd7c194e0d4a2335bf3b29dca4 +Patch-mainline: v6.1-rc1 +References: bsc#1207611 + +As krealloc may return NULL, in this case 'state->fc_modified_inodes' +may not be freed by krealloc, but 'state->fc_modified_inodes' already +set NULL. Then will lead to 'state->fc_modified_inodes' memory leak. + +Cc: stable@kernel.org +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220921064040.3693255-2-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 9217a588afd1..9555ab816d7d 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1486,13 +1486,15 @@ static int ext4_fc_record_modified_inode(struct super_block *sb, int ino) + if (state->fc_modified_inodes[i] == ino) + return 0; + if (state->fc_modified_inodes_used == state->fc_modified_inodes_size) { +- state->fc_modified_inodes = krealloc( +- state->fc_modified_inodes, ++ int *fc_modified_inodes; ++ ++ fc_modified_inodes = krealloc(state->fc_modified_inodes, + sizeof(int) * (state->fc_modified_inodes_size + + EXT4_FC_REPLAY_REALLOC_INCREMENT), + GFP_KERNEL); +- if (!state->fc_modified_inodes) ++ if (!fc_modified_inodes) + return -ENOMEM; ++ state->fc_modified_inodes = fc_modified_inodes; + state->fc_modified_inodes_size += + EXT4_FC_REPLAY_REALLOC_INCREMENT; + } +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-potential-memory-leak-in-ext4_fc_record_reg.patch @@ -0,0 +1,54 @@ +From 7069d105c1f15c442b68af43f7fde784f3126739 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Wed, 21 Sep 2022 14:40:39 +0800 +Subject: [PATCH] ext4: fix potential memory leak in ext4_fc_record_regions() +Git-commit: 7069d105c1f15c442b68af43f7fde784f3126739 +Patch-mainline: v6.1-rc1 +References: bsc#1207612 + +As krealloc may return NULL, in this case 'state->fc_regions' may not be +freed by krealloc, but 'state->fc_regions' already set NULL. Then will +lead to 'state->fc_regions' memory leak. + +Cc: stable@kernel.org +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220921064040.3693255-3-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 9555ab816d7d..5ab58cb4ce8d 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1679,15 +1679,17 @@ int ext4_fc_record_regions(struct super_block *sb, int ino, + if (replay && state->fc_regions_used != state->fc_regions_valid) + state->fc_regions_used = state->fc_regions_valid; + if (state->fc_regions_used == state->fc_regions_size) { ++ struct ext4_fc_alloc_region *fc_regions; ++ + state->fc_regions_size += + EXT4_FC_REPLAY_REALLOC_INCREMENT; +- state->fc_regions = krealloc( +- state->fc_regions, +- state->fc_regions_size * +- sizeof(struct ext4_fc_alloc_region), +- GFP_KERNEL); +- if (!state->fc_regions) ++ fc_regions = krealloc(state->fc_regions, ++ state->fc_regions_size * ++ sizeof(struct ext4_fc_alloc_region), ++ GFP_KERNEL); ++ if (!fc_regions) + return -ENOMEM; ++ state->fc_regions = fc_regions; + } + region = &state->fc_regions[state->fc_regions_used++]; + region->ino = ino; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-potential-out-of-bound-read-in-ext4_fc_repl.patch @@ -0,0 +1,97 @@ +From 1b45cc5c7b920fd8bf72e5a888ec7abeadf41e09 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Sat, 24 Sep 2022 15:52:33 +0800 +Subject: [PATCH] ext4: fix potential out of bound read in + ext4_fc_replay_scan() +Git-commit: 1b45cc5c7b920fd8bf72e5a888ec7abeadf41e09 +Patch-mainline: v6.1-rc1 +References: bsc#1207616 + +For scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN space. If remain +space less than EXT4_FC_TAG_BASE_LEN which will lead to out of bound read +when mounting corrupt file system image. +ADD_RANGE/HEAD/TAIL is needed to add extra check when do journal scan, as this +three tags will read data during scan, tag length couldn't less than data length +which will read. + +Cc: stable@kernel.org +Signed-off-by: Ye Bin <yebin10@huawei.com> +Link: https://lore.kernel.org/r/20220924075233.2315259-4-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 38 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 36 insertions(+), 2 deletions(-) + +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1911,6 +1911,34 @@ void ext4_fc_replay_cleanup(struct super + kfree(sbi->s_fc_replay_state.fc_modified_inodes); + } + ++static inline bool ext4_fc_tag_len_isvalid(struct ext4_fc_tl *tl, ++ u8 *val, u8 *end) ++{ ++ if (val + tl->fc_len > end) ++ return false; ++ ++ /* Here only check ADD_RANGE/TAIL/HEAD which will read data when do ++ * journal rescan before do CRC check. Other tags length check will ++ * rely on CRC check. ++ */ ++ switch (tl->fc_tag) { ++ case EXT4_FC_TAG_ADD_RANGE: ++ return (sizeof(struct ext4_fc_add_range) == tl->fc_len); ++ case EXT4_FC_TAG_TAIL: ++ return (sizeof(struct ext4_fc_tail) <= tl->fc_len); ++ case EXT4_FC_TAG_HEAD: ++ return (sizeof(struct ext4_fc_head) == tl->fc_len); ++ case EXT4_FC_TAG_DEL_RANGE: ++ case EXT4_FC_TAG_LINK: ++ case EXT4_FC_TAG_UNLINK: ++ case EXT4_FC_TAG_CREAT: ++ case EXT4_FC_TAG_INODE: ++ case EXT4_FC_TAG_PAD: ++ default: ++ return true; ++ } ++} ++ + /* + * Recovery Scan phase handler + * +@@ -1967,10 +1995,15 @@ static int ext4_fc_replay_scan(journal_t + } + + state->fc_replay_expected_off++; +- for (cur = start; cur < end; ++ for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; + cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { + ext4_fc_get_tl(&tl, cur); + val = cur + EXT4_FC_TAG_BASE_LEN; ++ if (!ext4_fc_tag_len_isvalid(&tl, val, end)) { ++ ret = state->fc_replay_num_tags ? ++ JBD2_FC_REPLAY_STOP : -ECANCELED; ++ goto out_err; ++ } + jbd_debug(3, "Scan phase, tag:%s, blk %lld\n", + tag2str(tl.fc_tag), bh->b_blocknr); + switch (tl.fc_tag) { +@@ -2081,7 +2114,7 @@ static int ext4_fc_replay(journal_t *jou + start = (u8 *)bh->b_data; + end = (__u8 *)bh->b_data + journal->j_blocksize - 1; + +- for (cur = start; cur < end; ++ for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; + cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { + ext4_fc_get_tl(&tl, cur); + val = cur + EXT4_FC_TAG_BASE_LEN; +@@ -2091,6 +2124,7 @@ static int ext4_fc_replay(journal_t *jou + ext4_fc_set_bitmaps_and_counters(sb); + break; + } ++ + jbd_debug(3, "Replay phase, tag:%s\n", tag2str(tl.fc_tag)); + state->fc_replay_num_tags--; + switch (tl.fc_tag) { --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-race-condition-between-ext4_write-and-ext4_.patch @@ -0,0 +1,133 @@ +From f87c7a4b084afc13190cbb263538e444cb2b392a Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Thu, 28 Apr 2022 21:40:31 +0800 +Subject: [PATCH] ext4: fix race condition between ext4_write and + ext4_convert_inline_data +Git-commit: f87c7a4b084afc13190cbb263538e444cb2b392a +Patch-mainline: v5.19-rc1 +References: bsc#1200807 + +Hulk Robot reported a BUG_ON: + ================================================================== + EXT4-fs error (device loop3): ext4_mb_generate_buddy:805: group 0, + block bitmap and bg descriptor inconsistent: 25 vs 31513 free clusters + kernel BUG at fs/ext4/ext4_jbd2.c:53! + invalid opcode: 0000 [#1] SMP KASAN PTI + CPU: 0 PID: 25371 Comm: syz-executor.3 Not tainted 5.10.0+ #1 + RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline] + RIP: 0010:__ext4_journal_stop+0x10e/0x110 fs/ext4/ext4_jbd2.c:116 + [...] + Call Trace: + ext4_write_inline_data_end+0x59a/0x730 fs/ext4/inline.c:795 + generic_perform_write+0x279/0x3c0 mm/filemap.c:3344 + ext4_buffered_write_iter+0x2e3/0x3d0 fs/ext4/file.c:270 + ext4_file_write_iter+0x30a/0x11c0 fs/ext4/file.c:520 + do_iter_readv_writev+0x339/0x3c0 fs/read_write.c:732 + do_iter_write+0x107/0x430 fs/read_write.c:861 + vfs_writev fs/read_write.c:934 [inline] + do_pwritev+0x1e5/0x380 fs/read_write.c:1031 + [...] + ================================================================== + +Above issue may happen as follows: + cpu1 cpu2 +__________________________|__________________________ +do_pwritev + vfs_writev + do_iter_write + ext4_file_write_iter + ext4_buffered_write_iter + generic_perform_write + ext4_da_write_begin + vfs_fallocate + ext4_fallocate + ext4_convert_inline_data + ext4_convert_inline_data_nolock + ext4_destroy_inline_data_nolock + clear EXT4_STATE_MAY_INLINE_DATA + ext4_map_blocks + ext4_ext_map_blocks + ext4_mb_new_blocks + ext4_mb_regular_allocator + ext4_mb_good_group_nolock + ext4_mb_init_group + ext4_mb_init_cache + ext4_mb_generate_buddy --> error + ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA) + ext4_restore_inline_data + set EXT4_STATE_MAY_INLINE_DATA + ext4_block_write_begin + ext4_da_write_end + ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA) + ext4_write_inline_data_end + handle=NULL + ext4_journal_stop(handle) + __ext4_journal_stop + ext4_put_nojournal(handle) + ref_cnt = (unsigned long)handle + BUG_ON(ref_cnt == 0) ---> BUG_ON + +The lock held by ext4_convert_inline_data is xattr_sem, but the lock +held by generic_perform_write is i_rwsem. Therefore, the two locks can +be concurrent. + +To solve above issue, we add inode_lock() for ext4_convert_inline_data(). +At the same time, move ext4_convert_inline_data() in front of +ext4_punch_hole(), remove similar handling from ext4_punch_hole(). + +Fixes: 0c8d414f163f ("ext4: let fallocate handle inline data correctly") +Cc: stable@vger.kernel.org +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220428134031.4153381-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/extents.c | 10 ++++++---- + fs/ext4/inode.c | 9 --------- + 2 files changed, 6 insertions(+), 13 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4698,15 +4698,17 @@ long ext4_fallocate(struct file *file, i + + ext4_fc_start_update(inode); + ++ inode_lock(inode); ++ ret = ext4_convert_inline_data(inode); ++ inode_unlock(inode); ++ if (ret) ++ goto exit; ++ + if (mode & FALLOC_FL_PUNCH_HOLE) { + ret = ext4_punch_hole(file, offset, len); + goto exit; + } + +- ret = ext4_convert_inline_data(inode); +- if (ret) +- goto exit; +- + if (mode & FALLOC_FL_COLLAPSE_RANGE) { + ret = ext4_collapse_range(file, offset, len); + goto exit; +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4005,15 +4005,6 @@ int ext4_punch_hole(struct file *file, l + + trace_ext4_punch_hole(inode, offset, length, 0); + +- ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); +- if (ext4_has_inline_data(inode)) { +- filemap_invalidate_lock(mapping); +- ret = ext4_convert_inline_data(inode); +- filemap_invalidate_unlock(mapping); +- if (ret) +- return ret; +- } +- + /* + * Write out all dirty pages to avoid race conditions + * Then release them. --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-reserved-cluster-accounting-in-__es_remove_.patch @@ -0,0 +1,96 @@ +From 1da18e38cb97e9521e93d63034521a9649524f64 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Thu, 8 Dec 2022 11:34:24 +0800 +Subject: [PATCH] ext4: fix reserved cluster accounting in __es_remove_extent() +Git-commit: 1da18e38cb97e9521e93d63034521a9649524f64 +Patch-mainline: v6.2-rc1 +References: bsc#1207637 + +When bigalloc is enabled, reserved cluster accounting for delayed +allocation is handled in extent_status.c. With a corrupted file +system, it's possible for this accounting to be incorrect, +dsicovered by Syzbot: + +EXT4-fs error (device loop0): ext4_validate_block_bitmap:398: comm rep: + bg 0: block 5: invalid block bitmap +EXT4-fs (loop0): Delayed block allocation failed for inode 18 at logical + offset 0 with max blocks 32 with error 28 +EXT4-fs (loop0): This should not happen!! Data will be lost + +EXT4-fs (loop0): Total free blocks count 0 +EXT4-fs (loop0): Free/Dirty block details +EXT4-fs (loop0): free_blocks=0 +EXT4-fs (loop0): dirty_blocks=32 +EXT4-fs (loop0): Block reservation details +EXT4-fs (loop0): i_reserved_data_blocks=2 +EXT4-fs (loop0): Inode 18 (00000000845cd634): + i_reserved_data_blocks (1) not cleared! + +Above issue happens as follows: +Assume: +sbi->s_cluster_ratio = 16 +Step1: +Insert delay block [0, 31] -> ei->i_reserved_data_blocks=2 +Step2: +ext4_writepages + mpage_map_and_submit_extent -> return failed + mpage_release_unused_pages -> to release [0, 30] + ext4_es_remove_extent -> remove lblk=0 end=30 + __es_remove_extent -> len1=0 len2=31-30=1 + __es_remove_extent: + ... + if (len2 > 0) { + ... + if (len1 > 0) { + ... + } else { + es->es_lblk = end + 1; + es->es_len = len2; + ... + } + if (count_reserved) + count_rsvd(inode, lblk, ...); + goto out; -> will return but didn't calculate 'reserved' + ... +Step3: +ext4_destroy_inode -> trigger "i_reserved_data_blocks (1) not cleared!" + +To solve above issue if 'len2>0' call 'get_rsvd()' before goto out. + +Reported-by: syzbot+05a0f0ccab4a25626e38@syzkaller.appspotmail.com +Fixes: 8fcc3a580651 ("ext4: rework reserved cluster accounting when invalidating pages") +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Eric Whitney <enwlinux@gmail.com> +Link: https://lore.kernel.org/r/20221208033426.1832460-2-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/extents_status.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c +index 97eccc0028a1..7bc221038c6c 100644 +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -1369,7 +1369,7 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + if (count_reserved) + count_rsvd(inode, lblk, orig_es.es_len - len1 - len2, + &orig_es, &rc); +- goto out; ++ goto out_get_reserved; + } + + if (len1 > 0) { +@@ -1411,6 +1411,7 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, + } + } + ++out_get_reserved: + if (count_reserved) + *reserved = get_rsvd(inode, end, es, &rc); + out: +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-super-block-checksum-incorrect-after-mount.patch @@ -0,0 +1,78 @@ +From 9b6641dd95a0c441b277dd72ba22fed8d61f76ad Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Wed, 25 May 2022 09:29:04 +0800 +Subject: [PATCH] ext4: fix super block checksum incorrect after mount +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 9b6641dd95a0c441b277dd72ba22fed8d61f76ad +Patch-mainline: v5.19-rc3 +References: bsc#1202773 + +We got issue as follows: +[home]# mount /dev/sda test +EXT4-fs (sda): warning: mounting fs with errors, running e2fsck is recommended +[home]# dmesg +EXT4-fs (sda): warning: mounting fs with errors, running e2fsck is recommended +EXT4-fs (sda): Errors on filesystem, clearing orphan list. +EXT4-fs (sda): recovery complete +EXT4-fs (sda): mounted filesystem with ordered data mode. Quota mode: none. +[home]# debugfs /dev/sda +debugfs 1.46.5 (30-Dec-2021) +Checksum errors in superblock! Retrying... + +Reason is ext4_orphan_cleanup will reset ‘s_last_orphan’ but not update +super block checksum. + +To solve above issue, defer update super block checksum after +ext4_orphan_cleanup. + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Cc: stable@kernel.org +Reviewed-by: Jan Kara <jack@suse.cz> +Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com> +Link: https://lore.kernel.org/r/20220525012904.1604737-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index b2ecae8adbfc..13d562d11235 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5302,14 +5302,6 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) + err = percpu_counter_init(&sbi->s_freeinodes_counter, freei, + GFP_KERNEL); + } +- /* +- * Update the checksum after updating free space/inode +- * counters. Otherwise the superblock can have an incorrect +- * checksum in the buffer cache until it is written out and +- * e2fsprogs programs trying to open a file system immediately +- * after it is mounted can fail. +- */ +- ext4_superblock_csum_set(sb); + if (!err) + err = percpu_counter_init(&sbi->s_dirs_counter, + ext4_count_dirs(sb), GFP_KERNEL); +@@ -5367,6 +5359,14 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) + EXT4_SB(sb)->s_mount_state |= EXT4_ORPHAN_FS; + ext4_orphan_cleanup(sb, es); + EXT4_SB(sb)->s_mount_state &= ~EXT4_ORPHAN_FS; ++ /* ++ * Update the checksum after updating free space/inode counters and ++ * ext4_orphan_cleanup. Otherwise the superblock can have an incorrect ++ * checksum in the buffer cache until it is written out and ++ * e2fsprogs programs trying to open a file system immediately ++ * after it is mounted can fail. ++ */ ++ ext4_superblock_csum_set(sb); + if (needs_recovery) { + ext4_msg(sb, KERN_INFO, "recovery complete"); + err = ext4_mark_recovery_complete(sb, es); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-symlink-file-size-not-match-to-file-content.patch @@ -0,0 +1,56 @@ +From a2b0b205d125f27cddfb4f7280e39affdaf46686 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Mon, 21 Mar 2022 22:44:38 +0800 +Subject: [PATCH] ext4: fix symlink file size not match to file content +Git-commit: a2b0b205d125f27cddfb4f7280e39affdaf46686 +Patch-mainline: v5.18-rc4 +References: bsc#1200868 + +We got issue as follows: +[home]# fsck.ext4 -fn ram0yb +e2fsck 1.45.6 (20-Mar-2020) +Pass 1: Checking inodes, blocks, and sizes +Pass 2: Checking directory structure +Symlink /p3/d14/d1a/l3d (inode #3494) is invalid. +Clear? no +Entry 'l3d' in /p3/d14/d1a (3383) has an incorrect filetype (was 7, should be 0). +Fix? no + +As the symlink file size does not match the file content. If the writeback +of the symlink data block failed, ext4_finish_bio() handles the end of IO. +However this function fails to mark the buffer with BH_write_io_error and +so when unmount does journal checkpoint it cannot detect the writeback +error and will cleanup the journal. Thus we've lost the correct data in the +journal area. To solve this issue, mark the buffer as BH_write_io_error in +ext4_finish_bio(). + +Cc: stable@kernel.org +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220321144438.201685-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/page-io.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c +index 1d370364230e..40b7d8485b44 100644 +--- a/fs/ext4/page-io.c ++++ b/fs/ext4/page-io.c +@@ -134,8 +134,10 @@ static void ext4_finish_bio(struct bio *bio) + continue; + } + clear_buffer_async_write(bh); +- if (bio->bi_status) ++ if (bio->bi_status) { ++ set_buffer_write_io_error(bh); + buffer_io_error(bh); ++ } + } while ((bh = bh->b_this_page) != head); + spin_unlock_irqrestore(&head->b_uptodate_lock, flags); + if (!under_io) { +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch @@ -0,0 +1,97 @@ +From 0f7bfd6f8164be32dbbdf36aa1e5d00485c53cd7 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Tue, 10 Jan 2023 21:34:36 +0800 +Subject: [PATCH] ext4: fix task hung in ext4_xattr_delete_inode +Git-commit: 0f7bfd6f8164be32dbbdf36aa1e5d00485c53cd7 +Patch-mainline: v6.3-rc1 +References: bsc#1213096 + +Syzbot reported a hung task problem: +================================================================== +Info: task syz-executor232:5073 blocked for more than 143 seconds. + Not tainted 6.2.0-rc2-syzkaller-00024-g512dee0c00ad #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-exec232 state:D stack:21024 pid:5073 ppid:5072 flags:0x00004004 +Call Trace: + <TASK> + context_switch kernel/sched/core.c:5244 [inline] + __schedule+0x995/0xe20 kernel/sched/core.c:6555 + schedule+0xcb/0x190 kernel/sched/core.c:6631 + __wait_on_freeing_inode fs/inode.c:2196 [inline] + find_inode_fast+0x35a/0x4c0 fs/inode.c:950 + iget_locked+0xb1/0x830 fs/inode.c:1273 + __ext4_iget+0x22e/0x3ed0 fs/ext4/inode.c:4861 + ext4_xattr_inode_iget+0x68/0x4e0 fs/ext4/xattr.c:389 + ext4_xattr_inode_dec_ref_all+0x1a7/0xe50 fs/ext4/xattr.c:1148 + ext4_xattr_delete_inode+0xb04/0xcd0 fs/ext4/xattr.c:2880 + ext4_evict_inode+0xd7c/0x10b0 fs/ext4/inode.c:296 + evict+0x2a4/0x620 fs/inode.c:664 + ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474 + __ext4_fill_super fs/ext4/super.c:5516 [inline] + ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644 + get_tree_bdev+0x400/0x620 fs/super.c:1282 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7fa5406fd5ea +Rsp: 002b:00007ffc7232f968 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +Rax: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa5406fd5ea +Rdx: 0000000020000440 RSI: 0000000020000000 RDI: 00007ffc7232f970 +Rbp: 00007ffc7232f970 R08: 00007ffc7232f9b0 R09: 0000000000000432 +R10: 0000000000804a03 R11: 0000000000000202 R12: 0000000000000004 +R13: 0000555556a7a2c0 R14: 00007ffc7232f9b0 R15: 0000000000000000 + </TASK> +================================================================== + +The problem is that the inode contains an xattr entry with ea_inum of 15 +when cleaning up an orphan inode <15>. When evict inode <15>, the reference +counting of the corresponding EA inode is decreased. When EA inode <15> is +found by find_inode_fast() in __ext4_iget(), it is found that the EA inode +holds the I_FREEING flag and waits for the EA inode to complete deletion. +As a result, when inode <15> is being deleted, we wait for inode <15> to +complete the deletion, resulting in an infinite loop and triggering Hung +Task. To solve this problem, we only need to check whether the ino of EA +inode and parent is the same before getting EA inode. + +Link: https://syzkaller.appspot.com/bug?extid=77d6fcc37bbb92f26048 +Reported-by: syzbot+77d6fcc37bbb92f26048@syzkaller.appspotmail.com +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230110133436.996350-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/xattr.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index d8fef540ca9b..863c15388848 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -422,6 +422,17 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino, + struct inode *inode; + int err; + ++ /* ++ * We have to check for this corruption early as otherwise ++ * iget_locked() could wait indefinitely for the state of our ++ * parent inode. ++ */ ++ if (parent->i_ino == ea_ino) { ++ ext4_error(parent->i_sb, ++ "Parent and EA inode have the same ino %lu", ea_ino); ++ return -EFSCORRUPTED; ++ } ++ + inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext.patch @@ -0,0 +1,49 @@ +From c4d13222afd8a64bf11bc7ec68645496ee8b54b9 Mon Sep 17 00:00:00 2001 +From: Chao Yu <chao@kernel.org> +Date: Tue, 6 Jun 2023 15:32:03 +0800 +Subject: [PATCH] ext4: fix to check return value of freeze_bdev() in + ext4_shutdown() +Git-commit: c4d13222afd8a64bf11bc7ec68645496ee8b54b9 +Patch-mainline: v6.5-rc1 +References: bsc#1213021 + +freeze_bdev() can fail due to a lot of reasons, it needs to check its +reason before later process. + +Fixes: 783d94854499 ("ext4: add EXT4_IOC_GOINGDOWN ioctl") +Cc: stable@kernel.org +Signed-off-by: Chao Yu <chao@kernel.org> +Link: https://lore.kernel.org/r/20230606073203.1310389-1-chao@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ioctl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index f9a430152063..55be1b8a6360 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -797,6 +797,7 @@ static int ext4_shutdown(struct super_block *sb, unsigned long arg) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + __u32 flags; ++ int ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -815,7 +816,9 @@ static int ext4_shutdown(struct super_block *sb, unsigned long arg) + + switch (flags) { + case EXT4_GOING_FLAGS_DEFAULT: +- freeze_bdev(sb->s_bdev); ++ ret = freeze_bdev(sb->s_bdev); ++ if (ret) ++ return ret; + set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags); + thaw_bdev(sb->s_bdev); + break; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-unaligned-memory-access-in-ext4_fc_reserve_.patch @@ -0,0 +1,104 @@ +From 8415ce07ecf0cc25efdd5db264a7133716e503cf Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Sun, 6 Nov 2022 14:48:39 -0800 +Subject: [PATCH] ext4: fix unaligned memory access in ext4_fc_reserve_space() +Git-commit: 8415ce07ecf0cc25efdd5db264a7133716e503cf +Patch-mainline: v6.2-rc1 +References: bsc#1207627 + +As is done elsewhere in the file, build the struct ext4_fc_tl on the +stack and memcpy() it into the buffer, rather than directly writing it +to a potentially-unaligned location in the buffer. + +Fixes: aa75f4d3daae ("ext4: main fast-commit commit path") +Cc: <stable@vger.kernel.org> # v5.10+ +Signed-off-by: Eric Biggers <ebiggers@google.com> +Link: https://lore.kernel.org/r/20221106224841.279231-6-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 39 +++++++++++++++++++++------------------ + 1 file changed, 21 insertions(+), 18 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index d5ad4b2b235d..892fa7c7a768 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -675,6 +675,15 @@ static void ext4_fc_submit_bh(struct super_block *sb, bool is_tail) + + /* Ext4 commit path routines */ + ++/* memcpy to fc reserved space and update CRC */ ++static void *ext4_fc_memcpy(struct super_block *sb, void *dst, const void *src, ++ int len, u32 *crc) ++{ ++ if (crc) ++ *crc = ext4_chksum(EXT4_SB(sb), *crc, src, len); ++ return memcpy(dst, src, len); ++} ++ + /* memzero and update CRC */ + static void *ext4_fc_memzero(struct super_block *sb, void *dst, int len, + u32 *crc) +@@ -700,12 +709,13 @@ static void *ext4_fc_memzero(struct super_block *sb, void *dst, int len, + */ + static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc) + { +- struct ext4_fc_tl *tl; ++ struct ext4_fc_tl tl; + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct buffer_head *bh; + int bsize = sbi->s_journal->j_blocksize; + int ret, off = sbi->s_fc_bytes % bsize; + int pad_len; ++ u8 *dst; + + /* + * After allocating len, we should have space at least for a 0 byte +@@ -729,16 +739,18 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc) + return sbi->s_fc_bh->b_data + off; + } + /* Need to add PAD tag */ +- tl = (struct ext4_fc_tl *)(sbi->s_fc_bh->b_data + off); +- tl->fc_tag = cpu_to_le16(EXT4_FC_TAG_PAD); ++ dst = sbi->s_fc_bh->b_data + off; ++ tl.fc_tag = cpu_to_le16(EXT4_FC_TAG_PAD); + pad_len = bsize - off - 1 - EXT4_FC_TAG_BASE_LEN; +- tl->fc_len = cpu_to_le16(pad_len); +- if (crc) +- *crc = ext4_chksum(sbi, *crc, tl, EXT4_FC_TAG_BASE_LEN); +- if (pad_len > 0) +- ext4_fc_memzero(sb, tl + 1, pad_len, crc); ++ tl.fc_len = cpu_to_le16(pad_len); ++ ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, crc); ++ dst += EXT4_FC_TAG_BASE_LEN; ++ if (pad_len > 0) { ++ ext4_fc_memzero(sb, dst, pad_len, crc); ++ dst += pad_len; ++ } + /* Don't leak uninitialized memory in the unused last byte. */ +- *((u8 *)(tl + 1) + pad_len) = 0; ++ *dst = 0; + + ext4_fc_submit_bh(sb, false); + +@@ -750,15 +762,6 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc) + return sbi->s_fc_bh->b_data; + } + +-/* memcpy to fc reserved space and update CRC */ +-static void *ext4_fc_memcpy(struct super_block *sb, void *dst, const void *src, +- int len, u32 *crc) +-{ +- if (crc) +- *crc = ext4_chksum(EXT4_SB(sb), *crc, src, len); +- return memcpy(dst, src, len); +-} +- + /* + * Complete a fast commit by writing tail tag. + * +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-undefined-behavior-in-bit-shift-for-ext4_ch.patch @@ -0,0 +1,54 @@ +From 3bf678a0f9c017c9ba7c581541dbc8453452a7ae Mon Sep 17 00:00:00 2001 +From: Gaosheng Cui <cuigaosheng1@huawei.com> +Date: Mon, 31 Oct 2022 13:58:33 +0800 +Subject: [PATCH] ext4: fix undefined behavior in bit shift for + ext4_check_flag_values +Git-commit: 3bf678a0f9c017c9ba7c581541dbc8453452a7ae +Patch-mainline: v6.2-rc1 +References: bsc#1206890 + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. The UBSAN warning calltrace like below: + +Ubsan: shift-out-of-bounds in fs/ext4/ext4.h:591:2 +left shift of 1 by 31 places cannot be represented in type 'int' +Call Trace: + <TASK> + dump_stack_lvl+0x7d/0xa5 + dump_stack+0x15/0x1b + ubsan_epilogue+0xe/0x4e + __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c + ext4_init_fs+0x5a/0x277 + do_one_initcall+0x76/0x430 + kernel_init_freeable+0x3b3/0x422 + kernel_init+0x24/0x1e0 + ret_from_fork+0x1f/0x30 + </TASK> + +Fixes: 9a4c80194713 ("ext4: ensure Inode flags consistency are checked at build time") +Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> +Link: https://lore.kernel.org/r/20221031055833.3966222-1-cuigaosheng1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 2b574b143bde..3afdd99bb214 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -558,7 +558,7 @@ enum { + * + * It's not paranoia if the Murphy's Law really *is* out to get you. :-) + */ +-#define TEST_FLAG_VALUE(FLAG) (EXT4_##FLAG##_FL == (1 << EXT4_INODE_##FLAG)) ++#define TEST_FLAG_VALUE(FLAG) (EXT4_##FLAG##_FL == (1U << EXT4_INODE_##FLAG)) + #define CHECK_FLAG_VALUE(FLAG) BUILD_BUG_ON(!TEST_FLAG_VALUE(FLAG)) + + static inline void ext4_check_flag_values(void) +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-uninititialized-value-in-ext4_evict_inode.patch @@ -0,0 +1,97 @@ +From 7ea71af94eaaaf6d9aed24bc94a05b977a741cb9 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Thu, 17 Nov 2022 15:36:03 +0800 +Subject: [PATCH] ext4: fix uninititialized value in 'ext4_evict_inode' +Git-commit: 7ea71af94eaaaf6d9aed24bc94a05b977a741cb9 +Patch-mainline: v6.2-rc1 +References: bsc#1206893 + +Syzbot found the following issue: +===================================================== +Bug: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180 + ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180 + evict+0x365/0x9a0 fs/inode.c:664 + iput_final fs/inode.c:1747 [inline] + iput+0x985/0xdd0 fs/inode.c:1773 + __ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361 + ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844 + vfs_mknod+0x79d/0x830 fs/namei.c:3914 + do_mknodat+0x47d/0xaa0 + __do_sys_mknodat fs/namei.c:3992 [inline] + __se_sys_mknodat fs/namei.c:3989 [inline] + __ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 + do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246 + entry_SYSENTER_compat_after_hwframe+0x70/0x82 + +Uninit was created at: + __alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578 + alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285 + alloc_slab_page mm/slub.c:1794 [inline] + allocate_slab+0x1b5/0x1010 mm/slub.c:1939 + new_slab mm/slub.c:1992 [inline] + ___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180 + __slab_alloc mm/slub.c:3279 [inline] + slab_alloc_node mm/slub.c:3364 [inline] + slab_alloc mm/slub.c:3406 [inline] + __kmem_cache_alloc_lru mm/slub.c:3413 [inline] + kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429 + alloc_inode_sb include/linux/fs.h:3117 [inline] + ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321 + alloc_inode+0x83/0x440 fs/inode.c:259 + new_inode_pseudo fs/inode.c:1018 [inline] + new_inode+0x3b/0x430 fs/inode.c:1046 + __ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959 + ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992 + vfs_mkdir+0x62a/0x870 fs/namei.c:4035 + do_mkdirat+0x466/0x7b0 fs/namei.c:4060 + __do_sys_mkdirat fs/namei.c:4075 [inline] + __se_sys_mkdirat fs/namei.c:4073 [inline] + __ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 + do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246 + entry_SYSENTER_compat_after_hwframe+0x70/0x82 + +Cpu: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +===================================================== + +Now, 'ext4_alloc_inode()' didn't init 'ei->i_flags'. If new inode failed +before set 'ei->i_flags' in '__ext4_new_inode()', then do 'iput()'. As after +6bc0d63dad7f commit will access 'ei->i_flags' in 'ext4_evict_inode()' which +will lead to access uninit-value. +To solve above issue just init 'ei->i_flags' in 'ext4_alloc_inode()'. + +Reported-by: syzbot+57b25da729eb0b88177d@syzkaller.appspotmail.com +Signed-off-by: Ye Bin <yebin10@huawei.com> +Fixes: 6bc0d63dad7f ("ext4: remove EA inode entry from mbcache on inode eviction") +Reviewed-by: Jan Kara <jack@suse.cz> +Reviewed-by: Eric Biggers <ebiggers@google.com> +Link: https://lore.kernel.org/r/20221117073603.2598882-1-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 878be47faaaf..28d009151d23 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1324,6 +1324,7 @@ static struct inode *ext4_alloc_inode(struct super_block *sb) + return NULL; + + inode_set_iversion(&ei->vfs_inode, 1); ++ ei->i_flags = 0; + spin_lock_init(&ei->i_raw_lock); + INIT_LIST_HEAD(&ei->i_prealloc_list); + atomic_set(&ei->i_prealloc_active, 0); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch @@ -0,0 +1,106 @@ +From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Thu, 22 Sep 2022 20:04:34 +0800 +Subject: [PATCH] ext4: fix use-after-free in ext4_ext_shift_extents +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: f6b1a1cf1c3ee430d3f5e47847047ce789a690aa +Patch-mainline: v6.1-rc7 +References: bsc#1206888 + +If the starting position of our insert range happens to be in the hole +between the two ext4_extent_idx, because the lblk of the ext4_extent in +the previous ext4_extent_idx is always less than the start, which leads +to the "extent" variable access across the boundary, the following UAF is +Triggered: +================================================================== +Bug: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790 +Read of size 4 at addr ffff88819807a008 by task fallocate/8010 +Cpu: 3 PID: 8010 Comm: fallocate Tainted: G E 5.10.0+ #492 +Call Trace: + dump_stack+0x7d/0xa3 + print_address_description.constprop.0+0x1e/0x220 + kasan_report.cold+0x67/0x7f + ext4_ext_shift_extents+0x257/0x790 + ext4_insert_range+0x5b6/0x700 + ext4_fallocate+0x39e/0x3d0 + vfs_fallocate+0x26f/0x470 + ksys_fallocate+0x3a/0x70 + __x64_sys_fallocate+0x4f/0x60 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +================================================================== + +For right shifts, we can divide them into the following situations: + +1. When the first ee_block of ext4_extent_idx is greater than or equal to + start, make right shifts directly from the first ee_block. + 1) If it is greater than start, we need to continue searching in the + previous ext4_extent_idx. + 2) If it is equal to start, we can exit the loop (iterator=NULL). + +2. When the first ee_block of ext4_extent_idx is less than start, then + traverse from the last extent to find the first extent whose ee_block + is less than start. + 1) If extent is still the last extent after traversal, it means that + the last ee_block of ext4_extent_idx is less than start, that is, + start is located in the hole between idx and (idx+1), so we can + exit the loop directly (break) without right shifts. + 2) Otherwise, make right shifts at the corresponding position of the + found extent, and then exit the loop (iterator=NULL). + +Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate") +Cc: stable@vger.kernel.org # v4.2+ +Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com> +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/extents.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index f1956288307f..6c399a8b22b3 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5184,6 +5184,7 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, + * and it is decreased till we reach start. + */ + again: ++ ret = 0; + if (SHIFT == SHIFT_LEFT) + iterator = &start; + else +@@ -5227,14 +5228,21 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, + ext4_ext_get_actual_len(extent); + } else { + extent = EXT_FIRST_EXTENT(path[depth].p_hdr); +- if (le32_to_cpu(extent->ee_block) > 0) ++ if (le32_to_cpu(extent->ee_block) > start) + *iterator = le32_to_cpu(extent->ee_block) - 1; +- else +- /* Beginning is reached, end of the loop */ ++ else if (le32_to_cpu(extent->ee_block) == start) + iterator = NULL; +- /* Update path extent in case we need to stop */ +- while (le32_to_cpu(extent->ee_block) < start) ++ else { ++ extent = EXT_LAST_EXTENT(path[depth].p_hdr); ++ while (le32_to_cpu(extent->ee_block) >= start) ++ extent--; ++ ++ if (extent == EXT_LAST_EXTENT(path[depth].p_hdr)) ++ break; ++ + extent++; ++ iterator = NULL; ++ } + path[depth].p_ext = extent; + } + ret = ext4_ext_shift_path_extents(path, shift, inode, +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_orphan_cleanup.patch @@ -0,0 +1,81 @@ +From a71248b1accb2b42e4980afef4fa4a27fa0e36f5 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Wed, 2 Nov 2022 16:06:33 +0800 +Subject: [PATCH] ext4: fix use-after-free in ext4_orphan_cleanup +Git-commit: a71248b1accb2b42e4980afef4fa4a27fa0e36f5 +Patch-mainline: v6.2-rc1 +References: bsc#1207622 + +I caught a issue as follows: +================================================================== + BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0 + Read of size 8 at addr ffff88814b13f378 by task mount/710 + + CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370 + Call Trace: + <TASK> + dump_stack_lvl+0x73/0x9f + print_report+0x25d/0x759 + kasan_report+0xc0/0x120 + __asan_load8+0x99/0x140 + __list_add_valid+0x28/0x1a0 + ext4_orphan_cleanup+0x564/0x9d0 [ext4] + __ext4_fill_super+0x48e2/0x5300 [ext4] + ext4_fill_super+0x19f/0x3a0 [ext4] + get_tree_bdev+0x27b/0x450 + ext4_get_tree+0x19/0x30 [ext4] + vfs_get_tree+0x49/0x150 + path_mount+0xaae/0x1350 + do_mount+0xe2/0x110 + __x64_sys_mount+0xf0/0x190 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + </TASK> + [...] +================================================================== + +Above issue may happen as follows: + +Acked-by: Jan Kara <jack@suse.cz> + +------------------------------------- +ext4_fill_super + ext4_orphan_cleanup + --- loop1: assume last_orphan is 12 --- + list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan) + ext4_truncate --> return 0 + ext4_inode_attach_jinode --> return -ENOMEM + iput(inode) --> free inode<12> + --- loop2: last_orphan is still 12 --- + list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan); + // use inode<12> and trigger UAF + +To solve this issue, we need to propagate the return value of +ext4_inode_attach_jinode() appropriately. + +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221102080633.1630225-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +--- + fs/ext4/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index a4bf643aa08b..181bc161b1ac 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4231,7 +4231,8 @@ int ext4_truncate(struct inode *inode) + + /* If we zero-out tail of the page, we have to create jinode for jbd2 */ + if (inode->i_size & (inode->i_sb->s_blocksize - 1)) { +- if (ext4_inode_attach_jinode(inode) < 0) ++ err = ext4_inode_attach_jinode(inode); ++ if (err) + goto out_trace; + } + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_rename_dir_prepare.patch @@ -0,0 +1,130 @@ +From 0be698ecbe4471fcad80e81ec6a05001421041b3 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Thu, 14 Apr 2022 10:52:23 +0800 +Subject: [PATCH] ext4: fix use-after-free in ext4_rename_dir_prepare +Git-commit: 0be698ecbe4471fcad80e81ec6a05001421041b3 +Patch-mainline: v5.19-rc1 +References: bsc#1200871 + +We got issue as follows: +EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue +Ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478 +Ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000 +Ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae +================================================================== +Bug: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220 +Read of size 4 at addr ffff88810beee6ae by task rep/1895 + +Cpu: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241 +Call Trace: + dump_stack+0xbe/0xf9 + print_address_description.constprop.0+0x1e/0x220 + kasan_report.cold+0x37/0x7f + ext4_rename_dir_prepare+0x152/0x220 + ext4_rename+0xf44/0x1ad0 + ext4_rename2+0x11c/0x170 + vfs_rename+0xa84/0x1440 + do_renameat2+0x683/0x8f0 + __x64_sys_renameat+0x53/0x60 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +Rip: 0033:0x7f45a6fc41c9 +Rsp: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108 +Rax: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9 +Rdx: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005 +Rbp: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080 +R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0 +R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000 + +The buggy address belongs to the page: +page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee +Flags: 0x200000000000000() +Raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000 +Raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +>ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +================================================================== +Disabling lock debugging due to kernel taint +Ext4_rename_dir_prepare: [2] parent_de->inode=3537895424 +Ext4_rename_dir_prepare: [3] dir=0xffff888124170140 +Ext4_rename_dir_prepare: [4] ino=2 +Ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872 + +Reason is first directory entry which 'rec_len' is 34478, then will get illegal +parent entry. Now, we do not check directory entry after read directory block +in 'ext4_get_first_dir_block'. +To solve this issue, check directory entry in 'ext4_get_first_dir_block'. + +[ Trigger an ext4_error() instead of just warning if the directory is + missing a '.' or '..' entry. Also make sure we return an error code + if the file system is corrupted. -TYT ] + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220414025223.4113128-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 30 +++++++++++++++++++++++++++--- + 1 file changed, 27 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index dfe5514035c1..b202626391ff 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3454,6 +3454,9 @@ static struct buffer_head *ext4_get_first_dir_block(handle_t *handle, + struct buffer_head *bh; + + if (!ext4_has_inline_data(inode)) { ++ struct ext4_dir_entry_2 *de; ++ unsigned int offset; ++ + /* The first directory block must not be a hole, so + * treat it as DIRENT_HTREE + */ +@@ -3462,9 +3465,30 @@ static struct buffer_head *ext4_get_first_dir_block(handle_t *handle, + *retval = PTR_ERR(bh); + return NULL; + } +- *parent_de = ext4_next_entry( +- (struct ext4_dir_entry_2 *)bh->b_data, +- inode->i_sb->s_blocksize); ++ ++ de = (struct ext4_dir_entry_2 *) bh->b_data; ++ if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, ++ bh->b_size, 0) || ++ le32_to_cpu(de->inode) != inode->i_ino || ++ strcmp(".", de->name)) { ++ EXT4_ERROR_INODE(inode, "directory missing '.'"); ++ brelse(bh); ++ *retval = -EFSCORRUPTED; ++ return NULL; ++ } ++ offset = ext4_rec_len_from_disk(de->rec_len, ++ inode->i_sb->s_blocksize); ++ de = ext4_next_entry(de, inode->i_sb->s_blocksize); ++ if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, ++ bh->b_size, offset) || ++ le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) { ++ EXT4_ERROR_INODE(inode, "directory missing '..'"); ++ brelse(bh); ++ *retval = -EFSCORRUPTED; ++ return NULL; ++ } ++ *parent_de = de; ++ + return bh; + } + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-in-ext4_search_dir.patch @@ -0,0 +1,131 @@ +From c186f0887fe7061a35cebef024550ec33ef8fbd8 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Thu, 24 Mar 2022 14:48:16 +0800 +Subject: [PATCH] ext4: fix use-after-free in ext4_search_dir +Git-commit: c186f0887fe7061a35cebef024550ec33ef8fbd8 +Patch-mainline: v5.18-rc4 +References: bsc#1202710 + +We got issue as follows: +EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue +================================================================== +Bug: KASAN: use-after-free in ext4_search_dir fs/ext4/namei.c:1394 [inline] +Bug: KASAN: use-after-free in search_dirblock fs/ext4/namei.c:1199 [inline] +Bug: KASAN: use-after-free in __ext4_find_entry+0xdca/0x1210 fs/ext4/namei.c:1553 +Read of size 1 at addr ffff8881317c3005 by task syz-executor117/2331 + +Cpu: 1 PID: 2331 Comm: syz-executor117 Not tainted 5.10.0+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:83 [inline] + dump_stack+0x144/0x187 lib/dump_stack.c:124 + print_address_description+0x7d/0x630 mm/kasan/report.c:387 + __kasan_report+0x132/0x190 mm/kasan/report.c:547 + kasan_report+0x47/0x60 mm/kasan/report.c:564 + ext4_search_dir fs/ext4/namei.c:1394 [inline] + search_dirblock fs/ext4/namei.c:1199 [inline] + __ext4_find_entry+0xdca/0x1210 fs/ext4/namei.c:1553 + ext4_lookup_entry fs/ext4/namei.c:1622 [inline] + ext4_lookup+0xb8/0x3a0 fs/ext4/namei.c:1690 + __lookup_hash+0xc5/0x190 fs/namei.c:1451 + do_rmdir+0x19e/0x310 fs/namei.c:3760 + do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +Rip: 0033:0x445e59 +Code: 4d c7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b c7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +Rsp: 002b:00007fff2277fac8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054 +Rax: ffffffffffffffda RBX: 0000000000400280 RCX: 0000000000445e59 +Rdx: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0 +Rbp: 0000000000000000 R08: 0000000000000000 R09: 0000000000000002 +R10: 00007fff2277f990 R11: 0000000000000246 R12: 0000000000000000 +R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 + +The buggy address belongs to the page: +page:0000000048cd3304 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1317c3 +Flags: 0x200000000000000() +Raw: 0200000000000000 ffffea0004526588 ffffea0004528088 0000000000000000 +Raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881317c2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8881317c2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff8881317c3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + ffff8881317c3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff8881317c3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +================================================================== + +Ext4_search_dir: ... + de = (struct ext4_dir_entry_2 *)search_buf; + dlimit = search_buf + buf_size; + while ((char *) de < dlimit) { + ... + if ((char *) de + de->name_len <= dlimit && + ext4_match(dir, fname, de)) { + ... + } + ... + de_len = ext4_rec_len_from_disk(de->rec_len, dir->i_sb->s_blocksize); + if (de_len <= 0) + return -1; + offset += de_len; + de = (struct ext4_dir_entry_2 *) ((char *) de + de_len); + } + +Assume: +de=0xffff8881317c2fff +dlimit=0x0xffff8881317c3000 + +If read 'de->name_len' which address is 0xffff8881317c3005, obviously is +out of range, then will trigger use-after-free. +To solve this issue, 'dlimit' must reserve 8 bytes, as we will read +'de->name_len' to judge if '(char *) de + de->name_len' out of range. + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220324064816.1209985-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 4 ++++ + fs/ext4/namei.c | 4 ++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 1d79012c5a5b..48dc2c3247ad 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2273,6 +2273,10 @@ static inline int ext4_forced_shutdown(struct ext4_sb_info *sbi) + * Structure of a directory entry + */ + #define EXT4_NAME_LEN 255 ++/* ++ * Base length of the ext4 directory entry excluding the name length ++ */ ++#define EXT4_BASE_DIR_LEN (sizeof(struct ext4_dir_entry_2) - EXT4_NAME_LEN) + + struct ext4_dir_entry { + __le32 inode; /* Inode number */ +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index e37da8d5cd0c..767b4bfe39c3 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1466,10 +1466,10 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + + de = (struct ext4_dir_entry_2 *)search_buf; + dlimit = search_buf + buf_size; +- while ((char *) de < dlimit) { ++ while ((char *) de < dlimit - EXT4_BASE_DIR_LEN) { + /* this code is executed quadratically often */ + /* do minimal checking `by hand' */ +- if ((char *) de + de->name_len <= dlimit && ++ if (de->name + de->name_len <= dlimit && + ext4_match(dir, fname, de)) { + /* found a match - just to be sure, do + * a full check */ +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch @@ -0,0 +1,94 @@ +From 835659598c67907b98cd2aa57bb951dfaf675c69 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Thu, 6 Apr 2023 11:16:27 +0000 +Subject: [PATCH] ext4: fix use-after-free read in ext4_find_extent for + bigalloc + inline +Git-commit: 835659598c67907b98cd2aa57bb951dfaf675c69 +Patch-mainline: v6.4-rc1 +References: bsc#1213098 + +Syzbot found the following issue: +Loop0: detected capacity change from 0 to 2048 +EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none. +================================================================== +Bug: KASAN: use-after-free in ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline] +Bug: KASAN: use-after-free in ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931 +Read of size 4 at addr ffff888073644750 by task syz-executor420/5067 + +Cpu: 0 PID: 5067 Comm: syz-executor420 Not tainted 6.2.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 +Call Trace: + <TASK> + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:306 + print_report+0x107/0x1f0 mm/kasan/report.c:417 + kasan_report+0xcd/0x100 mm/kasan/report.c:517 + ext4_ext_binsearch_idx fs/ext4/extents.c:768 [inline] + ext4_find_extent+0x76e/0xd90 fs/ext4/extents.c:931 + ext4_clu_mapped+0x117/0x970 fs/ext4/extents.c:5809 + ext4_insert_delayed_block fs/ext4/inode.c:1696 [inline] + ext4_da_map_blocks fs/ext4/inode.c:1806 [inline] + ext4_da_get_block_prep+0x9e8/0x13c0 fs/ext4/inode.c:1870 + ext4_block_write_begin+0x6a8/0x2290 fs/ext4/inode.c:1098 + ext4_da_write_begin+0x539/0x760 fs/ext4/inode.c:3082 + generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772 + ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:285 + ext4_file_write_iter+0x1d0/0x18f0 + call_write_iter include/linux/fs.h:2186 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x7dc/0xc50 fs/read_write.c:584 + ksys_write+0x177/0x2a0 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7f4b7a9737b9 +Rsp: 002b:00007ffc5cac3668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +Rax: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4b7a9737b9 +Rdx: 00000000175d9003 RSI: 0000000020000200 RDI: 0000000000000004 +Rbp: 00007f4b7a933050 R08: 0000000000000000 R09: 0000000000000000 +R10: 000000000000079f R11: 0000000000000246 R12: 00007f4b7a9330e0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + </TASK> + +Above issue is happens when enable bigalloc and inline data feature. As +commit 131294c35ed6 fixed delayed allocation bug in ext4_clu_mapped for +bigalloc + inline. But it only resolved issue when has inline data, if +inline data has been converted to extent(ext4_da_convert_inline_data_to_extent) +before writepages, there is no EXT4_STATE_MAY_INLINE_DATA flag. However +i_data is still store inline data in this scene. Then will trigger UAF +when find extent. +To resolve above issue, there is need to add judge "ext4_has_inline_data(inode)" +in ext4_clu_mapped(). + +Fixes: 131294c35ed6 ("ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline") +Reported-by: syzbot+bf4bb7731ef73b83a3b4@syzkaller.appspotmail.com +Reviewed-by: Jan Kara <jack@suse.cz> +Reviewed-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org> +Tested-by: Tudor Ambarus <tudor.ambarus@linaro.org> +Link: https://lore.kernel.org/r/20230406111627.1916759-1-tudor.ambarus@linaro.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/extents.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index e79c767cc5e0..35703dce23a3 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5795,7 +5795,8 @@ int ext4_clu_mapped(struct inode *inode, ext4_lblk_t lclu) + * mapped - no physical clusters have been allocated, and the + * file has no extents + */ +- if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) ++ if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA) || ++ ext4_has_inline_data(inode)) + return 0; + + /* search for the extent closest to the first block in the cluster */ +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-warning-in-ext4_da_release_space.patch @@ -0,0 +1,108 @@ +From 1b8f787ef547230a3249bcf897221ef0cc78481b Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Tue, 18 Oct 2022 10:27:01 +0800 +Subject: [PATCH] ext4: fix warning in 'ext4_da_release_space' +Git-commit: 1b8f787ef547230a3249bcf897221ef0cc78481b +Patch-mainline: v6.1-rc4 +References: bsc#1206887 + +Syzkaller report issue as follows: +EXT4-fs (loop0): Free/Dirty block details +EXT4-fs (loop0): free_blocks=0 +EXT4-fs (loop0): dirty_blocks=0 +EXT4-fs (loop0): Block reservation details +EXT4-fs (loop0): i_reserved_data_blocks=0 +EXT4-fs warning (device loop0): ext4_da_release_space:1527: ext4_da_release_space: ino 18, to_free 1 with only 0 reserved data blocks + +Acked-by: Jan Kara <jack@suse.cz> + +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 92 at fs/ext4/inode.c:1528 ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1524 +Modules linked in: +CPU: 0 PID: 92 Comm: kworker/u4:4 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 +Workqueue: writeback wb_workfn (flush-7:0) +RIP: 0010:ext4_da_release_space+0x25e/0x370 fs/ext4/inode.c:1528 +RSP: 0018:ffffc900015f6c90 EFLAGS: 00010296 +RAX: 42215896cd52ea00 RBX: 0000000000000000 RCX: 42215896cd52ea00 +RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000 +RBP: 1ffff1100e907d96 R08: ffffffff816aa79d R09: fffff520002bece5 +R10: fffff520002bece5 R11: 1ffff920002bece4 R12: ffff888021fd2000 +R13: ffff88807483ecb0 R14: 0000000000000001 R15: ffff88807483e740 +FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005555569ba628 CR3: 000000000c88e000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + <TASK> + ext4_es_remove_extent+0x1ab/0x260 fs/ext4/extents_status.c:1461 + mpage_release_unused_pages+0x24d/0xef0 fs/ext4/inode.c:1589 + ext4_writepages+0x12eb/0x3be0 fs/ext4/inode.c:2852 + do_writepages+0x3c3/0x680 mm/page-writeback.c:2469 + __writeback_single_inode+0xd1/0x670 fs/fs-writeback.c:1587 + writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1870 + wb_writeback+0x41f/0x7b0 fs/fs-writeback.c:2044 + wb_do_writeback fs/fs-writeback.c:2187 [inline] + wb_workfn+0x3cb/0xef0 fs/fs-writeback.c:2227 + process_one_work+0x877/0xdb0 kernel/workqueue.c:2289 + worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 + kthread+0x266/0x300 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + </TASK> + +Above issue may happens as follows: +ext4_da_write_begin + ext4_create_inline_data + ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS); + ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA); +__ext4_ioctl + ext4_ext_migrate -> will lead to eh->eh_entries not zero, and set extent flag +ext4_da_write_begin + ext4_da_convert_inline_data_to_extent + ext4_da_write_inline_data_begin + ext4_da_map_blocks + ext4_insert_delayed_block + if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk)) + if (!ext4_es_scan_clu(inode, &ext4_es_is_mapped, lblk)) + ext4_clu_mapped(inode, EXT4_B2C(sbi, lblk)); -> will return 1 + allocated = true; + ext4_es_insert_delayed_block(inode, lblk, allocated); +ext4_writepages + mpage_map_and_submit_extent(handle, &mpd, &give_up_on_write); -> return -ENOSPC + mpage_release_unused_pages(&mpd, give_up_on_write); -> give_up_on_write == 1 + ext4_es_remove_extent + ext4_da_release_space(inode, reserved); + if (unlikely(to_free > ei->i_reserved_data_blocks)) + -> to_free == 1 but ei->i_reserved_data_blocks == 0 + -> then trigger warning as above + +To solve above issue, forbid inode do migrate which has inline data. + +Cc: stable@kernel.org +Reported-by: syzbot+c740bb18df70ad00952e@syzkaller.appspotmail.com +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221018022701.683489-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/migrate.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c +index 0a220ec9862d..a19a9661646e 100644 +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -424,7 +424,8 @@ int ext4_ext_migrate(struct inode *inode) + * already is extent-based, error out. + */ + if (!ext4_has_feature_extents(inode->i_sb) || +- (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) ++ ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS) || ++ ext4_has_inline_data(inode)) + return -EINVAL; + + if (S_ISLNK(inode->i_mode) && inode->i_blocks == 0) +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fix-warning-in-ext4_handle_inode_extension.patch @@ -0,0 +1,113 @@ +From f4534c9fc94d22383f187b9409abb3f9df2e3db3 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Sat, 26 Mar 2022 14:53:51 +0800 +Subject: [PATCH] ext4: fix warning in ext4_handle_inode_extension +Git-commit: f4534c9fc94d22383f187b9409abb3f9df2e3db3 +Patch-mainline: v5.19-rc1 +References: bsc#1202711 + +We got issue as follows: +EXT4-fs error (device loop0) in ext4_reserve_inode_write:5741: Out of memory +EXT4-fs error (device loop0): ext4_setattr:5462: inode #13: comm syz-executor.0: mark_inode_dirty error +EXT4-fs error (device loop0) in ext4_setattr:5519: Out of memory +EXT4-fs error (device loop0): ext4_ind_map_blocks:595: inode #13: comm syz-executor.0: Can't allocate blocks for non-extent mapped inodes with bigalloc + +Acked-by: Jan Kara <jack@suse.cz> + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 4361 at fs/ext4/file.c:301 ext4_file_write_iter+0x11c9/0x1220 +Modules linked in: +CPU: 1 PID: 4361 Comm: syz-executor.0 Not tainted 5.10.0+ #1 +RIP: 0010:ext4_file_write_iter+0x11c9/0x1220 +RSP: 0018:ffff924d80b27c00 EFLAGS: 00010282 +RAX: ffffffff815a3379 RBX: 0000000000000000 RCX: 000000003b000000 +RDX: ffff924d81601000 RSI: 00000000000009cc RDI: 00000000000009cd +RBP: 000000000000000d R08: ffffffffbc5a2c6b R09: 0000902e0e52a96f +R10: ffff902e2b7c1b40 R11: ffff902e2b7c1b40 R12: 000000000000000a +R13: 0000000000000001 R14: ffff902e0e52aa10 R15: ffffffffffffff8b +FS: 00007f81a7f65700(0000) GS:ffff902e3bc80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffff600400 CR3: 000000012db88001 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + do_iter_readv_writev+0x2e5/0x360 + do_iter_write+0x112/0x4c0 + do_pwritev+0x1e5/0x390 + __x64_sys_pwritev2+0x7e/0xa0 + do_syscall_64+0x37/0x50 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Above issue may happen as follows: +Assume +inode.i_size=4096 +EXT4_I(inode)->i_disksize=4096 + +step 1: set inode->i_isize = 8192 +ext4_setattr + if (attr->ia_size != inode->i_size) + EXT4_I(inode)->i_disksize = attr->ia_size; + rc = ext4_mark_inode_dirty + ext4_reserve_inode_write + ext4_get_inode_loc + __ext4_get_inode_loc + sb_getblk --> return -ENOMEM + ... + if (!error) ->will not update i_size + i_size_write(inode, attr->ia_size); +Now: +inode.i_size=4096 +EXT4_I(inode)->i_disksize=8192 + +step 2: Direct write 4096 bytes +ext4_file_write_iter + ext4_dio_write_iter + iomap_dio_rw ->return error + if (extend) + ext4_handle_inode_extension + WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize); +->Then trigger warning. + +To solve above issue, if mark inode dirty failed in ext4_setattr just +set 'EXT4_I(inode)->i_disksize' with old value. + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Link: https://lore.kernel.org/r/20220326065351.761952-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +--- + fs/ext4/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 646ece9b3455..15165c87c915 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5398,6 +5398,7 @@ int ext4_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, + if (attr->ia_valid & ATTR_SIZE) { + handle_t *handle; + loff_t oldsize = inode->i_size; ++ loff_t old_disksize; + int shrink = (attr->ia_size < inode->i_size); + + if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) { +@@ -5469,6 +5470,7 @@ int ext4_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, + inode->i_sb->s_blocksize_bits); + + down_write(&EXT4_I(inode)->i_data_sem); ++ old_disksize = EXT4_I(inode)->i_disksize; + EXT4_I(inode)->i_disksize = attr->ia_size; + rc = ext4_mark_inode_dirty(handle, inode); + if (!error) +@@ -5480,6 +5482,8 @@ int ext4_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, + */ + if (!error) + i_size_write(inode, attr->ia_size); ++ else ++ EXT4_I(inode)->i_disksize = old_disksize; + up_write(&EXT4_I(inode)->i_data_sem); + ext4_journal_stop(handle); + if (error) +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-fixup-pages-without-buffers.patch @@ -0,0 +1,74 @@ +From: Jan Kara <jack@suse.cz> +Subject: ext4: Fixup pages without buffers +References: bsc#1205495 +Patch-mainline: Never, upstream has page pinning tracking infrastructure which should be used for this + +When application use RDMA or various offload engines they pin pages which they +dirty once they are done with these pages. However the page may be cleaned and +buffers reclaimed before it is dirtied which confuses ext4 writeback code. +Detect such case and restore page buffers as good as we can. + +Signed-off-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2122,6 +2122,37 @@ out_no_pagelock: + } + + /* ++ * Create buffers under a dirty page. This is a hack for the case when someone ++ * pinned the page, the page got cleaned and buffers released, and then the ++ * pinning process dirtied the page ++ */ ++static void ext4_restore_page_buffers(struct inode *inode, struct page *page) ++{ ++ int bsize = 1 << inode->i_blkbits; ++ struct buffer_head *bh, *head; ++ loff_t isize = i_size_read(inode); ++ unsigned int off, end; ++ ext4_lblk_t iblock = page->index << (PAGE_SHIFT - inode->i_blkbits); ++ ++ if (page->index == isize >> PAGE_SHIFT) ++ end = isize & (PAGE_SIZE - 1); ++ else ++ end = PAGE_SIZE; ++ ++ create_empty_buffers(page, bsize, 0); ++ bh = head = page_buffers(page); ++ off = 0; ++ do { ++ if (off > end) ++ break; ++ ext4_get_block(inode, iblock, bh, 0); ++ off += bsize; ++ iblock++; ++ bh = bh->b_this_page; ++ } while (bh != head); ++} ++ ++/* + * Note that we don't need to start a transaction unless we're journaling data + * because we should have holes filled from ext4_page_mkwrite(). We even don't + * need to file the inode to the transaction's list in ordered mode because if +@@ -2186,6 +2217,8 @@ static int ext4_writepage(struct page *p + else + len = PAGE_SIZE; + ++ if (!page_has_buffers(page)) ++ ext4_restore_page_buffers(inode, page); + page_bufs = page_buffers(page); + /* + * We cannot do block allocation or other extent handling in this +@@ -2731,6 +2764,8 @@ static int mpage_prepare_extent_to_map(s + wait_on_page_writeback(page); + BUG_ON(PageWriteback(page)); + ++ if (!page_has_buffers(page)) ++ ext4_restore_page_buffers(mpd->inode, page); + if (mpd->map.m_len == 0) + mpd->first_page = page->index; + mpd->next_page = page->index + 1; --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-force-overhead-calculation-if-the-s_overhead_cl.patch @@ -0,0 +1,50 @@ +From 85d825dbf4899a69407338bae462a59aa9a37326 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Thu, 14 Apr 2022 21:57:49 -0400 +Subject: [PATCH] ext4: force overhead calculation if the s_overhead_cluster + makes no sense +Git-commit: 85d825dbf4899a69407338bae462a59aa9a37326 +Patch-mainline: v5.18-rc4 +References: bsc#1200870 + +If the file system does not use bigalloc, calculating the overhead is +cheap, so force the recalculation of the overhead so we don't have to +trust the precalculated overhead in the superblock. + +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 23a9b2c086ed..d08820fdfdee 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5289,9 +5289,18 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) + * Get the # of file system overhead blocks from the + * superblock if present. + */ +- if (es->s_overhead_clusters) +- sbi->s_overhead = le32_to_cpu(es->s_overhead_clusters); +- else { ++ sbi->s_overhead = le32_to_cpu(es->s_overhead_clusters); ++ /* ignore the precalculated value if it is ridiculous */ ++ if (sbi->s_overhead > ext4_blocks_count(es)) ++ sbi->s_overhead = 0; ++ /* ++ * If the bigalloc feature is not enabled recalculating the ++ * overhead doesn't take long, so we might as well just redo ++ * it to make sure we are using the correct value. ++ */ ++ if (!ext4_has_feature_bigalloc(sb)) ++ sbi->s_overhead = 0; ++ if (sbi->s_overhead == 0) { + err = ext4_calculate_overhead(sb); + if (err) + goto failed_mount_wq; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-goto-right-label-failed_mount3a.patch @@ -0,0 +1,68 @@ +From 43bd6f1b49b61f43de4d4e33661b8dbe8c911f14 Mon Sep 17 00:00:00 2001 +From: Jason Yan <yanaijie@huawei.com> +Date: Fri, 16 Sep 2022 22:15:12 +0800 +Subject: [PATCH] ext4: goto right label 'failed_mount3a' +Git-commit: 43bd6f1b49b61f43de4d4e33661b8dbe8c911f14 +Patch-mainline: v6.1-rc1 +References: bsc#1207610 + +Before these two branches neither loaded the journal nor created the +xattr cache. So the right label to goto is 'failed_mount3a'. Although +this did not cause any issues because the error handler validated if the +pointer is null. However this still made me confused when reading +the code. So it's still worth to modify to goto the right label. + +Signed-off-by: Jason Yan <yanaijie@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com> +Link: https://lore.kernel.org/r/20220916141527.1012715-2-yanaijie@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 4eb18c4c52d7..016b3410e915 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5053,30 +5053,30 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) + ext4_has_feature_journal_needs_recovery(sb)) { + ext4_msg(sb, KERN_ERR, "required journal recovery " + "suppressed and not mounted read-only"); +- goto failed_mount_wq; ++ goto failed_mount3a; + } else { + /* Nojournal mode, all journal mount options are illegal */ + if (test_opt2(sb, EXPLICIT_JOURNAL_CHECKSUM)) { + ext4_msg(sb, KERN_ERR, "can't mount with " + "journal_checksum, fs mounted w/o journal"); +- goto failed_mount_wq; ++ goto failed_mount3a; + } + if (test_opt(sb, JOURNAL_ASYNC_COMMIT)) { + ext4_msg(sb, KERN_ERR, "can't mount with " + "journal_async_commit, fs mounted w/o journal"); +- goto failed_mount_wq; ++ goto failed_mount3a; + } + if (sbi->s_commit_interval != JBD2_DEFAULT_MAX_COMMIT_AGE*HZ) { + ext4_msg(sb, KERN_ERR, "can't mount with " + "commit=%lu, fs mounted w/o journal", + sbi->s_commit_interval / HZ); +- goto failed_mount_wq; ++ goto failed_mount3a; + } + if (EXT4_MOUNT_DATA_FLAGS & + (sbi->s_mount_opt ^ sbi->s_def_mount_opt)) { + ext4_msg(sb, KERN_ERR, "can't mount with " + "data=, fs mounted w/o journal"); +- goto failed_mount_wq; ++ goto failed_mount3a; + } + sbi->s_def_mount_opt &= ~EXT4_MOUNT_JOURNAL_CHECKSUM; + clear_opt(sb, JOURNAL_CHECKSUM); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-improve-error-handling-from-ext4_dirhash.patch @@ -0,0 +1,163 @@ +From 4b3cb1d108bfc2aebb0d7c8a52261a53cf7f5786 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Sat, 6 May 2023 11:59:13 -0400 +Subject: [PATCH] ext4: improve error handling from ext4_dirhash() +Git-commit: 4b3cb1d108bfc2aebb0d7c8a52261a53cf7f5786 +Patch-mainline: v6.4-rc2 +References: bsc#1213104 + +The ext4_dirhash() will *almost* never fail, especially when the hash +tree feature was first introduced. However, with the addition of +support of encrypted, casefolded file names, that function can most +certainly fail today. + +So make sure the callers of ext4_dirhash() properly check for +failures, and reflect the errors back up to their callers. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230506142419.984260-1-tytso@mit.edu +Reported-by: syzbot+394aa8a792cb99dbc837@syzkaller.appspotmail.com +Reported-by: syzbot+344aaa8697ebd232bfc8@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=db56459ea4ac4a676ae4b4678f633e55da005a9b +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/hash.c | 6 +++++- + fs/ext4/namei.c | 53 ++++++++++++++++++++++++++++++++++--------------- + 2 files changed, 42 insertions(+), 17 deletions(-) + +diff --git a/fs/ext4/hash.c b/fs/ext4/hash.c +index 147b5241dd94..46c3423ddfa1 100644 +--- a/fs/ext4/hash.c ++++ b/fs/ext4/hash.c +@@ -277,7 +277,11 @@ static int __ext4fs_dirhash(const struct inode *dir, const char *name, int len, + } + default: + hinfo->hash = 0; +- return -1; ++ hinfo->minor_hash = 0; ++ ext4_warning(dir->i_sb, ++ "invalid/unsupported hash tree version %u", ++ hinfo->hash_version); ++ return -EINVAL; + } + hash = hash & ~1; + if (hash == (EXT4_HTREE_EOF_32BIT << 1)) +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index a5010b5b8a8c..45b579805c95 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -674,7 +674,7 @@ static struct stats dx_show_leaf(struct inode *dir, + len = de->name_len; + if (!IS_ENCRYPTED(dir)) { + /* Directory is not encrypted */ +- ext4fs_dirhash(dir, de->name, ++ (void) ext4fs_dirhash(dir, de->name, + de->name_len, &h); + printk("%*.s:(U)%x.%u ", len, + name, h.hash, +@@ -709,8 +709,9 @@ static struct stats dx_show_leaf(struct inode *dir, + if (IS_CASEFOLDED(dir)) + h.hash = EXT4_DIRENT_HASH(de); + else +- ext4fs_dirhash(dir, de->name, +- de->name_len, &h); ++ (void) ext4fs_dirhash(dir, ++ de->name, ++ de->name_len, &h); + printk("%*.s:(E)%x.%u ", len, name, + h.hash, (unsigned) ((char *) de + - base)); +@@ -720,7 +721,8 @@ static struct stats dx_show_leaf(struct inode *dir, + #else + int len = de->name_len; + char *name = de->name; +- ext4fs_dirhash(dir, de->name, de->name_len, &h); ++ (void) ext4fs_dirhash(dir, de->name, ++ de->name_len, &h); + printk("%*.s:%x.%u ", len, name, h.hash, + (unsigned) ((char *) de - base)); + #endif +@@ -849,8 +851,14 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, + hinfo->seed = EXT4_SB(dir->i_sb)->s_hash_seed; + /* hash is already computed for encrypted casefolded directory */ + if (fname && fname_name(fname) && +- !(IS_ENCRYPTED(dir) && IS_CASEFOLDED(dir))) +- ext4fs_dirhash(dir, fname_name(fname), fname_len(fname), hinfo); ++ !(IS_ENCRYPTED(dir) && IS_CASEFOLDED(dir))) { ++ int ret = ext4fs_dirhash(dir, fname_name(fname), ++ fname_len(fname), hinfo); ++ if (ret < 0) { ++ ret_err = ERR_PTR(ret); ++ goto fail; ++ } ++ } + hash = hinfo->hash; + + if (root->info.unused_flags & 1) { +@@ -1111,7 +1119,12 @@ static int htree_dirblock_to_tree(struct file *dir_file, + hinfo->minor_hash = 0; + } + } else { +- ext4fs_dirhash(dir, de->name, de->name_len, hinfo); ++ err = ext4fs_dirhash(dir, de->name, ++ de->name_len, hinfo); ++ if (err < 0) { ++ count = err; ++ goto errout; ++ } + } + if ((hinfo->hash < start_hash) || + ((hinfo->hash == start_hash) && +@@ -1313,8 +1326,12 @@ static int dx_make_map(struct inode *dir, struct buffer_head *bh, + if (de->name_len && de->inode) { + if (ext4_hash_in_dirent(dir)) + h.hash = EXT4_DIRENT_HASH(de); +- else +- ext4fs_dirhash(dir, de->name, de->name_len, &h); ++ else { ++ int err = ext4fs_dirhash(dir, de->name, ++ de->name_len, &h); ++ if (err < 0) ++ return err; ++ } + map_tail--; + map_tail->hash = h.hash; + map_tail->offs = ((char *) de - base)>>2; +@@ -1452,10 +1469,9 @@ int ext4_fname_setup_ci_filename(struct inode *dir, const struct qstr *iname, + hinfo->hash_version = DX_HASH_SIPHASH; + hinfo->seed = NULL; + if (cf_name->name) +- ext4fs_dirhash(dir, cf_name->name, cf_name->len, hinfo); ++ return ext4fs_dirhash(dir, cf_name->name, cf_name->len, hinfo); + else +- ext4fs_dirhash(dir, iname->name, iname->len, hinfo); +- return 0; ++ return ext4fs_dirhash(dir, iname->name, iname->len, hinfo); + } + #endif + +@@ -2298,10 +2314,15 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, + fname->hinfo.seed = EXT4_SB(dir->i_sb)->s_hash_seed; + + /* casefolded encrypted hashes are computed on fname setup */ +- if (!ext4_hash_in_dirent(dir)) +- ext4fs_dirhash(dir, fname_name(fname), +- fname_len(fname), &fname->hinfo); +- ++ if (!ext4_hash_in_dirent(dir)) { ++ int err = ext4fs_dirhash(dir, fname_name(fname), ++ fname_len(fname), &fname->hinfo); ++ if (err < 0) { ++ brelse(bh2); ++ brelse(bh); ++ return err; ++ } ++ } + memset(frames, 0, sizeof(frames)); + frame = frames; + frame->entries = entries; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch @@ -0,0 +1,67 @@ +From 4c0b4818b1f636bc96359f7817a2d8bab6370162 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Fri, 5 May 2023 22:20:29 -0400 +Subject: [PATCH] ext4: improve error recovery code paths in __ext4_remount() +Git-commit: 4c0b4818b1f636bc96359f7817a2d8bab6370162 +Patch-mainline: v6.4-rc2 +References: bsc#1213017 + +If there are failures while changing the mount options in +__ext4_remount(), we need to restore the old mount options. + +This commit fixes two problem. The first is there is a chance that we +will free the old quota file names before a potential failure leading +to a use-after-free. The second problem addressed in this commit is +if there is a failed read/write to read-only transition, if the quota +has already been suspended, we need to renable quota handling. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230506142419.984260-2-tytso@mit.edu +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index c7bc4a2709cc..bc0b4a98b337 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6617,9 +6617,6 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + } + + #ifdef CONFIG_QUOTA +- /* Release old quota file names */ +- for (i = 0; i < EXT4_MAXQUOTAS; i++) +- kfree(old_opts.s_qf_names[i]); + if (enable_quota) { + if (sb_any_quota_suspended(sb)) + dquot_resume(sb, -1); +@@ -6629,6 +6626,9 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + goto restore_opts; + } + } ++ /* Release old quota file names */ ++ for (i = 0; i < EXT4_MAXQUOTAS; i++) ++ kfree(old_opts.s_qf_names[i]); + #endif + if (!test_opt(sb, BLOCK_VALIDITY) && sbi->s_system_blks) + ext4_release_system_zone(sb); +@@ -6642,6 +6642,13 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) + return 0; + + restore_opts: ++ /* ++ * If there was a failing r/w to ro transition, we may need to ++ * re-enable quota ++ */ ++ if ((sb->s_flags & SB_RDONLY) && !(old_sb_flags & SB_RDONLY) && ++ sb_any_quota_suspended(sb)) ++ dquot_resume(sb, -1); + sb->s_flags = old_sb_flags; + sbi->s_mount_opt = old_opts.s_mount_opt; + sbi->s_mount_opt2 = old_opts.s_mount_opt2; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-init-quota-for-old.inode-in-ext4_rename.patch @@ -0,0 +1,83 @@ +From fae381a3d79bb94aa2eb752170d47458d778b797 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Mon, 7 Nov 2022 09:53:35 +0800 +Subject: [PATCH] ext4: init quota for 'old.inode' in 'ext4_rename' +Git-commit: fae381a3d79bb94aa2eb752170d47458d778b797 +Patch-mainline: v6.2-rc1 +References: bsc#1207629 + +Syzbot found the following issue: + +Ext4_parse_param: s_want_extra_isize=128 +Ext4_inode_info_init: s_want_extra_isize=32 +Ext4_rename: old.inode=ffff88823869a2c8 old.dir=ffff888238699828 new.inode=ffff88823869d7e8 new.dir=ffff888238699828 +__ext4_mark_inode_dirty: inode=ffff888238699828 ea_isize=32 want_ea_size=128 +__ext4_mark_inode_dirty: inode=ffff88823869a2c8 ea_isize=32 want_ea_size=128 +Ext4_xattr_block_set: inode=ffff88823869a2c8 +Acked-by: Jan Kara <jack@suse.cz> + +------------[ cut here ]------------ +WARNING: CPU: 13 PID: 2234 at fs/ext4/xattr.c:2070 ext4_xattr_block_set.cold+0x22/0x980 +Modules linked in: +RIP: 0010:ext4_xattr_block_set.cold+0x22/0x980 +RSP: 0018:ffff888227d3f3b0 EFLAGS: 00010202 +RAX: 0000000000000001 RBX: ffff88823007a000 RCX: 0000000000000000 +RDX: 0000000000000a03 RSI: 0000000000000040 RDI: ffff888230078178 +RBP: 0000000000000000 R08: 000000000000002c R09: ffffed1075c7df8e +R10: ffff8883ae3efc6b R11: ffffed1075c7df8d R12: 0000000000000000 +R13: ffff88823869a2c8 R14: ffff8881012e0460 R15: dffffc0000000000 +FS: 00007f350ac1f740(0000) GS:ffff8883ae200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f350a6ed6a0 CR3: 0000000237456000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + <TASK> + ? ext4_xattr_set_entry+0x3b7/0x2320 + ? ext4_xattr_block_set+0x0/0x2020 + ? ext4_xattr_set_entry+0x0/0x2320 + ? ext4_xattr_check_entries+0x77/0x310 + ? ext4_xattr_ibody_set+0x23b/0x340 + ext4_xattr_move_to_block+0x594/0x720 + ext4_expand_extra_isize_ea+0x59a/0x10f0 + __ext4_expand_extra_isize+0x278/0x3f0 + __ext4_mark_inode_dirty.cold+0x347/0x410 + ext4_rename+0xed3/0x174f + vfs_rename+0x13a7/0x2510 + do_renameat2+0x55d/0x920 + __x64_sys_rename+0x7d/0xb0 + do_syscall_64+0x3b/0xa0 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +As 'ext4_rename' will modify 'old.inode' ctime and mark inode dirty, +which may trigger expand 'extra_isize' and allocate block. If inode +didn't init quota will lead to warning. To solve above issue, init +'old.inode' firstly in 'ext4_rename'. + +Reported-by: syzbot+98346927678ac3059c77@syzkaller.appspotmail.com +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221107015335.2524319-1-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +--- + fs/ext4/namei.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index a789ea9b61a0..1c5518a4bdf9 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3796,6 +3796,9 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + return -EXDEV; + + retval = dquot_initialize(old.dir); ++ if (retval) ++ return retval; ++ retval = dquot_initialize(old.inode); + if (retval) + return retval; + retval = dquot_initialize(new.dir); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-initialize-err_blk-before-calling-__ext4_get_in.patch @@ -0,0 +1,43 @@ +From c27c29c6af4f3f4ce925a2111c256733c5a5b430 Mon Sep 17 00:00:00 2001 +From: Harshad Shirwadkar <harshadshirwadkar@gmail.com> +Date: Wed, 1 Dec 2021 08:34:21 -0800 +Subject: [PATCH] ext4: initialize err_blk before calling __ext4_get_inode_loc +Git-commit: c27c29c6af4f3f4ce925a2111c256733c5a5b430 +Patch-mainline: v5.17-rc1 +References: bsc#1202763 + +It is not guaranteed that __ext4_get_inode_loc will definitely set +err_blk pointer when it returns EIO. To avoid using uninitialized +variables, let's first set err_blk to 0. + +Reported-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com> +Link: https://lore.kernel.org/r/20211201163421.2631661-1-harshads@google.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4451,7 +4451,7 @@ has_buffer: + static int __ext4_get_inode_loc_noinmem(struct inode *inode, + struct ext4_iloc *iloc) + { +- ext4_fsblk_t err_blk; ++ ext4_fsblk_t err_blk = 0; + int ret; + + ret = __ext4_get_inode_loc(inode->i_sb, inode->i_ino, iloc, 0, +@@ -4466,7 +4466,7 @@ static int __ext4_get_inode_loc_noinmem( + + int ext4_get_inode_loc(struct inode *inode, struct ext4_iloc *iloc) + { +- ext4_fsblk_t err_blk; ++ ext4_fsblk_t err_blk = 0; + int ret; + + /* We have all inode data except xattrs in memory here. */ --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-initialize-quota-before-expanding-inode-in-setp.patch @@ -0,0 +1,53 @@ +From 1485f726c6dec1a1f85438f2962feaa3d585526f Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Wed, 7 Dec 2022 12:59:27 +0100 +Subject: [PATCH] ext4: initialize quota before expanding inode in setproject + ioctl +Git-commit: 1485f726c6dec1a1f85438f2962feaa3d585526f +Patch-mainline: v6.2-rc1 +References: bsc#1207633 + +Make sure we initialize quotas before possibly expanding inode space +(and thus maybe needing to allocate external xattr block) in +ext4_ioctl_setproject(). This prevents not accounting the necessary +block allocation. + +Signed-off-by: Jan Kara <jack@suse.cz> +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20221207115937.26601-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ioctl.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 202953b5db49..8067ccda34e4 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -732,6 +732,10 @@ static int ext4_ioctl_setproject(struct inode *inode, __u32 projid) + if (ext4_is_quota_file(inode)) + return err; + ++ err = dquot_initialize(inode); ++ if (err) ++ return err; ++ + err = ext4_get_inode_loc(inode, &iloc); + if (err) + return err; +@@ -747,10 +751,6 @@ static int ext4_ioctl_setproject(struct inode *inode, __u32 projid) + brelse(iloc.bh); + } + +- err = dquot_initialize(inode); +- if (err) +- return err; +- + handle = ext4_journal_start(inode, EXT4_HT_QUOTA, + EXT4_QUOTA_INIT_BLOCKS(sb) + + EXT4_QUOTA_DEL_BLOCKS(sb) + 3); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-introduce-EXT4_FC_TAG_BASE_LEN-helper.patch @@ -0,0 +1,192 @@ +From fdc2a3c75dd8345c5b48718af90bad1a7811bedb Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Sat, 24 Sep 2022 15:52:31 +0800 +Subject: [PATCH] ext4: introduce EXT4_FC_TAG_BASE_LEN helper +Git-commit: fdc2a3c75dd8345c5b48718af90bad1a7811bedb +Patch-mainline: v6.1-rc1 +References: bsc#1207614 + +Introduce EXT4_FC_TAG_BASE_LEN helper for calculate length of +struct ext4_fc_tl. + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Link: https://lore.kernel.org/r/20220924075233.2315259-2-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 54 +++++++++++++++++++++++++------------------------- + fs/ext4/fast_commit.h | 3 ++ + 2 files changed, 31 insertions(+), 26 deletions(-) + +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -631,10 +631,10 @@ static u8 *ext4_fc_reserve_space(struct + * After allocating len, we should have space at least for a 0 byte + * padding. + */ +- if (len + sizeof(struct ext4_fc_tl) > bsize) ++ if (len + EXT4_FC_TAG_BASE_LEN > bsize) + return NULL; + +- if (bsize - off - 1 > len + sizeof(struct ext4_fc_tl)) { ++ if (bsize - off - 1 > len + EXT4_FC_TAG_BASE_LEN) { + /* + * Only allocate from current buffer if we have enough space for + * this request AND we have space to add a zero byte padding. +@@ -651,10 +651,10 @@ static u8 *ext4_fc_reserve_space(struct + /* Need to add PAD tag */ + tl = (struct ext4_fc_tl *)(sbi->s_fc_bh->b_data + off); + tl->fc_tag = cpu_to_le16(EXT4_FC_TAG_PAD); +- pad_len = bsize - off - 1 - sizeof(struct ext4_fc_tl); ++ pad_len = bsize - off - 1 - EXT4_FC_TAG_BASE_LEN; + tl->fc_len = cpu_to_le16(pad_len); + if (crc) +- *crc = ext4_chksum(sbi, *crc, tl, sizeof(*tl)); ++ *crc = ext4_chksum(sbi, *crc, tl, EXT4_FC_TAG_BASE_LEN); + if (pad_len > 0) + ext4_fc_memzero(sb, tl + 1, pad_len, crc); + ext4_fc_submit_bh(sb, false); +@@ -696,7 +696,7 @@ static int ext4_fc_write_tail(struct sup + * ext4_fc_reserve_space takes care of allocating an extra block if + * there's no enough space on this block for accommodating this tail. + */ +- dst = ext4_fc_reserve_space(sb, sizeof(tl) + sizeof(tail), &crc); ++ dst = ext4_fc_reserve_space(sb, EXT4_FC_TAG_BASE_LEN + sizeof(tail), &crc); + if (!dst) + return -ENOSPC; + +@@ -706,8 +706,8 @@ static int ext4_fc_write_tail(struct sup + tl.fc_len = cpu_to_le16(bsize - off - 1 + sizeof(struct ext4_fc_tail)); + sbi->s_fc_bytes = round_up(sbi->s_fc_bytes, bsize); + +- ext4_fc_memcpy(sb, dst, &tl, sizeof(tl), &crc); +- dst += sizeof(tl); ++ ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, &crc); ++ dst += EXT4_FC_TAG_BASE_LEN; + tail.fc_tid = cpu_to_le32(sbi->s_journal->j_running_transaction->t_tid); + ext4_fc_memcpy(sb, dst, &tail.fc_tid, sizeof(tail.fc_tid), &crc); + dst += sizeof(tail.fc_tid); +@@ -729,15 +729,15 @@ static bool ext4_fc_add_tlv(struct super + struct ext4_fc_tl tl; + u8 *dst; + +- dst = ext4_fc_reserve_space(sb, sizeof(tl) + len, crc); ++ dst = ext4_fc_reserve_space(sb, EXT4_FC_TAG_BASE_LEN + len, crc); + if (!dst) + return false; + + tl.fc_tag = cpu_to_le16(tag); + tl.fc_len = cpu_to_le16(len); + +- ext4_fc_memcpy(sb, dst, &tl, sizeof(tl), crc); +- ext4_fc_memcpy(sb, dst + sizeof(tl), val, len, crc); ++ ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, crc); ++ ext4_fc_memcpy(sb, dst + EXT4_FC_TAG_BASE_LEN, val, len, crc); + + return true; + } +@@ -750,8 +750,8 @@ static bool ext4_fc_add_dentry_tlv(stru + { + struct ext4_fc_dentry_info fcd; + struct ext4_fc_tl tl; +- u8 *dst = ext4_fc_reserve_space(sb, sizeof(tl) + sizeof(fcd) + dlen, +- crc); ++ u8 *dst = ext4_fc_reserve_space(sb, ++ EXT4_FC_TAG_BASE_LEN + sizeof(fcd) + dlen, crc); + + if (!dst) + return false; +@@ -760,8 +760,8 @@ static bool ext4_fc_add_dentry_tlv(stru + fcd.fc_ino = cpu_to_le32(ino); + tl.fc_tag = cpu_to_le16(tag); + tl.fc_len = cpu_to_le16(sizeof(fcd) + dlen); +- ext4_fc_memcpy(sb, dst, &tl, sizeof(tl), crc); +- dst += sizeof(tl); ++ ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, crc); ++ dst += EXT4_FC_TAG_BASE_LEN; + ext4_fc_memcpy(sb, dst, &fcd, sizeof(fcd), crc); + dst += sizeof(fcd); + ext4_fc_memcpy(sb, dst, dname, dlen, crc); +@@ -797,13 +797,13 @@ static int ext4_fc_write_inode(struct in + + ret = -ECANCELED; + dst = ext4_fc_reserve_space(inode->i_sb, +- sizeof(tl) + inode_len + sizeof(fc_inode.fc_ino), crc); ++ EXT4_FC_TAG_BASE_LEN + inode_len + sizeof(fc_inode.fc_ino), crc); + if (!dst) + goto err; + +- if (!ext4_fc_memcpy(inode->i_sb, dst, &tl, sizeof(tl), crc)) ++ if (!ext4_fc_memcpy(inode->i_sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, crc)) + goto err; +- dst += sizeof(tl); ++ dst += EXT4_FC_TAG_BASE_LEN; + if (!ext4_fc_memcpy(inode->i_sb, dst, &fc_inode, sizeof(fc_inode), crc)) + goto err; + dst += sizeof(fc_inode); +@@ -1961,9 +1961,10 @@ static int ext4_fc_replay_scan(journal_t + } + + state->fc_replay_expected_off++; +- for (cur = start; cur < end; cur = cur + sizeof(tl) + le16_to_cpu(tl.fc_len)) { +- memcpy(&tl, cur, sizeof(tl)); +- val = cur + sizeof(tl); ++ for (cur = start; cur < end; ++ cur = cur + EXT4_FC_TAG_BASE_LEN + le16_to_cpu(tl.fc_len)) { ++ memcpy(&tl, cur, EXT4_FC_TAG_BASE_LEN); ++ val = cur + EXT4_FC_TAG_BASE_LEN; + jbd_debug(3, "Scan phase, tag:%s, blk %lld\n", + tag2str(le16_to_cpu(tl.fc_tag)), bh->b_blocknr); + switch (le16_to_cpu(tl.fc_tag)) { +@@ -1986,13 +1987,13 @@ static int ext4_fc_replay_scan(journal_t + case EXT4_FC_TAG_PAD: + state->fc_cur_tag++; + state->fc_crc = ext4_chksum(sbi, state->fc_crc, cur, +- sizeof(tl) + le16_to_cpu(tl.fc_len)); ++ EXT4_FC_TAG_BASE_LEN + le16_to_cpu(tl.fc_len)); + break; + case EXT4_FC_TAG_TAIL: + state->fc_cur_tag++; + memcpy(&tail, val, sizeof(tail)); + state->fc_crc = ext4_chksum(sbi, state->fc_crc, cur, +- sizeof(tl) + ++ EXT4_FC_TAG_BASE_LEN + + offsetof(struct ext4_fc_tail, + fc_crc)); + if (le32_to_cpu(tail.fc_tid) == expected_tid && +@@ -2019,7 +2020,7 @@ static int ext4_fc_replay_scan(journal_t + } + state->fc_cur_tag++; + state->fc_crc = ext4_chksum(sbi, state->fc_crc, cur, +- sizeof(tl) + le16_to_cpu(tl.fc_len)); ++ EXT4_FC_TAG_BASE_LEN + le16_to_cpu(tl.fc_len)); + break; + default: + ret = state->fc_replay_num_tags ? +@@ -2074,9 +2075,10 @@ static int ext4_fc_replay(journal_t *jou + start = (u8 *)bh->b_data; + end = (__u8 *)bh->b_data + journal->j_blocksize - 1; + +- for (cur = start; cur < end; cur = cur + sizeof(tl) + le16_to_cpu(tl.fc_len)) { +- memcpy(&tl, cur, sizeof(tl)); +- val = cur + sizeof(tl); ++ for (cur = start; cur < end; ++ cur = cur + EXT4_FC_TAG_BASE_LEN + le16_to_cpu(tl.fc_len)) { ++ memcpy(&tl, cur, EXT4_FC_TAG_BASE_LEN); ++ val = cur + EXT4_FC_TAG_BASE_LEN; + + if (state->fc_replay_num_tags == 0) { + ret = JBD2_FC_REPLAY_STOP; +--- a/fs/ext4/fast_commit.h ++++ b/fs/ext4/fast_commit.h +@@ -70,6 +70,9 @@ struct ext4_fc_tail { + __le32 fc_crc; + }; + ++/* Tag base length */ ++#define EXT4_FC_TAG_BASE_LEN (sizeof(struct ext4_fc_tl)) ++ + /* + * Fast commit status codes + */ --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-limit-length-to-bitmap_maxbytes-blocksize-in-pu.patch @@ -0,0 +1,66 @@ +From 2da376228a2427501feb9d15815a45dbdbdd753e Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk <tadeusz.struk@linaro.org> +Date: Thu, 31 Mar 2022 13:05:15 -0700 +Subject: [PATCH] ext4: limit length to bitmap_maxbytes - blocksize in + punch_hole +Git-commit: 2da376228a2427501feb9d15815a45dbdbdd753e +Patch-mainline: v5.18-rc4 +References: bsc#1200806 + +Syzbot found an issue [1] in ext4_fallocate(). +The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul, +and offset 0x1000000ul, which, when added together exceed the +bitmap_maxbytes for the inode. This triggers a BUG in +ext4_ind_remove_space(). According to the comments in this function +the 'end' parameter needs to be one block after the last block to be +removed. In the case when the BUG is triggered it points to the last +block. Modify the ext4_punch_hole() function and add constraint that +caps the length to satisfy the one before laster block requirement. + +Link: [1] https://syzkaller.appspot.com/bug?id=b80bd9cf348aac724a4f4dff251800106d721331 +Link: [2] https://syzkaller.appspot.com/text?tag=ReproC&x=14ba0238700000 + +Fixes: a4bb6b64e39a ("ext4: enable "punch hole" functionality") +Reported-by: syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com +Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org> +Link: https://lore.kernel.org/r/20220331200515.153214-1-tadeusz.struk@linaro.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 955dd978dccf..d815502cc97c 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3952,7 +3952,8 @@ int ext4_punch_hole(struct file *file, loff_t offset, loff_t length) + struct super_block *sb = inode->i_sb; + ext4_lblk_t first_block, stop_block; + struct address_space *mapping = inode->i_mapping; +- loff_t first_block_offset, last_block_offset; ++ loff_t first_block_offset, last_block_offset, max_length; ++ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + handle_t *handle; + unsigned int credits; + int ret = 0, ret2 = 0; +@@ -3995,6 +3996,14 @@ int ext4_punch_hole(struct file *file, loff_t offset, loff_t length) + offset; + } + ++ /* ++ * For punch hole the length + offset needs to be within one block ++ * before last range. Adjust the length if it goes beyond that limit. ++ */ ++ max_length = sbi->s_bitmap_maxbytes - inode->i_sb->s_blocksize; ++ if (offset + length > max_length) ++ length = max_length - offset; ++ + if (offset & (sb->s_blocksize - 1) || + (offset + length) & (sb->s_blocksize - 1)) { + /* +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-make-sure-ext4_append-always-allocates-new-bloc.patch @@ -0,0 +1,63 @@ +From b8a04fe77ef1360fbf73c80fddbdfeaa9407ed1b Mon Sep 17 00:00:00 2001 +From: Lukas Czerner <lczerner@redhat.com> +Date: Mon, 4 Jul 2022 16:27:21 +0200 +Subject: [PATCH] ext4: make sure ext4_append() always allocates new block +Git-commit: b8a04fe77ef1360fbf73c80fddbdfeaa9407ed1b +Patch-mainline: v6.0-rc1 +References: bsc#1198577 CVE-2022-1184 + +ext4_append() must always allocate a new block, otherwise we run the +risk of overwriting existing directory block corrupting the directory +tree in the process resulting in all manner of problems later on. + +Add a sanity check to see if the logical block is already allocated and +error out if it is. + +Cc: stable@kernel.org +Signed-off-by: Lukas Czerner <lczerner@redhat.com> +Reviewed-by: Andreas Dilger <adilger@dilger.ca> +Link: https://lore.kernel.org/r/20220704142721.157985-2-lczerner@redhat.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 7fced54e2891..3a31b662f661 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -54,6 +54,7 @@ static struct buffer_head *ext4_append(handle_t *handle, + struct inode *inode, + ext4_lblk_t *block) + { ++ struct ext4_map_blocks map; + struct buffer_head *bh; + int err; + +@@ -63,6 +64,21 @@ static struct buffer_head *ext4_append(handle_t *handle, + return ERR_PTR(-ENOSPC); + + *block = inode->i_size >> inode->i_sb->s_blocksize_bits; ++ map.m_lblk = *block; ++ map.m_len = 1; ++ ++ /* ++ * We're appending new directory block. Make sure the block is not ++ * allocated yet, otherwise we will end up corrupting the ++ * directory. ++ */ ++ err = ext4_map_blocks(NULL, inode, &map, 0); ++ if (err < 0) ++ return ERR_PTR(err); ++ if (err) { ++ EXT4_ERROR_INODE(inode, "Logical block already allocated"); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + + bh = ext4_bread(handle, inode, *block, EXT4_GET_BLOCKS_CREATE); + if (IS_ERR(bh)) +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-make-sure-quota-gets-properly-shutdown-on-error.patch @@ -0,0 +1,56 @@ +From 15fc69bbbbbc8c72e5f6cc4e1be0f51283c5448e Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Thu, 7 Oct 2021 17:53:35 +0200 +Subject: [PATCH] ext4: make sure quota gets properly shutdown on error +Git-commit: 15fc69bbbbbc8c72e5f6cc4e1be0f51283c5448e +Patch-mainline: v5.17-rc1 +References: bsc#1195480 + +When we hit an error when enabling quotas and setting inode flags, we do +not properly shutdown quota subsystem despite returning error from +Q_QUOTAON quotactl. This can lead to some odd situations like kernel +using quota file while it is still writeable for userspace. Make sure we +properly cleanup the quota subsystem in case of error. + +Signed-off-by: Jan Kara <jack@suse.cz> +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20211007155336.12493-2-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index b72f8f6084e4..863a3eae505a 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6749,10 +6749,7 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, + + lockdep_set_quota_inode(path->dentry->d_inode, I_DATA_SEM_QUOTA); + err = dquot_quota_on(sb, type, format_id, path); +- if (err) { +- lockdep_set_quota_inode(path->dentry->d_inode, +- I_DATA_SEM_NORMAL); +- } else { ++ if (!err) { + struct inode *inode = d_inode(path->dentry); + handle_t *handle; + +@@ -6772,7 +6769,12 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, + ext4_journal_stop(handle); + unlock_inode: + inode_unlock(inode); ++ if (err) ++ dquot_quota_off(sb, type); + } ++ if (err) ++ lockdep_set_quota_inode(path->dentry->d_inode, ++ I_DATA_SEM_NORMAL); + return err; + } + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-make-sure-to-reset-inode-lockdep-class-when-quo.patch @@ -0,0 +1,55 @@ +From 4013d47a5307fdb5c13370b5392498b00fedd274 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Thu, 7 Oct 2021 17:53:36 +0200 +Subject: [PATCH] ext4: make sure to reset inode lockdep class when quota + enabling fails +Git-commit: 4013d47a5307fdb5c13370b5392498b00fedd274 +Patch-mainline: v5.17-rc1 +References: bsc#1202761 + +When we succeed in enabling some quota type but fail to enable another +one with quota feature, we correctly disable all enabled quota types. +However we forget to reset i_data_sem lockdep class. When the inode gets +freed and reused, it will inherit this lockdep class (i_data_sem is +initialized only when a slab is created) and thus eventually lockdep +barfs about possible deadlocks. + +Reported-and-tested-by: syzbot+3b6f9218b1301ddda3e2@syzkaller.appspotmail.com +Signed-off-by: Jan Kara <jack@suse.cz> +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20211007155336.12493-3-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 863a3eae505a..1b55f234e006 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6837,8 +6837,19 @@ int ext4_enable_quotas(struct super_block *sb) + "Failed to enable quota tracking " + "(type=%d, err=%d). Please run " + "e2fsck to fix.", type, err); +- for (type--; type >= 0; type--) ++ for (type--; type >= 0; type--) { ++ struct inode *inode; ++ ++ inode = sb_dqopt(sb)->files[type]; ++ if (inode) ++ inode = igrab(inode); + dquot_quota_off(sb, type); ++ if (inode) { ++ lockdep_set_quota_inode(inode, ++ I_DATA_SEM_NORMAL); ++ iput(inode); ++ } ++ } + + return err; + } +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-make-variable-count-signed.patch @@ -0,0 +1,40 @@ +From bc75a6eb856cb1507fa907bf6c1eda91b3fef52f Mon Sep 17 00:00:00 2001 +From: Ding Xiang <dingxiang@cmss.chinamobile.com> +Date: Mon, 30 May 2022 18:00:47 +0800 +Subject: [PATCH] ext4: make variable "count" signed +Git-commit: bc75a6eb856cb1507fa907bf6c1eda91b3fef52f +Patch-mainline: v5.19-rc3 +References: bsc#1200820 + +Since dx_make_map() may return -EFSCORRUPTED now, so change "count" to +be a signed integer so we can correctly check for an error code returned +by dx_make_map(). + +Fixes: 46c116b920eb ("ext4: verify dir block before splitting it") +Cc: stable@kernel.org +Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com> +Link: https://lore.kernel.org/r/20220530100047.537598-1-dingxiang@cmss.chinamobile.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 47d0ca4c795b..db4ba99d1ceb 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1929,7 +1929,8 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + struct dx_hash_info *hinfo) + { + unsigned blocksize = dir->i_sb->s_blocksize; +- unsigned count, continued; ++ unsigned continued; ++ int count; + struct buffer_head *bh2; + ext4_lblk_t newblock; + u32 hash2; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-mark-group-as-trimmed-only-if-it-was-fully-scan.patch @@ -0,0 +1,101 @@ +From d63c00ea435a5352f486c259665a4ced60399421 Mon Sep 17 00:00:00 2001 +From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> +Date: Sun, 17 Apr 2022 20:03:15 +0300 +Subject: [PATCH] ext4: mark group as trimmed only if it was fully scanned +Git-commit: d63c00ea435a5352f486c259665a4ced60399421 +Patch-mainline: v5.19-rc1 +References: bsc#1202770 + +Otherwise nonaligned fstrim calls will works inconveniently for iterative +scanners, for example: + +// trim [0,16MB] for group-1, but mark full group as trimmed +fstrim -o $((1024*1024*128)) -l $((1024*1024*16)) ./m +// handle [16MB,16MB] for group-1, do nothing because group already has the flag. +fstrim -o $((1024*1024*144)) -l $((1024*1024*16)) ./m + +[ Update function documentation for ext4_trim_all_free -- TYT ] + +Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru> +Link: https://lore.kernel.org/r/1650214995-860245-1-git-send-email-dmtrmonakhov@yandex-team.ru +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/mballoc.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -6281,6 +6281,7 @@ static int ext4_try_to_trim_range(struct + * @start: first group block to examine + * @max: last group block to examine + * @minblocks: minimum extent block count ++ * @set_trimmed: set the trimmed flag if at least one block is trimmed + * + * ext4_trim_all_free walks through group's buddy bitmap searching for free + * extents. When the free block is found, ext4_trim_extent is called to TRIM +@@ -6295,7 +6296,7 @@ static int ext4_try_to_trim_range(struct + static ext4_grpblk_t + ext4_trim_all_free(struct super_block *sb, ext4_group_t group, + ext4_grpblk_t start, ext4_grpblk_t max, +- ext4_grpblk_t minblocks) ++ ext4_grpblk_t minblocks, bool set_trimmed) + { + struct ext4_buddy e4b; + int ret; +@@ -6312,7 +6313,7 @@ ext4_trim_all_free(struct super_block *s + if (!EXT4_MB_GRP_WAS_TRIMMED(e4b.bd_info) || + minblocks < atomic_read(&EXT4_SB(sb)->s_last_trim_minblks)) { + ret = ext4_try_to_trim_range(sb, &e4b, start, max, minblocks); +- if (ret >= 0) ++ if (ret >= 0 && set_trimmed) + EXT4_MB_GRP_SET_TRIMMED(e4b.bd_info); + } else { + ret = 0; +@@ -6349,6 +6350,7 @@ int ext4_trim_fs(struct super_block *sb, + ext4_fsblk_t first_data_blk = + le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block); + ext4_fsblk_t max_blks = ext4_blocks_count(EXT4_SB(sb)->s_es); ++ bool whole_group, eof = false; + int ret = 0; + + start = range->start >> sb->s_blocksize_bits; +@@ -6367,8 +6369,10 @@ int ext4_trim_fs(struct super_block *sb, + if (minlen > EXT4_CLUSTERS_PER_GROUP(sb)) + goto out; + } +- if (end >= max_blks) ++ if (end >= max_blks - 1) { + end = max_blks - 1; ++ eof = true; ++ } + if (end <= first_data_blk) + goto out; + if (start < first_data_blk) +@@ -6382,6 +6386,7 @@ int ext4_trim_fs(struct super_block *sb, + + /* end now represents the last cluster to discard in this group */ + end = EXT4_CLUSTERS_PER_GROUP(sb) - 1; ++ whole_group = true; + + for (group = first_group; group <= last_group; group++) { + grp = ext4_get_group_info(sb, group); +@@ -6398,12 +6403,13 @@ int ext4_trim_fs(struct super_block *sb, + * change it for the last group, note that last_cluster is + * already computed earlier by ext4_get_group_no_and_offset() + */ +- if (group == last_group) ++ if (group == last_group) { + end = last_cluster; +- ++ whole_group = eof ? true : end == EXT4_CLUSTERS_PER_GROUP(sb) - 1; ++ } + if (grp->bb_free >= minlen) { + cnt = ext4_trim_all_free(sb, group, first_cluster, +- end, minlen); ++ end, minlen, whole_group); + if (cnt < 0) { + ret = cnt; + break; --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-modify-the-logic-of-ext4_mb_new_blocks_simple.patch @@ -0,0 +1,79 @@ +From 31a074a0c62dc0d2bfb9b543142db4fe27f9e5eb Mon Sep 17 00:00:00 2001 +From: Xin Yin <yinxin.x@bytedance.com> +Date: Mon, 10 Jan 2022 11:51:41 +0800 +Subject: [PATCH] ext4: modify the logic of ext4_mb_new_blocks_simple +Git-commit: 31a074a0c62dc0d2bfb9b543142db4fe27f9e5eb +Patch-mainline: v5.17-rc3 +References: bsc#1202766 + +For now in ext4_mb_new_blocks_simple, if we found a block which +should be excluded then will switch to next group, this may +probably cause 'group' run out of range. + +Change to check next block in the same group when get a block should +be excluded. Also change the search range to EXT4_CLUSTERS_PER_GROUP +and add error checking. + +Signed-off-by: Xin Yin <yinxin.x@bytedance.com> +Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com> +Link: https://lore.kernel.org/r/20220110035141.1980-3-yinxin.x@bytedance.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/mballoc.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index cf2fd9fc7d98..c781974df9d0 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5753,7 +5753,8 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + struct super_block *sb = ar->inode->i_sb; + ext4_group_t group; + ext4_grpblk_t blkoff; +- int i = sb->s_blocksize; ++ ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb); ++ ext4_grpblk_t i = 0; + ext4_fsblk_t goal, block; + struct ext4_super_block *es = EXT4_SB(sb)->s_es; + +@@ -5775,19 +5776,26 @@ static ext4_fsblk_t ext4_mb_new_blocks_simple(handle_t *handle, + ext4_get_group_no_and_offset(sb, + max(ext4_group_first_block_no(sb, group), goal), + NULL, &blkoff); +- i = mb_find_next_zero_bit(bitmap_bh->b_data, sb->s_blocksize, ++ while (1) { ++ i = mb_find_next_zero_bit(bitmap_bh->b_data, max, + blkoff); ++ if (i >= max) ++ break; ++ if (ext4_fc_replay_check_excluded(sb, ++ ext4_group_first_block_no(sb, group) + i)) { ++ blkoff = i + 1; ++ } else ++ break; ++ } + brelse(bitmap_bh); +- if (i >= sb->s_blocksize) +- continue; +- if (ext4_fc_replay_check_excluded(sb, +- ext4_group_first_block_no(sb, group) + i)) +- continue; +- break; ++ if (i < max) ++ break; + } + +- if (group >= ext4_get_groups_count(sb) && i >= sb->s_blocksize) ++ if (group >= ext4_get_groups_count(sb) || i >= max) { ++ *errp = -ENOSPC; + return 0; ++ } + + block = ext4_group_first_block_no(sb, group) + i; + ext4_mb_mark_bb(sb, block, 1, 1); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-move-where-set-the-MAY_INLINE_DATA-flag-is-set.patch @@ -0,0 +1,61 @@ +From 1dcdce5919115a471bf4921a57f20050c545a236 Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Tue, 7 Mar 2023 09:52:52 +0800 +Subject: [PATCH] ext4: move where set the MAY_INLINE_DATA flag is set +Git-commit: 1dcdce5919115a471bf4921a57f20050c545a236 +Patch-mainline: v6.3-rc2 +References: bsc#1213011 + +The only caller of ext4_find_inline_data_nolock() that needs setting of +EXT4_STATE_MAY_INLINE_DATA flag is ext4_iget_extra_inode(). In +ext4_write_inline_data_end() we just need to update inode->i_inline_off. +Since we are going to add one more caller that does not need to set +EXT4_STATE_MAY_INLINE_DATA, just move setting of EXT4_STATE_MAY_INLINE_DATA +out to ext4_iget_extra_inode(). + +Signed-off-by: Ye Bin <yebin10@huawei.com> +Cc: stable@kernel.org +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230307015253.2232062-2-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inline.c | 1 - + fs/ext4/inode.c | 7 ++++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 2b42ececa46d..1602d74b5eeb 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -159,7 +159,6 @@ int ext4_find_inline_data_nolock(struct inode *inode) + (void *)ext4_raw_inode(&is.iloc)); + EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE + + le32_to_cpu(is.s.here->e_value_size); +- ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); + } + out: + brelse(is.iloc.bh); +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index b65dadfe3b45..530e420ae0e8 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4797,8 +4797,13 @@ static inline int ext4_iget_extra_inode(struct inode *inode, + + if (EXT4_INODE_HAS_XATTR_SPACE(inode) && + *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { ++ int err; ++ + ext4_set_inode_state(inode, EXT4_STATE_XATTR); +- return ext4_find_inline_data_nolock(inode); ++ err = ext4_find_inline_data_nolock(inode); ++ if (!err && ext4_has_inline_data(inode)) ++ ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); ++ return err; + } else + EXT4_I(inode)->i_inline_off = 0; + return 0; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-only-update-i_reserved_data_blocks-on-successfu.patch @@ -0,0 +1,100 @@ +From de25d6e9610a8b30cce9bbb19b50615d02ebca02 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Mon, 24 Apr 2023 11:38:35 +0800 +Subject: [PATCH] ext4: only update i_reserved_data_blocks on successful block + allocation +Git-commit: de25d6e9610a8b30cce9bbb19b50615d02ebca02 +Patch-mainline: v6.5-rc1 +References: bsc#1213019 + +In our fault injection test, we create an ext4 file, migrate it to +non-extent based file, then punch a hole and finally trigger a WARN_ON +in the ext4_da_update_reserve_space(): + +EXT4-fs warning (device sda): ext4_da_update_reserve_space:369: +ino 14, used 11 with only 10 reserved data blocks + +When writing back a non-extent based file, if we enable delalloc, the +number of reserved blocks will be subtracted from the number of blocks +mapped by ext4_ind_map_blocks(), and the extent status tree will be +updated. We update the extent status tree by first removing the old +extent_status and then inserting the new extent_status. If the block range +we remove happens to be in an extent, then we need to allocate another +extent_status with ext4_es_alloc_extent(). + + use old to remove to add new + |----------|------------|------------| + old extent_status + +The problem is that the allocation of a new extent_status failed due to a +fault injection, and __es_shrink() did not get free memory, resulting in +a return of -ENOMEM. Then do_writepages() retries after receiving -ENOMEM, +we map to the same extent again, and the number of reserved blocks is again +subtracted from the number of blocks in that extent. Since the blocks in +the same extent are subtracted twice, we end up triggering WARN_ON at +ext4_da_update_reserve_space() because used > ei->i_reserved_data_blocks. + +For non-extent based file, we update the number of reserved blocks after +ext4_ind_map_blocks() is executed, which causes a problem that when we call +ext4_ind_map_blocks() to create a block, it doesn't always create a block, +but we always reduce the number of reserved blocks. So we move the logic +for updating reserved blocks to ext4_ind_map_blocks() to ensure that the +number of reserved blocks is updated only after we do succeed in allocating +some new blocks. + +Fixes: 5f634d064c70 ("ext4: Fix quota accounting error with fallocate") +Cc: stable@kernel.org +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230424033846.4732-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/indirect.c | 8 ++++++++ + fs/ext4/inode.c | 10 ---------- + 2 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c +index c68bebe7ff4b..a9f3716119d3 100644 +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -651,6 +651,14 @@ int ext4_ind_map_blocks(handle_t *handle, struct inode *inode, + + ext4_update_inode_fsync_trans(handle, inode, 1); + count = ar.len; ++ ++ /* ++ * Update reserved blocks/metadata blocks after successful block ++ * allocation which had been deferred till now. ++ */ ++ if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) ++ ext4_da_update_reserve_space(inode, count, 1); ++ + got_it: + map->m_flags |= EXT4_MAP_MAPPED; + map->m_pblk = le32_to_cpu(chain[depth-1].key); +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index c2868282ad81..ef7ec2690b84 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -632,16 +632,6 @@ int ext4_map_blocks(handle_t *handle, struct inode *inode, + */ + ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE); + } +- +- /* +- * Update reserved blocks/metadata blocks after successful +- * block allocation which had been deferred till now. We don't +- * support fallocate for non extent files. So we can update +- * reserve space here. +- */ +- if ((retval > 0) && +- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE)) +- ext4_da_update_reserve_space(inode, retval, 1); + } + + if (retval > 0) { +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-place-buffer-head-allocation-before-handle-star.patch @@ -0,0 +1,49 @@ +From d1052d236eddf6aa851434db1897b942e8db9921 Mon Sep 17 00:00:00 2001 +From: Jinke Han <hanjinke.666@bytedance.com> +Date: Sat, 3 Sep 2022 09:24:29 +0800 +Subject: [PATCH] ext4: place buffer head allocation before handle start +Git-commit: d1052d236eddf6aa851434db1897b942e8db9921 +Patch-mainline: v6.1-rc1 +References: bsc#1207607 + +In our product environment, we encounter some jbd hung waiting handles to +stop while several writters were doing memory reclaim for buffer head +allocation in delay alloc write path. Ext4 do buffer head allocation with +holding transaction handle which may be blocked too long if the reclaim +works not so smooth. According to our bcc trace, the reclaim time in +buffer head allocation can reach 258s and the jbd transaction commit also +take almost the same time meanwhile. Except for these extreme cases, +we often see several seconds delays for cgroup memory reclaim on our +servers. This is more likely to happen considering docker environment. + +One thing to note, the allocation of buffer heads is as often as page +allocation or more often when blocksize less than page size. Just like +page cache allocation, we should also place the buffer head allocation +before startting the handle. + +Cc: stable@kernel.org +Signed-off-by: Jinke Han <hanjinke.666@bytedance.com> +Link: https://lore.kernel.org/r/20220903012429.22555-1-hanjinke.666@bytedance.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1177,6 +1177,13 @@ retry_grab: + page = grab_cache_page_write_begin(mapping, index, flags); + if (!page) + return -ENOMEM; ++ /* ++ * The same as page allocation, we prealloc buffer heads before ++ * starting the handle. ++ */ ++ if (!page_has_buffers(page)) ++ create_empty_buffers(page, inode->i_sb->s_blocksize, 0); ++ + unlock_page(page); + + retry_journal: --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-prevent-used-blocks-from-being-allocated-during.patch @@ -0,0 +1,117 @@ +From 599ea31d13617c5484c40cdf50d88301dc351cfc Mon Sep 17 00:00:00 2001 +From: Xin Yin <yinxin.x@bytedance.com> +Date: Mon, 10 Jan 2022 11:51:40 +0800 +Subject: [PATCH] ext4: prevent used blocks from being allocated during fast + commit replay +Git-commit: 599ea31d13617c5484c40cdf50d88301dc351cfc +Patch-mainline: v5.17-rc3 +References: bsc#1202765 + +During fast commit replay procedure, we clear inode blocks bitmap in +ext4_ext_clear_bb(), this may cause ext4_mb_new_blocks_simple() allocate +blocks still in use. + +Make ext4_fc_record_regions() also record physical disk regions used by +inodes during replay procedure. Then ext4_mb_new_blocks_simple() can +excludes these blocks in use. + +Signed-off-by: Xin Yin <yinxin.x@bytedance.com> +Link: https://lore.kernel.org/r/20220110035141.1980-2-yinxin.x@bytedance.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ext4.h | 3 +++ + fs/ext4/extents.c | 4 ++++ + fs/ext4/fast_commit.c | 20 +++++++++++++++----- + 3 files changed, 22 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 715ee206dfe1..598ecf07652a 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -2934,6 +2934,9 @@ void ext4_fc_replay_cleanup(struct super_block *sb); + int ext4_fc_commit(journal_t *journal, tid_t commit_tid); + int __init ext4_fc_init_dentry_cache(void); + void ext4_fc_destroy_dentry_cache(void); ++int ext4_fc_record_regions(struct super_block *sb, int ino, ++ ext4_lblk_t lblk, ext4_fsblk_t pblk, ++ int len, int replay); + + /* mballoc.c */ + extern const struct seq_operations ext4_mb_seq_groups_ops; +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 1077ce7e189f..5dd13108d4b7 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -6093,11 +6093,15 @@ int ext4_ext_clear_bb(struct inode *inode) + + ext4_mb_mark_bb(inode->i_sb, + path[j].p_block, 1, 0); ++ ext4_fc_record_regions(inode->i_sb, inode->i_ino, ++ 0, path[j].p_block, 1, 1); + } + ext4_ext_drop_refs(path); + kfree(path); + } + ext4_mb_mark_bb(inode->i_sb, map.m_pblk, map.m_len, 0); ++ ext4_fc_record_regions(inode->i_sb, inode->i_ino, ++ map.m_lblk, map.m_pblk, map.m_len, 1); + } + cur = cur + map.m_len; + } +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 5ae8026a0c56..1abe78b8d84f 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1563,16 +1563,23 @@ static int ext4_fc_replay_create(struct super_block *sb, struct ext4_fc_tl *tl, + } + + /* +- * Record physical disk regions which are in use as per fast commit area. Our +- * simple replay phase allocator excludes these regions from allocation. ++ * Record physical disk regions which are in use as per fast commit area, ++ * and used by inodes during replay phase. Our simple replay phase ++ * allocator excludes these regions from allocation. + */ +-static int ext4_fc_record_regions(struct super_block *sb, int ino, +- ext4_lblk_t lblk, ext4_fsblk_t pblk, int len) ++int ext4_fc_record_regions(struct super_block *sb, int ino, ++ ext4_lblk_t lblk, ext4_fsblk_t pblk, int len, int replay) + { + struct ext4_fc_replay_state *state; + struct ext4_fc_alloc_region *region; + + state = &EXT4_SB(sb)->s_fc_replay_state; ++ /* ++ * during replay phase, the fc_regions_valid may not same as ++ * fc_regions_used, update it when do new additions. ++ */ ++ if (replay && state->fc_regions_used != state->fc_regions_valid) ++ state->fc_regions_used = state->fc_regions_valid; + if (state->fc_regions_used == state->fc_regions_size) { + state->fc_regions_size += + EXT4_FC_REPLAY_REALLOC_INCREMENT; +@@ -1590,6 +1597,9 @@ static int ext4_fc_record_regions(struct super_block *sb, int ino, + region->pblk = pblk; + region->len = len; + ++ if (replay) ++ state->fc_regions_valid++; ++ + return 0; + } + +@@ -1937,7 +1947,7 @@ static int ext4_fc_replay_scan(journal_t *journal, + ret = ext4_fc_record_regions(sb, + le32_to_cpu(ext.fc_ino), + le32_to_cpu(ex->ee_block), ext4_ext_pblock(ex), +- ext4_ext_get_actual_len(ex)); ++ ext4_ext_get_actual_len(ex), 0); + if (ret < 0) + break; + ret = JBD2_FC_REPLAY_CONTINUE; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch @@ -0,0 +1,77 @@ +From 07ea7a617d6b278fb7acedb5cbe1a81ce2de7d0c Mon Sep 17 00:00:00 2001 +From: Li Lingfeng <lilingfeng3@huawei.com> +Date: Fri, 17 Jun 2022 14:25:15 +0800 +Subject: [PATCH] ext4: recover csum seed of tmp_inode after migrating to + extents +Git-commit: 07ea7a617d6b278fb7acedb5cbe1a81ce2de7d0c +Patch-mainline: v6.0-rc1 +References: bsc#1202713 + +When migrating to extents, the checksum seed of temporary inode +need to be replaced by inode's, otherwise the inode checksums +will be incorrect when swapping the inodes data. + +However, the temporary inode can not match it's checksum to +itself since it has lost it's own checksum seed. + +mkfs.ext4 -F /dev/sdc +mount /dev/sdc /mnt/sdc +xfs_io -fc "pwrite 4k 4k" -c "fsync" /mnt/sdc/testfile +chattr -e /mnt/sdc/testfile +chattr +e /mnt/sdc/testfile +umount /dev/sdc +fsck -fn /dev/sdc + +======== +... +Pass 1: Checking inodes, blocks, and sizes +Inode 13 passes checks, but checksum does not match inode. Fix? no +... +======== + +The fix is simple, save the checksum seed of temporary inode, and +recover it after migrating to extents. + +Fixes: e81c9302a6c3 ("ext4: set csum seed in tmp inode while migrating to extents") +Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220617062515.2113438-1-lilingfeng3@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/migrate.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c +index 42f590518b4c..54e7d3c95fd7 100644 +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -417,7 +417,7 @@ int ext4_ext_migrate(struct inode *inode) + struct inode *tmp_inode = NULL; + struct migrate_struct lb; + unsigned long max_entries; +- __u32 goal; ++ __u32 goal, tmp_csum_seed; + uid_t owner[2]; + + /* +@@ -465,6 +465,7 @@ int ext4_ext_migrate(struct inode *inode) + * the migration. + */ + ei = EXT4_I(inode); ++ tmp_csum_seed = EXT4_I(tmp_inode)->i_csum_seed; + EXT4_I(tmp_inode)->i_csum_seed = ei->i_csum_seed; + i_size_write(tmp_inode, i_size_read(inode)); + /* +@@ -575,6 +576,7 @@ int ext4_ext_migrate(struct inode *inode) + * the inode is not visible to user space. + */ + tmp_inode->i_blocks = 0; ++ EXT4_I(tmp_inode)->i_csum_seed = tmp_csum_seed; + + /* Reset the extent details */ + ext4_ext_tree_init(handle, tmp_inode); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-refuse-to-create-ea-block-when-umounted.patch @@ -0,0 +1,45 @@ +From f31173c19901a96bb2ebf6bcfec8a08df7095c91 Mon Sep 17 00:00:00 2001 +From: Jun Nie <jun.nie@linaro.org> +Date: Tue, 3 Jan 2023 09:45:17 +0800 +Subject: [PATCH] ext4: refuse to create ea block when umounted +Git-commit: f31173c19901a96bb2ebf6bcfec8a08df7095c91 +Patch-mainline: v6.3-rc1 +References: bsc#1213093 + +The ea block expansion need to access s_root while it is +already set as NULL when umount is triggered. Refuse this +request to avoid panic. + +Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08 +Link: https://lore.kernel.org/r/20230103014517.495275-3-jun.nie@linaro.org +Cc: stable@kernel.org +Signed-off-by: Jun Nie <jun.nie@linaro.org> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/xattr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 38e08b438ccb..d8fef540ca9b 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1471,6 +1471,13 @@ static struct inode *ext4_xattr_inode_create(handle_t *handle, + uid_t owner[2] = { i_uid_read(inode), i_gid_read(inode) }; + int err; + ++ if (inode->i_sb->s_root == NULL) { ++ ext4_warning(inode->i_sb, ++ "refuse to create EA inode when umounting"); ++ WARN_ON(1); ++ return ERR_PTR(-EINVAL); ++ } ++ + /* + * Let the next inode be the goal, so we try and allocate the EA inode + * in the same group, or nearby one. +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-reject-the-commit-option-on-ext2-filesystems.patch @@ -0,0 +1,40 @@ +From cb8435dc8ba33bcafa41cf2aa253794320a3b8df Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Tue, 10 May 2022 11:32:32 -0700 +Subject: [PATCH] ext4: reject the 'commit' option on ext2 filesystems +Git-commit: cb8435dc8ba33bcafa41cf2aa253794320a3b8df +Patch-mainline: v5.19-rc1 +References: bsc#1200808 + +The 'commit' option is only applicable for ext3 and ext4 filesystems, +and has never been accepted by the ext2 filesystem driver, so the ext4 +driver shouldn't allow it on ext2 filesystems. + +This fixes a failure in xfstest ext4/053. + +Fixes: 8dc0aa8cf0f7 ("ext4: check incompatible mount options while mounting ext2/3") +Signed-off-by: Eric Biggers <ebiggers@google.com> +Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com> +Reviewed-by: Lukas Czerner <lczerner@redhat.com> +Link: https://lore.kernel.org/r/20220510183232.172615-1-ebiggers@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 4b0ea8df1f5c..3f59efd3aa3e 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1915,6 +1915,7 @@ static const struct mount_opts { + MOPT_EXT4_ONLY | MOPT_CLEAR}, + {Opt_warn_on_error, EXT4_MOUNT_WARN_ON_ERROR, MOPT_SET}, + {Opt_nowarn_on_error, EXT4_MOUNT_WARN_ON_ERROR, MOPT_CLEAR}, ++ {Opt_commit, 0, MOPT_NO_EXT2}, + {Opt_nojournal_checksum, EXT4_MOUNT_JOURNAL_CHECKSUM, + MOPT_EXT4_ONLY | MOPT_CLEAR}, + {Opt_journal_checksum, EXT4_MOUNT_JOURNAL_CHECKSUM, +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-remove-EA-inode-entry-from-mbcache-on-inode-evi.patch @@ -0,0 +1,116 @@ +From 6bc0d63dad7f9f54d381925ee855b402f652fa39 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Tue, 12 Jul 2022 12:54:22 +0200 +Subject: [PATCH] ext4: remove EA inode entry from mbcache on inode eviction +Git-commit: 6bc0d63dad7f9f54d381925ee855b402f652fa39 +Patch-mainline: v6.0-rc1 +References: bsc#1198971 + +Currently we remove EA inode from mbcache as soon as its xattr refcount +drops to zero. However there can be pending attempts to reuse the inode +and thus refcount handling code has to handle the situation when +refcount increases from zero anyway. So save some work and just keep EA +inode in mbcache until it is getting evicted. At that moment we are sure +following iget() of EA inode will fail anyway (or wait for eviction to +finish and load things from the disk again) and so removing mbcache +entry at that moment is fine and simplifies the code a bit. + +Cc: stable@vger.kernel.org +Fixes: 82939d7999df ("ext4: convert to mbcache2") +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220712105436.32204-3-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 2 ++ + fs/ext4/xattr.c | 24 ++++++++---------------- + fs/ext4/xattr.h | 1 + + 3 files changed, 11 insertions(+), 16 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 7db52defcb16..8204c59bdd1d 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -177,6 +177,8 @@ void ext4_evict_inode(struct inode *inode) + + trace_ext4_evict_inode(inode); + ++ if (EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL) ++ ext4_evict_ea_inode(inode); + if (inode->i_nlink) { + /* + * When journalling data dirty buffers are tracked only in the +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index c42b3e0d2d94..d92d50de5a01 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -436,6 +436,14 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino, + return err; + } + ++/* Remove entry from mbcache when EA inode is getting evicted */ ++void ext4_evict_ea_inode(struct inode *inode) ++{ ++ if (EA_INODE_CACHE(inode)) ++ mb_cache_entry_delete(EA_INODE_CACHE(inode), ++ ext4_xattr_inode_get_hash(inode), inode->i_ino); ++} ++ + static int + ext4_xattr_inode_verify_hashes(struct inode *ea_inode, + struct ext4_xattr_entry *entry, void *buffer, +@@ -976,10 +984,8 @@ int __ext4_xattr_set_credits(struct super_block *sb, struct inode *inode, + static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode, + int ref_change) + { +- struct mb_cache *ea_inode_cache = EA_INODE_CACHE(ea_inode); + struct ext4_iloc iloc; + s64 ref_count; +- u32 hash; + int ret; + + inode_lock(ea_inode); +@@ -1002,14 +1008,6 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode, + + set_nlink(ea_inode, 1); + ext4_orphan_del(handle, ea_inode); +- +- if (ea_inode_cache) { +- hash = ext4_xattr_inode_get_hash(ea_inode); +- mb_cache_entry_create(ea_inode_cache, +- GFP_NOFS, hash, +- ea_inode->i_ino, +- true /* reusable */); +- } + } + } else { + WARN_ONCE(ref_count < 0, "EA inode %lu ref_count=%lld", +@@ -1022,12 +1020,6 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode, + + clear_nlink(ea_inode); + ext4_orphan_add(handle, ea_inode); +- +- if (ea_inode_cache) { +- hash = ext4_xattr_inode_get_hash(ea_inode); +- mb_cache_entry_delete(ea_inode_cache, hash, +- ea_inode->i_ino); +- } + } + } + +diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h +index e29101168733..824faf0b15a8 100644 +--- a/fs/ext4/xattr.h ++++ b/fs/ext4/xattr.h +@@ -191,6 +191,7 @@ extern void ext4_xattr_inode_array_free(struct ext4_xattr_inode_array *array); + + extern int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize, + struct ext4_inode *raw_inode, handle_t *handle); ++extern void ext4_evict_ea_inode(struct inode *inode); + + extern const struct xattr_handler *ext4_xattr_handlers[]; + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_x.patch @@ -0,0 +1,39 @@ +From b928dfdcb27d8fa59917b794cfba53052a2f050f Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Tue, 23 May 2023 23:49:49 -0400 +Subject: [PATCH] ext4: set lockdep subclass for the ea_inode in + ext4_xattr_inode_cache_find() +Git-commit: b928dfdcb27d8fa59917b794cfba53052a2f050f +Patch-mainline: v6.4-rc5 +References: bsc#1213107 + +If the ea_inode has been pushed out of the inode cache while there is +still a reference in the mb_cache, the lockdep subclass will not be +set on the inode, which can lead to some lockdep false positives. + +Fixes: 33d201e0277b ("ext4: fix lockdep warning about recursive inode locking") +Cc: stable@kernel.org +Reported-by: syzbot+d4b971e744b1f5439336@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Link: https://lore.kernel.org/r/20230524034951.779531-3-tytso@mit.edu +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/xattr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index a27208129a80..ff7ab63c5b4f 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1539,6 +1539,7 @@ ext4_xattr_inode_cache_find(struct inode *inode, const void *value, + EXT4_IGET_EA_INODE); + if (IS_ERR(ea_inode)) + goto next_entry; ++ ext4_xattr_inode_set_class(ea_inode); + if (i_size_read(ea_inode) == value_len && + !ext4_xattr_inode_read(ea_inode, ea_data, value_len) && + !ext4_xattr_inode_verify_hashes(ea_inode, NULL, ea_data, +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-silence-the-warning-when-evicting-inode-with-di.patch @@ -0,0 +1,99 @@ +From bc12ac98ea2e1b70adc6478c8b473a0003b659d3 Mon Sep 17 00:00:00 2001 +From: Zhang Yi <yi.zhang@huawei.com> +Date: Wed, 29 Jun 2022 19:26:46 +0800 +Subject: [PATCH] ext4: silence the warning when evicting inode with + dioread_nolock +Git-commit: bc12ac98ea2e1b70adc6478c8b473a0003b659d3 +Patch-mainline: v6.2-rc1 +References: bsc#1206889 + +When evicting an inode with default dioread_nolock, it could be raced by +the unwritten extents converting kworker after writeback some new +allocated dirty blocks. It convert unwritten extents to written, the +extents could be merged to upper level and free extent blocks, so it +could mark the inode dirty again even this inode has been marked +I_FREEING. But the inode->i_io_list check and warning in +ext4_evict_inode() missing this corner case. Fortunately, +ext4_evict_inode() will wait all extents converting finished before this +check, so it will not lead to inode use-after-free problem, every thing +is OK besides this warning. The WARN_ON_ONCE was originally designed +for finding inode use-after-free issues in advance, but if we add +current dioread_nolock case in, it will become not quite useful, so fix +this warning by just remove this check. + + ====== + WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227 + ext4_evict_inode+0x875/0xc60 + ... + RIP: 0010:ext4_evict_inode+0x875/0xc60 + ... + Call Trace: + <TASK> + evict+0x11c/0x2b0 + iput+0x236/0x3a0 + do_unlinkat+0x1b4/0x490 + __x64_sys_unlinkat+0x4c/0xb0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + RIP: 0033:0x7fa933c1115b + ====== + +rm kworker + ext4_end_io_end() +vfs_unlink() + ext4_unlink() + ext4_convert_unwritten_io_end_vec() + ext4_convert_unwritten_extents() + ext4_map_blocks() + ext4_ext_map_blocks() + ext4_ext_try_to_merge_up() + __mark_inode_dirty() + check !I_FREEING + locked_inode_to_wb_and_lock_list() + iput() + iput_final() + evict() + ext4_evict_inode() + truncate_inode_pages_final() //wait release io_end + inode_io_list_move_locked() + ext4_release_io_end() + trigger WARN_ON_ONCE() + +Cc: stable@kernel.org +Fixes: ceff86fddae8 ("ext4: Avoid freeing inodes on dirty list") +Signed-off-by: Zhang Yi <yi.zhang@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220629112647.4141034-1-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 2b5ef1b64249..7c5f5dabe0fd 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -222,13 +222,13 @@ void ext4_evict_inode(struct inode *inode) + + /* + * For inodes with journalled data, transaction commit could have +- * dirtied the inode. Flush worker is ignoring it because of I_FREEING +- * flag but we still need to remove the inode from the writeback lists. ++ * dirtied the inode. And for inodes with dioread_nolock, unwritten ++ * extents converting worker could merge extents and also have dirtied ++ * the inode. Flush worker is ignoring it because of I_FREEING flag but ++ * we still need to remove the inode from the writeback lists. + */ +- if (!list_empty_careful(&inode->i_io_list)) { +- WARN_ON_ONCE(!ext4_should_journal_data(inode)); ++ if (!list_empty_careful(&inode->i_io_list)) + inode_io_list_del(inode); +- } + + /* + * Protect us against freezing - iput() caller didn't have to have any +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-turn-quotas-off-if-mount-failed-after-enabling-.patch @@ -0,0 +1,76 @@ +From d13f99632748462c32fc95d729f5e754bab06064 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Mon, 27 Mar 2023 22:16:29 +0800 +Subject: [PATCH] ext4: turn quotas off if mount failed after enabling quotas +Git-commit: d13f99632748462c32fc95d729f5e754bab06064 +Patch-mainline: v6.5-rc1 +References: bsc#1213110 + +Yi found during a review of the patch "ext4: don't BUG on inconsistent +journal feature" that when ext4_mark_recovery_complete() returns an error +value, the error handling path does not turn off the enabled quotas, +which triggers the following kmemleak: + +================================================================ +unreferenced object 0xffff8cf68678e7c0 (size 64): +comm "mount", pid 746, jiffies 4294871231 (age 11.540s) +hex dump (first 32 bytes): +00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00 ............A... +c7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00 ............H... +Backtrace: +[<00000000c561ef24>] __kmem_cache_alloc_node+0x4d4/0x880 +[<00000000d4e621d7>] kmalloc_trace+0x39/0x140 +[<00000000837eee74>] v2_read_file_info+0x18a/0x3a0 +[<0000000088f6c877>] dquot_load_quota_sb+0x2ed/0x770 +[<00000000340a4782>] dquot_load_quota_inode+0xc6/0x1c0 +[<0000000089a18bd5>] ext4_enable_quotas+0x17e/0x3a0 [ext4] +[<000000003a0268fa>] __ext4_fill_super+0x3448/0x3910 [ext4] +[<00000000b0f2a8a8>] ext4_fill_super+0x13d/0x340 [ext4] +[<000000004a9489c4>] get_tree_bdev+0x1dc/0x370 +[<000000006e723bf1>] ext4_get_tree+0x1d/0x30 [ext4] +[<00000000c7cb663d>] vfs_get_tree+0x31/0x160 +[<00000000320e1bed>] do_new_mount+0x1d5/0x480 +[<00000000c074654c>] path_mount+0x22e/0xbe0 +[<0000000003e97a8e>] do_mount+0x95/0xc0 +[<000000002f3d3736>] __x64_sys_mount+0xc4/0x160 +[<0000000027d2140c>] do_syscall_64+0x3f/0x90 +================================================================ + +To solve this problem, we add a "failed_mount10" tag, and call +ext4_quota_off_umount() in this tag to release the enabled qoutas. + +Fixes: 11215630aada ("ext4: don't BUG on inconsistent journal feature") +Cc: stable@kernel.org +Signed-off-by: Zhang Yi <yi.zhang@huawei.com> +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230327141630.156875-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5135,7 +5135,7 @@ no_journal: + ext4_msg(sb, KERN_INFO, "recovery complete"); + err = ext4_mark_recovery_complete(sb, es); + if (err) +- goto failed_mount8; ++ goto failed_mount9; + } + if (EXT4_SB(sb)->s_journal) { + if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA) +@@ -5181,7 +5181,9 @@ cantfind_ext4: + ext4_msg(sb, KERN_ERR, "VFS: Can't find ext4 filesystem"); + goto failed_mount; + +-failed_mount8: ++failed_mount9: ++ ext4_quota_off_umount(sb); ++failed_mount8: __maybe_unused + ext4_unregister_sysfs(sb); + kobject_put(&sbi->s_kobj); + failed_mount7: --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-unconditionally-enable-the-i_version-counter.patch @@ -0,0 +1,121 @@ +From 1ff20307393e17dc57fde62226df625a3a3c36e9 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@kernel.org> +Date: Wed, 24 Aug 2022 18:03:49 +0200 +Subject: [PATCH] ext4: unconditionally enable the i_version counter +Git-commit: 1ff20307393e17dc57fde62226df625a3a3c36e9 +Patch-mainline: v6.1-rc1 +References: bsc#1211299 + +The original i_version implementation was pretty expensive, requiring a +log flush on every change. Because of this, it was gated behind a mount +option (implemented via the MS_I_VERSION mountoption flag). + +Commit ae5e165d855d (fs: new API for handling inode->i_version) made the +i_version flag much less expensive, so there is no longer a performance +penalty from enabling it. xfs and btrfs already enable it +unconditionally when the on-disk format can support it. + +Have ext4 ignore the SB_I_VERSION flag, and just enable it +unconditionally. While we're in here, mark the i_version mount +option Opt_removed. + +[ Removed leftover bits of i_version from ext4_apply_options() since it + now can't ever be set in ctx->mask_s_flags -- lczerner ] + +Cc: stable@kernel.org +Cc: Dave Chinner <david@fromorbit.com> +Cc: Benjamin Coddington <bcodding@redhat.com> +Cc: Christoph Hellwig <hch@infradead.org> +Cc: Darrick J. Wong <djwong@kernel.org> +Signed-off-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Lukas Czerner <lczerner@redhat.com> +Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220824160349.39664-3-lczerner@redhat.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/inode.c | 5 ++--- + fs/ext4/super.c | 14 ++++++-------- + 2 files changed, 8 insertions(+), 11 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5421,7 +5421,7 @@ int ext4_setattr(struct user_namespace * + return -EINVAL; + } + +- if (IS_I_VERSION(inode) && attr->ia_size != inode->i_size) ++ if (attr->ia_size != inode->i_size) + inode_inc_iversion(inode); + + if (shrink) { +@@ -5731,8 +5731,7 @@ int ext4_mark_iloc_dirty(handle_t *handl + * ea_inodes are using i_version for storing reference count, don't + * mess with it + */ +- if (IS_I_VERSION(inode) && +- !(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) ++ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) + inode_inc_iversion(inode); + + /* the do_update_inode consumes one bh->b_count */ +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1673,7 +1673,7 @@ enum { + Opt_usrjquota, Opt_grpjquota, Opt_offusrjquota, Opt_offgrpjquota, + Opt_jqfmt_vfsold, Opt_jqfmt_vfsv0, Opt_jqfmt_vfsv1, Opt_quota, + Opt_noquota, Opt_barrier, Opt_nobarrier, Opt_err, +- Opt_usrquota, Opt_grpquota, Opt_prjquota, Opt_i_version, ++ Opt_usrquota, Opt_grpquota, Opt_prjquota, + Opt_dax, Opt_dax_always, Opt_dax_inode, Opt_dax_never, + Opt_stripe, Opt_delalloc, Opt_nodelalloc, Opt_warn_on_error, + Opt_nowarn_on_error, Opt_mblk_io_submit, +@@ -1743,7 +1743,7 @@ static const match_table_t tokens = { + {Opt_barrier, "barrier=%u"}, + {Opt_barrier, "barrier"}, + {Opt_nobarrier, "nobarrier"}, +- {Opt_i_version, "i_version"}, ++ {Opt_removed, "i_version"}, + {Opt_dax, "dax"}, + {Opt_dax_always, "dax=always"}, + {Opt_dax_inode, "dax=inode"}, +@@ -2130,9 +2130,6 @@ static int handle_mount_opt(struct super + case Opt_abort: + ext4_set_mount_flag(sb, EXT4_MF_FS_ABORTED); + return 1; +- case Opt_i_version: +- sb->s_flags |= SB_I_VERSION; +- return 1; + case Opt_lazytime: + sb->s_flags |= SB_LAZYTIME; + return 1; +@@ -2593,8 +2590,6 @@ static int _ext4_show_options(struct seq + SEQ_OPTS_PRINT("min_batch_time=%u", sbi->s_min_batch_time); + if (nodefs || sbi->s_max_batch_time != EXT4_DEF_MAX_BATCH_TIME) + SEQ_OPTS_PRINT("max_batch_time=%u", sbi->s_max_batch_time); +- if (sb->s_flags & SB_I_VERSION) +- SEQ_OPTS_PUTS("i_version"); + if (nodefs || sbi->s_stripe) + SEQ_OPTS_PRINT("stripe=%lu", sbi->s_stripe); + if (nodefs || EXT4_MOUNT_DATA_FLAGS & +@@ -4381,6 +4376,9 @@ static int ext4_fill_super(struct super_ + sb->s_flags = (sb->s_flags & ~SB_POSIXACL) | + (test_opt(sb, POSIX_ACL) ? SB_POSIXACL : 0); + ++ /* i_version is always enabled now */ ++ sb->s_flags |= SB_I_VERSION; ++ + if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV && + (ext4_has_compat_features(sb) || + ext4_has_ro_compat_features(sb) || +@@ -5931,7 +5929,7 @@ static int ext4_remount(struct super_blo + * either way we need to make sure it matches in both *flags and + * s_flags. Copy those selected flags from *flags to s_flags + */ +- vfs_flags = SB_LAZYTIME | SB_I_VERSION; ++ vfs_flags = SB_LAZYTIME; + sb->s_flags = (sb->s_flags & ~vfs_flags) | (*flags & vfs_flags); + + if (!parse_options(data, sb, &parsed_opts, 1)) { --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-unindent-codeblock-in-ext4_xattr_block_set.patch @@ -0,0 +1,123 @@ +From fd48e9acdf26d0cbd80051de07d4a735d05d29b2 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Tue, 12 Jul 2022 12:54:23 +0200 +Subject: [PATCH] ext4: unindent codeblock in ext4_xattr_block_set() +Git-commit: fd48e9acdf26d0cbd80051de07d4a735d05d29b2 +Patch-mainline: v6.0-rc1 +References: bsc#1198971 + +Remove unnecessary else (and thus indentation level) from a code block +in ext4_xattr_block_set(). It will also make following code changes +easier. No functional changes. + +Cc: stable@vger.kernel.org +Fixes: 82939d7999df ("ext4: convert to mbcache2") +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220712105436.32204-4-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/xattr.c | 81 +++++++++++++++++++++++++++----------------------------- + 1 file changed, 40 insertions(+), 41 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1850,6 +1850,8 @@ ext4_xattr_block_set(handle_t *handle, s + #define header(x) ((struct ext4_xattr_header *)(x)) + + if (s->base) { ++ int offset = (char *)s->here - bs->bh->b_data; ++ + BUFFER_TRACE(bs->bh, "get_write_access"); + error = ext4_journal_get_write_access(handle, sb, bs->bh, + EXT4_JTR_NONE); +@@ -1882,50 +1884,47 @@ ext4_xattr_block_set(handle_t *handle, s + if (error) + goto cleanup; + goto inserted; +- } else { +- int offset = (char *)s->here - bs->bh->b_data; +- +- unlock_buffer(bs->bh); +- ea_bdebug(bs->bh, "cloning"); +- s->base = kmalloc(bs->bh->b_size, GFP_NOFS); +- error = -ENOMEM; +- if (s->base == NULL) ++ } ++ unlock_buffer(bs->bh); ++ ea_bdebug(bs->bh, "cloning"); ++ s->base = kmalloc(bs->bh->b_size, GFP_NOFS); ++ error = -ENOMEM; ++ if (s->base == NULL) ++ goto cleanup; ++ memcpy(s->base, BHDR(bs->bh), bs->bh->b_size); ++ s->first = ENTRY(header(s->base)+1); ++ header(s->base)->h_refcount = cpu_to_le32(1); ++ s->here = ENTRY(s->base + offset); ++ s->end = s->base + bs->bh->b_size; ++ ++ /* ++ * If existing entry points to an xattr inode, we need ++ * to prevent ext4_xattr_set_entry() from decrementing ++ * ref count on it because the reference belongs to the ++ * original block. In this case, make the entry look ++ * like it has an empty value. ++ */ ++ if (!s->not_found && s->here->e_value_inum) { ++ ea_ino = le32_to_cpu(s->here->e_value_inum); ++ error = ext4_xattr_inode_iget(inode, ea_ino, ++ le32_to_cpu(s->here->e_hash), ++ &tmp_inode); ++ if (error) + goto cleanup; +- memcpy(s->base, BHDR(bs->bh), bs->bh->b_size); +- s->first = ENTRY(header(s->base)+1); +- header(s->base)->h_refcount = cpu_to_le32(1); +- s->here = ENTRY(s->base + offset); +- s->end = s->base + bs->bh->b_size; + +- /* +- * If existing entry points to an xattr inode, we need +- * to prevent ext4_xattr_set_entry() from decrementing +- * ref count on it because the reference belongs to the +- * original block. In this case, make the entry look +- * like it has an empty value. +- */ +- if (!s->not_found && s->here->e_value_inum) { +- ea_ino = le32_to_cpu(s->here->e_value_inum); +- error = ext4_xattr_inode_iget(inode, ea_ino, +- le32_to_cpu(s->here->e_hash), +- &tmp_inode); +- if (error) +- goto cleanup; +- +- if (!ext4_test_inode_state(tmp_inode, +- EXT4_STATE_LUSTRE_EA_INODE)) { +- /* +- * Defer quota free call for previous +- * inode until success is guaranteed. +- */ +- old_ea_inode_quota = le32_to_cpu( +- s->here->e_value_size); +- } +- iput(tmp_inode); +- +- s->here->e_value_inum = 0; +- s->here->e_value_size = 0; ++ if (!ext4_test_inode_state(tmp_inode, ++ EXT4_STATE_LUSTRE_EA_INODE)) { ++ /* ++ * Defer quota free call for previous ++ * inode until success is guaranteed. ++ */ ++ old_ea_inode_quota = le32_to_cpu( ++ s->here->e_value_size); + } ++ iput(tmp_inode); ++ ++ s->here->e_value_inum = 0; ++ s->here->e_value_size = 0; + } + } else { + /* Allocate a buffer where we construct the new block. */ --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-update-s_journal_inum-if-it-changes-after-journ.patch @@ -0,0 +1,53 @@ +From 3039d8b8692408438a618fac2776b629852663c3 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Sat, 7 Jan 2023 11:21:26 +0800 +Subject: [PATCH] ext4: update s_journal_inum if it changes after journal + replay +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 3039d8b8692408438a618fac2776b629852663c3 +Patch-mainline: v6.3-rc1 +References: bsc#1213094 + +When mounting a crafted ext4 image, s_journal_inum may change after journal +replay, which is obviously unreasonable because we have successfully loaded +and replayed the journal through the old s_journal_inum. And the new +s_journal_inum bypasses some of the checks in ext4_get_journal(), which +may trigger a null pointer dereference problem. So if s_journal_inum +changes after the journal replay, we ignore the change, and rewrite the +current journal_inum to the superblock. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216541 +Reported-by: LuÃs Henriques <lhenriques@suse.de> +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20230107032126.4165860-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/super.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 3b9e30e1afd9..45bcfd35e559 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5953,8 +5953,11 @@ static int ext4_load_journal(struct super_block *sb, + if (!really_read_only && journal_devnum && + journal_devnum != le32_to_cpu(es->s_journal_dev)) { + es->s_journal_dev = cpu_to_le32(journal_devnum); +- +- /* Make sure we flush the recovery flag to disk. */ ++ ext4_commit_super(sb); ++ } ++ if (!really_read_only && journal_inum && ++ journal_inum != le32_to_cpu(es->s_journal_inum)) { ++ es->s_journal_inum = cpu_to_le32(journal_inum); + ext4_commit_super(sb); + } + +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-update-state-fc_regions_size-after-successful-m.patch @@ -0,0 +1,51 @@ +From 27cd49780381c6ccbf248798e5e8fd076200ffba Mon Sep 17 00:00:00 2001 +From: Ye Bin <yebin10@huawei.com> +Date: Wed, 21 Sep 2022 14:40:40 +0800 +Subject: [PATCH] ext4: update 'state->fc_regions_size' after successful memory + allocation +Git-commit: 27cd49780381c6ccbf248798e5e8fd076200ffba +Patch-mainline: v6.1-rc1 +References: bsc#1207613 + +To avoid to 'state->fc_regions_size' mismatch with 'state->fc_regions' +when fail to reallocate 'fc_reqions',only update 'state->fc_regions_size' +after 'state->fc_regions' is allocated successfully. + +Cc: stable@kernel.org +Signed-off-by: Ye Bin <yebin10@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220921064040.3693255-4-yebin10@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 5ab58cb4ce8d..9549d89b3519 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1681,14 +1681,15 @@ int ext4_fc_record_regions(struct super_block *sb, int ino, + if (state->fc_regions_used == state->fc_regions_size) { + struct ext4_fc_alloc_region *fc_regions; + +- state->fc_regions_size += +- EXT4_FC_REPLAY_REALLOC_INCREMENT; + fc_regions = krealloc(state->fc_regions, +- state->fc_regions_size * +- sizeof(struct ext4_fc_alloc_region), ++ sizeof(struct ext4_fc_alloc_region) * ++ (state->fc_regions_size + ++ EXT4_FC_REPLAY_REALLOC_INCREMENT), + GFP_KERNEL); + if (!fc_regions) + return -ENOMEM; ++ state->fc_regions_size += ++ EXT4_FC_REPLAY_REALLOC_INCREMENT; + state->fc_regions = fc_regions; + } + region = &state->fc_regions[state->fc_regions_used++]; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-use-ext4_ext_remove_space-for-fast-commit-repla.patch @@ -0,0 +1,66 @@ +From 0b5b5a62b945a141e64011b2f90ee7e46f14be98 Mon Sep 17 00:00:00 2001 +From: Xin Yin <yinxin.x@bytedance.com> +Date: Thu, 23 Dec 2021 11:23:36 +0800 +Subject: [PATCH] ext4: use ext4_ext_remove_space() for fast commit replay + delete range +Git-commit: 0b5b5a62b945a141e64011b2f90ee7e46f14be98 +Patch-mainline: v5.17-rc1 +References: bsc#1202758 + +For now ,we use ext4_punch_hole() during fast commit replay delete range +procedure. But it will be affected by inode->i_size, which may not +correct during fast commit replay procedure. The following test will +failed. + +-create & write foo (len 1000K) +-falloc FALLOC_FL_ZERO_RANGE foo (range 400K - 600K) +-create & fsync bar +-falloc FALLOC_FL_PUNCH_HOLE foo (range 300K-500K) +-fsync foo +-crash before a full commit + +After the fast_commit reply procedure, the range 400K-500K will not be +removed. Because in this case, when calling ext4_punch_hole() the +inode->i_size is 0, and it just retruns with doing nothing. + +Change to use ext4_ext_remove_space() instead of ext4_punch_hole() +to remove blocks of inode directly. + +Signed-off-by: Xin Yin <yinxin.x@bytedance.com> +Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com> +Link: https://lore.kernel.org/r/20211223032337.5198-2-yinxin.x@bytedance.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index dd002facf6c9..28ddeb1d6afb 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1770,11 +1770,14 @@ ext4_fc_replay_del_range(struct super_block *sb, struct ext4_fc_tl *tl, + } + } + +- ret = ext4_punch_hole(inode, +- le32_to_cpu(lrange.fc_lblk) << sb->s_blocksize_bits, +- le32_to_cpu(lrange.fc_len) << sb->s_blocksize_bits); +- if (ret) +- jbd_debug(1, "ext4_punch_hole returned %d", ret); ++ down_write(&EXT4_I(inode)->i_data_sem); ++ ret = ext4_ext_remove_space(inode, lrange.fc_lblk, ++ lrange.fc_lblk + lrange.fc_len - 1); ++ up_write(&EXT4_I(inode)->i_data_sem); ++ if (ret) { ++ iput(inode); ++ return 0; ++ } + ext4_ext_replay_shrink_inode(inode, + i_size_read(inode) >> sb->s_blocksize_bits); + ext4_mark_inode_dirty(NULL, inode); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-use-ext4_fc_tl_mem-in-fast-commit-replay-path.patch @@ -0,0 +1,143 @@ +From 11768cfd98136dd8399480c60b7a5d3d3c7b109b Mon Sep 17 00:00:00 2001 +From: Eric Biggers <ebiggers@google.com> +Date: Fri, 16 Dec 2022 21:02:12 -0800 +Subject: [PATCH] ext4: use ext4_fc_tl_mem in fast-commit replay path +Git-commit: 11768cfd98136dd8399480c60b7a5d3d3c7b109b +Patch-mainline: v6.3-rc1 +References: bsc#1213092 + +To avoid 'sparse' warnings about missing endianness conversions, don't +store native endianness values into struct ext4_fc_tl. Instead, use a +separate struct type, ext4_fc_tl_mem. + +Fixes: dcc5827484d6 ("ext4: factor out ext4_fc_get_tl()") +Cc: Ye Bin <yebin10@huawei.com> +Signed-off-by: Eric Biggers <ebiggers@google.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20221217050212.150665-1-ebiggers@kernel.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/fast_commit.c | 44 +++++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 18 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 4594b62f147b..b06de728b3b6 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -1332,8 +1332,14 @@ struct dentry_info_args { + char *dname; + }; + ++/* Same as struct ext4_fc_tl, but uses native endianness fields */ ++struct ext4_fc_tl_mem { ++ u16 fc_tag; ++ u16 fc_len; ++}; ++ + static inline void tl_to_darg(struct dentry_info_args *darg, +- struct ext4_fc_tl *tl, u8 *val) ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct ext4_fc_dentry_info fcd; + +@@ -1345,16 +1351,18 @@ static inline void tl_to_darg(struct dentry_info_args *darg, + darg->dname_len = tl->fc_len - sizeof(struct ext4_fc_dentry_info); + } + +-static inline void ext4_fc_get_tl(struct ext4_fc_tl *tl, u8 *val) ++static inline void ext4_fc_get_tl(struct ext4_fc_tl_mem *tl, u8 *val) + { +- memcpy(tl, val, EXT4_FC_TAG_BASE_LEN); +- tl->fc_len = le16_to_cpu(tl->fc_len); +- tl->fc_tag = le16_to_cpu(tl->fc_tag); ++ struct ext4_fc_tl tl_disk; ++ ++ memcpy(&tl_disk, val, EXT4_FC_TAG_BASE_LEN); ++ tl->fc_len = le16_to_cpu(tl_disk.fc_len); ++ tl->fc_tag = le16_to_cpu(tl_disk.fc_tag); + } + + /* Unlink replay function */ +-static int ext4_fc_replay_unlink(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++static int ext4_fc_replay_unlink(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct inode *inode, *old_parent; + struct qstr entry; +@@ -1451,8 +1459,8 @@ static int ext4_fc_replay_link_internal(struct super_block *sb, + } + + /* Link replay function */ +-static int ext4_fc_replay_link(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++static int ext4_fc_replay_link(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct inode *inode; + struct dentry_info_args darg; +@@ -1506,8 +1514,8 @@ static int ext4_fc_record_modified_inode(struct super_block *sb, int ino) + /* + * Inode replay function + */ +-static int ext4_fc_replay_inode(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++static int ext4_fc_replay_inode(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct ext4_fc_inode fc_inode; + struct ext4_inode *raw_inode; +@@ -1609,8 +1617,8 @@ static int ext4_fc_replay_inode(struct super_block *sb, struct ext4_fc_tl *tl, + * inode for which we are trying to create a dentry here, should already have + * been replayed before we start here. + */ +-static int ext4_fc_replay_create(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++static int ext4_fc_replay_create(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + int ret = 0; + struct inode *inode = NULL; +@@ -1708,7 +1716,7 @@ int ext4_fc_record_regions(struct super_block *sb, int ino, + + /* Replay add range tag */ + static int ext4_fc_replay_add_range(struct super_block *sb, +- struct ext4_fc_tl *tl, u8 *val) ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct ext4_fc_add_range fc_add_ex; + struct ext4_extent newex, *ex; +@@ -1828,8 +1836,8 @@ static int ext4_fc_replay_add_range(struct super_block *sb, + + /* Replay DEL_RANGE tag */ + static int +-ext4_fc_replay_del_range(struct super_block *sb, struct ext4_fc_tl *tl, +- u8 *val) ++ext4_fc_replay_del_range(struct super_block *sb, ++ struct ext4_fc_tl_mem *tl, u8 *val) + { + struct inode *inode; + struct ext4_fc_del_range lrange; +@@ -2025,7 +2033,7 @@ static int ext4_fc_replay_scan(journal_t *journal, + struct ext4_fc_replay_state *state; + int ret = JBD2_FC_REPLAY_CONTINUE; + struct ext4_fc_add_range ext; +- struct ext4_fc_tl tl; ++ struct ext4_fc_tl_mem tl; + struct ext4_fc_tail tail; + __u8 *start, *end, *cur, *val; + struct ext4_fc_head head; +@@ -2144,7 +2152,7 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh, + { + struct super_block *sb = journal->j_private; + struct ext4_sb_info *sbi = EXT4_SB(sb); +- struct ext4_fc_tl tl; ++ struct ext4_fc_tl_mem tl; + __u8 *start, *end, *cur, *val; + int ret = JBD2_FC_REPLAY_CONTINUE; + struct ext4_fc_replay_state *state = &sbi->s_fc_replay_state; +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-verify-dir-block-before-splitting-it.patch @@ -0,0 +1,93 @@ +From 46c116b920ebec58031f0a78c5ea9599b0d2a371 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Wed, 18 May 2022 11:33:28 +0200 +Subject: [PATCH] ext4: verify dir block before splitting it +Git-commit: 46c116b920ebec58031f0a78c5ea9599b0d2a371 +Patch-mainline: v5.19-rc1 +References: bsc#1198577 CVE-2022-1184 + +Before splitting a directory block verify its directory entries are sane +so that the splitting code does not access memory it should not. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20220518093332.13986-1-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/namei.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 7aca8944901d..7286472e9558 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -277,9 +277,9 @@ static struct dx_frame *dx_probe(struct ext4_filename *fname, + struct dx_hash_info *hinfo, + struct dx_frame *frame); + static void dx_release(struct dx_frame *frames); +-static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, +- unsigned blocksize, struct dx_hash_info *hinfo, +- struct dx_map_entry map[]); ++static int dx_make_map(struct inode *dir, struct buffer_head *bh, ++ struct dx_hash_info *hinfo, ++ struct dx_map_entry *map_tail); + static void dx_sort_map(struct dx_map_entry *map, unsigned count); + static struct ext4_dir_entry_2 *dx_move_dirents(struct inode *dir, char *from, + char *to, struct dx_map_entry *offsets, +@@ -1249,15 +1249,23 @@ static inline int search_dirblock(struct buffer_head *bh, + * Create map of hash values, offsets, and sizes, stored at end of block. + * Returns number of entries mapped. + */ +-static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, +- unsigned blocksize, struct dx_hash_info *hinfo, ++static int dx_make_map(struct inode *dir, struct buffer_head *bh, ++ struct dx_hash_info *hinfo, + struct dx_map_entry *map_tail) + { + int count = 0; +- char *base = (char *) de; ++ struct ext4_dir_entry_2 *de = (struct ext4_dir_entry_2 *)bh->b_data; ++ unsigned int buflen = bh->b_size; ++ char *base = bh->b_data; + struct dx_hash_info h = *hinfo; + +- while ((char *) de < base + blocksize) { ++ if (ext4_has_metadata_csum(dir->i_sb)) ++ buflen -= sizeof(struct ext4_dir_entry_tail); ++ ++ while ((char *) de < base + buflen) { ++ if (ext4_check_dir_entry(dir, NULL, de, bh, base, buflen, ++ ((char *)de) - base)) ++ return -EFSCORRUPTED; + if (de->name_len && de->inode) { + if (ext4_hash_in_dirent(dir)) + h.hash = EXT4_DIRENT_HASH(de); +@@ -1270,8 +1278,7 @@ static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, + count++; + cond_resched(); + } +- /* XXX: do we need to check rec_len == 0 case? -Chris */ +- de = ext4_next_entry(de, blocksize); ++ de = ext4_next_entry(de, dir->i_sb->s_blocksize); + } + return count; + } +@@ -1943,8 +1950,11 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + + /* create map in the end of data2 block */ + map = (struct dx_map_entry *) (data2 + blocksize); +- count = dx_make_map(dir, (struct ext4_dir_entry_2 *) data1, +- blocksize, hinfo, map); ++ count = dx_make_map(dir, *bh, hinfo, map); ++ if (count < 0) { ++ err = count; ++ goto journal_error; ++ } + map -= count; + dx_sort_map(map, count); + /* Ensure that neither split block is over half full */ +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/ext4-zero-i_disksize-when-initializing-the-bootloade.patch @@ -0,0 +1,65 @@ +From f5361da1e60d54ec81346aee8e3d8baf1be0b762 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng <chengzhihao1@huawei.com> +Date: Wed, 8 Mar 2023 11:26:43 +0800 +Subject: [PATCH] ext4: zero i_disksize when initializing the bootloader inode +Git-commit: f5361da1e60d54ec81346aee8e3d8baf1be0b762 +Patch-mainline: v6.3-rc2 +References: bsc#1213013 + +If the boot loader inode has never been used before, the +EXT4_IOC_SWAP_BOOT inode will initialize it, including setting the +i_size to 0. However, if the "never before used" boot loader has a +non-zero i_size, then i_disksize will be non-zero, and the +inconsistency between i_size and i_disksize can trigger a kernel +Warning: + + WARNING: CPU: 0 PID: 2580 at fs/ext4/file.c:319 + CPU: 0 PID: 2580 Comm: bb Not tainted 6.3.0-rc1-00004-g703695902cfa + RIP: 0010:ext4_file_write_iter+0xbc7/0xd10 + Call Trace: + vfs_write+0x3b1/0x5c0 + ksys_write+0x77/0x160 + __x64_sys_write+0x22/0x30 + do_syscall_64+0x39/0x80 + +Reproducer: 1. create corrupted image and mount it: + mke2fs -t ext4 /tmp/foo.img 200 + debugfs -wR "sif <5> size 25700" /tmp/foo.img + mount -t ext4 /tmp/foo.img /mnt + cd /mnt + echo 123 > file + 2. Run the reproducer program: + posix_memalign(&buf, 1024, 1024) + fd = open("file", O_RDWR | O_DIRECT); + ioctl(fd, EXT4_IOC_SWAP_BOOT); + write(fd, buf, 1024); + +Fix this by setting i_disksize as well as i_size to zero when +initiaizing the boot loader inode. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217159 +Cc: stable@kernel.org +Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com> +Link: https://lore.kernel.org/r/20230308032643.641113-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 2e8c34036313..cc17205f7f49 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -431,6 +431,7 @@ static long swap_inode_boot_loader(struct super_block *sb, + ei_bl->i_flags = 0; + inode_set_iversion(inode_bl, 1); + i_size_write(inode_bl, 0); ++ EXT4_I(inode_bl)->i_disksize = inode_bl->i_size; + inode_bl->i_mode = S_IFREG; + if (ext4_has_feature_extents(sb)) { + ext4_set_inode_flag(inode_bl, EXT4_INODE_EXTENTS); +-- +2.35.3 + --- /dev/null +++ b/ldiskfs/kernel_patches/patches/patches.suse/fs-ext4-initialize-fsdata-in-pagecache_write.patch @@ -0,0 +1,38 @@ +From 956510c0c7439e90b8103aaeaf4da92878c622f0 Mon Sep 17 00:00:00 2001 +From: Alexander Potapenko <glider@google.com> +Date: Mon, 21 Nov 2022 12:21:30 +0100 +Subject: [PATCH] fs: ext4: initialize fsdata in pagecache_write() +Git-commit: 956510c0c7439e90b8103aaeaf4da92878c622f0 +Patch-mainline: v6.2-rc1 +References: bsc#1207632 + +When aops->write_begin() does not initialize fsdata, KMSAN reports +an error passing the latter to aops->write_end(). + +Fix this by unconditionally initializing fsdata. + +Cc: Eric Biggers <ebiggers@kernel.org> +Fixes: c93d8f885809 ("ext4: add basic fs-verity support") +Reported-by: syzbot+9767be679ef5016b6082@syzkaller.appspotmail.com +Signed-off-by: Alexander Potapenko <glider@google.com> +Reviewed-by: Eric Biggers <ebiggers@google.com> +Link: https://lore.kernel.org/r/20221121112134.407362-1-glider@google.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/ext4/verity.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/verity.c ++++ b/fs/ext4/verity.c +@@ -76,7 +76,7 @@ static int pagecache_write(struct inode + size_t n = min_t(size_t, count, + PAGE_SIZE - offset_in_page(pos)); + struct page *page; +- void *fsdata; ++ void *fsdata = NULL; + int res; + + res = pagecache_write_begin(NULL, inode->i_mapping, pos, n, 0, --- a/ldiskfs/kernel_patches/patches/sles15sp4/ext4-data-in-dirent.patch +++ b/ldiskfs/kernel_patches/patches/sles15sp4/ext4-data-in-dirent.patch @@ -8,19 +8,17 @@ data is present. This uses dentry->d_fsdata to pass fid to ext4. so no changes in ext4_add_entry() interface required. --- - fs/ext4/dir.c | 9 +- - fs/ext4/ext4.h | 106 ++++++++++++++++-- - fs/ext4/fast_commit.c | 2 +- - fs/ext4/inline.c | 8 +- - fs/ext4/namei.c | 249 ++++++++++++++++++++++++++++++++---------- - fs/ext4/super.c | 4 +- + fs/ext4/dir.c | 9 + + fs/ext4/ext4.h | 106 +++++++++++++++++++-- + fs/ext4/fast_commit.c | 2 + fs/ext4/inline.c | 8 - + fs/ext4/namei.c | 249 +++++++++++++++++++++++++++++++++++++------------- + fs/ext4/super.c | 4 6 files changed, 303 insertions(+), 75 deletions(-) -diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c -index 74b172a..c6afabc 100644 --- a/fs/ext4/dir.c +++ b/fs/ext4/dir.c -@@ -466,12 +466,17 @@ int ext4_htree_store_dirent(struct file *dir_file, __u32 hash, +@@ -466,12 +466,17 @@ int ext4_htree_store_dirent(struct file struct fname *fname, *new_fn; struct dir_private_info *info; int len; @@ -39,7 +37,7 @@ index 74b172a..c6afabc 100644 new_fn = kzalloc(len, GFP_KERNEL); if (!new_fn) return -ENOMEM; -@@ -480,7 +485,7 @@ int ext4_htree_store_dirent(struct file *dir_file, __u32 hash, +@@ -480,7 +485,7 @@ int ext4_htree_store_dirent(struct file new_fn->inode = le32_to_cpu(dirent->inode); new_fn->name_len = ent_name->len; new_fn->file_type = dirent->file_type; @@ -48,11 +46,9 @@ index 74b172a..c6afabc 100644 while (*p) { parent = *p; -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 0791a8b..f1bc21d 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h -@@ -1165,6 +1165,7 @@ struct ext4_inode_info { +@@ -1168,6 +1168,7 @@ struct ext4_inode_info { __u32 i_csum_seed; kprojid_t i_projid; @@ -60,7 +56,7 @@ index 0791a8b..f1bc21d 100644 }; /* -@@ -1186,6 +1187,7 @@ struct ext4_inode_info { +@@ -1189,6 +1190,7 @@ struct ext4_inode_info { * Mount flags set via mount options or defaults */ #define EXT4_MOUNT_NO_MBCACHE 0x00001 /* Do not use mbcache */ @@ -68,7 +64,7 @@ index 0791a8b..f1bc21d 100644 #define EXT4_MOUNT_GRPID 0x00004 /* Create files with directory's group */ #define EXT4_MOUNT_DEBUG 0x00008 /* Some debugging messages */ #define EXT4_MOUNT_ERRORS_CONT 0x00010 /* Continue on errors */ -@@ -2117,6 +2119,7 @@ EXT4_FEATURE_INCOMPAT_FUNCS(casefold, CASEFOLD) +@@ -2145,6 +2147,7 @@ EXT4_FEATURE_INCOMPAT_FUNCS(casefold, C EXT4_FEATURE_INCOMPAT_FLEX_BG| \ EXT4_FEATURE_INCOMPAT_EA_INODE| \ EXT4_FEATURE_INCOMPAT_MMP | \ @@ -76,7 +72,7 @@ index 0791a8b..f1bc21d 100644 EXT4_FEATURE_INCOMPAT_INLINE_DATA | \ EXT4_FEATURE_INCOMPAT_ENCRYPT | \ EXT4_FEATURE_INCOMPAT_CASEFOLD | \ -@@ -2326,6 +2329,42 @@ struct ext4_dir_entry_tail { +@@ -2354,6 +2357,42 @@ struct ext4_dir_entry_tail { #define EXT4_FT_SYMLINK 7 #define EXT4_FT_MAX 8 @@ -119,7 +115,7 @@ index 0791a8b..f1bc21d 100644 #define EXT4_FT_DIR_CSUM 0xDE -@@ -2337,6 +2376,17 @@ struct ext4_dir_entry_tail { +@@ -2365,6 +2404,17 @@ struct ext4_dir_entry_tail { #define EXT4_DIR_PAD 4 #define EXT4_DIR_ROUND (EXT4_DIR_PAD - 1) #define EXT4_MAX_REC_LEN ((1<<16)-1) @@ -137,7 +133,7 @@ index 0791a8b..f1bc21d 100644 /* * The rec_len is dependent on the type of directory. Directories that are -@@ -2344,10 +2394,10 @@ struct ext4_dir_entry_tail { +@@ -2372,10 +2422,10 @@ struct ext4_dir_entry_tail { * ext4_extended_dir_entry_2. For all entries related to '.' or '..' you should * pass NULL for dir, as those entries do not use the extra fields. */ @@ -150,7 +146,7 @@ index 0791a8b..f1bc21d 100644 if (dir && ext4_hash_in_dirent(dir)) rec_len += sizeof(struct ext4_dir_entry_hash); -@@ -2821,11 +2871,13 @@ extern int ext4_find_dest_de(struct inode *dir, struct inode *inode, +@@ -2849,11 +2899,13 @@ extern int ext4_find_dest_de(struct inod struct buffer_head *bh, void *buf, int buf_size, struct ext4_filename *fname, @@ -166,7 +162,7 @@ index 0791a8b..f1bc21d 100644 static inline void ext4_update_dx_flag(struct inode *inode) { if (!ext4_has_feature_dir_index(inode->i_sb) && -@@ -2841,10 +2893,17 @@ static const unsigned char ext4_filetype_table[] = { +@@ -2869,10 +2921,17 @@ static const unsigned char ext4_filetype static inline unsigned char get_dtype(struct super_block *sb, int filetype) { @@ -186,7 +182,7 @@ index 0791a8b..f1bc21d 100644 } extern int ext4_check_all_de(struct inode *dir, struct buffer_head *bh, void *buf, int buf_size); -@@ -3048,7 +3107,8 @@ extern int ext4_ind_migrate(struct inode *inode); +@@ -3078,7 +3137,8 @@ extern int ext4_ind_migrate(struct inode /* namei.c */ extern int ext4_init_new_dir(handle_t *handle, struct inode *dir, @@ -196,7 +192,7 @@ index 0791a8b..f1bc21d 100644 extern int ext4_dirblock_csum_verify(struct inode *inode, struct buffer_head *bh); extern int ext4_orphan_add(handle_t *, struct inode *); -@@ -3059,6 +3119,8 @@ extern struct inode *ext4_create_inode(handle_t *handle, +@@ -3089,6 +3149,8 @@ extern struct inode *ext4_create_inode(h extern int ext4_delete_entry(handle_t *handle, struct inode * dir, struct ext4_dir_entry_2 *de_del, struct buffer_head *bh); @@ -205,7 +201,7 @@ index 0791a8b..f1bc21d 100644 extern int ext4_htree_fill_tree(struct file *dir_file, __u32 start_hash, __u32 start_minor_hash, __u32 *next_hash); extern int ext4_search_dir(struct buffer_head *bh, -@@ -3862,6 +3924,36 @@ static inline int ext4_buffer_uptodate(struct buffer_head *bh) +@@ -3892,6 +3954,36 @@ static inline int ext4_buffer_uptodate(s return buffer_uptodate(bh); } @@ -242,11 +238,9 @@ index 0791a8b..f1bc21d 100644 #endif /* __KERNEL__ */ #define EFSBADCRC EBADMSG /* Bad CRC detected */ -diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c -index 276d9e6..3be0f08 100644 --- a/fs/ext4/fast_commit.c +++ b/fs/ext4/fast_commit.c -@@ -1596,7 +1596,7 @@ static int ext4_fc_replay_create(struct super_block *sb, struct ext4_fc_tl *tl, +@@ -1632,7 +1632,7 @@ static int ext4_fc_replay_create(struct jbd_debug(1, "Dir %d not found.", darg.ino); goto out; } @@ -255,11 +249,9 @@ index 276d9e6..3be0f08 100644 iput(dir); if (ret) { ret = 0; -diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c -index 9626c31..ed31b5c 100644 --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c -@@ -1029,7 +1029,7 @@ static int ext4_add_dirent_to_inline(handle_t *handle, +@@ -1028,7 +1028,7 @@ static int ext4_add_dirent_to_inline(han struct ext4_dir_entry_2 *de; err = ext4_find_dest_de(dir, inode, iloc->bh, inline_start, @@ -268,7 +260,7 @@ index 9626c31..ed31b5c 100644 if (err) return err; -@@ -1038,7 +1038,7 @@ static int ext4_add_dirent_to_inline(handle_t *handle, +@@ -1037,7 +1037,7 @@ static int ext4_add_dirent_to_inline(han EXT4_JTR_NONE); if (err) return err; @@ -277,7 +269,7 @@ index 9626c31..ed31b5c 100644 ext4_show_inline_dir(dir, iloc->bh, inline_start, inline_size); -@@ -1396,7 +1396,7 @@ int ext4_inlinedir_to_tree(struct file *dir_file, +@@ -1396,7 +1396,7 @@ int ext4_inlinedir_to_tree(struct file * fake.name_len = 1; strcpy(fake.name, "."); fake.rec_len = ext4_rec_len_to_disk( @@ -286,7 +278,7 @@ index 9626c31..ed31b5c 100644 inline_size); ext4_set_de_type(inode->i_sb, &fake, S_IFDIR); de = &fake; -@@ -1406,7 +1406,7 @@ int ext4_inlinedir_to_tree(struct file *dir_file, +@@ -1406,7 +1406,7 @@ int ext4_inlinedir_to_tree(struct file * fake.name_len = 2; strcpy(fake.name, ".."); fake.rec_len = ext4_rec_len_to_disk( @@ -295,11 +287,9 @@ index 9626c31..ed31b5c 100644 inline_size); ext4_set_de_type(inode->i_sb, &fake, S_IFDIR); de = &fake; -diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c -index 7f00dc3..51c950b 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c -@@ -285,13 +285,14 @@ static unsigned dx_get_count(struct dx_entry *entries); +@@ -290,13 +290,14 @@ static unsigned dx_get_count(struct dx_e static unsigned dx_get_limit(struct dx_entry *entries); static void dx_set_count(struct dx_entry *entries, unsigned value); static void dx_set_limit(struct dx_entry *entries, unsigned value); @@ -316,7 +306,7 @@ index 7f00dc3..51c950b 100644 static int dx_make_map(struct inode *dir, struct buffer_head *bh, struct dx_hash_info *hinfo, struct dx_map_entry *map_tail); -@@ -431,22 +432,23 @@ static struct dx_countlimit *get_dx_countlimit(struct inode *inode, +@@ -436,22 +437,23 @@ static struct dx_countlimit *get_dx_coun { struct ext4_dir_entry *dp; struct dx_root_info *root; @@ -348,7 +338,7 @@ index 7f00dc3..51c950b 100644 if (offset) *offset = count_offset; -@@ -549,13 +551,14 @@ ext4_next_entry(struct ext4_dir_entry_2 *p, unsigned long blocksize) +@@ -554,13 +556,14 @@ ext4_next_entry(struct ext4_dir_entry_2 * Future: use high four bits of block for coalesce-on-delete flags * Mask them off for now. */ @@ -366,7 +356,7 @@ index 7f00dc3..51c950b 100644 return (struct dx_root_info *)de; } -@@ -600,11 +603,16 @@ static inline void dx_set_limit(struct dx_entry *entries, unsigned value) +@@ -605,11 +608,16 @@ static inline void dx_set_limit(struct d ((struct dx_countlimit *) entries)->limit = cpu_to_le16(value); } @@ -387,7 +377,7 @@ index 7f00dc3..51c950b 100644 if (ext4_has_metadata_csum(dir->i_sb)) entry_space -= sizeof(struct dx_tail); -@@ -722,7 +730,7 @@ static struct stats dx_show_leaf(struct inode *dir, +@@ -729,7 +737,7 @@ static struct stats dx_show_leaf(struct (unsigned) ((char *) de - base)); #endif } @@ -396,7 +386,7 @@ index 7f00dc3..51c950b 100644 names++; } de = ext4_next_entry(de, size); -@@ -816,7 +824,7 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, +@@ -823,7 +831,7 @@ dx_probe(struct ext4_filename *fname, st if (IS_ERR(frame->bh)) return (struct dx_frame *) frame->bh; @@ -405,7 +395,7 @@ index 7f00dc3..51c950b 100644 if (info->hash_version != DX_HASH_TEA && info->hash_version != DX_HASH_HALF_MD4 && info->hash_version != DX_HASH_LEGACY && -@@ -872,11 +880,14 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, +@@ -885,11 +893,14 @@ dx_probe(struct ext4_filename *fname, st entries = (struct dx_entry *)(((char *)info) + info->info_length); @@ -423,7 +413,7 @@ index 7f00dc3..51c950b 100644 goto fail; } -@@ -953,7 +964,7 @@ fail: +@@ -966,7 +977,7 @@ fail: return ret_err; } @@ -432,7 +422,7 @@ index 7f00dc3..51c950b 100644 { struct dx_root_info *info; int i; -@@ -962,7 +973,7 @@ static void dx_release(struct dx_frame *frames) +@@ -975,7 +986,7 @@ static void dx_release(struct dx_frame * if (frames[0].bh == NULL) return; @@ -441,7 +431,7 @@ index 7f00dc3..51c950b 100644 /* save local copy, "info" may be freed after brelse() */ indirect_levels = info->indirect_levels; for (i = 0; i <= indirect_levels; i++) { -@@ -1263,12 +1274,12 @@ int ext4_htree_fill_tree(struct file *dir_file, __u32 start_hash, +@@ -1281,12 +1292,12 @@ int ext4_htree_fill_tree(struct file *di (count && ((hashval & 1) == 0))) break; } @@ -456,7 +446,7 @@ index 7f00dc3..51c950b 100644 return (err); } -@@ -1801,7 +1812,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir, +@@ -1821,7 +1832,7 @@ static struct buffer_head * ext4_dx_find errout: dxtrace(printk(KERN_DEBUG "%s not found\n", fname->usr_fname->name)); success: @@ -465,7 +455,7 @@ index 7f00dc3..51c950b 100644 return bh; } -@@ -1925,7 +1936,7 @@ dx_move_dirents(struct inode *dir, char *from, char *to, +@@ -1945,7 +1956,7 @@ dx_move_dirents(struct inode *dir, char while (count--) { struct ext4_dir_entry_2 *de = (struct ext4_dir_entry_2 *) (from + (map->offs<<2)); @@ -474,7 +464,7 @@ index 7f00dc3..51c950b 100644 memcpy (to, de, rec_len); ((struct ext4_dir_entry_2 *) to)->rec_len = -@@ -1958,7 +1969,7 @@ static struct ext4_dir_entry_2 *dx_pack_dirents(struct inode *dir, char *base, +@@ -1978,7 +1989,7 @@ static struct ext4_dir_entry_2 *dx_pack_ while ((char*)de < base + blocksize) { next = ext4_next_entry(de, blocksize); if (de->inode && de->name_len) { @@ -483,7 +473,7 @@ index 7f00dc3..51c950b 100644 if (de > to) memmove(to, de, rec_len); to->rec_len = ext4_rec_len_to_disk(rec_len, blocksize); -@@ -2101,14 +2112,21 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode, +@@ -2121,14 +2132,21 @@ int ext4_find_dest_de(struct inode *dir, struct buffer_head *bh, void *buf, int buf_size, struct ext4_filename *fname, @@ -507,7 +497,7 @@ index 7f00dc3..51c950b 100644 de = (struct ext4_dir_entry_2 *)buf; top = buf + buf_size - reclen; while ((char *) de <= top) { -@@ -2117,10 +2135,31 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode, +@@ -2137,10 +2155,31 @@ int ext4_find_dest_de(struct inode *dir, return -EFSCORRUPTED; if (ext4_match(dir, fname, de)) return -EEXIST; @@ -540,7 +530,7 @@ index 7f00dc3..51c950b 100644 de = (struct ext4_dir_entry_2 *)((char *)de + rlen); offset += rlen; } -@@ -2135,12 +2174,13 @@ void ext4_insert_dentry(struct inode *dir, +@@ -2155,12 +2194,13 @@ void ext4_insert_dentry(struct inode *di struct inode *inode, struct ext4_dir_entry_2 *de, int buf_size, @@ -556,7 +546,7 @@ index 7f00dc3..51c950b 100644 rlen = ext4_rec_len_from_disk(de->rec_len, buf_size); if (de->inode) { struct ext4_dir_entry_2 *de1 = -@@ -2161,6 +2201,12 @@ void ext4_insert_dentry(struct inode *dir, +@@ -2181,6 +2221,12 @@ void ext4_insert_dentry(struct inode *di EXT4_DIRENT_HASHES(de)->minor_hash = cpu_to_le32(hinfo->minor_hash); } @@ -569,7 +559,7 @@ index 7f00dc3..51c950b 100644 } /* -@@ -2178,14 +2224,19 @@ static int add_dirent_to_buf(handle_t *handle, struct ext4_filename *fname, +@@ -2198,14 +2244,19 @@ static int add_dirent_to_buf(handle_t *h { unsigned int blocksize = dir->i_sb->s_blocksize; int csum_size = 0; @@ -591,7 +581,7 @@ index 7f00dc3..51c950b 100644 if (err) return err; } -@@ -2198,7 +2249,10 @@ static int add_dirent_to_buf(handle_t *handle, struct ext4_filename *fname, +@@ -2218,7 +2269,10 @@ static int add_dirent_to_buf(handle_t *h } /* By now the buffer is marked for journaling */ @@ -603,7 +593,7 @@ index 7f00dc3..51c950b 100644 /* * XXX shouldn't update any times until successful -@@ -2296,7 +2350,7 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, +@@ -2324,7 +2378,7 @@ static int make_indexed_dir(handle_t *ha blocksize); /* initialize hashing info */ @@ -612,7 +602,7 @@ index 7f00dc3..51c950b 100644 memset(dx_info, 0, sizeof(*dx_info)); dx_info->info_length = sizeof(*dx_info); if (ext4_hash_in_dirent(dir)) -@@ -2307,7 +2361,8 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, +@@ -2335,7 +2389,8 @@ static int make_indexed_dir(handle_t *ha entries = (void *)dx_info + sizeof(*dx_info); dx_set_block(entries, 1); dx_set_count(entries, 1); @@ -622,7 +612,7 @@ index 7f00dc3..51c950b 100644 /* Initialize as for dx_probe */ fname->hinfo.hash_version = dx_info->hash_version; -@@ -2348,7 +2403,7 @@ out_frames: +@@ -2381,7 +2436,7 @@ out_frames: */ if (retval) ext4_mark_inode_dirty(handle, dir); @@ -631,7 +621,7 @@ index 7f00dc3..51c950b 100644 brelse(bh2); return retval; } -@@ -2361,6 +2416,8 @@ static int ext4_update_dotdot(handle_t *handle, struct dentry *dentry, +@@ -2394,6 +2449,8 @@ static int ext4_update_dotdot(handle_t * struct buffer_head *dir_block; struct ext4_dir_entry_2 *de; int len, journal = 0, err = 0; @@ -640,7 +630,7 @@ index 7f00dc3..51c950b 100644 if (IS_ERR(handle)) return PTR_ERR(handle); -@@ -2376,21 +2433,25 @@ static int ext4_update_dotdot(handle_t *handle, struct dentry *dentry, +@@ -2409,21 +2466,25 @@ static int ext4_update_dotdot(handle_t * de = (struct ext4_dir_entry_2 *)dir_block->b_data; /* the first item must be "." */ @@ -672,7 +662,7 @@ index 7f00dc3..51c950b 100644 de = (struct ext4_dir_entry_2 *) ((char *) de + le16_to_cpu(de->rec_len)); if (!journal) { -@@ -2404,10 +2465,15 @@ static int ext4_update_dotdot(handle_t *handle, struct dentry *dentry, +@@ -2437,10 +2498,15 @@ static int ext4_update_dotdot(handle_t * if (len > 0) de->rec_len = cpu_to_le16(len); else @@ -690,7 +680,7 @@ index 7f00dc3..51c950b 100644 out_journal: if (journal) { -@@ -2445,6 +2511,7 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry, +@@ -2478,6 +2544,7 @@ static int ext4_add_entry(handle_t *hand ext4_lblk_t block, blocks; int csum_size = 0; @@ -698,7 +688,7 @@ index 7f00dc3..51c950b 100644 if (ext4_has_metadata_csum(inode->i_sb)) csum_size = sizeof(struct ext4_dir_entry_tail); -@@ -2687,7 +2754,7 @@ again: +@@ -2720,7 +2787,7 @@ again: dx_set_count(entries, 1); dx_set_block(entries + 0, newblock); info = dx_get_dx_info((struct ext4_dir_entry_2 *) @@ -707,7 +697,7 @@ index 7f00dc3..51c950b 100644 info->indirect_levels = 1; dxtrace(printk(KERN_DEBUG "Creating %d level index...\n", -@@ -2713,7 +2780,7 @@ journal_error: +@@ -2746,7 +2813,7 @@ journal_error: ext4_std_error(dir->i_sb, err); /* this is a no-op if err == 0 */ cleanup: brelse(bh); @@ -716,7 +706,7 @@ index 7f00dc3..51c950b 100644 /* @restart is true means htree-path has been changed, we need to * repeat dx_probe() to find out valid htree-path */ -@@ -3016,38 +3083,73 @@ err_unlock_inode: +@@ -3049,38 +3116,73 @@ err_unlock_inode: return err; } @@ -798,7 +788,7 @@ index 7f00dc3..51c950b 100644 struct buffer_head *dir_block = NULL; struct ext4_dir_entry_2 *de; ext4_lblk_t block = 0; -@@ -3071,7 +3173,11 @@ int ext4_init_new_dir(handle_t *handle, struct inode *dir, +@@ -3104,7 +3206,11 @@ int ext4_init_new_dir(handle_t *handle, if (IS_ERR(dir_block)) return PTR_ERR(dir_block); de = (struct ext4_dir_entry_2 *)dir_block->b_data; @@ -811,7 +801,7 @@ index 7f00dc3..51c950b 100644 set_nlink(inode, 2); if (csum_size) ext4_initialize_dirent_tail(dir_block, blocksize); -@@ -3086,6 +3192,29 @@ out: +@@ -3119,6 +3225,29 @@ out: return err; } @@ -841,7 +831,7 @@ index 7f00dc3..51c950b 100644 static int ext4_mkdir(struct user_namespace *mnt_userns, struct inode *dir, struct dentry *dentry, umode_t mode) { -@@ -3113,7 +3242,7 @@ retry: +@@ -3146,7 +3275,7 @@ retry: inode->i_op = &ext4_dir_inode_operations; inode->i_fop = &ext4_dir_operations; @@ -850,20 +840,18 @@ index 7f00dc3..51c950b 100644 if (err) goto out_clear_inode; err = ext4_mark_inode_dirty(handle, inode); -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 4be1994..a2fcbf8 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c -@@ -1672,7 +1672,7 @@ enum { +@@ -1667,7 +1667,7 @@ enum { Opt_inlinecrypt, Opt_usrjquota, Opt_grpjquota, Opt_offusrjquota, Opt_offgrpjquota, Opt_jqfmt_vfsold, Opt_jqfmt_vfsv0, Opt_jqfmt_vfsv1, Opt_quota, - Opt_noquota, Opt_barrier, Opt_nobarrier, Opt_err, + Opt_noquota, Opt_barrier, Opt_nobarrier, Opt_err, Opt_dirdata, - Opt_usrquota, Opt_grpquota, Opt_prjquota, Opt_i_version, + Opt_usrquota, Opt_grpquota, Opt_prjquota, Opt_dax, Opt_dax_always, Opt_dax_inode, Opt_dax_never, Opt_stripe, Opt_delalloc, Opt_nodelalloc, Opt_warn_on_error, -@@ -1756,6 +1756,7 @@ static const match_table_t tokens = { +@@ -1751,6 +1751,7 @@ static const match_table_t tokens = { {Opt_nolazytime, "nolazytime"}, {Opt_debug_want_extra_isize, "debug_want_extra_isize=%u"}, {Opt_nodelalloc, "nodelalloc"}, @@ -871,7 +859,7 @@ index 4be1994..a2fcbf8 100644 {Opt_removed, "mblk_io_submit"}, {Opt_removed, "nomblk_io_submit"}, {Opt_block_validity, "block_validity"}, -@@ -2000,6 +2001,7 @@ static const struct mount_opts { +@@ -1995,6 +1996,7 @@ static const struct mount_opts { {Opt_usrjquota, 0, MOPT_Q | MOPT_STRING}, {Opt_grpjquota, 0, MOPT_Q | MOPT_STRING}, {Opt_offusrjquota, 0, MOPT_Q}, @@ -879,6 +867,3 @@ index 4be1994..a2fcbf8 100644 {Opt_offgrpjquota, 0, MOPT_Q}, {Opt_jqfmt_vfsold, QFMT_VFS_OLD, MOPT_QFMT}, {Opt_jqfmt_vfsv0, QFMT_VFS_V0, MOPT_QFMT}, --- -2.34.1 - --- a/ldiskfs/kernel_patches/patches/sles15sp4/ext4-pdirop.patch +++ b/ldiskfs/kernel_patches/patches/sles15sp4/ext4-pdirop.patch @@ -17,14 +17,12 @@ This patch contains: - integrate with osd-ldiskfs --- - fs/ext4/Makefile | 1 + - fs/ext4/ext4.h | 78 ++++++++ - fs/ext4/namei.c | 465 ++++++++++++++++++++++++++++++++++++++++++----- - fs/ext4/super.c | 1 + + fs/ext4/Makefile | 1 + fs/ext4/ext4.h | 78 +++++++++ + fs/ext4/namei.c | 465 ++++++++++++++++++++++++++++++++++++++++++++++++++----- + fs/ext4/super.c | 1 4 files changed, 504 insertions(+), 41 deletions(-) -diff --git a/fs/ext4/Makefile b/fs/ext4/Makefile -index 49e7af6..f7ced03 100644 --- a/fs/ext4/Makefile +++ b/fs/ext4/Makefile @@ -7,6 +7,7 @@ obj-$(CONFIG_EXT4_FS) += ext4.o @@ -35,8 +33,6 @@ index 49e7af6..f7ced03 100644 indirect.o inline.o inode.o ioctl.o mballoc.o migrate.o \ mmp.o move_extent.o namei.o page-io.o readpage.o resize.o \ super.o symlink.o sysfs.o xattr.o xattr_hurd.o xattr_trusted.o \ -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 54734be..fa5d5d6 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -28,6 +28,7 @@ @@ -47,7 +43,7 @@ index 54734be..fa5d5d6 100644 #include <linux/sched/signal.h> #include <linux/blockgroup_lock.h> #include <linux/percpu_counter.h> -@@ -1020,6 +1021,9 @@ struct ext4_inode_info { +@@ -1023,6 +1024,9 @@ struct ext4_inode_info { __u32 i_dtime; ext4_fsblk_t i_file_acl; @@ -57,7 +53,7 @@ index 54734be..fa5d5d6 100644 /* * i_block_group is the number of the block group which contains * this file's inode. Constant across the lifetime of the inode, -@@ -2509,6 +2513,72 @@ struct dx_hash_info +@@ -2537,6 +2541,72 @@ struct dx_hash_info */ #define HASH_NB_ALWAYS 1 @@ -130,7 +126,7 @@ index 54734be..fa5d5d6 100644 struct ext4_filename { const struct qstr *usr_fname; struct fscrypt_str disk_name; -@@ -2887,12 +2957,20 @@ void ext4_insert_dentry(struct inode *dir, struct inode *inode, +@@ -2915,12 +2985,20 @@ void ext4_insert_dentry(struct inode *di void *data); static inline void ext4_update_dx_flag(struct inode *inode) { @@ -151,11 +147,9 @@ index 54734be..fa5d5d6 100644 } static const unsigned char ext4_filetype_table[] = { DT_UNKNOWN, DT_REG, DT_DIR, DT_CHR, DT_BLK, DT_FIFO, DT_SOCK, DT_LNK -diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c -index 51c950b..1b8c80e 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c -@@ -56,6 +56,7 @@ struct buffer_head *ext4_append(handle_t *handle, +@@ -56,6 +56,7 @@ struct buffer_head *ext4_append(handle_t { struct ext4_map_blocks map; struct buffer_head *bh; @@ -163,7 +157,7 @@ index 51c950b..1b8c80e 100644 int err; if (unlikely(EXT4_SB(inode->i_sb)->s_max_dir_size_kb && -@@ -63,6 +64,10 @@ struct buffer_head *ext4_append(handle_t *handle, +@@ -63,6 +64,10 @@ struct buffer_head *ext4_append(handle_t EXT4_SB(inode->i_sb)->s_max_dir_size_kb))) return ERR_PTR(-ENOSPC); @@ -174,7 +168,7 @@ index 51c950b..1b8c80e 100644 *block = inode->i_size >> inode->i_sb->s_blocksize_bits; map.m_lblk = *block; map.m_len = 1; -@@ -73,21 +78,27 @@ struct buffer_head *ext4_append(handle_t *handle, +@@ -73,16 +78,21 @@ struct buffer_head *ext4_append(handle_t * directory. */ err = ext4_map_blocks(NULL, inode, &map, 0); @@ -197,14 +191,16 @@ index 51c950b..1b8c80e 100644 + } inode->i_size += inode->i_sb->s_blocksize; EXT4_I(inode)->i_disksize = inode->i_size; + err = ext4_mark_inode_dirty(handle, inode); +@@ -91,6 +101,7 @@ struct buffer_head *ext4_append(handle_t BUFFER_TRACE(bh, "get_write_access"); err = ext4_journal_get_write_access(handle, inode->i_sb, bh, EXT4_JTR_NONE); + up(&ei->i_append_sem); - if (err) { - brelse(bh); - ext4_std_error(inode->i_sb, err); -@@ -291,7 +302,8 @@ static unsigned dx_node_limit(struct inode *dir); + if (err) + goto out; + return bh; +@@ -296,7 +307,8 @@ static unsigned dx_node_limit(struct ino static struct dx_frame *dx_probe(struct ext4_filename *fname, struct inode *dir, struct dx_hash_info *hinfo, @@ -214,7 +210,7 @@ index 51c950b..1b8c80e 100644 static void dx_release(struct dx_frame *frames, struct inode *dir); static int dx_make_map(struct inode *dir, struct buffer_head *bh, struct dx_hash_info *hinfo, -@@ -307,12 +319,13 @@ static void dx_insert_block(struct dx_frame *frame, +@@ -312,12 +324,13 @@ static void dx_insert_block(struct dx_fr static int ext4_htree_next_block(struct inode *dir, __u32 hash, struct dx_frame *frame, struct dx_frame *frames, @@ -231,7 +227,7 @@ index 51c950b..1b8c80e 100644 /* checksumming functions */ void ext4_initialize_dirent_tail(struct buffer_head *bh, -@@ -797,6 +810,227 @@ static inline void htree_rep_invariant_check(struct dx_entry *at, +@@ -804,6 +817,227 @@ static inline void htree_rep_invariant_c } #endif /* DX_DEBUG */ @@ -459,7 +455,7 @@ index 51c950b..1b8c80e 100644 /* * Probe for a directory leaf block to search. * -@@ -808,10 +1042,11 @@ static inline void htree_rep_invariant_check(struct dx_entry *at, +@@ -815,10 +1049,11 @@ static inline void htree_rep_invariant_c */ static struct dx_frame * dx_probe(struct ext4_filename *fname, struct inode *dir, @@ -473,7 +469,7 @@ index 51c950b..1b8c80e 100644 struct dx_root_info *info; struct dx_frame *frame = frame_in; struct dx_frame *ret_err = ERR_PTR(ERR_BAD_DX_DIR); -@@ -895,8 +1130,16 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, +@@ -908,8 +1143,16 @@ dx_probe(struct ext4_filename *fname, st level = 0; blocks[0] = 0; while (1) { @@ -490,7 +486,7 @@ index 51c950b..1b8c80e 100644 ext4_warning_inode(dir, "dx entry: count %u beyond limit %u", count, dx_get_limit(entries)); -@@ -923,6 +1166,74 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, +@@ -936,6 +1179,74 @@ dx_probe(struct ext4_filename *fname, st frame->entries = entries; frame->at = at; @@ -565,7 +561,7 @@ index 51c950b..1b8c80e 100644 block = dx_get_block(at); for (i = 0; i <= level; i++) { if (blocks[i] == block) { -@@ -932,8 +1243,7 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, +@@ -945,8 +1256,7 @@ dx_probe(struct ext4_filename *fname, st goto fail; } } @@ -575,7 +571,7 @@ index 51c950b..1b8c80e 100644 blocks[level] = block; frame++; frame->bh = ext4_read_dirblock(dir, block, INDEX); -@@ -1004,7 +1314,7 @@ static void dx_release(struct dx_frame *frames, struct inode *dir) +@@ -1017,7 +1327,7 @@ static void dx_release(struct dx_frame * static int ext4_htree_next_block(struct inode *dir, __u32 hash, struct dx_frame *frame, struct dx_frame *frames, @@ -584,7 +580,7 @@ index 51c950b..1b8c80e 100644 { struct dx_frame *p; struct buffer_head *bh; -@@ -1019,12 +1329,22 @@ static int ext4_htree_next_block(struct inode *dir, __u32 hash, +@@ -1032,12 +1342,22 @@ static int ext4_htree_next_block(struct * this loop, num_frames indicates the number of interior * nodes need to be read. */ @@ -609,7 +605,7 @@ index 51c950b..1b8c80e 100644 p--; } -@@ -1047,6 +1367,13 @@ static int ext4_htree_next_block(struct inode *dir, __u32 hash, +@@ -1060,6 +1380,13 @@ static int ext4_htree_next_block(struct * block so no check is necessary */ while (num_frames--) { @@ -623,7 +619,7 @@ index 51c950b..1b8c80e 100644 bh = ext4_read_dirblock(dir, dx_get_block(p->at), INDEX); if (IS_ERR(bh)) return PTR_ERR(bh); -@@ -1055,6 +1382,7 @@ static int ext4_htree_next_block(struct inode *dir, __u32 hash, +@@ -1068,6 +1395,7 @@ static int ext4_htree_next_block(struct p->bh = bh; p->at = p->entries = ((struct dx_node *) bh->b_data)->entries; } @@ -631,7 +627,7 @@ index 51c950b..1b8c80e 100644 return 1; } -@@ -1216,10 +1544,10 @@ int ext4_htree_fill_tree(struct file *dir_file, __u32 start_hash, +@@ -1234,10 +1562,10 @@ int ext4_htree_fill_tree(struct file *di } hinfo.hash = start_hash; hinfo.minor_hash = 0; @@ -644,7 +640,7 @@ index 51c950b..1b8c80e 100644 /* Add '.' and '..' from the htree header */ if (!start_hash && !start_minor_hash) { de = (struct ext4_dir_entry_2 *) frames[0].bh->b_data; -@@ -1259,7 +1587,7 @@ int ext4_htree_fill_tree(struct file *dir_file, __u32 start_hash, +@@ -1277,7 +1605,7 @@ int ext4_htree_fill_tree(struct file *di count += ret; hashval = ~0; ret = ext4_htree_next_block(dir, HASH_NB_ALWAYS, @@ -653,7 +649,7 @@ index 51c950b..1b8c80e 100644 *next_hash = hashval; if (ret < 0) { err = ret; -@@ -1579,7 +1907,7 @@ static int is_dx_internal_node(struct inode *dir, ext4_lblk_t block, +@@ -1600,7 +1928,7 @@ static int is_dx_internal_node(struct in static struct buffer_head *__ext4_find_entry(struct inode *dir, struct ext4_filename *fname, struct ext4_dir_entry_2 **res_dir, @@ -662,7 +658,7 @@ index 51c950b..1b8c80e 100644 { struct super_block *sb; struct buffer_head *bh_use[NAMEI_RA_SIZE]; -@@ -1621,7 +1949,7 @@ static struct buffer_head *__ext4_find_entry(struct inode *dir, +@@ -1641,7 +1969,7 @@ static struct buffer_head *__ext4_find_e goto restart; } if (is_dx(dir)) { @@ -671,7 +667,7 @@ index 51c950b..1b8c80e 100644 /* * On success, or if the error was file not found, * return. Otherwise, fall back to doing a search the -@@ -1631,6 +1959,7 @@ static struct buffer_head *__ext4_find_entry(struct inode *dir, +@@ -1651,6 +1979,7 @@ static struct buffer_head *__ext4_find_e goto cleanup_and_exit; dxtrace(printk(KERN_DEBUG "ext4_find_entry: dx failed, " "falling back\n")); @@ -679,7 +675,7 @@ index 51c950b..1b8c80e 100644 ret = NULL; } nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb); -@@ -1721,10 +2050,10 @@ cleanup_and_exit: +@@ -1741,10 +2070,10 @@ cleanup_and_exit: return ret; } @@ -692,7 +688,7 @@ index 51c950b..1b8c80e 100644 { int err; struct ext4_filename fname; -@@ -1736,12 +2065,14 @@ static struct buffer_head *ext4_find_entry(struct inode *dir, +@@ -1756,12 +2085,14 @@ static struct buffer_head *ext4_find_ent if (err) return ERR_PTR(err); @@ -708,7 +704,7 @@ index 51c950b..1b8c80e 100644 static struct buffer_head *ext4_lookup_entry(struct inode *dir, struct dentry *dentry, struct ext4_dir_entry_2 **res_dir) -@@ -1757,7 +2088,7 @@ static struct buffer_head *ext4_lookup_entry(struct inode *dir, +@@ -1777,7 +2108,7 @@ static struct buffer_head *ext4_lookup_e if (err) return ERR_PTR(err); @@ -717,7 +713,7 @@ index 51c950b..1b8c80e 100644 ext4_fname_free_filename(&fname); return bh; -@@ -1765,7 +2096,8 @@ static struct buffer_head *ext4_lookup_entry(struct inode *dir, +@@ -1785,7 +2116,8 @@ static struct buffer_head *ext4_lookup_e static struct buffer_head * ext4_dx_find_entry(struct inode *dir, struct ext4_filename *fname, @@ -727,7 +723,7 @@ index 51c950b..1b8c80e 100644 { struct super_block * sb = dir->i_sb; struct dx_frame frames[EXT4_HTREE_LEVEL], *frame; -@@ -1776,7 +2108,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir, +@@ -1796,7 +2128,7 @@ static struct buffer_head * ext4_dx_find #ifdef CONFIG_FS_ENCRYPTION *res_dir = NULL; #endif @@ -736,7 +732,7 @@ index 51c950b..1b8c80e 100644 if (IS_ERR(frame)) return (struct buffer_head *) frame; do { -@@ -1798,7 +2130,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir, +@@ -1818,7 +2150,7 @@ static struct buffer_head * ext4_dx_find /* Check to see if we should continue to search */ retval = ext4_htree_next_block(dir, fname->hinfo.hash, frame, @@ -745,7 +741,7 @@ index 51c950b..1b8c80e 100644 if (retval < 0) { ext4_warning_inode(dir, "error %d reading directory index block", -@@ -1987,8 +2319,9 @@ static struct ext4_dir_entry_2 *dx_pack_dirents(struct inode *dir, char *base, +@@ -2007,8 +2339,9 @@ static struct ext4_dir_entry_2 *dx_pack_ * Returns pointer to de in block into which the new entry will be inserted. */ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, @@ -757,7 +753,7 @@ index 51c950b..1b8c80e 100644 { unsigned blocksize = dir->i_sb->s_blocksize; unsigned continued; -@@ -2065,8 +2398,14 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, +@@ -2085,8 +2418,14 @@ static struct ext4_dir_entry_2 *do_split hash2, split, count-split)); /* Fancy dance to stay within two buffers */ @@ -774,7 +770,7 @@ index 51c950b..1b8c80e 100644 de = dx_pack_dirents(dir, data1, blocksize); de->rec_len = ext4_rec_len_to_disk(data1 + (blocksize - csum_size) - (char *) de, -@@ -2084,12 +2423,21 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, +@@ -2104,12 +2443,21 @@ static struct ext4_dir_entry_2 *do_split dxtrace(dx_show_leaf(dir, hinfo, (struct ext4_dir_entry_2 *) data2, blocksize, 1)); @@ -801,7 +797,7 @@ index 51c950b..1b8c80e 100644 err = ext4_handle_dirty_dirblock(handle, dir, bh2); if (err) goto journal_error; -@@ -2388,7 +2736,7 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, +@@ -2421,7 +2769,7 @@ static int make_indexed_dir(handle_t *ha if (retval) goto out_frames; @@ -810,7 +806,7 @@ index 51c950b..1b8c80e 100644 if (IS_ERR(de)) { retval = PTR_ERR(de); goto out_frames; -@@ -2497,8 +2845,8 @@ out: +@@ -2530,8 +2878,8 @@ out: * may not sleep between calling this and putting something into * the entry, as someone else might have used it while you slept. */ @@ -821,7 +817,7 @@ index 51c950b..1b8c80e 100644 { struct inode *dir = d_inode(dentry->d_parent); struct buffer_head *bh = NULL; -@@ -2547,9 +2895,10 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry, +@@ -2580,9 +2928,10 @@ static int ext4_add_entry(handle_t *hand if (dentry->d_name.len == 2 && memcmp(dentry->d_name.name, "..", 2) == 0) return ext4_update_dotdot(handle, dentry, inode); @@ -833,7 +829,7 @@ index 51c950b..1b8c80e 100644 /* Can we just ignore htree data? */ if (ext4_has_metadata_csum(sb)) { EXT4_ERROR_INODE(dir, -@@ -2612,12 +2961,14 @@ out: +@@ -2645,12 +2994,14 @@ out: ext4_set_inode_state(inode, EXT4_STATE_NEWENTRY); return retval; } @@ -849,7 +845,7 @@ index 51c950b..1b8c80e 100644 { struct dx_frame frames[EXT4_HTREE_LEVEL], *frame; struct dx_entry *entries, *at; -@@ -2629,7 +2980,7 @@ static int ext4_dx_add_entry(handle_t *handle, struct ext4_filename *fname, +@@ -2662,7 +3013,7 @@ static int ext4_dx_add_entry(handle_t *h again: restart = 0; @@ -858,7 +854,7 @@ index 51c950b..1b8c80e 100644 if (IS_ERR(frame)) return PTR_ERR(frame); entries = frame->entries; -@@ -2664,6 +3015,12 @@ again: +@@ -2697,6 +3048,12 @@ again: struct dx_node *node2; struct buffer_head *bh2; @@ -871,7 +867,7 @@ index 51c950b..1b8c80e 100644 while (frame > frames) { if (dx_get_count((frame - 1)->entries) < dx_get_limit((frame - 1)->entries)) { -@@ -2767,8 +3124,32 @@ again: +@@ -2800,8 +3157,32 @@ again: restart = 1; goto journal_error; } @@ -905,7 +901,7 @@ index 51c950b..1b8c80e 100644 if (IS_ERR(de)) { err = PTR_ERR(de); goto cleanup; -@@ -2779,6 +3160,8 @@ again: +@@ -2812,6 +3193,8 @@ again: journal_error: ext4_std_error(dir->i_sb, err); /* this is a no-op if err == 0 */ cleanup: @@ -914,18 +910,13 @@ index 51c950b..1b8c80e 100644 brelse(bh); dx_release(frames, dir); /* @restart is true means htree-path has been changed, we need to -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index a2fcbf8..82ea5f6 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c -@@ -1291,6 +1291,7 @@ static struct inode *ext4_alloc_inode(struct super_block *sb) - +@@ -1286,6 +1286,7 @@ static struct inode *ext4_alloc_inode(st inode_set_iversion(&ei->vfs_inode, 1); + ei->i_flags = 0; spin_lock_init(&ei->i_raw_lock); + sema_init(&ei->i_append_sem, 1); INIT_LIST_HEAD(&ei->i_prealloc_list); atomic_set(&ei->i_prealloc_active, 0); spin_lock_init(&ei->i_prealloc_lock); --- -2.34.1 - --- a/ldiskfs/kernel_patches/series/ldiskfs-5.14.21-sles15sp4.series +++ b/ldiskfs/kernel_patches/series/ldiskfs-5.14.21-sles15sp4.series @@ -1,3 +1,130 @@ +patches.suse/ext4-add-new-helper-interface-ext4_try_to_trim_range.patch +patches.suse/ext4-fix-fast-commit-may-miss-tracking-range-for-FAL.patch +patches.suse/ext4-use-ext4_ext_remove_space-for-fast-commit-repla.patch +patches.suse/ext4-fast-commit-may-miss-tracking-unwritten-range-d.patch +patches.suse/ext4-destroy-ext4_fc_dentry_cachep-kmemcache-on-modu.patch +patches.suse/ext4-Fix-BUG_ON-in-ext4_bread-when-write-quota-data.patch +patches.suse/ext4-make-sure-quota-gets-properly-shutdown-on-error.patch +patches.suse/ext4-make-sure-to-reset-inode-lockdep-class-when-quo.patch +patches.suse/ext4-fix-a-possible-ABBA-deadlock-due-to-busy-PA.patch +patches.suse/ext4-initialize-err_blk-before-calling-__ext4_get_in.patch +patches.suse/ext4-fix-null-ptr-deref-in-__ext4_journal_ensure_cre.patch +patches.suse/ext4-fix-an-use-after-free-issue-about-data-journal-.patch +patches.suse/ext4-avoid-trim-error-on-fs-with-small-groups.patch +patches.suse/ext4-don-t-use-the-orphan-list-when-migrating-an-ino.patch +patches.suse/ext4-prevent-used-blocks-from-being-allocated-during.patch +patches.suse/ext4-modify-the-logic-of-ext4_mb_new_blocks_simple.patch +patches.suse/ext4-fix-error-handling-in-ext4_restore_inline_data.patch +patches.suse/ext4-fix-error-handling-in-ext4_fc_record_modified_i.patch +patches.suse/ext4-fix-incorrect-type-issue-during-replay_del_rang.patch +patches.suse/ext4-fix-fs-corruption-when-tring-to-remove-a-non-em.patch +patches.suse/ext4-fix-ext4_fc_stats-trace-point.patch +patches.suse/ext4-fix-fallocate-to-use-file_modified-to-update-pe.patch +patches.suse/ext4-fix-symlink-file-size-not-match-to-file-content.patch +patches.suse/ext4-fix-use-after-free-in-ext4_search_dir.patch +patches.suse/ext4-limit-length-to-bitmap_maxbytes-blocksize-in-pu.patch +patches.suse/ext4-fix-overhead-calculation-to-account-for-the-res.patch +patches.suse/ext4-force-overhead-calculation-if-the-s_overhead_cl.patch +patches.suse/ext4-fix-warning-in-ext4_handle_inode_extension.patch +patches.suse/ext4-fix-use-after-free-in-ext4_rename_dir_prepare.patch +patches.suse/ext4-mark-group-as-trimmed-only-if-it-was-fully-scan.patch +patches.suse/ext4-fix-race-condition-between-ext4_write-and-ext4_.patch +patches.suse/ext4-reject-the-commit-option-on-ext2-filesystems.patch +patches.suse/ext4-fix-bug_on-in-ext4_writepages.patch +patches.suse/ext4-filter-out-EXT4_FC_REPLAY-from-on-disk-superblo.patch +patches.suse/ext4-verify-dir-block-before-splitting-it.patch +patches.suse/ext4-avoid-cycles-in-directory-h-tree.patch +patches.suse/ext4-fix-bug_on-in-__es_tree_search.patch +patches.suse/ext4-fix-super-block-checksum-incorrect-after-mount.patch +patches.suse/ext4-fix-bug_on-ext4_mb_use_inode_pa.patch +patches.suse/ext4-make-variable-count-signed.patch +patches.suse/ext4-add-reserved-GDT-blocks-check.patch +patches.suse/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch +patches.suse/ext4-check-if-directory-block-is-within-i_size.patch +patches.suse/ext4-make-sure-ext4_append-always-allocates-new-bloc.patch +patches.suse/ext4-remove-EA-inode-entry-from-mbcache-on-inode-evi.patch +patches.suse/ext4-unindent-codeblock-in-ext4_xattr_block_set.patch +patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch +patches.suse/ext4-don-t-increase-iversion-counter-for-ea_inodes.patch +patches.suse/ext4-unconditionally-enable-the-i_version-counter.patch +patches.suse/ext4-ext4_read_bh_lock-should-submit-IO-if-the-buffe.patch +patches.suse/ext4-place-buffer-head-allocation-before-handle-star.patch +patches.suse/ext4-fix-dir-corruption-when-ext4_dx_add_entry-fails.patch +patches.suse/ext4-fix-miss-release-buffer-head-in-ext4_fc_write_i.patch +patches.suse/ext4-goto-right-label-failed_mount3a.patch +patches.suse/ext4-fix-potential-memory-leak-in-ext4_fc_record_mod.patch +patches.suse/ext4-fix-potential-memory-leak-in-ext4_fc_record_reg.patch +patches.suse/ext4-update-state-fc_regions_size-after-successful-m.patch +patches.suse/ext4-introduce-EXT4_FC_TAG_BASE_LEN-helper.patch +patches.suse/ext4-factor-out-ext4_fc_get_tl.patch +patches.suse/ext4-fix-potential-out-of-bound-read-in-ext4_fc_repl.patch +patches.suse/ext4-f2fs-fix-readahead-of-verity-data.patch +patches.suse/ext4-fix-BUG_ON-when-directory-entry-has-invalid-rec.patch +patches.suse/ext4-fix-warning-in-ext4_da_release_space.patch +patches.suse/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch +patches.suse/ext4-silence-the-warning-when-evicting-inode-with-di.patch +patches.suse/ext4-add-inode-table-check-in-__ext4_get_inode_loc-t.patch +patches.suse/ext4-add-helper-to-check-quota-inums.patch +patches.suse/ext4-add-EXT4_IGET_BAD-flag-to-prevent-unexpected-ba.patch +patches.suse/ext4-fix-bug_on-in-__es_tree_search-caused-by-bad-bo.patch +patches.suse/ext4-fix-undefined-behavior-in-bit-shift-for-ext4_ch.patch +patches.suse/ext4-don-t-allow-journal-inode-to-have-encrypt-flag.patch +patches.suse/ext4-fix-use-after-free-in-ext4_orphan_cleanup.patch +patches.suse/ext4-don-t-set-up-encryption-key-during-jbd2-transac.patch +patches.suse/ext4-fix-leaking-uninitialized-memory-in-fast-commit.patch +patches.suse/ext4-add-missing-validation-of-fast-commit-record-le.patch +patches.suse/ext4-fix-unaligned-memory-access-in-ext4_fc_reserve_.patch +patches.suse/ext4-fix-off-by-one-errors-in-fast-commit-block-fill.patch +patches.suse/ext4-init-quota-for-old.inode-in-ext4_rename.patch +patches.suse/ext4-fix-error-code-return-to-user-space-in-ext4_get.patch +patches.suse/ext4-fix-bad-checksum-after-online-resize.patch +patches.suse/ext4-fix-corruption-when-online-resizing-a-1K-bigall.patch +patches.suse/ext4-fix-uninititialized-value-in-ext4_evict_inode.patch +patches.suse/ext4-fix-delayed-allocation-bug-in-ext4_clu_mapped-f.patch +patches.suse/fs-ext4-initialize-fsdata-in-pagecache_write.patch +patches.suse/ext4-avoid-BUG_ON-when-creating-xattrs.patch +patches.suse/ext4-fix-deadlock-due-to-mbcache-entry-corruption.patch +patches.suse/ext4-fix-kernel-BUG-in-ext4_write_inline_data_end.patch +patches.suse/ext4-initialize-quota-before-expanding-inode-in-setp.patch +patches.suse/ext4-avoid-unaccounted-block-allocation-when-expandi.patch +patches.suse/ext4-allocate-extended-attribute-value-in-vmalloc-ar.patch +patches.suse/ext4-fix-inode-leak-in-ext4_xattr_inode_create-on-an.patch +patches.suse/ext4-fix-reserved-cluster-accounting-in-__es_remove_.patch +patches.suse/ext4-use-ext4_fc_tl_mem-in-fast-commit-replay-path.patch +patches.suse/ext4-refuse-to-create-ea-block-when-umounted.patch +patches.suse/ext4-fail-ext4_iget-if-special-inode-unallocated.patch +patches.suse/ext4-update-s_journal_inum-if-it-changes-after-journ.patch +patches.suse/ext4-fix-task-hung-in-ext4_xattr_delete_inode.patch +patches.suse/ext4-Fix-possible-corruption-when-moving-a-directory.patch +patches.suse/ext4-fix-incorrect-options-show-of-original-mount_op.patch +patches.suse/ext4-fix-cgroup-writeback-accounting-with-fs-layer-e.patch +patches.suse/ext4-fix-RENAME_WHITEOUT-handling-for-inline-directo.patch +patches.suse/ext4-fix-another-off-by-one-fsmap-error-on-1k-block-.patch +patches.suse/ext4-Fix-deadlock-during-directory-rename.patch +patches.suse/ext4-move-where-set-the-MAY_INLINE_DATA-flag-is-set.patch +patches.suse/ext4-fix-WARNING-in-ext4_update_inline_data.patch +patches.suse/ext4-zero-i_disksize-when-initializing-the-bootloade.patch +patches.suse/ext4-fix-possible-double-unlock-when-moving-a-direct.patch +patches.suse/ext4-fix-i_disksize-exceeding-i_size-problem-in-pari.patch +patches.suse/ext4-fix-use-after-free-read-in-ext4_find_extent-for.patch +patches.suse/ext4-fix-WARNING-in-mb_find_extent.patch +patches.suse/ext4-fix-lockdep-warning-when-enabling-MMP.patch +patches.suse/ext4-avoid-deadlock-in-fs-reclaim-with-page-writebac.patch +patches.suse/ext4-fix-data-races-when-using-cached-status-extents.patch +patches.suse/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-.patch +patches.suse/ext4-improve-error-handling-from-ext4_dirhash.patch +patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch +patches.suse/ext4-fix-deadlock-when-converting-an-inline-director.patch +patches.suse/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-.patch +patches.suse/ext4-add-EA_INODE-checking-to-ext4_iget.patch +patches.suse/ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_x.patch +patches.suse/ext4-disallow-ea_inodes-with-extended-attributes.patch +patches.suse/ext4-add-lockdep-annotations-for-i_data_sem-for-ea_i.patch +patches.suse/ext4-only-update-i_reserved_data_blocks-on-successfu.patch +patches.suse/ext4-Fix-reusing-stale-buffer-heads-from-last-failed.patch +patches.suse/ext4-turn-quotas-off-if-mount-failed-after-enabling-.patch +patches.suse/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext.patch +patches.suse/ext4-fixup-pages-without-buffers.patch rhel8/ext4-inode-version.patch linux-5.4/ext4-lookup-dotdot.patch linux-5.14/ext4-print-inum-in-htree-warning.patch
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
