linux-yocto/fs
Zhang Yi a4d60ba277 ext4: fix out of bounds punch offset
[ Upstream commit b5e58bcd79 ]

Punching a hole with a start offset that exceeds max_end is not
permitted and will result in a negative length in the
truncate_inode_partial_folio() function while truncating the page cache,
potentially leading to undesirable consequences.

A simple reproducer:

  truncate -s 9895604649994 /mnt/foo
  xfs_io -c "pwrite 8796093022208 4096" /mnt/foo
  xfs_io -c "fpunch 8796093022213 25769803777" /mnt/foo

  kernel BUG at include/linux/highmem.h:275!
  Oops: invalid opcode: 0000 [#1] SMP PTI
  CPU: 3 UID: 0 PID: 710 Comm: xfs_io Not tainted 6.15.0-rc3
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
  RIP: 0010:zero_user_segments.constprop.0+0xd7/0x110
  RSP: 0018:ffffc90001cf3b38 EFLAGS: 00010287
  RAX: 0000000000000005 RBX: ffffea0001485e40 RCX: 0000000000001000
  RDX: 000000000040b000 RSI: 0000000000000005 RDI: 000000000040b000
  RBP: 000000000040affb R08: ffff888000000000 R09: ffffea0000000000
  R10: 0000000000000003 R11: 00000000fffc7fc5 R12: 0000000000000005
  R13: 000000000040affb R14: ffffea0001485e40 R15: ffff888031cd3000
  FS:  00007f4f63d0b780(0000) GS:ffff8880d337d000(0000)
  knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000000001ae0b038 CR3: 00000000536aa000 CR4: 00000000000006f0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   <TASK>
   truncate_inode_partial_folio+0x3dd/0x620
   truncate_inode_pages_range+0x226/0x720
   ? bdev_getblk+0x52/0x3e0
   ? ext4_get_group_desc+0x78/0x150
   ? crc32c_arch+0xfd/0x180
   ? __ext4_get_inode_loc+0x18c/0x840
   ? ext4_inode_csum+0x117/0x160
   ? jbd2_journal_dirty_metadata+0x61/0x390
   ? __ext4_handle_dirty_metadata+0xa0/0x2b0
   ? kmem_cache_free+0x90/0x5a0
   ? jbd2_journal_stop+0x1d5/0x550
   ? __ext4_journal_stop+0x49/0x100
   truncate_pagecache_range+0x50/0x80
   ext4_truncate_page_cache_block_range+0x57/0x3a0
   ext4_punch_hole+0x1fe/0x670
   ext4_fallocate+0x792/0x17d0
   ? __count_memcg_events+0x175/0x2a0
   vfs_fallocate+0x121/0x560
   ksys_fallocate+0x51/0xc0
   __x64_sys_fallocate+0x24/0x40
   x64_sys_call+0x18d2/0x4170
   do_syscall_64+0xa7/0x220
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix this by filtering out cases where the punching start offset exceeds
max_end.

Fixes: 982bf37da0 ("ext4: refactor ext4_punch_hole()")
Reported-by: Liebes Wang <wanghaichi0403@gmail.com>
Closes: https://lore.kernel.org/linux-ext4/ac3a58f6-e686-488b-a9ee-fc041024e43d@huawei.com/
Tested-by: Liebes Wang <wanghaichi0403@gmail.com>
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Link: https://patch.msgid.link/20250506012009.3896990-1-yi.zhang@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-08-01 09:48:46 +01:00
9p 9p: Add a migrate_folio method 2025-06-19 15:32:36 +02:00
adfs move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
affs affs: don't write overlarge OFS data block size fields 2025-04-10 14:39:29 +02:00
afs afs: Give an afs_server object a ref on the afs_cell object it points to 2025-03-07 18:25:29 +01:00
autofs autofs: fix thinko in validate_dev_ioctl() 2024-10-28 13:16:56 +01:00
bcachefs add a string-to-qstr constructor 2025-07-10 16:05:08 +02:00
befs
bfs
btrfs btrfs: fix block group refcount race in btrfs_create_pending_block_groups() 2025-07-24 08:56:36 +02:00
cachefiles cachefiles: Fix the incorrect return value in __cachefiles_write() 2025-07-24 08:56:30 +02:00
ceph ceph: fix possible integer overflow in ceph_zero_objects() 2025-07-06 11:01:36 +02:00
coda
configfs configfs: Do not override creating attribute file failure in populate_attrs() 2025-06-27 11:11:12 +01:00
cramfs
crypto move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
debugfs [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
devpts
dlm dlm: make tcp still work in multi-link env 2025-05-29 11:02:14 +02:00
ecryptfs move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
efivarfs efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths 2025-07-24 08:56:36 +02:00
efs efs: fix the efs new mount api implementation 2024-12-05 14:01:10 +01:00
erofs erofs: fix large fragment handling 2025-08-01 09:48:45 +01:00
exfat exfat: call bh_read in get_block only when necessary 2025-05-29 11:02:03 +02:00
exportfs
ext2 vfs-6.12.file 2024-09-16 09:14:02 +02:00
ext4 ext4: fix out of bounds punch offset 2025-08-01 09:48:46 +01:00
f2fs f2fs: zone: fix to calculate first_zoned_segno correctly 2025-07-10 16:04:59 +02:00
fat fat: fix uninitialized variable 2024-10-17 00:28:06 -07:00
freevxfs
fuse fuse: fix race between concurrent setattrs from multiple nodes 2025-07-06 11:01:32 +02:00
gfs2 gfs2: Don't start unnecessary transactions during log flush 2025-07-10 16:04:57 +02:00
hfs hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key 2025-04-25 10:47:52 +02:00
hfsplus hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key 2025-04-25 10:47:52 +02:00
hostfs um: hostfs: avoid issues on inode number reuse by host 2025-04-10 14:39:25 +02:00
hpfs move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hugetlbfs mm: use aligned address in clear_gigantic_page() 2024-12-27 14:02:20 +01:00
iomap iomap: skip unnecessary ifs_block_is_uptodate check 2025-05-02 07:59:27 +02:00
isofs isofs: Verify inode mode when loading from disk 2025-07-24 08:56:25 +02:00
jbd2 jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() 2025-06-27 11:11:16 +01:00
jffs2 jffs2: check jffs2_prealloc_raw_node_refs() result in few other places 2025-06-27 11:11:37 +01:00
jfs jfs: reject on-disk inodes of an unsupported type 2025-08-01 09:48:44 +01:00
kernfs add a string-to-qstr constructor 2025-07-10 16:05:08 +02:00
lockd move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
minix
netfs netfs: Fix ref leak on inserted extra subreq in write retry 2025-07-17 18:37:16 +02:00
nfs NFSv4/flexfiles: Fix handling of NFS level errors in I/O 2025-07-10 16:05:09 +02:00
nfs_common nfs: fix incorrect error handling in LOCALIO 2025-02-08 09:57:59 +01:00
nfsd nfsd: use threads array as-is in netlink interface 2025-06-27 11:11:40 +01:00
nilfs2 nilfs2: reject invalid file types when reading inodes 2025-08-01 09:48:43 +01:00
nls move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
notify fix a leak in fcntl_dirnotify() 2025-07-24 08:56:30 +02:00
ntfs3 fs/ntfs3: Add missing direct_IO in ntfs_aops_cmpr 2025-06-19 15:31:36 +02:00
ocfs2 ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery 2025-06-19 15:32:01 +02:00
omfs
openpromfs
orangefs orangefs: Do not truncate file size 2025-05-29 11:02:28 +02:00
overlayfs ovl: Check for NULL d_inode() in ovl_dentry_upper() 2025-07-06 11:01:36 +02:00
proc mm: fix the inaccurate memory statistics issue for users 2025-07-17 18:37:13 +02:00
pstore pstore: Change kmsg_bytes storage size to u32 2025-05-29 11:02:58 +02:00
qnx4
qnx6 fs/qnx6: Fix building with GCC 15 2025-01-23 17:22:55 +01:00
quota quota: flush quota_release_work upon quota writeback 2024-12-09 10:40:55 +01:00
ramfs
reiserfs move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
romfs
smb smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data 2025-07-24 08:56:38 +02:00
squashfs Squashfs: check return result of sb_min_blocksize 2025-06-19 15:32:01 +02:00
sysfs
sysv
tests
tracefs tracing: Fix tracefs mount options 2024-11-01 08:38:14 -04:00
ubifs ubifs: skip dumping tnc tree when zroot is null 2025-02-08 09:58:01 +01:00
udf udf: Make sure i_lenExtents is uptodate on inode eviction 2025-05-22 14:29:44 +02:00
ufs ufs_rename(): fix bogus argument of folio_release_kmap() 2024-10-02 00:05:09 -04:00
unicode Revert "unicode: Don't special case ignorable code points" 2024-12-14 20:04:13 +01:00
vboxsf vboxsf: fix building with GCC 15 2025-03-22 12:54:15 -07:00
verity
xfs xfs: don't assume perags are initialised when trimming AGs 2025-06-19 15:32:36 +02:00
zonefs zonefs fixes for 6.12-rc2 2024-10-02 12:02:15 -07:00
aio.c
anon_inodes.c fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass 2025-07-10 16:05:09 +02:00
attr.c
backing-file.c fs: pass offset and result to backing_file end_write() callback 2024-10-16 13:17:45 +02:00
bad_inode.c
binfmt_elf_fdpic.c Revert "fs: don't block i_writecount during exec" 2024-12-05 14:02:50 +01:00
binfmt_elf.c binfmt_elf: Move brk for static PIE even if ASLR disabled 2025-05-22 14:29:35 +02:00
binfmt_flat.c binfmt_flat: Fix integer overflow bug on 32 bit systems 2025-02-17 10:05:04 +01:00
binfmt_misc.c Revert "fs: don't block i_writecount during exec" 2024-12-05 14:02:50 +01:00
binfmt_script.c
bpf_fs_kfuncs.c
buffer.c fs/buffer: use sleeping version of __find_get_block() 2025-05-29 11:02:00 +02:00
char_dev.c
compat_binfmt_elf.c
coredump.c coredump: hand a pidfd to the usermode coredump helper 2025-06-04 14:43:52 +02:00
d_path.c
dax.c fsdax: dax_unshare_iter needs to copy entire blocks 2024-10-07 13:51:47 +02:00
dcache.c vfs-6.12.misc 2024-09-16 08:35:09 +02:00
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c eventpoll: don't decrement ep refcount while still holding the ep mutex 2025-07-17 18:37:01 +02:00
exec.c exec: fix the racy usage of fs_struct->in_exec 2025-04-10 14:39:40 +02:00
fcntl.c fcntl: make F_DUPFD_QUERY associative 2024-12-05 14:02:47 +01:00
fhandle.c struct fd layout change (and conversion to accessor helpers) 2024-09-23 09:35:36 -07:00
file_table.c add a string-to-qstr constructor 2025-07-10 16:05:08 +02:00
file.c fs: consistently deref the files table with rcu_dereference_raw() 2025-04-20 10:15:10 +02:00
filesystems.c fs/filesystems: Fix potential unsigned integer underflow in fs_name() 2025-06-19 15:32:32 +02:00
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c fs/writeback: convert wbc_account_cgroup_owner to take a folio 2025-01-17 13:40:33 +01:00
fsopen.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
init.c
inode.c bcachefs: do not use PF_MEMALLOC_NORECLAIM 2024-10-09 12:47:18 -07:00
internal.h
ioctl.c
Kconfig nfs: add missing selections of CONFIG_CRC32 2025-04-25 10:47:50 +02:00
Kconfig.binfmt
kernel_read_file.c
libfs.c libfs: Fix duplicate directory entry in offset_dir_lookup 2025-03-28 22:03:28 +01:00
locks.c struct fd layout change (and conversion to accessor helpers) 2024-09-23 09:35:36 -07:00
Makefile
mbcache.c
mnt_idmapping.c fuse update for 6.12 2024-09-24 15:29:42 -07:00
mount.h fs: kill MNT_ONRB 2025-01-17 13:40:50 +01:00
mpage.c fs/writeback: convert wbc_account_cgroup_owner to take a folio 2025-01-17 13:40:33 +01:00
namei.c fuse: don't truncate cached, mutated symlink 2025-03-22 12:54:20 -07:00
namespace.c clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns 2025-07-24 08:56:36 +02:00
nsfs.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
open.c openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) 2024-10-10 12:09:03 +02:00
pidfs.c pidfs: improve multi-threaded exec and premature thread-group leader exit polling 2025-05-29 11:02:09 +02:00
pipe.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
pnode.c
pnode.h
posix_acl.c fs: Use in_group_or_capable() helper to simplify the code 2024-08-30 08:22:37 +02:00
proc_namespace.c
read_write.c fs/block: Check for IOCB_DIRECT in generic_atomic_write_valid() 2024-12-05 14:01:11 +01:00
readdir.c
remap_range.c
select.c select: Fix unbalanced user_access_end() 2025-02-08 09:56:53 +01:00
seq_file.c
signalfd.c struct fd layout change (and conversion to accessor helpers) 2024-09-23 09:35:36 -07:00
splice.c splice: remove duplicate noinline from pipe_clear_nowait 2025-05-02 07:59:04 +02:00
stack.c
stat.c
statfs.c
super.c fs/super.c: introduce get_tree_bdev_flags() 2024-10-21 14:30:26 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c mm/userfaultfd: fix uninitialized output field for -EAGAIN race 2025-05-18 08:24:52 +02:00
utimes.c
xattr.c fs/xattr.c: fix simple_xattr_list() 2025-06-27 11:11:36 +01:00