diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch')
| -rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch new file mode 100644 index 000000000..0fb6d112d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch @@ -0,0 +1,71 @@ +From 185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1 Mon Sep 17 00:00:00 2001 +From: Baokun Li <libaokun1@huawei.com> +Date: Thu, 4 Jan 2024 22:20:33 +0800 +Subject: ext4: fix double-free of blocks due to wrong extents moved_len + +commit 55583e899a5357308274601364741a83e78d6ac4 upstream. + +In ext4_move_extents(), moved_len is only updated when all moves are +successfully executed, and only discards orig_inode and donor_inode +preallocations when moved_len is not zero. When the loop fails to exit +after successfully moving some extents, moved_len is not updated and +remains at 0, so it does not discard the preallocations. + +If the moved extents overlap with the preallocated extents, the +overlapped extents are freed twice in ext4_mb_release_inode_pa() and +ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4: +Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is +incremented twice. Hence when trim is executed, a zero-division bug is +triggered in mb_update_avg_fragment_size() because bb_free is not zero +and bb_fragments is zero. + +Therefore, update move_len after each extent move to avoid the issue. + +Reported-by: Wei Chen <harperchen1110@gmail.com> +Reported-by: xingwei lee <xrivendell7@gmail.com> +Closes: https://lore.kernel.org/r/CAO4mrferzqBUnCag8R3m2zf897ts9UEuhjFQGPtODT92rYyR2Q@mail.gmail.com +Fixes: fcf6b1b729bc ("ext4: refactor ext4_move_extents code base") +CC: <stable@vger.kernel.org> # 3.18 +Signed-off-by: Baokun Li <libaokun1@huawei.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20240104142040.2835097-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/ext4/move_extent.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c +index dedc9d445f2433..8e3ff150bc36b1 100644 +--- a/fs/ext4/move_extent.c ++++ b/fs/ext4/move_extent.c +@@ -621,6 +621,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, + goto out; + o_end = o_start + len; + ++ *moved_len = 0; + while (o_start < o_end) { + struct ext4_extent *ex; + ext4_lblk_t cur_blk, next_blk; +@@ -675,7 +676,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, + */ + ext4_double_up_write_data_sem(orig_inode, donor_inode); + /* Swap original branches with new branches */ +- move_extent_per_page(o_filp, donor_inode, ++ *moved_len += move_extent_per_page(o_filp, donor_inode, + orig_page_index, donor_page_index, + offset_in_page, cur_len, + unwritten, &ret); +@@ -685,9 +686,6 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, + o_start += cur_len; + d_start += cur_len; + } +- *moved_len = o_start - orig_blk; +- if (*moved_len > len) +- *moved_len = len; + + out: + if (*moved_len) { +-- +cgit 1.2.3-korg + |