January 2023 - Linux-stable-mirror

FAILED: patch "[PATCH] btrfs: fix extent map use-after-free when handling missing" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 1742e1c90c3d ("btrfs: fix extent map use-after-free when handling missing device in read_one_chunk") ff37c89f94be ("btrfs: move missing device handling in a dedicate function") 562d7b1512f7 ("btrfs: handle device lookup with btrfs_dev_lookup_args") 1a9fd4172d5c ("btrfs: fix typos in comments") e9306ad4ef5c ("btrfs: more graceful errors/warnings on 32bit systems when reaching limits") bc03f39ec3c1 ("btrfs: use a bit to track the existence of tree mod log users") 406808ab2f0b ("btrfs: use booleans where appropriate for the tree mod log functions") f3a84ccd28d0 ("btrfs: move the tree mod log code into its own file") dbcc7d57bffc ("btrfs: fix race when cloning extent buffer during rewind of an old root") cac06d843f25 ("btrfs: introduce the skeleton of btrfs_subpage structure") 2f96e40212d4 ("btrfs: fix possible free space tree corruption with online conversion") 1aaac38c83a2 ("btrfs: don't allow tree block to cross page boundary for subpage support") 948462294577 ("btrfs: keep sb cache_generation consistent with space_cache") 8b228324a8ce ("btrfs: clear free space tree on ro->rw remount") 8cd2908846d1 ("btrfs: clear oneshot options on mount and remount") 5011139a4718 ("btrfs: create free space tree on ro->rw remount") 8f1c21d7490f ("btrfs: start orphan cleanup on ro->rw remount") 44c0ca211a4d ("btrfs: lift read-write mount setup from mount and remount") 5297199a8bca ("btrfs: remove inode number cache feature") ec7d6dfd73b2 ("btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1742e1c90c3da344f3bb9b1f1309b3f47482756a Mon Sep 17 00:00:00 2001 From: void0red <void0red(a)gmail.com> Date: Wed, 23 Nov 2022 22:39:45 +0800 Subject: [PATCH] btrfs: fix extent map use-after-free when handling missing device in read_one_chunk Store the error code before freeing the extent_map. Though it's reference counted structure, in that function it's the first and last allocation so this would lead to a potential use-after-free. The error can happen eg. when chunk is stored on a missing device and the degraded mount option is missing. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721 Reported-by: eriri <1527030098(a)qq.com> Fixes: adfb69af7d8c ("btrfs: add_missing_dev() should return the actual error") CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: void0red <void0red(a)gmail.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index acab20f2863d..aa25fa335d3e 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -6976,8 +6976,9 @@ static int read_one_chunk(struct btrfs_key *key, struct extent_buffer *leaf, map->stripes[i].dev = handle_missing_device(fs_info, devid, uuid); if (IS_ERR(map->stripes[i].dev)) { + ret = PTR_ERR(map->stripes[i].dev); free_extent_map(em); - return PTR_ERR(map->stripes[i].dev); + return ret; } }

2 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix extent map use-after-free when handling missing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 1742e1c90c3d ("btrfs: fix extent map use-after-free when handling missing device in read_one_chunk") ff37c89f94be ("btrfs: move missing device handling in a dedicate function") 562d7b1512f7 ("btrfs: handle device lookup with btrfs_dev_lookup_args") 1a9fd4172d5c ("btrfs: fix typos in comments") e9306ad4ef5c ("btrfs: more graceful errors/warnings on 32bit systems when reaching limits") bc03f39ec3c1 ("btrfs: use a bit to track the existence of tree mod log users") 406808ab2f0b ("btrfs: use booleans where appropriate for the tree mod log functions") f3a84ccd28d0 ("btrfs: move the tree mod log code into its own file") dbcc7d57bffc ("btrfs: fix race when cloning extent buffer during rewind of an old root") cac06d843f25 ("btrfs: introduce the skeleton of btrfs_subpage structure") 2f96e40212d4 ("btrfs: fix possible free space tree corruption with online conversion") 1aaac38c83a2 ("btrfs: don't allow tree block to cross page boundary for subpage support") 948462294577 ("btrfs: keep sb cache_generation consistent with space_cache") 8b228324a8ce ("btrfs: clear free space tree on ro->rw remount") 8cd2908846d1 ("btrfs: clear oneshot options on mount and remount") 5011139a4718 ("btrfs: create free space tree on ro->rw remount") 8f1c21d7490f ("btrfs: start orphan cleanup on ro->rw remount") 44c0ca211a4d ("btrfs: lift read-write mount setup from mount and remount") 5297199a8bca ("btrfs: remove inode number cache feature") ec7d6dfd73b2 ("btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1742e1c90c3da344f3bb9b1f1309b3f47482756a Mon Sep 17 00:00:00 2001 From: void0red <void0red(a)gmail.com> Date: Wed, 23 Nov 2022 22:39:45 +0800 Subject: [PATCH] btrfs: fix extent map use-after-free when handling missing device in read_one_chunk Store the error code before freeing the extent_map. Though it's reference counted structure, in that function it's the first and last allocation so this would lead to a potential use-after-free. The error can happen eg. when chunk is stored on a missing device and the degraded mount option is missing. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721 Reported-by: eriri <1527030098(a)qq.com> Fixes: adfb69af7d8c ("btrfs: add_missing_dev() should return the actual error") CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: void0red <void0red(a)gmail.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index acab20f2863d..aa25fa335d3e 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -6976,8 +6976,9 @@ static int read_one_chunk(struct btrfs_key *key, struct extent_buffer *leaf, map->stripes[i].dev = handle_missing_device(fs_info, devid, uuid); if (IS_ERR(map->stripes[i].dev)) { + ret = PTR_ERR(map->stripes[i].dev); free_extent_map(em); - return PTR_ERR(map->stripes[i].dev); + return ret; } }

2 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix extent map use-after-free when handling missing" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 1742e1c90c3d ("btrfs: fix extent map use-after-free when handling missing device in read_one_chunk") ff37c89f94be ("btrfs: move missing device handling in a dedicate function") 562d7b1512f7 ("btrfs: handle device lookup with btrfs_dev_lookup_args") 1a9fd4172d5c ("btrfs: fix typos in comments") e9306ad4ef5c ("btrfs: more graceful errors/warnings on 32bit systems when reaching limits") bc03f39ec3c1 ("btrfs: use a bit to track the existence of tree mod log users") 406808ab2f0b ("btrfs: use booleans where appropriate for the tree mod log functions") f3a84ccd28d0 ("btrfs: move the tree mod log code into its own file") dbcc7d57bffc ("btrfs: fix race when cloning extent buffer during rewind of an old root") cac06d843f25 ("btrfs: introduce the skeleton of btrfs_subpage structure") 2f96e40212d4 ("btrfs: fix possible free space tree corruption with online conversion") 1aaac38c83a2 ("btrfs: don't allow tree block to cross page boundary for subpage support") 948462294577 ("btrfs: keep sb cache_generation consistent with space_cache") 8b228324a8ce ("btrfs: clear free space tree on ro->rw remount") 8cd2908846d1 ("btrfs: clear oneshot options on mount and remount") 5011139a4718 ("btrfs: create free space tree on ro->rw remount") 8f1c21d7490f ("btrfs: start orphan cleanup on ro->rw remount") 44c0ca211a4d ("btrfs: lift read-write mount setup from mount and remount") 5297199a8bca ("btrfs: remove inode number cache feature") ec7d6dfd73b2 ("btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1742e1c90c3da344f3bb9b1f1309b3f47482756a Mon Sep 17 00:00:00 2001 From: void0red <void0red(a)gmail.com> Date: Wed, 23 Nov 2022 22:39:45 +0800 Subject: [PATCH] btrfs: fix extent map use-after-free when handling missing device in read_one_chunk Store the error code before freeing the extent_map. Though it's reference counted structure, in that function it's the first and last allocation so this would lead to a potential use-after-free. The error can happen eg. when chunk is stored on a missing device and the degraded mount option is missing. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721 Reported-by: eriri <1527030098(a)qq.com> Fixes: adfb69af7d8c ("btrfs: add_missing_dev() should return the actual error") CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: void0red <void0red(a)gmail.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index acab20f2863d..aa25fa335d3e 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -6976,8 +6976,9 @@ static int read_one_chunk(struct btrfs_key *key, struct extent_buffer *leaf, map->stripes[i].dev = handle_missing_device(fs_info, devid, uuid); if (IS_ERR(map->stripes[i].dev)) { + ret = PTR_ERR(map->stripes[i].dev); free_extent_map(em); - return PTR_ERR(map->stripes[i].dev); + return ret; } }

2 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix extent map use-after-free when handling missing" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 1742e1c90c3d ("btrfs: fix extent map use-after-free when handling missing device in read_one_chunk") ff37c89f94be ("btrfs: move missing device handling in a dedicate function") 562d7b1512f7 ("btrfs: handle device lookup with btrfs_dev_lookup_args") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1742e1c90c3da344f3bb9b1f1309b3f47482756a Mon Sep 17 00:00:00 2001 From: void0red <void0red(a)gmail.com> Date: Wed, 23 Nov 2022 22:39:45 +0800 Subject: [PATCH] btrfs: fix extent map use-after-free when handling missing device in read_one_chunk Store the error code before freeing the extent_map. Though it's reference counted structure, in that function it's the first and last allocation so this would lead to a potential use-after-free. The error can happen eg. when chunk is stored on a missing device and the degraded mount option is missing. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721 Reported-by: eriri <1527030098(a)qq.com> Fixes: adfb69af7d8c ("btrfs: add_missing_dev() should return the actual error") CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: void0red <void0red(a)gmail.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index acab20f2863d..aa25fa335d3e 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -6976,8 +6976,9 @@ static int read_one_chunk(struct btrfs_key *key, struct extent_buffer *leaf, map->stripes[i].dev = handle_missing_device(fs_info, devid, uuid); if (IS_ERR(map->stripes[i].dev)) { + ret = PTR_ERR(map->stripes[i].dev); free_extent_map(em); - return PTR_ERR(map->stripes[i].dev); + return ret; } }

2 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: replace strncpy() with strscpy()" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 63d5429f68a3 ("btrfs: replace strncpy() with strscpy()") cb3e217bdb39 ("btrfs: use btrfs_dev_name() helper to handle missing devices better") 947a629988f1 ("btrfs: move tree block parentness check into validate_extent_buffer()") 789d6a3a876e ("btrfs: concentrate all tree block parentness check parameters into one structure") ab2072b2921e ("btrfs: change how submit bio callback is passed to btrfs_wq_submit_bio") 7920b773bd8a ("btrfs: drop parameter compression_type from btrfs_submit_dio_repair_bio") 19af6a7d345a ("btrfs: change how repair action is passed to btrfs_repair_one_sector") a2c8d27e5ee8 ("btrfs: use a structure to pass arguments to backref walking functions") 6ce6ba534418 ("btrfs: use a single argument for extent offset in backref walking functions") 22a3c0ac8ed0 ("btrfs: send: avoid unnecessary backref lookups when finding clone source") 2885fd632050 ("btrfs: move inode prototypes to btrfs_inode.h") b31bed170d52 ("btrfs: move btrfs_chunk_item_size out of ctree.h") 911bd75aca73 ("btrfs: remove unused function prototypes") a56159d4080b ("btrfs: move btrfs_fs_info declarations into fs.h") 6db75318823a ("btrfs: use struct fscrypt_str instead of struct qstr") ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper") e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs") e9c83077d2be ("btrfs: remove temporary btrfs_map_token declaration in ctree.h") ad1ac5012c2b ("btrfs: move btrfs_map_token to accessors") d83eb482b727 ("btrfs: move the compat/incompat flag masks to fs.h") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 63d5429f68a3d4c4aa27e65a05196c17f86c41d6 Mon Sep 17 00:00:00 2001 From: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Date: Sat, 19 Nov 2022 11:13:29 +0300 Subject: [PATCH] btrfs: replace strncpy() with strscpy() Using strncpy() on NUL-terminated strings are deprecated. To avoid possible forming of non-terminated string strscpy() should be used. Found by Linux Verification Center (linuxtesting.org) with SVACE. CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index bed74a3ff574..4fd6b61b06a4 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2859,13 +2859,10 @@ static long btrfs_ioctl_dev_info(struct btrfs_fs_info *fs_info, di_args->bytes_used = btrfs_device_get_bytes_used(dev); di_args->total_bytes = btrfs_device_get_total_bytes(dev); memcpy(di_args->uuid, dev->uuid, sizeof(di_args->uuid)); - if (dev->name) { - strncpy(di_args->path, btrfs_dev_name(dev), - sizeof(di_args->path) - 1); - di_args->path[sizeof(di_args->path) - 1] = 0; - } else { + if (dev->name) + strscpy(di_args->path, btrfs_dev_name(dev), sizeof(di_args->path)); + else di_args->path[0] = '\0'; - } out: rcu_read_unlock(); diff --git a/fs/btrfs/rcu-string.h b/fs/btrfs/rcu-string.h index 5c1a617eb25d..5c2b66d155ef 100644 --- a/fs/btrfs/rcu-string.h +++ b/fs/btrfs/rcu-string.h @@ -18,7 +18,11 @@ static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask) (len * sizeof(char)), mask); if (!ret) return ret; - strncpy(ret->str, src, len); + /* Warn if the source got unexpectedly truncated. */ + if (WARN_ON(strscpy(ret->str, src, len) < 0)) { + kfree(ret); + return NULL; + } return ret; }

2 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: replace strncpy() with strscpy()" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 63d5429f68a3 ("btrfs: replace strncpy() with strscpy()") cb3e217bdb39 ("btrfs: use btrfs_dev_name() helper to handle missing devices better") 947a629988f1 ("btrfs: move tree block parentness check into validate_extent_buffer()") 789d6a3a876e ("btrfs: concentrate all tree block parentness check parameters into one structure") ab2072b2921e ("btrfs: change how submit bio callback is passed to btrfs_wq_submit_bio") 7920b773bd8a ("btrfs: drop parameter compression_type from btrfs_submit_dio_repair_bio") 19af6a7d345a ("btrfs: change how repair action is passed to btrfs_repair_one_sector") a2c8d27e5ee8 ("btrfs: use a structure to pass arguments to backref walking functions") 6ce6ba534418 ("btrfs: use a single argument for extent offset in backref walking functions") 22a3c0ac8ed0 ("btrfs: send: avoid unnecessary backref lookups when finding clone source") 2885fd632050 ("btrfs: move inode prototypes to btrfs_inode.h") b31bed170d52 ("btrfs: move btrfs_chunk_item_size out of ctree.h") 911bd75aca73 ("btrfs: remove unused function prototypes") a56159d4080b ("btrfs: move btrfs_fs_info declarations into fs.h") 6db75318823a ("btrfs: use struct fscrypt_str instead of struct qstr") ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper") e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs") e9c83077d2be ("btrfs: remove temporary btrfs_map_token declaration in ctree.h") ad1ac5012c2b ("btrfs: move btrfs_map_token to accessors") d83eb482b727 ("btrfs: move the compat/incompat flag masks to fs.h") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 63d5429f68a3d4c4aa27e65a05196c17f86c41d6 Mon Sep 17 00:00:00 2001 From: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Date: Sat, 19 Nov 2022 11:13:29 +0300 Subject: [PATCH] btrfs: replace strncpy() with strscpy() Using strncpy() on NUL-terminated strings are deprecated. To avoid possible forming of non-terminated string strscpy() should be used. Found by Linux Verification Center (linuxtesting.org) with SVACE. CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index bed74a3ff574..4fd6b61b06a4 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2859,13 +2859,10 @@ static long btrfs_ioctl_dev_info(struct btrfs_fs_info *fs_info, di_args->bytes_used = btrfs_device_get_bytes_used(dev); di_args->total_bytes = btrfs_device_get_total_bytes(dev); memcpy(di_args->uuid, dev->uuid, sizeof(di_args->uuid)); - if (dev->name) { - strncpy(di_args->path, btrfs_dev_name(dev), - sizeof(di_args->path) - 1); - di_args->path[sizeof(di_args->path) - 1] = 0; - } else { + if (dev->name) + strscpy(di_args->path, btrfs_dev_name(dev), sizeof(di_args->path)); + else di_args->path[0] = '\0'; - } out: rcu_read_unlock(); diff --git a/fs/btrfs/rcu-string.h b/fs/btrfs/rcu-string.h index 5c1a617eb25d..5c2b66d155ef 100644 --- a/fs/btrfs/rcu-string.h +++ b/fs/btrfs/rcu-string.h @@ -18,7 +18,11 @@ static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask) (len * sizeof(char)), mask); if (!ret) return ret; - strncpy(ret->str, src, len); + /* Warn if the source got unexpectedly truncated. */ + if (WARN_ON(strscpy(ret->str, src, len) < 0)) { + kfree(ret); + return NULL; + } return ret; }

2 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: replace strncpy() with strscpy()" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 63d5429f68a3 ("btrfs: replace strncpy() with strscpy()") cb3e217bdb39 ("btrfs: use btrfs_dev_name() helper to handle missing devices better") 947a629988f1 ("btrfs: move tree block parentness check into validate_extent_buffer()") 789d6a3a876e ("btrfs: concentrate all tree block parentness check parameters into one structure") ab2072b2921e ("btrfs: change how submit bio callback is passed to btrfs_wq_submit_bio") 7920b773bd8a ("btrfs: drop parameter compression_type from btrfs_submit_dio_repair_bio") 19af6a7d345a ("btrfs: change how repair action is passed to btrfs_repair_one_sector") a2c8d27e5ee8 ("btrfs: use a structure to pass arguments to backref walking functions") 6ce6ba534418 ("btrfs: use a single argument for extent offset in backref walking functions") 22a3c0ac8ed0 ("btrfs: send: avoid unnecessary backref lookups when finding clone source") 2885fd632050 ("btrfs: move inode prototypes to btrfs_inode.h") b31bed170d52 ("btrfs: move btrfs_chunk_item_size out of ctree.h") 911bd75aca73 ("btrfs: remove unused function prototypes") a56159d4080b ("btrfs: move btrfs_fs_info declarations into fs.h") 6db75318823a ("btrfs: use struct fscrypt_str instead of struct qstr") ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper") e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs") e9c83077d2be ("btrfs: remove temporary btrfs_map_token declaration in ctree.h") ad1ac5012c2b ("btrfs: move btrfs_map_token to accessors") d83eb482b727 ("btrfs: move the compat/incompat flag masks to fs.h") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 63d5429f68a3d4c4aa27e65a05196c17f86c41d6 Mon Sep 17 00:00:00 2001 From: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Date: Sat, 19 Nov 2022 11:13:29 +0300 Subject: [PATCH] btrfs: replace strncpy() with strscpy() Using strncpy() on NUL-terminated strings are deprecated. To avoid possible forming of non-terminated string strscpy() should be used. Found by Linux Verification Center (linuxtesting.org) with SVACE. CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index bed74a3ff574..4fd6b61b06a4 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2859,13 +2859,10 @@ static long btrfs_ioctl_dev_info(struct btrfs_fs_info *fs_info, di_args->bytes_used = btrfs_device_get_bytes_used(dev); di_args->total_bytes = btrfs_device_get_total_bytes(dev); memcpy(di_args->uuid, dev->uuid, sizeof(di_args->uuid)); - if (dev->name) { - strncpy(di_args->path, btrfs_dev_name(dev), - sizeof(di_args->path) - 1); - di_args->path[sizeof(di_args->path) - 1] = 0; - } else { + if (dev->name) + strscpy(di_args->path, btrfs_dev_name(dev), sizeof(di_args->path)); + else di_args->path[0] = '\0'; - } out: rcu_read_unlock(); diff --git a/fs/btrfs/rcu-string.h b/fs/btrfs/rcu-string.h index 5c1a617eb25d..5c2b66d155ef 100644 --- a/fs/btrfs/rcu-string.h +++ b/fs/btrfs/rcu-string.h @@ -18,7 +18,11 @@ static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask) (len * sizeof(char)), mask); if (!ret) return ret; - strncpy(ret->str, src, len); + /* Warn if the source got unexpectedly truncated. */ + if (WARN_ON(strscpy(ret->str, src, len) < 0)) { + kfree(ret); + return NULL; + } return ret; }

2 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: replace strncpy() with strscpy()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 63d5429f68a3 ("btrfs: replace strncpy() with strscpy()") cb3e217bdb39 ("btrfs: use btrfs_dev_name() helper to handle missing devices better") 947a629988f1 ("btrfs: move tree block parentness check into validate_extent_buffer()") 789d6a3a876e ("btrfs: concentrate all tree block parentness check parameters into one structure") ab2072b2921e ("btrfs: change how submit bio callback is passed to btrfs_wq_submit_bio") 7920b773bd8a ("btrfs: drop parameter compression_type from btrfs_submit_dio_repair_bio") 19af6a7d345a ("btrfs: change how repair action is passed to btrfs_repair_one_sector") a2c8d27e5ee8 ("btrfs: use a structure to pass arguments to backref walking functions") 6ce6ba534418 ("btrfs: use a single argument for extent offset in backref walking functions") 22a3c0ac8ed0 ("btrfs: send: avoid unnecessary backref lookups when finding clone source") 2885fd632050 ("btrfs: move inode prototypes to btrfs_inode.h") b31bed170d52 ("btrfs: move btrfs_chunk_item_size out of ctree.h") 911bd75aca73 ("btrfs: remove unused function prototypes") a56159d4080b ("btrfs: move btrfs_fs_info declarations into fs.h") 6db75318823a ("btrfs: use struct fscrypt_str instead of struct qstr") ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper") e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs") e9c83077d2be ("btrfs: remove temporary btrfs_map_token declaration in ctree.h") ad1ac5012c2b ("btrfs: move btrfs_map_token to accessors") d83eb482b727 ("btrfs: move the compat/incompat flag masks to fs.h") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 63d5429f68a3d4c4aa27e65a05196c17f86c41d6 Mon Sep 17 00:00:00 2001 From: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Date: Sat, 19 Nov 2022 11:13:29 +0300 Subject: [PATCH] btrfs: replace strncpy() with strscpy() Using strncpy() on NUL-terminated strings are deprecated. To avoid possible forming of non-terminated string strscpy() should be used. Found by Linux Verification Center (linuxtesting.org) with SVACE. CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index bed74a3ff574..4fd6b61b06a4 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2859,13 +2859,10 @@ static long btrfs_ioctl_dev_info(struct btrfs_fs_info *fs_info, di_args->bytes_used = btrfs_device_get_bytes_used(dev); di_args->total_bytes = btrfs_device_get_total_bytes(dev); memcpy(di_args->uuid, dev->uuid, sizeof(di_args->uuid)); - if (dev->name) { - strncpy(di_args->path, btrfs_dev_name(dev), - sizeof(di_args->path) - 1); - di_args->path[sizeof(di_args->path) - 1] = 0; - } else { + if (dev->name) + strscpy(di_args->path, btrfs_dev_name(dev), sizeof(di_args->path)); + else di_args->path[0] = '\0'; - } out: rcu_read_unlock(); diff --git a/fs/btrfs/rcu-string.h b/fs/btrfs/rcu-string.h index 5c1a617eb25d..5c2b66d155ef 100644 --- a/fs/btrfs/rcu-string.h +++ b/fs/btrfs/rcu-string.h @@ -18,7 +18,11 @@ static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask) (len * sizeof(char)), mask); if (!ret) return ret; - strncpy(ret->str, src, len); + /* Warn if the source got unexpectedly truncated. */ + if (WARN_ON(strscpy(ret->str, src, len) < 0)) { + kfree(ret); + return NULL; + } return ret; }

2 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: replace strncpy() with strscpy()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 63d5429f68a3 ("btrfs: replace strncpy() with strscpy()") cb3e217bdb39 ("btrfs: use btrfs_dev_name() helper to handle missing devices better") 947a629988f1 ("btrfs: move tree block parentness check into validate_extent_buffer()") 789d6a3a876e ("btrfs: concentrate all tree block parentness check parameters into one structure") ab2072b2921e ("btrfs: change how submit bio callback is passed to btrfs_wq_submit_bio") 7920b773bd8a ("btrfs: drop parameter compression_type from btrfs_submit_dio_repair_bio") 19af6a7d345a ("btrfs: change how repair action is passed to btrfs_repair_one_sector") a2c8d27e5ee8 ("btrfs: use a structure to pass arguments to backref walking functions") 6ce6ba534418 ("btrfs: use a single argument for extent offset in backref walking functions") 22a3c0ac8ed0 ("btrfs: send: avoid unnecessary backref lookups when finding clone source") 2885fd632050 ("btrfs: move inode prototypes to btrfs_inode.h") b31bed170d52 ("btrfs: move btrfs_chunk_item_size out of ctree.h") 911bd75aca73 ("btrfs: remove unused function prototypes") a56159d4080b ("btrfs: move btrfs_fs_info declarations into fs.h") 6db75318823a ("btrfs: use struct fscrypt_str instead of struct qstr") ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper") e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs") e9c83077d2be ("btrfs: remove temporary btrfs_map_token declaration in ctree.h") ad1ac5012c2b ("btrfs: move btrfs_map_token to accessors") d83eb482b727 ("btrfs: move the compat/incompat flag masks to fs.h") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 63d5429f68a3d4c4aa27e65a05196c17f86c41d6 Mon Sep 17 00:00:00 2001 From: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Date: Sat, 19 Nov 2022 11:13:29 +0300 Subject: [PATCH] btrfs: replace strncpy() with strscpy() Using strncpy() on NUL-terminated strings are deprecated. To avoid possible forming of non-terminated string strscpy() should be used. Found by Linux Verification Center (linuxtesting.org) with SVACE. CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index bed74a3ff574..4fd6b61b06a4 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2859,13 +2859,10 @@ static long btrfs_ioctl_dev_info(struct btrfs_fs_info *fs_info, di_args->bytes_used = btrfs_device_get_bytes_used(dev); di_args->total_bytes = btrfs_device_get_total_bytes(dev); memcpy(di_args->uuid, dev->uuid, sizeof(di_args->uuid)); - if (dev->name) { - strncpy(di_args->path, btrfs_dev_name(dev), - sizeof(di_args->path) - 1); - di_args->path[sizeof(di_args->path) - 1] = 0; - } else { + if (dev->name) + strscpy(di_args->path, btrfs_dev_name(dev), sizeof(di_args->path)); + else di_args->path[0] = '\0'; - } out: rcu_read_unlock(); diff --git a/fs/btrfs/rcu-string.h b/fs/btrfs/rcu-string.h index 5c1a617eb25d..5c2b66d155ef 100644 --- a/fs/btrfs/rcu-string.h +++ b/fs/btrfs/rcu-string.h @@ -18,7 +18,11 @@ static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask) (len * sizeof(char)), mask); if (!ret) return ret; - strncpy(ret->str, src, len); + /* Warn if the source got unexpectedly truncated. */ + if (WARN_ON(strscpy(ret->str, src, len) < 0)) { + kfree(ret); + return NULL; + } return ret; }

2 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: replace strncpy() with strscpy()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Possible dependencies: 63d5429f68a3 ("btrfs: replace strncpy() with strscpy()") cb3e217bdb39 ("btrfs: use btrfs_dev_name() helper to handle missing devices better") 947a629988f1 ("btrfs: move tree block parentness check into validate_extent_buffer()") 789d6a3a876e ("btrfs: concentrate all tree block parentness check parameters into one structure") ab2072b2921e ("btrfs: change how submit bio callback is passed to btrfs_wq_submit_bio") 7920b773bd8a ("btrfs: drop parameter compression_type from btrfs_submit_dio_repair_bio") 19af6a7d345a ("btrfs: change how repair action is passed to btrfs_repair_one_sector") a2c8d27e5ee8 ("btrfs: use a structure to pass arguments to backref walking functions") 6ce6ba534418 ("btrfs: use a single argument for extent offset in backref walking functions") 22a3c0ac8ed0 ("btrfs: send: avoid unnecessary backref lookups when finding clone source") 2885fd632050 ("btrfs: move inode prototypes to btrfs_inode.h") b31bed170d52 ("btrfs: move btrfs_chunk_item_size out of ctree.h") 911bd75aca73 ("btrfs: remove unused function prototypes") a56159d4080b ("btrfs: move btrfs_fs_info declarations into fs.h") 6db75318823a ("btrfs: use struct fscrypt_str instead of struct qstr") ab3c5c18e8fa ("btrfs: setup qstr from dentrys using fscrypt helper") e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs") e9c83077d2be ("btrfs: remove temporary btrfs_map_token declaration in ctree.h") ad1ac5012c2b ("btrfs: move btrfs_map_token to accessors") d83eb482b727 ("btrfs: move the compat/incompat flag masks to fs.h") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 63d5429f68a3d4c4aa27e65a05196c17f86c41d6 Mon Sep 17 00:00:00 2001 From: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Date: Sat, 19 Nov 2022 11:13:29 +0300 Subject: [PATCH] btrfs: replace strncpy() with strscpy() Using strncpy() on NUL-terminated strings are deprecated. To avoid possible forming of non-terminated string strscpy() should be used. Found by Linux Verification Center (linuxtesting.org) with SVACE. CC: stable(a)vger.kernel.org # 4.9+ Signed-off-by: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index bed74a3ff574..4fd6b61b06a4 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2859,13 +2859,10 @@ static long btrfs_ioctl_dev_info(struct btrfs_fs_info *fs_info, di_args->bytes_used = btrfs_device_get_bytes_used(dev); di_args->total_bytes = btrfs_device_get_total_bytes(dev); memcpy(di_args->uuid, dev->uuid, sizeof(di_args->uuid)); - if (dev->name) { - strncpy(di_args->path, btrfs_dev_name(dev), - sizeof(di_args->path) - 1); - di_args->path[sizeof(di_args->path) - 1] = 0; - } else { + if (dev->name) + strscpy(di_args->path, btrfs_dev_name(dev), sizeof(di_args->path)); + else di_args->path[0] = '\0'; - } out: rcu_read_unlock(); diff --git a/fs/btrfs/rcu-string.h b/fs/btrfs/rcu-string.h index 5c1a617eb25d..5c2b66d155ef 100644 --- a/fs/btrfs/rcu-string.h +++ b/fs/btrfs/rcu-string.h @@ -18,7 +18,11 @@ static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask) (len * sizeof(char)), mask); if (!ret) return ret; - strncpy(ret->str, src, len); + /* Warn if the source got unexpectedly truncated. */ + if (WARN_ON(strscpy(ret->str, src, len) < 0)) { + kfree(ret); + return NULL; + } return ret; }

2 years, 3 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2023