Commit 230fb3a3 authored by Linus Torvalds
Pull erofs updates from Gao Xiang:

 - Validate xattr h_shared_count to report -EFSCORRUPTED explicitly for
   crafted images

 - Verify metadata accesses for file-backed mounts via rw_verify_area()

 - Fix FS_IOC_GETFSLABEL to include the trailing NUL byte, consistent
   with ext4 and xfs

 - Properly handle 48-bit on-disk blocks/uniaddr for extra devices

 - Fix an index underflow in the LZ4 in-place decompression that can
   cause out-of-bounds accesses with crafted images

 - Minor fixes and cleanups

* tag 'erofs-for-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
  erofs: error out obviously illegal extents in advance
  erofs: clean up encoded map flags
  erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
  erofs: handle 48-bit blocks/uniaddr for extra devices
  erofs: include the trailing NUL in FS_IOC_GETFSLABEL
  erofs: ensure all folios are managed in erofs_try_to_free_all_cached_folios()
  erofs: verify metadata accesses for file-backed mounts
  erofs: harden h_shared_count in erofs_init_inode_xattrs()
parents a62fe210 a5242d37
+14 −0
@@ -30,6 +30,20 @@ void *erofs_bread(struct erofs_buf *buf, erofs_off_t offset, bool need_kmap)
{
	pgoff_t index = (buf->off + offset) >> PAGE_SHIFT;
	struct folio *folio = NULL;
	loff_t fpos;
	int err;

	/*
	 * Metadata access for file-backed mounts reuses page cache of backing
	 * fs inodes (only folio data will be needed) to prevent double caching.
	 * However, the data access range must be verified here in advance.
	 */
	if (buf->file) {
		fpos = index << PAGE_SHIFT;
		err = rw_verify_area(READ, buf->file, &fpos, PAGE_SIZE);
		if (err < 0)
			return ERR_PTR(err);
	}

	if (buf->page) {
		folio = page_folio(buf->page);
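Review bot: `fpos = index << PAGE_SHIFT;` shifts a `pgoff_t` before it is widened, so on a 32-bit kernel the value can wrap before it reaches the `loff_t`, and rw_verify_area() would then vet a different offset than the folio that is actually read. Writing it as `fpos = (loff_t)index << PAGE_SHIFT;` keeps the verified range and the accessed range identical. The new comment could also state that one full page at the page-aligned position is verified, regardless of the caller's `offset` within it. erofs_bread() continues past the end of this hunk.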
+2 −2
@@ -44,9 +44,9 @@ struct erofs_deviceslot {
	u8 tag[64];		/* digest(sha256), etc. */
	__le32 blocks_lo;	/* total blocks count of this device */
	__le32 uniaddr_lo;	/* unified starting block of this device */
	__le32 blocks_hi;	/* total blocks count MSB */
	__le16 blocks_hi;	/* total blocks count MSB */
	__le16 uniaddr_hi;	/* unified starting block MSB */
	u8 reserved[50];
	u8 reserved[52];
};
#define EROFS_DEVT_SLOT_SIZE	sizeof(struct erofs_deviceslot)
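Review bot: The comments on `blocks_hi` and `uniaddr_hi` do not say that these bytes are only meaningful on 48-bit images, although the reader elsewhere in this commit consults them only when `erofs_sb_has_48bit(sbi)` is true. I would document that on the fields, e.g. `__le16 blocks_hi;	/* total blocks count MSB (48-bit feature only) */`, and likewise for `uniaddr_hi`. `EROFS_DEVT_SLOT_SIZE` is the stride used when walking slots of a possibly crafted image, so a one-line comment next to the define stating the expected slot size (128 bytes by the visible fields) would make an accidental layout change easier to catch.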

+1 −1
@@ -351,7 +351,7 @@ static int erofs_ioctl_get_volume_label(struct inode *inode, void __user *arg)
		ret = clear_user(arg, 1);
	else
		ret = copy_to_user(arg, sbi->volume_name,
				   strlen(sbi->volume_name));
				   strlen(sbi->volume_name) + 1);
	return ret ? -EFAULT : 0;
}
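Review bot: The copy length is now `strlen(sbi->volume_name) + 1`, and nothing in the visible lines bounds it against the size of the label buffer that user space passes to FS_IOC_GETFSLABEL. The start of the function and the code that fills `volume_name` are outside this hunk, so the mount path may already guarantee that the stored name plus its NUL fits. If it does, a short comment stating that invariant above the `copy_to_user()` call would make the `+ 1` visibly safe; otherwise clamp the length to `FSLABEL_MAX`.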

+11 −12
@@ -360,20 +360,19 @@ static inline struct folio *erofs_grab_folio_nowait(struct address_space *as,
			readahead_gfp_mask(as) & ~__GFP_RECLAIM);
}

/* Has a disk mapping */
/* Allocated on disk at @m_pa (e.g. NOT a fragment extent) */
#define EROFS_MAP_MAPPED		0x0001
/* Located in metadata (could be copied from bd_inode) */
#define EROFS_MAP_META			0x0002
/* The extent is encoded */
#define EROFS_MAP_ENCODED	0x0004
/* The length of extent is full */
#define EROFS_MAP_FULL_MAPPED	0x0008
/* @m_llen may be truncated by the runtime compared to the on-disk record */
#define EROFS_MAP_PARTIAL_MAPPED	0x0004
/* The on-disk @m_llen may cover only part of the encoded data */
#define EROFS_MAP_PARTIAL_REF		0x0008
/* Located in the special packed inode */
#define __EROFS_MAP_FRAGMENT	0x0010
/* The extent refers to partial decompressed data */
#define EROFS_MAP_PARTIAL_REF	0x0020

#define EROFS_MAP_FRAGMENT	(EROFS_MAP_MAPPED | __EROFS_MAP_FRAGMENT)
#define EROFS_MAP_FRAGMENT		0x0010
/* The encoded on-disk data will be fully handled (decompressed) */
#define EROFS_MAP_FULL(f)	(!((f) & (EROFS_MAP_PARTIAL_MAPPED | \
					  EROFS_MAP_PARTIAL_REF)))

struct erofs_map_blocks {
	struct erofs_buf buf;
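Review bot: `EROFS_MAP_FRAGMENT` no longer includes `EROFS_MAP_MAPPED` (the new comment defines mapped as "NOT a fragment extent"), so any caller that tested only `EROFS_MAP_MAPPED` to tell data from a hole would now treat a fragment extent as unmapped. The users of these flags are not on this page, so this is a request to confirm that they all check `EROFS_MAP_FRAGMENT` explicitly. The values 0x0004 and 0x0008 are also reused with inverted polarity (formerly "encoded" and "full mapped", now the two partial flags), so a stale user of the old bits would silently change meaning. A line such as `/* no PARTIAL_* flag set: the extent is fully mapped and fully referenced */` above `EROFS_MAP_FULL()` would make the new default explicit.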
+6 −2
@@ -129,6 +129,7 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb,
	struct erofs_fscache *fscache;
	struct erofs_deviceslot *dis;
	struct file *file;
	bool _48bit;

	dis = erofs_read_metabuf(buf, sb, *pos, false);
	if (IS_ERR(dis))
@@ -175,8 +176,11 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb,
		dif->file = file;
	}

	dif->blocks = le32_to_cpu(dis->blocks_lo);
	dif->uniaddr = le32_to_cpu(dis->uniaddr_lo);
	_48bit = erofs_sb_has_48bit(sbi);
	dif->blocks = le32_to_cpu(dis->blocks_lo) |
		(_48bit ? (u64)le16_to_cpu(dis->blocks_hi) << 32 : 0);
	dif->uniaddr = le32_to_cpu(dis->uniaddr_lo) |
		(_48bit ? (u64)le16_to_cpu(dis->uniaddr_hi) << 32 : 0);
	sbi->total_blocks += dif->blocks;
	*pos += EROFS_DEVT_SLOT_SIZE;
	return 0;
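Review bot: The widened `dif->blocks` and `dif->uniaddr` are taken straight from the on-disk slot and added to `sbi->total_blocks` with no plausibility check visible in this hunk, so a crafted image can now claim up to 48 bits per device. The rest of erofs_init_device() is outside the hunk; if the range is validated there or later, a comment pointing to that check would help. Otherwise I would expect a rejection with `-EFSCORRUPTED` for values the backing device or file cannot hold. As a style point, `_48bit` is an unusual local name; `has_48bit` reads better.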