The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x a90d4471146de21745980cba51ce88e7926bcc4f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to 'stable@vger.kernel.org' --in-reply-to '2024072927-stubbly-curler-09c4@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^..

Possible dependencies:

a90d4471146d ("udf: Avoid using corrupted block bitmap buffer") 1e0d4adf17e7 ("udf: Check consistency of Space Bitmap Descriptor") 101ee137d32a ("udf: Drop VARCONV support") a27b2923de7e ("udf: Move udf_expand_dir_adinicb() to its callsite") 57bda9fb169d ("udf: Convert udf_expand_dir_adinicb() to new directory iteration") d16076d9b684 ("udf: New directory iteration code") e4ae4735f7c2 ("udf: use sb_bdev_nr_blocks") b64533344371 ("udf: Fix iocharset=utf8 mount option") 979a6e28dd96 ("udf: Get rid of 0-length arrays in struct fileIdentDesc") fa236c2b2d44 ("udf: Fix NULL pointer dereference in udf_symlink function") 382a2287bf9c ("udf: Remove pointless union in udf_inode_info") 044e2e26f214 ("udf: Avoid accessing uninitialized data on failed inode read") 8b075e5ba459 ("udf: stop using ioctl_by_bdev") 4eb09e111218 ("fs-udf: Delete an unnecessary check before brelse()") ab9a3a737284 ("udf: reduce leakage of blocks related to named streams") a768a9abc625 ("udf: Explain handling of load_nls() failure")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From a90d4471146de21745980cba51ce88e7926bcc4f Mon Sep 17 00:00:00 2001 From: Jan Kara jack@suse.cz Date: Mon, 17 Jun 2024 17:41:52 +0200 Subject: [PATCH] udf: Avoid using corrupted block bitmap buffer

When the filesystem block bitmap is corrupted, we detect the corruption while loading the bitmap and fail the allocation with error. However the next allocation from the same bitmap will notice the bitmap buffer is already loaded and tries to allocate from the bitmap with mixed results (depending on the exact nature of the bitmap corruption). Fix the problem by using BH_verified bit to indicate whether the bitmap is valid or not.

Reported-by: syzbot+5f682cd029581f9edfd1@syzkaller.appspotmail.com CC: stable@vger.kernel.org Link: https://patch.msgid.link/20240617154201.29512-2-jack@suse.cz Fixes: 1e0d4adf17e7 ("udf: Check consistency of Space Bitmap Descriptor") Signed-off-by: Jan Kara jack@suse.cz

diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c index ab3ffc355949..558ad046972a 100644 --- a/fs/udf/balloc.c +++ b/fs/udf/balloc.c @@ -64,8 +64,12 @@ static int read_block_bitmap(struct super_block *sb, }

for (i = 0; i < count; i++) - if (udf_test_bit(i + off, bh->b_data)) + if (udf_test_bit(i + off, bh->b_data)) { + bitmap->s_block_bitmap[bitmap_nr] = + ERR_PTR(-EFSCORRUPTED); + brelse(bh); return -EFSCORRUPTED; + } return 0; }

@@ -81,8 +85,15 @@ static int __load_block_bitmap(struct super_block *sb, block_group, nr_groups); }

- if (bitmap->s_block_bitmap[block_group]) + if (bitmap->s_block_bitmap[block_group]) { + /* + * The bitmap failed verification in the past. No point in + * trying again. + */ + if (IS_ERR(bitmap->s_block_bitmap[block_group])) + return PTR_ERR(bitmap->s_block_bitmap[block_group]); return block_group; + }

retval = read_block_bitmap(sb, bitmap, block_group, block_group); if (retval < 0) diff --git a/fs/udf/super.c b/fs/udf/super.c index 9381a66c6ce5..92d477053905 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -336,7 +336,8 @@ static void udf_sb_free_bitmap(struct udf_bitmap *bitmap) int nr_groups = bitmap->s_nr_groups;

for (i = 0; i < nr_groups; i++) - brelse(bitmap->s_block_bitmap[i]); + if (!IS_ERR_OR_NULL(bitmap->s_block_bitmap[i])) + brelse(bitmap->s_block_bitmap[i]);

kvfree(bitmap); }