Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-16 21:35:07 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
linux-next/fs
History
Dmitry Antipov cb11e33358 ocfs2: fix directory entry check in ocfs2_search_dirblock() 
Syzbot has reported the following KASAN splat:

BUG: KASAN: slab-use-after-free in ocfs2_search_dirblock+0x26b/0x830
Read of size 1 at addr ffff888012009982 by task repro/5388
...
Call Trace:
 <TASK>
 dump_stack_lvl+0x241/0x360
 ? __pfx_dump_stack_lvl+0x10/0x10
 ? __pfx__printk+0x10/0x10
 ? _printk+0xd5/0x120
 ? __virt_addr_valid+0x183/0x530
 ? __virt_addr_valid+0x183/0x530
 print_report+0x169/0x550
 ? __virt_addr_valid+0x183/0x530
 ? __virt_addr_valid+0x183/0x530
 ? __virt_addr_valid+0x45f/0x530
 ? __phys_addr+0xba/0x170
 ? ocfs2_search_dirblock+0x26b/0x830
 kasan_report+0x143/0x180
 ? ocfs2_search_dirblock+0x26b/0x830
 ocfs2_search_dirblock+0x26b/0x830
 ? ocfs2_read_inode_block+0x14c/0x1e0
 ? __pfx_ocfs2_search_dirblock+0x10/0x10
 ? validate_chain+0x11e/0x5900
 ocfs2_find_entry+0x1169/0x2780
 ? mark_lock+0x9a/0x350
 ? __lock_acquire+0x137a/0x2040
 ? __pfx_ocfs2_find_entry+0x10/0x10
 ? __pfx_lock_acquire+0x10/0x10
 ? ocfs2_inode_lock_full_nested+0x17b/0x1c10
 ? __pfx_lock_release+0x10/0x10
 ? do_raw_spin_lock+0x14f/0x370
 ? do_raw_spin_unlock+0x58/0x8b0
 ? _raw_spin_unlock+0x28/0x50
 ? ocfs2_inode_lock_full_nested+0xb2f/0x1c10
 ? __pfx_ocfs2_inode_lock_full_nested+0x10/0x10
 ocfs2_find_files_on_disk+0xff/0x360
 ocfs2_lookup_ino_from_name+0xb1/0x1e0
 ? __pfx_ocfs2_lookup_ino_from_name+0x10/0x10
 ocfs2_lookup+0x292/0xa60
 ? __pfx_ocfs2_lookup+0x10/0x10
 ? from_kgid+0x1a7/0x730
 ? make_vfsgid+0x46/0x90
 ? HAS_UNMAPPED_ID+0xf9/0x150
 ? inode_permission+0xff/0x460
 ? __pfx_ocfs2_permission+0x10/0x10
 ? bpf_lsm_inode_create+0x9/0x10
 ? security_inode_create+0xc2/0x110
 ? __pfx_ocfs2_lookup+0x10/0x10
 path_openat+0x11ce/0x3470
 ? __pfx_path_openat+0x10/0x10
 do_filp_open+0x235/0x490
 ? __pfx_do_filp_open+0x10/0x10
 ? _raw_spin_unlock+0x28/0x50
 ? alloc_fd+0x5a1/0x640
 do_sys_openat2+0x13e/0x1d0
 ? mntput_no_expire+0xc2/0x850
 ? __pfx_do_sys_openat2+0x10/0x10
 ? __pfx_mntput_no_expire+0x10/0x10
 __x64_sys_openat+0x247/0x2a0
 ? __pfx___x64_sys_openat+0x10/0x10
 ? do_syscall_64+0x100/0x230
 ? do_syscall_64+0xb6/0x230
 do_syscall_64+0xf3/0x230
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
 </TASK>

This happens when 'ocfs2_search_dirblock()' makes an attempt to jump over
(presumably invalid) on-disk directory entry which size exceeds
'sizeof(struct ocfs2_dir_entry)', thus touching memory used by others
(including the previously freed one).  So just bail out if such a
directory entry is found.

Link: https://lkml.kernel.org/r/20241119170745.464799-1-dmantipov@yandex.ru
Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Reported-by: syzbot+b9704899e166798d57c9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b9704899e166798d57c9
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2024-12-18 19:49:55 -08:00
..
9p
fs/9p: replace functions v9fs_cache_{register|unregister} with direct calls
2024-11-16 17:23:19 +09:00
adfs
Merge patch series "adfs, affs, befs, hfs, hfsplus: convert to new mount api"
2024-10-08 14:41:53 +02:00
affs
Merge patch series "adfs, affs, befs, hfs, hfsplus: convert to new mount api"
2024-10-08 14:41:53 +02:00
afs
vfs-6.12-rc6.fixes
2024-11-01 07:37:10 -10:00
autofs
autofs: fix thinko in validate_dev_ioctl()
2024-10-28 13:16:56 +01:00
bcachefs
- The series "resource: A couple of cleanups" from Andy Shevchenko
2024-11-25 16:09:48 -08:00
befs
befs: convert befs to use the new mount api
2024-09-18 11:44:43 +02:00
bfs
fs: Convert aops->write_begin to take a folio
2024-08-07 11:33:21 +02:00
btrfs
for-6.13-rc2-tag
2024-12-10 18:18:01 -08:00
cachefiles
cachefiles: Fix NULL pointer dereference in object->file
2024-11-11 14:39:38 +01:00
ceph
A fix for the mount "device" string parser from Patrick and two cred
2024-11-30 10:22:38 -08:00
coda
coda: use param->file for FSCONFIG_SET_FD
2024-08-19 13:45:03 +02:00
configfs
configfs: improve item creation performance
2024-11-14 07:45:20 +01:00
cramfs
vfs-6.11.module.description
2024-07-15 11:14:59 -07:00
crypto
Random number generator updates for Linux 6.13-rc1.
2024-11-19 10:43:44 -08:00
debugfs
debugfs: add small file operations for most files
2024-10-23 16:47:01 +02:00
devpts
dlm
dlm: fix dlm_recover_members refcount on error
2024-11-18 10:05:57 -06:00
ecryptfs
vfs-6.13.ecryptfs.mount.api
2024-11-26 13:39:02 -08:00
efivarfs
First batch of EFI fixes for v6.13
2024-12-15 15:33:41 -08:00
efs
efs: fix the efs new mount api implementation
2024-10-15 15:58:36 +02:00
erofs
erofs: handle NONHEAD !delta[1] lclusters gracefully
2024-11-18 18:50:14 +08:00
exfat
exfat: reduce FAT chain traversal
2024-11-25 17:08:27 +09:00
exportfs
fs: prepare for "explicit connectable" file handles
2024-11-15 11:34:57 +01:00
ext2
vfs-6.12.file
2024-09-16 09:14:02 +02:00
ext4
A lot of miscellaneous ext4 bug fixes and cleanups this cycle, most
2024-11-18 16:32:58 -08:00
f2fs
f2fs-for-6.13-rc1
2024-11-26 12:50:58 -08:00
fat
fat: fix uninitialized variable
2024-10-17 00:28:06 -07:00
freevxfs
freevxfs: Replace one-element array with flexible array member
2024-11-06 10:42:06 +01:00
fuse
virtio: features, fixes, cleanups
2024-11-27 13:11:58 -08:00
gfs2
gfs2 changes
2024-11-26 12:34:50 -08:00
hfs
hfs: convert hfs to use the new mount api
2024-10-08 14:41:46 +02:00
hfsplus
vfs-6.13.misc
2024-11-18 09:35:30 -08:00
hostfs
hostfs: Fix the NULL vs IS_ERR() bug for __filemap_get_folio()
2024-11-15 20:55:32 +01:00
hpfs
hpfs: convert hpfs to use the new mount api
2024-10-08 14:41:53 +02:00
hugetlbfs
mm: use aligned address in clear_gigantic_page()
2024-12-18 19:04:42 -08:00
iomap
Merge branch 'ovl.fixes'
2024-11-26 18:15:06 +01:00
isofs
isofs: avoid memory leak in iocharset
2024-11-06 20:24:41 +01:00
jbd2
jbd2: Fix comment describing journal_init_common()
2024-11-13 12:56:48 -05:00
jffs2
jffs2: Fix rtime decompressor
2024-12-05 12:31:40 +01:00
jfs
A few more patches to add sanity checks in jfs
2024-11-21 09:59:59 -08:00
kernfs
lockd
NFSD 6.13 Release Notes
2024-11-26 12:59:30 -08:00
minix
buffer: Convert __block_write_begin() to take a folio
2024-08-07 11:33:36 +02:00
netfs
fscache: Remove duplicate included header
2024-11-21 09:35:25 +01:00
nfs
NFS client updates for Linux 6.13
2024-11-30 10:17:53 -08:00
nfs_common
nfs_common: must not hold RCU while calling nfsd_file_put_local
2024-11-18 20:23:12 -05:00
nfsd
NFSD 6.13 Release Notes
2024-11-26 12:59:30 -08:00
nilfs2
nilfs2: fix buffer head leaks in calls to truncate_inode_pages()
2024-12-18 19:04:45 -08:00
nls
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
notify
\n
2024-11-21 09:55:45 -08:00
ntfs3
fs/ntfs3: Accumulated refactoring changes
2024-11-01 11:19:53 +03:00
ocfs2
ocfs2: fix directory entry check in ocfs2_search_dirblock()
2024-12-18 19:49:55 -08:00
omfs
fs: Convert aops->write_begin to take a folio
2024-08-07 11:33:21 +02:00
openpromfs
openpromfs: add missing MODULE_DESCRIPTION() macro
2024-06-20 09:46:01 +02:00
orangefs
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
overlayfs
overlayfs updates for 6.13
2024-11-22 20:55:42 -08:00
proc
fs/proc/vmcore.c: fix warning when CONFIG_MMU=n
2024-12-05 19:54:42 -08:00
pstore
Get rid of 'remove_new' relic from platform driver struct
2024-12-01 15:12:43 -08:00
qnx4
qnx4: add MODULE_DESCRIPTION()
2024-05-28 11:52:53 +02:00
qnx6
qnx6: Convert directory handling to use kmap_local
2024-08-07 11:31:56 +02:00
quota
quota: flush quota_release_work upon quota writeback
2024-11-26 22:54:00 +01:00
ramfs
romfs
romfs: fix romfs_read_folio()
2024-08-21 22:32:58 +02:00
smb
four SMB3 client fixes, most also for stable
2024-12-13 17:36:02 -08:00
squashfs
Squashfs: fix variable overflow in squashfs_readpage_block
2024-10-30 20:14:12 -07:00
sysfs
sysfs: bin_attribute: add const read/write callback variants
2024-11-05 14:00:28 +01:00
sysv
buffer: Convert __block_write_begin() to take a folio
2024-08-07 11:33:36 +02:00
tests
execve: Move KUnit tests to tests/ subdirectory
2024-07-22 18:25:47 -07:00
tracefs
tracing: Fix tracefs mount options
2024-11-01 08:38:14 -04:00
ubifs
This pull request contains updates for JFFS2, UBI and UBIFS:
2024-11-30 10:32:47 -08:00
udf
udf: Verify inode link counts before performing rename
2024-11-26 22:54:24 +01:00
ufs
ufs: ufs_sb_private_info: remove unused s_{2,3}apb fields
2024-11-12 19:02:12 -05:00
unicode
Revert "unicode: Don't special case ignorable code points"
2024-12-11 14:11:23 -08:00
vboxsf
fs: Convert aops->write_end to take a folio
2024-08-07 11:32:02 +02:00
verity
fsverity: expose verified fsverity built-in signatures to LSMs
2024-08-20 14:03:18 -04:00
xfs
xfs: port xfs_ioc_start_commit to multigrain timestamps
2024-12-12 17:45:13 -08:00
zonefs
zonefs fixes for 6.12-rc2
2024-10-02 12:02:15 -07:00
aio.c
A rather large update for timekeeping and timers:
2024-11-19 16:35:06 -08:00
anon_inodes.c
attr.c
fs: handle delegated timestamps in setattr_copy_mgtime
2024-10-10 10:20:51 +02:00
backing-file.c
fs/backing_file: fix wrong argument in callback
2024-11-26 18:13:29 +01:00
bad_inode.c
binfmt_elf_fdpic.c
Revert "fs: don't block i_writecount during exec"
2024-11-27 12:51:30 +01:00
binfmt_elf.c
Revert "fs: don't block i_writecount during exec"
2024-11-27 12:51:30 +01:00
binfmt_flat.c
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
binfmt_misc.c
Revert "fs: don't block i_writecount during exec"
2024-11-27 12:51:30 +01:00
binfmt_script.c
fs: binfmt: add missing MODULE_DESCRIPTION() macros
2024-05-28 12:06:51 +02:00
bpf_fs_kfuncs.c
bpf: Add kfunc bpf_get_dentry_xattr() to read xattr from dentry
2024-08-07 11:26:54 -07:00
buffer.c
- The series "zram: optimal post-processing target selection" from
2024-11-23 09:58:07 -08:00
char_dev.c
fs: Reorganize kerneldoc parameter names
2024-10-22 11:16:57 +02:00
compat_binfmt_elf.c
binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4
2024-10-17 18:38:49 +01:00
coredump.c
coredump: add cond_resched() to dump_user_range
2024-10-22 11:16:58 +02:00
d_path.c
dax.c
fsdax: dax_unshare_iter needs to copy entire blocks
2024-10-07 13:51:47 +02:00
dcache.c
- The series "zram: optimal post-processing target selection" from
2024-11-23 09:58:07 -08:00
direct-io.c
fs/direct-io: Remove linux/prefetch.h include
2024-08-19 13:45:02 +02:00
drop_caches.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
eventfd.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
eventpoll.c
Networking changes for 6.13.
2024-11-21 08:28:08 -08:00
exec.c
Revert "fs: don't block i_writecount during exec"
2024-11-27 12:51:30 +01:00
fcntl.c
fs: require inode_owner_or_capable for F_SET_RW_HINT
2024-11-25 15:16:49 +01:00
fhandle.c
vfs-6.13.exportfs
2024-11-26 13:26:15 -08:00
file_table.c
Merge branch 'work.fdtable' into vfs.file
2024-10-30 09:58:02 +01:00
file.c
vfs-6.13.file
2024-11-18 10:30:29 -08:00
filesystems.c
fs_context.c
fs_parser.c
vfs-6.13.ovl
2024-11-18 10:45:06 -08:00
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c
Merge patch series "two little writeback cleanups v2"
2024-11-13 14:08:34 +01:00
fsopen.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
init.c
inode.c
- The series "zram: optimal post-processing target selection" from
2024-11-23 09:58:07 -08:00
internal.h
sanitize struct filename and lookup flags handling in statx
2024-11-18 14:54:10 -08:00
ioctl.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
Kconfig
reiserfs: The last commit
2024-10-21 16:29:38 +02:00
Kconfig.binfmt
exec: Add KUnit test for bprm_stack_limits()
2024-06-19 13:13:55 -07:00
kernel_read_file.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
libfs.c
sanitize struct filename and lookup flags handling in statx
2024-11-18 14:54:10 -08:00
locks.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
Makefile
reiserfs: The last commit
2024-10-21 16:29:38 +02:00
mbcache.c
mnt_idmapping.c
fuse update for 6.12
2024-09-24 15:29:42 -07:00
mount.h
vfs-6.12.mount
2024-09-16 11:15:26 +02:00
mpage.c
fs/writeback: convert wbc_account_cgroup_owner to take a folio
2024-10-28 13:26:54 +01:00
namei.c
sanitize xattr and io_uring interactions with it,
2024-11-18 12:44:25 -08:00
namespace.c
statmount: fix security option retrieval
2024-11-21 09:35:31 +01:00
nsfs.c
[tree-wide] finally take no_llseek out
2024-09-27 08:18:43 -07:00
open.c
\n
2024-11-21 09:55:45 -08:00
pidfs.c
pidfd: add ioctl to retrieve pid info
2024-10-24 13:54:51 +02:00
pipe.c
[tree-wide] finally take no_llseek out
2024-09-27 08:18:43 -07:00
pnode.c
pnode.h
posix_acl.c
acl: Annotate struct posix_acl with __counted_by()
2024-10-22 11:16:59 +02:00
proc_namespace.c
fs: rename show_mnt_opts -> show_vfsmnt_opts
2024-06-28 14:36:43 +02:00
read_write.c
the bulk of struct fd memory safety stuff
2024-11-18 12:24:06 -08:00
readdir.c
introduce "fd_pos" class, convert fdget_pos() users to it.
2024-11-03 01:28:06 -05:00
remap_range.c
convert vfs_dedupe_file_range().
2024-11-03 01:28:07 -05:00
select.c
do_pollfd(): convert to CLASS(fd)
2024-11-03 01:28:07 -05:00
seq_file.c
fs: Reorganize kerneldoc parameter names
2024-10-22 11:16:57 +02:00
signalfd.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
splice.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
stack.c
stat.c
sanitize struct filename and lookup flags handling in statx
2024-11-18 14:54:10 -08:00
statfs.c
fdget_raw() users: switch to CLASS(fd_raw)
2024-11-03 01:28:06 -05:00
super.c
fs/super.c: introduce get_tree_bdev_flags()
2024-10-21 14:30:26 +02:00
sync.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
sysctls.c
timerfd.c
A rather large update for timekeeping and timers:
2024-11-19 16:35:06 -08:00
userfaultfd.c
fork: do not invoke uffd on fork if error occurs
2024-10-28 21:40:38 -07:00
utimes.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
xattr.c
xattr: remove redundant check on variable err
2024-11-06 13:00:01 -05:00