linux-next

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-04 04:02:26 +00:00

History

Dmitry Antipov cb11e33358 ocfs2: fix directory entry check in ocfs2_search_dirblock() Syzbot has reported the following KASAN splat: BUG: KASAN: slab-use-after-free in ocfs2_search_dirblock+0x26b/0x830 Read of size 1 at addr ffff888012009982 by task repro/5388 ... Call Trace: <TASK> dump_stack_lvl+0x241/0x360 ? __pfx_dump_stack_lvl+0x10/0x10 ? __pfx__printk+0x10/0x10 ? _printk+0xd5/0x120 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x183/0x530 print_report+0x169/0x550 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x183/0x530 ? __virt_addr_valid+0x45f/0x530 ? __phys_addr+0xba/0x170 ? ocfs2_search_dirblock+0x26b/0x830 kasan_report+0x143/0x180 ? ocfs2_search_dirblock+0x26b/0x830 ocfs2_search_dirblock+0x26b/0x830 ? ocfs2_read_inode_block+0x14c/0x1e0 ? __pfx_ocfs2_search_dirblock+0x10/0x10 ? validate_chain+0x11e/0x5900 ocfs2_find_entry+0x1169/0x2780 ? mark_lock+0x9a/0x350 ? __lock_acquire+0x137a/0x2040 ? __pfx_ocfs2_find_entry+0x10/0x10 ? __pfx_lock_acquire+0x10/0x10 ? ocfs2_inode_lock_full_nested+0x17b/0x1c10 ? __pfx_lock_release+0x10/0x10 ? do_raw_spin_lock+0x14f/0x370 ? do_raw_spin_unlock+0x58/0x8b0 ? _raw_spin_unlock+0x28/0x50 ? ocfs2_inode_lock_full_nested+0xb2f/0x1c10 ? __pfx_ocfs2_inode_lock_full_nested+0x10/0x10 ocfs2_find_files_on_disk+0xff/0x360 ocfs2_lookup_ino_from_name+0xb1/0x1e0 ? __pfx_ocfs2_lookup_ino_from_name+0x10/0x10 ocfs2_lookup+0x292/0xa60 ? __pfx_ocfs2_lookup+0x10/0x10 ? from_kgid+0x1a7/0x730 ? make_vfsgid+0x46/0x90 ? HAS_UNMAPPED_ID+0xf9/0x150 ? inode_permission+0xff/0x460 ? __pfx_ocfs2_permission+0x10/0x10 ? bpf_lsm_inode_create+0x9/0x10 ? security_inode_create+0xc2/0x110 ? __pfx_ocfs2_lookup+0x10/0x10 path_openat+0x11ce/0x3470 ? __pfx_path_openat+0x10/0x10 do_filp_open+0x235/0x490 ? __pfx_do_filp_open+0x10/0x10 ? _raw_spin_unlock+0x28/0x50 ? alloc_fd+0x5a1/0x640 do_sys_openat2+0x13e/0x1d0 ? mntput_no_expire+0xc2/0x850 ? __pfx_do_sys_openat2+0x10/0x10 ? __pfx_mntput_no_expire+0x10/0x10 __x64_sys_openat+0x247/0x2a0 ? __pfx___x64_sys_openat+0x10/0x10 ? do_syscall_64+0x100/0x230 ? do_syscall_64+0xb6/0x230 do_syscall_64+0xf3/0x230 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... </TASK> This happens when 'ocfs2_search_dirblock()' makes an attempt to jump over (presumably invalid) on-disk directory entry which size exceeds 'sizeof(struct ocfs2_dir_entry)', thus touching memory used by others (including the previously freed one). So just bail out if such a directory entry is found. Link: https://lkml.kernel.org/r/20241119170745.464799-1-dmantipov@yandex.ru Fixes: `ccd979bdbc` ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") Reported-by: syzbot+b9704899e166798d57c9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=b9704899e166798d57c9 Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Joseph Qi <jiangqi903@gmail.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>		2024-12-18 19:49:55 -08:00
..
cluster	- The series "resource: A couple of cleanups" from Andy Shevchenko	2024-11-25 16:09:48 -08:00
dlm	ocfs2: remove unused errmsg function and table	2024-11-05 17:12:41 -08:00
dlmfs	ocfs2: remove SLAB_MEM_SPREAD flag usage	2024-03-14 09:17:29 -07:00
acl.c	ocfs2: convert to new timestamp accessors	2023-10-18 14:08:24 +02:00
acl.h	fs: port ->set_acl() to pass mnt_idmap	2023-01-19 09:24:27 +01:00
alloc.c	ocfs2: fix typo in comment	2024-11-05 17:12:27 -08:00
alloc.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
aops.c	ocfs2: fix uninit-value in ocfs2_get_block()	2024-09-26 14:01:45 -07:00
aops.h	ocfs2: fix uninitialized value in ocfs2_file_read_iter()	2024-11-11 17:17:04 -08:00
blockcheck.c	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
blockcheck.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
buffer_head_io.c	ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate	2024-09-09 15:15:54 -07:00
buffer_head_io.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
dcache.c	ocfs2_find_match(): there's no such thing as NULL or negative ->d_parent	2023-12-21 12:53:30 -05:00
dcache.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
dir.c	ocfs2: fix directory entry check in ocfs2_search_dirblock()	2024-12-18 19:49:55 -08:00
dir.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
dlmglue.c	ocfs2: update seq_file index in ocfs2_dlm_seq_next	2024-12-05 19:54:45 -08:00
dlmglue.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
export.c	exportfs: Remove EXPORT_OP_ASYNC_LOCK	2024-10-01 17:01:08 +02:00
export.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
extent_map.c	ocfs2: fix deadlock in ocfs2_get_system_file_inode	2024-09-26 14:01:44 -07:00
extent_map.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
file.c	- The series "resource: A couple of cleanups" from Andy Shevchenko	2024-11-25 16:09:48 -08:00
file.h	ocfs2: store cookie in private data	2024-09-12 11:58:44 +02:00
filecheck.c	ocfs2: use default_groups in kobj_type	2022-01-15 16:30:24 +02:00
filecheck.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
heartbeat.c	ocfs2: fix a typo in a comment	2022-07-29 18:12:36 -07:00
heartbeat.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
inode.c	ocfs2: fix sparse warnings	2024-04-25 21:07:04 -07:00
inode.h	quota: Properly annotate i_dquot arrays with __rcu	2024-02-08 12:04:59 +01:00
ioctl.c	ocfs2: update inode ctime in ocfs2_fileattr_set	2024-04-25 21:07:01 -07:00
ioctl.h	fs: port ->fileattr_set() to pass mnt_idmap	2023-01-19 09:24:27 +01:00
journal.c	ocfs2: fix null-ptr-deref when journal load failed.	2024-09-09 15:15:53 -07:00
journal.h	ocfs2: fix DIO failure due to insufficient transaction credits	2024-06-24 20:52:10 -07:00
Kconfig	fs: add CONFIG_BUFFER_HEAD	2023-08-02 09:13:09 -06:00
localalloc.c	ocfs2: fix the space leak in LA when releasing LA	2024-12-18 19:04:41 -08:00
localalloc.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
locks.c	ocfs2: adapt to breakup of struct file_lock	2024-02-05 13:11:43 +01:00
locks.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
Makefile	ocfs2: improve ocfs2 Makefile	2018-12-28 12:11:45 -08:00
mmap.c	fs: Convert aops->write_begin to take a folio	2024-08-07 11:33:21 +02:00
mmap.h	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
move_extents.c	ocfs2: improve write IO performance when fragmentation is high	2024-04-25 21:07:03 -07:00
move_extents.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
namei.c	ocfs2: free inode when ocfs2_get_init_inode() fails	2024-12-05 19:54:43 -08:00
namei.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
ocfs1_fs_compat.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
ocfs2_fs.h	ocfs2: improve write IO performance when fragmentation is high	2024-04-25 21:07:03 -07:00
ocfs2_ioctl.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
ocfs2_lockid.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
ocfs2_lockingver.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
ocfs2_trace.h	ocfs2: fix DIO failure due to insufficient transaction credits	2024-06-24 20:52:10 -07:00
ocfs2.h	ocfs2: constify struct ocfs2_lock_res_ops	2024-06-24 22:25:10 -07:00
quota_global.c	ocfs2: cleanup return value and mlog in ocfs2_global_read_info()	2024-09-09 16:47:43 -07:00
quota_local.c	ocfs2: cancel dqi_sync_work before freeing oinfo	2024-09-09 15:15:54 -07:00
quota.h	ocfs2: remove unused declaration in header file	2024-11-05 17:12:26 -08:00
refcounttree.c	ocfs2: reserve space for inline xattr before attaching reflink tree	2024-09-26 14:01:44 -07:00
refcounttree.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
reservations.c	ocfs2: correctly use ocfs2_find_next_zero_bit()	2024-04-25 21:07:01 -07:00
reservations.h	ocfs2: change return type of ocfs2_resmap_init	2022-04-29 14:37:58 -07:00
resize.c	ocfs2: uncache inode which has failed entering the group	2024-11-14 22:43:48 -08:00
resize.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
slot_map.c	ocfs2: Annotate struct ocfs2_slot_info with __counted_by	2023-10-02 09:48:52 -07:00
slot_map.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
stack_o2cb.c	ocfs2: constify struct ocfs2_stack_operations	2024-06-24 22:25:10 -07:00
stack_user.c	ocfs2: constify struct ocfs2_stack_operations	2024-06-24 22:25:10 -07:00
stackglue.c	fs: Remove the now superfluous sentinel elements from ctl_table array	2023-12-28 04:57:57 -08:00
stackglue.h	ocfs2: constify struct ocfs2_stack_operations	2024-06-24 22:25:10 -07:00
suballoc.c	ocfs2: speed up chain-list searching	2024-04-25 21:07:04 -07:00
suballoc.h	ocfs2: improve write IO performance when fragmentation is high	2024-04-25 21:07:03 -07:00
super.c	ocfs2: fix UBSAN warning in ocfs2_verify_volume()	2024-11-11 17:20:23 -08:00
super.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
symlink.c	ocfs2: Convert ocfs2 to read_folio	2022-05-09 16:21:46 -04:00
symlink.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
sysfile.c	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
sysfile.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
uptodate.c	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
uptodate.h	treewide: remove editor modelines and cruft	2021-05-07 00:26:34 -07:00
xattr.c	ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()	2024-11-07 14:14:59 -08:00
xattr.h	ocfs2: move ocfs2_xattr_handlers and ocfs2_xattr_handler_map to .rodata	2023-10-09 16:24:20 +02:00