Namjae Jeon 8ff006e57a exfat: fix use of uninitialized spinlock on error path
syzbot reported warning message:

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d6/0x29e lib/dump_stack.c:118
 register_lock_class+0xf06/0x1520 kernel/locking/lockdep.c:893
 __lock_acquire+0xfd/0x2ae0 kernel/locking/lockdep.c:4320
 lock_acquire+0x148/0x720 kernel/locking/lockdep.c:5029
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:354 [inline]
 exfat_cache_inval_inode+0x30/0x280 fs/exfat/cache.c:226
 exfat_evict_inode+0x124/0x270 fs/exfat/inode.c:660
 evict+0x2bb/0x6d0 fs/inode.c:576
 exfat_fill_super+0x1e07/0x27d0 fs/exfat/super.c:681
 get_tree_bdev+0x3e9/0x5f0 fs/super.c:1342
 vfs_get_tree+0x88/0x270 fs/super.c:1547
 do_new_mount fs/namespace.c:2875 [inline]
 path_mount+0x179d/0x29e0 fs/namespace.c:3192
 do_mount fs/namespace.c:3205 [inline]
 __do_sys_mount fs/namespace.c:3413 [inline]
 __se_sys_mount+0x126/0x180 fs/namespace.c:3390
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

If exfat_read_root() returns an error, spinlock is used in
exfat_evict_inode() without initialization. This patch combines
exfat_cache_init_inode() with exfat_inode_init_once() to initialize
spinlock by slab constructor.

Fixes: c35b6810c495 ("exfat: add exfat cache")
Cc: stable@vger.kernel.org # v5.7+
Reported-by: syzbot <syzbot+b91107320911a26c9a95@syzkaller.appspotmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
2020-10-07 14:27:13 +09:00

315 lines
7.4 KiB
C

// SPDX-License-Identifier: GPL-2.0-or-later
/*
* linux/fs/fat/cache.c
*
* Written 1992,1993 by Werner Almesberger
*
* Mar 1999. AV. Changed cache, so that it uses the starting cluster instead
* of inode number.
* May 1999. AV. Fixed the bogosity with FAT32 (read "FAT28"). Fscking lusers.
* Copyright (C) 2012-2013 Samsung Electronics Co., Ltd.
*/
#include <linux/slab.h>
#include <asm/unaligned.h>
#include <linux/buffer_head.h>
#include "exfat_raw.h"
#include "exfat_fs.h"
#define EXFAT_MAX_CACHE 16
struct exfat_cache {
struct list_head cache_list;
unsigned int nr_contig; /* number of contiguous clusters */
unsigned int fcluster; /* cluster number in the file. */
unsigned int dcluster; /* cluster number on disk. */
};
struct exfat_cache_id {
unsigned int id;
unsigned int nr_contig;
unsigned int fcluster;
unsigned int dcluster;
};
static struct kmem_cache *exfat_cachep;
static void exfat_cache_init_once(void *c)
{
struct exfat_cache *cache = (struct exfat_cache *)c;
INIT_LIST_HEAD(&cache->cache_list);
}
int exfat_cache_init(void)
{
exfat_cachep = kmem_cache_create("exfat_cache",
sizeof(struct exfat_cache),
0, SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
exfat_cache_init_once);
if (!exfat_cachep)
return -ENOMEM;
return 0;
}
void exfat_cache_shutdown(void)
{
if (!exfat_cachep)
return;
kmem_cache_destroy(exfat_cachep);
}
static inline struct exfat_cache *exfat_cache_alloc(void)
{
return kmem_cache_alloc(exfat_cachep, GFP_NOFS);
}
static inline void exfat_cache_free(struct exfat_cache *cache)
{
WARN_ON(!list_empty(&cache->cache_list));
kmem_cache_free(exfat_cachep, cache);
}
static inline void exfat_cache_update_lru(struct inode *inode,
struct exfat_cache *cache)
{
struct exfat_inode_info *ei = EXFAT_I(inode);
if (ei->cache_lru.next != &cache->cache_list)
list_move(&cache->cache_list, &ei->cache_lru);
}
static unsigned int exfat_cache_lookup(struct inode *inode,
unsigned int fclus, struct exfat_cache_id *cid,
unsigned int *cached_fclus, unsigned int *cached_dclus)
{
struct exfat_inode_info *ei = EXFAT_I(inode);
static struct exfat_cache nohit = { .fcluster = 0, };
struct exfat_cache *hit = &nohit, *p;
unsigned int offset = EXFAT_EOF_CLUSTER;
spin_lock(&ei->cache_lru_lock);
list_for_each_entry(p, &ei->cache_lru, cache_list) {
/* Find the cache of "fclus" or nearest cache. */
if (p->fcluster <= fclus && hit->fcluster < p->fcluster) {
hit = p;
if (hit->fcluster + hit->nr_contig < fclus) {
offset = hit->nr_contig;
} else {
offset = fclus - hit->fcluster;
break;
}
}
}
if (hit != &nohit) {
exfat_cache_update_lru(inode, hit);
cid->id = ei->cache_valid_id;
cid->nr_contig = hit->nr_contig;
cid->fcluster = hit->fcluster;
cid->dcluster = hit->dcluster;
*cached_fclus = cid->fcluster + offset;
*cached_dclus = cid->dcluster + offset;
}
spin_unlock(&ei->cache_lru_lock);
return offset;
}
static struct exfat_cache *exfat_cache_merge(struct inode *inode,
struct exfat_cache_id *new)
{
struct exfat_inode_info *ei = EXFAT_I(inode);
struct exfat_cache *p;
list_for_each_entry(p, &ei->cache_lru, cache_list) {
/* Find the same part as "new" in cluster-chain. */
if (p->fcluster == new->fcluster) {
if (new->nr_contig > p->nr_contig)
p->nr_contig = new->nr_contig;
return p;
}
}
return NULL;
}
static void exfat_cache_add(struct inode *inode,
struct exfat_cache_id *new)
{
struct exfat_inode_info *ei = EXFAT_I(inode);
struct exfat_cache *cache, *tmp;
if (new->fcluster == EXFAT_EOF_CLUSTER) /* dummy cache */
return;
spin_lock(&ei->cache_lru_lock);
if (new->id != EXFAT_CACHE_VALID &&
new->id != ei->cache_valid_id)
goto unlock; /* this cache was invalidated */
cache = exfat_cache_merge(inode, new);
if (cache == NULL) {
if (ei->nr_caches < EXFAT_MAX_CACHE) {
ei->nr_caches++;
spin_unlock(&ei->cache_lru_lock);
tmp = exfat_cache_alloc();
if (!tmp) {
spin_lock(&ei->cache_lru_lock);
ei->nr_caches--;
spin_unlock(&ei->cache_lru_lock);
return;
}
spin_lock(&ei->cache_lru_lock);
cache = exfat_cache_merge(inode, new);
if (cache != NULL) {
ei->nr_caches--;
exfat_cache_free(tmp);
goto out_update_lru;
}
cache = tmp;
} else {
struct list_head *p = ei->cache_lru.prev;
cache = list_entry(p,
struct exfat_cache, cache_list);
}
cache->fcluster = new->fcluster;
cache->dcluster = new->dcluster;
cache->nr_contig = new->nr_contig;
}
out_update_lru:
exfat_cache_update_lru(inode, cache);
unlock:
spin_unlock(&ei->cache_lru_lock);
}
/*
* Cache invalidation occurs rarely, thus the LRU chain is not updated. It
* fixes itself after a while.
*/
static void __exfat_cache_inval_inode(struct inode *inode)
{
struct exfat_inode_info *ei = EXFAT_I(inode);
struct exfat_cache *cache;
while (!list_empty(&ei->cache_lru)) {
cache = list_entry(ei->cache_lru.next,
struct exfat_cache, cache_list);
list_del_init(&cache->cache_list);
ei->nr_caches--;
exfat_cache_free(cache);
}
/* Update. The copy of caches before this id is discarded. */
ei->cache_valid_id++;
if (ei->cache_valid_id == EXFAT_CACHE_VALID)
ei->cache_valid_id++;
}
void exfat_cache_inval_inode(struct inode *inode)
{
struct exfat_inode_info *ei = EXFAT_I(inode);
spin_lock(&ei->cache_lru_lock);
__exfat_cache_inval_inode(inode);
spin_unlock(&ei->cache_lru_lock);
}
static inline int cache_contiguous(struct exfat_cache_id *cid,
unsigned int dclus)
{
cid->nr_contig++;
return cid->dcluster + cid->nr_contig == dclus;
}
static inline void cache_init(struct exfat_cache_id *cid,
unsigned int fclus, unsigned int dclus)
{
cid->id = EXFAT_CACHE_VALID;
cid->fcluster = fclus;
cid->dcluster = dclus;
cid->nr_contig = 0;
}
int exfat_get_cluster(struct inode *inode, unsigned int cluster,
unsigned int *fclus, unsigned int *dclus,
unsigned int *last_dclus, int allow_eof)
{
struct super_block *sb = inode->i_sb;
struct exfat_sb_info *sbi = EXFAT_SB(sb);
unsigned int limit = sbi->num_clusters;
struct exfat_inode_info *ei = EXFAT_I(inode);
struct exfat_cache_id cid;
unsigned int content;
if (ei->start_clu == EXFAT_FREE_CLUSTER) {
exfat_fs_error(sb,
"invalid access to exfat cache (entry 0x%08x)",
ei->start_clu);
return -EIO;
}
*fclus = 0;
*dclus = ei->start_clu;
*last_dclus = *dclus;
/*
* Don`t use exfat_cache if zero offset or non-cluster allocation
*/
if (cluster == 0 || *dclus == EXFAT_EOF_CLUSTER)
return 0;
cache_init(&cid, EXFAT_EOF_CLUSTER, EXFAT_EOF_CLUSTER);
if (exfat_cache_lookup(inode, cluster, &cid, fclus, dclus) ==
EXFAT_EOF_CLUSTER) {
/*
* dummy, always not contiguous
* This is reinitialized by cache_init(), later.
*/
WARN_ON(cid.id != EXFAT_CACHE_VALID ||
cid.fcluster != EXFAT_EOF_CLUSTER ||
cid.dcluster != EXFAT_EOF_CLUSTER ||
cid.nr_contig != 0);
}
if (*fclus == cluster)
return 0;
while (*fclus < cluster) {
/* prevent the infinite loop of cluster chain */
if (*fclus > limit) {
exfat_fs_error(sb,
"detected the cluster chain loop (i_pos %u)",
(*fclus));
return -EIO;
}
if (exfat_ent_get(sb, *dclus, &content))
return -EIO;
*last_dclus = *dclus;
*dclus = content;
(*fclus)++;
if (content == EXFAT_EOF_CLUSTER) {
if (!allow_eof) {
exfat_fs_error(sb,
"invalid cluster chain (i_pos %u, last_clus 0x%08x is EOF)",
*fclus, (*last_dclus));
return -EIO;
}
break;
}
if (!cache_contiguous(&cid, *dclus))
cache_init(&cid, *fclus, *dclus);
}
exfat_cache_add(inode, &cid);
return 0;
}