From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eryu Guan <guaneryu@gmail.com>,
	"Theodore Tso" <tytso@mit.edu>
Subject: [ 24/46] ext4: check bh in ext4_read_block_bitmap()
Date: Fri,  1 Mar 2013 11:45:12 -0800
Message-ID: <20130301194434.776456568@linuxfoundation.org>
In-Reply-To: <20130301194432.263409302@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eryu Guan <guaneryu@gmail.com>

commit 15b49132fc972c63894592f218ea5a9a61b1a18f upstream.

Validate the bh pointer before using it, since
ext4_read_block_bitmap_nowait() might return NULL.

I've seen this in fsfuzz testing.

 EXT4-fs error (device loop0): ext4_read_block_bitmap_nowait:385: comm touch: Cannot get buffer for block bitmap - block_group = 0, block_bitmap = 3925999616
 BUG: unable to handle kernel NULL pointer dereference at           (null)
 IP: [<ffffffff8121de25>] ext4_wait_block_bitmap+0x25/0xe0
 ...
 Call Trace:
  [<ffffffff8121e1e5>] ext4_read_block_bitmap+0x35/0x60
  [<ffffffff8125e9c6>] ext4_free_blocks+0x236/0xb80
  [<ffffffff811d0d36>] ? __getblk+0x36/0x70
  [<ffffffff811d0a5f>] ? __find_get_block+0x8f/0x210
  [<ffffffff81191ef3>] ? kmem_cache_free+0x33/0x140
  [<ffffffff812678e5>] ext4_xattr_release_block+0x1b5/0x1d0
  [<ffffffff812679be>] ext4_xattr_delete_inode+0xbe/0x100
  [<ffffffff81222a7c>] ext4_free_inode+0x7c/0x4d0
  [<ffffffff812277b8>] ? ext4_mark_inode_dirty+0x88/0x230
  [<ffffffff8122993c>] ext4_evict_inode+0x32c/0x490
  [<ffffffff811b8cd7>] evict+0xa7/0x1c0
  [<ffffffff811b8ed3>] iput_final+0xe3/0x170
  [<ffffffff811b8f9e>] iput+0x3e/0x50
  [<ffffffff812316fd>] ext4_add_nondir+0x4d/0x90
  [<ffffffff81231d0b>] ext4_create+0xeb/0x170
  [<ffffffff811aae9c>] vfs_create+0xac/0xd0
  [<ffffffff811ac845>] lookup_open+0x185/0x1c0
  [<ffffffff8129e3b9>] ? selinux_inode_permission+0xa9/0x170
  [<ffffffff811acb54>] do_last+0x2d4/0x7a0
  [<ffffffff811af743>] path_openat+0xb3/0x480
  [<ffffffff8116a8a1>] ? handle_mm_fault+0x251/0x3b0
  [<ffffffff811afc49>] do_filp_open+0x49/0xa0
  [<ffffffff811bbaad>] ? __alloc_fd+0xdd/0x150
  [<ffffffff8119da28>] do_sys_open+0x108/0x1f0
  [<ffffffff8119db51>] sys_open+0x21/0x30
  [<ffffffff81618959>] system_call_fastpath+0x16/0x1b

Also fix comment for ext4_read_block_bitmap_nowait()

Signed-off-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/balloc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -326,7 +326,7 @@ err_out:
 	return 0;
 }
 /**
- * ext4_read_block_bitmap()
+ * ext4_read_block_bitmap_nowait()
  * @sb:			super block
  * @block_group:	given block group
  *
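Review bot: the corrected header line ` * ext4_read_block_bitmap_nowait()` still carries no short description after the function name, while kernel-doc expects the form `name() - description`. Since the commit message says this function might return NULL, the header is also the natural place to state that, if the part of the comment below `@block_group` does not already do so.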
@@ -422,6 +422,8 @@ ext4_read_block_bitmap(struct super_bloc
 	struct buffer_head *bh;
 
 	bh = ext4_read_block_bitmap_nowait(sb, block_group);
+	if (!bh)
+		return NULL;
 	if (ext4_wait_block_bitmap(sb, block_group, bh)) {
 		put_bh(bh);
 		return NULL;
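Review bot: the `if (!bh)` check guards only this call site in ext4_read_block_bitmap(); any other caller that passes the result of ext4_read_block_bitmap_nowait() straight to ext4_wait_block_bitmap() would hit the same NULL dereference the oops shows (IP at ext4_wait_block_bitmap+0x25). It is worth auditing those callers, or rejecting a NULL bh inside ext4_wait_block_bitmap() itself so the check cannot be forgotten. Callers also now receive NULL both from this new path and from the wait-failure path below it, so they cannot tell the two apart; that looks acceptable given the "Cannot get buffer for block bitmap" error already logged, but a one-line comment on the early return would make the intent clear.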


