From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zixuan Fu <r33s3n6@gmail.com>, TOTE Robot <oslab@tsinghua.edu.cn>,
Dave Kleikamp <dave.kleikamp@oracle.com>,
Sasha Levin <sashal@kernel.org>,
shaggy@kernel.org, jfs-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 4.9 01/11] fs: jfs: fix possible NULL pointer dereference in dbFree()
Date: Wed, 1 Jun 2022 10:00:50 -0400 [thread overview]
Message-ID: <20220601140100.2005469-1-sashal@kernel.org> (raw)
From: Zixuan Fu <r33s3n6@gmail.com>
[ Upstream commit 0d4837fdb796f99369cf7691d33de1b856bcaf1f ]
In our fault-injection testing, the variable "nblocks" in dbFree() can be
zero when kmalloc_array() fails in dtSearch(). In this case, the variable
"mp" in dbFree() would be NULL and then it is dereferenced in
"write_metapage(mp)".
The failure log is listed as follows:
[ 13.824137] BUG: kernel NULL pointer dereference, address: 0000000000000020
...
[ 13.827416] RIP: 0010:dbFree+0x5f7/0x910 [jfs]
[ 13.834341] Call Trace:
[ 13.834540] <TASK>
[ 13.834713] txFreeMap+0x7b4/0xb10 [jfs]
[ 13.835038] txUpdateMap+0x311/0x650 [jfs]
[ 13.835375] jfs_lazycommit+0x5f2/0xc70 [jfs]
[ 13.835726] ? sched_dynamic_update+0x1b0/0x1b0
[ 13.836092] kthread+0x3c2/0x4a0
[ 13.836355] ? txLockFree+0x160/0x160 [jfs]
[ 13.836763] ? kthread_unuse_mm+0x160/0x160
[ 13.837106] ret_from_fork+0x1f/0x30
[ 13.837402] </TASK>
...
This patch adds a NULL check of "mp" before "write_metapage(mp)" is called.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Zixuan Fu <r33s3n6@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 6dac48e29d28..a07fbb60ac3c 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -398,7 +398,8 @@ int dbFree(struct inode *ip, s64 blkno, s64 nblocks)
}
/* write the last buffer. */
- write_metapage(mp);
+ if (mp)
+ write_metapage(mp);
IREAD_UNLOCK(ipbmap);
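Review bot: the `if (mp)` guard before `write_metapage(mp)` only papers over the case the commit message describes (nblocks == 0 after the kmalloc_array() failure in dtSearch()), so a zero-length free now returns success silently instead of being reported; consider an explicit `if (nblocks <= 0)` check at the top of dbFree() that logs via jfs_error() and returns an error, in addition to or instead of this guard. The guard is also only correct if `mp` is initialised to NULL before the loop that assigns it, which is outside this hunk and worth confirming on the 4.9 branch, since an uninitialised `mp` would make the check pass and still dereference garbage.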
--
2.35.1