From: Long Li <leo.lilong@huawei.com>
To: <patchwork@huawei.com>, <liuyongqiang13@huawei.com>
Cc: <yi.zhang@huawei.com>, <houtao1@huawei.com>,
Ryusuke Konishi <konishi.ryusuke@gmail.com>,
<syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
<stable@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH openEuler-22.03-LTS] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()
Date: Tue, 1 Nov 2022 19:58:17 +0800
Message-ID: <20221101115817.GA747250@ceph-admin>
In-Reply-To: <20221101114337.726788-1-leo.lilong@huawei.com>
On Tue, Nov 01, 2022 at 07:43:37PM +0800, Long Li wrote:
> From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
>
> mainline inclusion
> from mainline-v6.0-rc3
> commit 21a87d88c2253350e115029f14fe2a10a7e6c856
> category: bugfix
> bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5X1Z4
> CVE: CVE-2022-3621
>
> Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21a87d88c2253350e115029f14fe2a10a7e6c856
>
> --------------------------------
>
> If the i_mode field in inode of metadata files is corrupted on disk, it
> can cause the initialization of bmap structure, which should have been
> called from nilfs_read_inode_common(), not to be called. This causes a
> lockdep warning followed by a NULL pointer dereference at
> nilfs_bmap_lookup_at_level().
>
> This patch fixes these issues by adding a missing sanity check for the
> i_mode field of metadata file's inode.
>
> Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Reported-by: syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com
> Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Long Li <leo.lilong@huawei.com>
> ---
> fs/nilfs2/inode.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
> index ca380c6d7825..bfe3c7ccdf50 100644
> --- a/fs/nilfs2/inode.c
> +++ b/fs/nilfs2/inode.c
> @@ -462,6 +462,8 @@ int nilfs_read_inode_common(struct inode *inode,
> inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
> inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec);
> inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
> + if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode))
> + return -EIO; /* this inode is for metadata and corrupted */
> if (inode->i_nlink == 0)
> return -ESTALE; /* this inode is deleted */
>
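Review bot: the added `!S_ISREG(inode->i_mode)` check returns -EIO with only a code comment and no log message, so when this path fires nothing tells the administrator which on-disk metadata inode was found corrupted; consider logging the inode number before `return -EIO;`. The check also calls nilfs_is_metadata_file_inode(), while the diffstat shows only two insertions in fs/nilfs2/inode.c, so for this backport confirm that the helper is already present in the openEuler-22.03-LTS tree.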
> --
> 2.31.1
>
Please skip this email; I made a mistake in my email. I'm very sorry
for my misoperation.