From: Greg KH <gregkh@linuxfoundation.org>
To: Sasha Levin <sashal@kernel.org>
Cc: Leah Rumancik <leah.rumancik@gmail.com>,
stable@vger.kernel.org, linux-xfs@vger.kernel.org,
amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com,
ChenXiaoSong <chenxiaosong2@huawei.com>,
Guo Xuenan <guoxuenan@huawei.com>,
"Darrick J . Wong" <djwong@kernel.org>,
Chandan Babu R <chandanbabu@kernel.org>
Subject: Re: [PATCH 5.15 09/17] xfs: fix NULL pointer dereference in xfs_getbmap()
Date: Tue, 21 Nov 2023 06:17:05 +0100
Message-ID: <2023112134-hydrogen-length-1663@gregkh>
In-Reply-To: <ZVwbBaNExKrc35jw@sashalap>
On Mon, Nov 20, 2023 at 09:50:45PM -0500, Sasha Levin wrote:
> On Mon, Nov 20, 2023 at 04:38:24PM +0100, Greg KH wrote:
> > On Wed, Nov 15, 2023 at 06:28:25PM -0800, Leah Rumancik wrote:
> > > From: ChenXiaoSong <chenxiaosong2@huawei.com>
> > >
> > > [ Upstream commit 001c179c4e26d04db8c9f5e3fef9558b58356be6 ]
> > >
> > > Reproducer:
> > > 1. fallocate -l 100M image
> > > 2. mkfs.xfs -f image
> > > 3. mount image /mnt
> > > 4. setxattr("/mnt", "trusted.overlay.upper", NULL, 0, XATTR_CREATE)
> > > 5. char arg[32] = "\x01\xff\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00"
> > >                   "\x00\x00\x00\x00\x00\x08\x00\x00\x00\xc6\x2a\xf7";
> > >    fd = open("/mnt", O_RDONLY|O_DIRECTORY);
> > >    ioctl(fd, _IOC(_IOC_READ|_IOC_WRITE, 0x58, 0x2c, 0x20), arg);
> > >
> > > NULL pointer dereference will occur when race happens between xfs_getbmap()
> > > and xfs_bmap_set_attrforkoff():
> > >
> > >            ioctl            |        setxattr
> > > ----------------------------|---------------------------
> > > xfs_getbmap                 |
> > >   xfs_ifork_ptr             |
> > >     xfs_inode_has_attr_fork |
> > >       ip->i_forkoff == 0    |
> > >     return NULL             |
> > >   ifp == NULL               |
> > >                             | xfs_bmap_set_attrforkoff
> > >                             |   ip->i_forkoff > 0
> > >   xfs_inode_has_attr_fork   |
> > >     ip->i_forkoff > 0       |
> > >   ifp == NULL               |
> > >   ifp->if_format            |
> > >
> > > Fix this by locking i_lock before xfs_ifork_ptr().
> > >
> > > Fixes: abbf9e8a4507 ("xfs: rewrite getbmap using the xfs_iext_* helpers")
> > > Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
> > > Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
> > > Reviewed-by: Darrick J. Wong <djwong@kernel.org>
> > > [djwong: added fixes tag]
> > > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> > > Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
> > > Acked-by: Chandan Babu R <chandanbabu@kernel.org>
> > > ---
> > > fs/xfs/xfs_bmap_util.c | 17 +++++++++--------
> > > 1 file changed, 9 insertions(+), 8 deletions(-)
> > >
> > > diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
> > > index fd2ad6a3019c..bea6cc26abf9 100644
> > > --- a/fs/xfs/xfs_bmap_util.c
> > > +++ b/fs/xfs/xfs_bmap_util.c
> > > @@ -439,29 +439,28 @@ xfs_getbmap(
> > > whichfork = XFS_COW_FORK;
> > > else
> > > whichfork = XFS_DATA_FORK;
> > > - ifp = XFS_IFORK_PTR(ip, whichfork);
> > >
> > > xfs_ilock(ip, XFS_IOLOCK_SHARED);
> > > switch (whichfork) {
> > > case XFS_ATTR_FORK:
> > > + lock = xfs_ilock_attr_map_shared(ip);
> > > if (!XFS_IFORK_Q(ip))
> > > - goto out_unlock_iolock;
> > > + goto out_unlock_ilock;
> > >
> > > max_len = 1LL << 32;
> > > - lock = xfs_ilock_attr_map_shared(ip);
> > > break;
> > > case XFS_COW_FORK:
> > > + lock = XFS_ILOCK_SHARED;
> > > + xfs_ilock(ip, lock);
> > > +
> > > /* No CoW fork? Just return */
> > > - if (!ifp)
> > > - goto out_unlock_iolock;
> > > + if (!XFS_IFORK_PTR(ip, whichfork))
> > > + goto out_unlock_ilock;
> > >
> > > if (xfs_get_cowextsz_hint(ip))
> > > max_len = mp->m_super->s_maxbytes;
> > > else
> > > max_len = XFS_ISIZE(ip);
> > > -
> > > - lock = XFS_ILOCK_SHARED;
> > > - xfs_ilock(ip, lock);
> > > break;
> > > case XFS_DATA_FORK:
> > > if (!(iflags & BMV_IF_DELALLOC) &&
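Review bot: the new `if (!XFS_IFORK_PTR(ip, whichfork))` in the XFS_COW_FORK case does not build in this tree with gcc-12, as the error quoted later in the thread shows: here XFS_IFORK_PTR is a macro whose expansion includes `&ip->i_df`, and -Werror=address rejects testing that address for NULL. Upstream uses an inline xfs_ifork_ptr() helper, so the 5.15 backport needs a different check, for example testing the CoW fork pointer directly (`if (!ip->i_cowfp)`) or keeping the original `ifp` assignment but moving it below the xfs_ilock() call. Separately, moving `lock = xfs_ilock_attr_map_shared(ip)` ahead of the XFS_IFORK_Q() test turns that early exit into `goto out_unlock_ilock`; that label is outside the visible context, so confirm it releases `lock` on this path.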
> > > @@ -491,6 +490,8 @@ xfs_getbmap(
> > > break;
> > > }
> > >
> > > + ifp = XFS_IFORK_PTR(ip, whichfork);
> > > +
> > > switch (ifp->if_format) {
> > > case XFS_DINODE_FMT_EXTENTS:
> > > case XFS_DINODE_FMT_BTREE:
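Review bot: relocating `ifp = XFS_IFORK_PTR(ip, whichfork)` to after the per-fork lock is held is the actual fix for the race in the commit message, but it only closes the window if every branch of the preceding switch has acquired `lock` before reaching this point; the XFS_DATA_FORK case is outside the visible context, so confirm it takes the ilock as well. The following `switch (ifp->if_format)` still dereferences `ifp` unconditionally, which is safe for the attr and CoW forks only because of the two `goto out_unlock_ilock` exits above; a one-line comment stating that invariant next to the assignment would help the next backporter.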
> > > --
> > > 2.43.0.rc0.421.g78406f8d94-goog
> > >
> >
> > This patch breaks the build, how was it tested?
> >
> > fs/xfs/xfs_bmap_util.c: In function ‘xfs_getbmap’:
> > fs/xfs/xfs_bmap_util.c:457:21: error: the comparison will always evaluate as ‘true’ for the address of ‘i_df’ will never be NULL [-Werror=address]
> > 457 | if (!XFS_IFORK_PTR(ip, whichfork))
> > | ^
> > In file included from fs/xfs/xfs_bmap_util.c:16:
> > fs/xfs/xfs_inode.h:38:33: note: ‘i_df’ declared here
> > 38 | struct xfs_ifork i_df; /* data fork */
> > | ^~~~
> > cc1: all warnings being treated as errors
>
> That's odd. I actually ended up queueing these patches earlier, and I
> don't see any such warnings.
>
> Looking at the code, this is a bit weird too - do you see these warnings
> with the current 5.15 queue?
I did, that's where I saw this, so I dropped this commit from there, it
failed my builds using gcc-12.
thanks,
greg k-h
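The race in the quoted commit message is a check-then-use ordering bug: the fork pointer is read before the inode lock and then gated on a different test under the lock. The following is an added C model, not code from the patch or the XFS tree, that reproduces that ordering deterministically with a hook standing in for the concurrent setxattr and shows why taking the lock before reading the fork pointer closes the window. All struct and function names are hypothetical stand-ins for the kernel ones.

```c
#include <stddef.h>

struct ifork { int if_format; };
/* Hypothetical stand-in for struct xfs_inode: only the fields the race needs. */
struct inode {
    int i_forkoff;          /* 0 == no attr fork; set by setxattr */
    struct ifork *i_afp;    /* attr fork, published together with i_forkoff */
};
static int inode_has_attr_fork(const struct inode *ip) { return ip->i_forkoff > 0; }
/* Models xfs_ifork_ptr(): NULL until the attr fork exists. */
static struct ifork *ifork_ptr(struct inode *ip) {
    return inode_has_attr_fork(ip) ? ip->i_afp : NULL;
}

/* Models xfs_bmap_set_attrforkoff() on another CPU (it holds ILOCK_EXCL there). */
static void set_attrforkoff(struct inode *ip, struct ifork *fork) {
    ip->i_afp = fork;
    ip->i_forkoff = 8;
}

typedef void (*interleave_fn)(struct inode *);

/* Pre-patch order: fetch ifp before the lock, then gate on a different test. */
static int getbmap_racy(struct inode *ip, interleave_fn other_cpu) {
    struct ifork *ifp = ifork_ptr(ip);   /* no attr fork yet: NULL */
    other_cpu(ip);                       /* setxattr lands in the window */
    /* xfs_ilock(ip, XFS_ILOCK_SHARED) would be taken here */
    if (!inode_has_attr_fork(ip))
        return -1;                       /* nothing to map */
    if (ifp == NULL)
        return -2;                       /* stale NULL passed the gate: kernel would oops on ifp->if_format */
    return ifp->if_format;
}

/* Patched order: lock first, then check and fetch under that lock. */
static int getbmap_fixed(struct inode *ip, interleave_fn other_cpu) {
    other_cpu(ip);                       /* a writer can only run before we hold the lock */
    /* xfs_ilock(ip, XFS_ILOCK_SHARED) taken here; both reads below are consistent */
    if (!inode_has_attr_fork(ip))
        return -1;
    return ifork_ptr(ip)->if_format;
}

static struct ifork demo_fork = { .if_format = 2 };   /* constructed sample format value */
static void demo_setxattr(struct inode *ip) { set_attrforkoff(ip, &demo_fork); }

/* Constructed scenario: inode without an attr fork, setxattr racing with getbmap. */
int demo_racy(void)  { struct inode ip = { 0, NULL }; return getbmap_racy(&ip, demo_setxattr); }
int demo_fixed(void) { struct inode ip = { 0, NULL }; return getbmap_fixed(&ip, demo_setxattr); }
```

The racy variant returns -2 (the point where the kernel dereferences a NULL ifp), while the patched ordering sees the fork consistently and returns its format.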