From: Anand Jain <anand.jain@oracle.com>
To: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH 1/3] btrfs: Fix wrong check in btrfs_free_dummy_root()
Date: Tue, 1 Nov 2022 12:10:43 +0800
Message-ID: <93a2df66-a60b-47a7-11af-24861fb22d86@oracle.com>
In-Reply-To: <20221101025356.1643836-2-zhangxiaoxu5@huawei.com>

On 11/1/22 10:53, Zhang Xiaoxu wrote:
> btrfs_alloc_dummy_root() uses ERR_PTR as the error return value
> rather than NULL; if an error happens, there will be a null-ptr-deref
> when freeing the dummy root:
>
> BUG: KASAN: null-ptr-deref in btrfs_free_dummy_root+0x21/0x50 [btrfs]
> Read of size 8 at addr 000000000000002c by task insmod/258926
>
> CPU: 2 PID: 258926 Comm: insmod Tainted: G W 6.1.0-rc2+ #5
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x34/0x44
> kasan_report+0xb7/0x140
> kasan_check_range+0x145/0x1a0
> btrfs_free_dummy_root+0x21/0x50 [btrfs]
> btrfs_test_free_space_cache+0x1a8c/0x1add [btrfs]
> btrfs_run_sanity_tests+0x65/0x80 [btrfs]
> init_btrfs_fs+0xec/0x154 [btrfs]
> do_one_initcall+0x87/0x2a0
> do_init_module+0xdf/0x320
> load_module+0x3006/0x3390
> __do_sys_finit_module+0x113/0x1b0
> do_syscall_64+0x35/0x80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> Fixes: aaedb55bc08f ("Btrfs: add tests for btrfs_get_extent")
> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
> ---
> fs/btrfs/tests/btrfs-tests.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/btrfs/tests/btrfs-tests.c b/fs/btrfs/tests/btrfs-tests.c
> index 9c478fa256f6..d43cb5242fec 100644
> --- a/fs/btrfs/tests/btrfs-tests.c
> +++ b/fs/btrfs/tests/btrfs-tests.c
> @@ -200,7 +200,7 @@ void btrfs_free_dummy_fs_info(struct btrfs_fs_info *fs_info)
>
> void btrfs_free_dummy_root(struct btrfs_root *root)
> {
> - if (!root)
> + if (IS_ERR_OR_NULL(root))
> return;
> /* Will be freed by btrfs_free_fs_roots */
> if (WARN_ON(test_bit(BTRFS_ROOT_IN_RADIX, &root->state)))
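
Review bot: In btrfs_free_dummy_root(), the new `if (IS_ERR_OR_NULL(root))` guard makes a free helper accept error pointers, and nothing at the check says why. A one-line comment above it, noting that btrfs_alloc_dummy_root() reports failure as an ERR_PTR and that callers pass that value on to this function, would keep a later cleanup from narrowing the test back to `!root`. Keeping the NULL half (IS_ERR_OR_NULL rather than IS_ERR) preserves the behaviour of the removed `if (!root)` line, which is the right call.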
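
A user-space model of the bug described in the commit message, added here as an example (not code from the patch or from btrfs): it shows that an error pointer passes the old `!root` guard and where the following read of `root->state` would land. The macros mirror the kernel's error-pointer helpers; `struct dummy_root`, the 0x38 offset of `state`, the `-ENOMEM` failure and the function names are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space equivalents of the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095
#define ERR_PTR(err)      ((void *)(intptr_t)(err))
#define IS_ERR(p)         ((uintptr_t)(p) >= (uintptr_t)(-MAX_ERRNO))
#define IS_ERR_OR_NULL(p) (!(p) || IS_ERR(p))

/* Stand-in for struct btrfs_root; placing `state` at 0x38 is an assumption. */
struct dummy_root {
    char pad[0x38];
    unsigned long state;
};

/* Hypothetical allocator: reports failure as ERR_PTR(-ENOMEM), never NULL. */
static struct dummy_root *alloc_dummy_root(int fail)
{
    static struct dummy_root r;
    return fail ? (struct dummy_root *)ERR_PTR(-ENOMEM) : &r;
}

/* Old guard `if (!root) return;`: returns 1 if root->state would be read. */
static int old_guard_derefs(const struct dummy_root *root)
{
    return root != NULL;
}

/* New guard `if (IS_ERR_OR_NULL(root)) return;`. */
static int new_guard_derefs(const struct dummy_root *root)
{
    return !IS_ERR_OR_NULL(root);
}

/* Address a read of root->state would touch, computed without dereferencing. */
static uintptr_t state_addr(const struct dummy_root *root)
{
    return (uintptr_t)root + offsetof(struct dummy_root, state);
}

int main(void)
{
    struct dummy_root *root = alloc_dummy_root(1);   /* constructed failure */
    printf("old guard reads state: %d, at 0x%lx\n",
           old_guard_derefs(root), (unsigned long)state_addr(root));
    printf("new guard reads state: %d\n", new_guard_derefs(root));
    return 0;
}
```

With these assumed values the computed address wraps around to 0x2c, a small address in the first page like the one in the KASAN report above, which is why a bad error pointer shows up as a null-ptr-deref.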
Thread overview: 9+ messages
2022-11-01 2:53 [PATCH 0/3] Fix UAF and kmemleak when sanity test Zhang Xiaoxu
2022-11-01 2:53 ` [PATCH 1/3] btrfs: Fix wrong check in btrfs_free_dummy_root() Zhang Xiaoxu
2022-11-01 4:10 ` Anand Jain [this message]
2022-11-03 16:44 ` David Sterba
2022-11-04 1:09 ` zhangxiaoxu (A)
2022-11-01 2:53 ` [PATCH 2/3] btrfs: Fix uaf of the ulist in test_multiple_refs() Zhang Xiaoxu
2022-11-01 8:18 ` Filipe Manana
2022-11-01 2:53 ` [PATCH 3/3] btrfs: Fix ulist memory leak " Zhang Xiaoxu
2022-11-01 8:15 ` Filipe Manana