linux-fsdevel.vger.kernel.org archive mirror
* [PATCH] exfat: bail out on -EIO in exfat_find_empty_entry()
@ 2024-12-13 16:17 Dmitry Antipov
  2024-12-16 23:36 ` Namjae Jeon
  0 siblings, 1 reply; 2+ messages in thread
From: Dmitry Antipov @ 2024-12-13 16:17 UTC (permalink / raw)
  To: Namjae Jeon, Sungjong Seo
  Cc: Yuezhang Mo, linux-fsdevel, lvc-project, Dmitry Antipov,
	syzbot+8f8fe64a30c50b289a18

Syzbot has reported the following KASAN splat:

KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
...
Call Trace:
 <TASK>
 ...
 ? exfat_get_dentry_cached+0xb6/0x1b0
 ? exfat_get_dentry_cached+0x11a/0x1b0
 ? exfat_get_dentry_cached+0xb6/0x1b0
 exfat_init_ext_entry+0x1b6/0x3b0
 exfat_add_entry+0x321/0x7a0
 ? __pfx_exfat_add_entry+0x10/0x10
 ? __lock_acquire+0x15a9/0x3c40
 ? __pfx___lock_acquire+0x10/0x10
 ? _raw_spin_unlock_irqrestore+0x52/0x80
 ? do_raw_spin_unlock+0x53/0x230
 ? _raw_spin_unlock+0x28/0x50
 ? exfat_set_vol_flags+0x23f/0x2f0
 exfat_create+0x1cf/0x5c0
 ...
 path_openat+0x904/0x2d60
 ? __pfx_path_openat+0x10/0x10
 ? __pfx___lock_acquire+0x10/0x10
 ? lock_acquire.part.0+0x11b/0x380
 ? find_held_lock+0x2d/0x110
 do_filp_open+0x20c/0x470
 ? __pfx_do_filp_open+0x10/0x10
 ? find_held_lock+0x2d/0x110
 ? _raw_spin_unlock+0x28/0x50
 ? alloc_fd+0x41f/0x760
 do_sys_openat2+0x17a/0x1e0
 ? __pfx_do_sys_openat2+0x10/0x10
 ? __pfx_sigprocmask+0x10/0x10
 __x64_sys_creat+0xcd/0x120
 ...
</TASK>

On exFAT with damaged directory structure, 'exfat_search_empty_slot()'
may issue an attempt to access beyond end of device and return -EIO.
So catch this error in 'exfat_find_empty_entry()', do not create an
invalid in-memory directory structure and do not confuse the rest
of the filesystem code further.

Reported-by: syzbot+8f8fe64a30c50b289a18@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8f8fe64a30c50b289a18
Fixes: 5f2aa075070c ("exfat: add inode operations")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 fs/exfat/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
index 97d2774760fe..73dbc5cdf388 100644
--- a/fs/exfat/namei.c
+++ b/fs/exfat/namei.c
@@ -331,7 +331,7 @@ static int exfat_find_empty_entry(struct inode *inode,
 	while ((dentry = exfat_search_empty_slot(sb, &hint_femp, p_dir,
 					num_entries, es)) < 0) {
 		if (dentry == -EIO)
-			break;
+			return -EIO;
 
 		if (exfat_check_max_dentries(inode))
 			return -ENOSPC;
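Review bot: The changelog does not explain what the code after the loop did with the negative `dentry` once `break` was taken at `if (dentry == -EIO)`, so the path from the -EIO return to the null-ptr-deref under exfat_init_ext_entry() in the trace has to be inferred. A sentence in the commit message describing how the error value was consumed after the loop would make the fix easier to verify and backport. The direct `return -EIO;` is consistent with the existing `return -ENOSPC;` two lines below, which suggests no cleanup is needed on this exit, but that is worth confirming against the part of the function above the hunk.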
-- 
2.47.1



* Re: [PATCH] exfat: bail out on -EIO in exfat_find_empty_entry()
  2024-12-13 16:17 [PATCH] exfat: bail out on -EIO in exfat_find_empty_entry() Dmitry Antipov
@ 2024-12-16 23:36 ` Namjae Jeon
  0 siblings, 0 replies; 2+ messages in thread
From: Namjae Jeon @ 2024-12-16 23:36 UTC (permalink / raw)
  To: Dmitry Antipov
  Cc: Sungjong Seo, Yuezhang Mo, linux-fsdevel, lvc-project,
	syzbot+8f8fe64a30c50b289a18

On Sat, Dec 14, 2024 at 1:18 AM Dmitry Antipov <dmantipov@yandex.ru> wrote:
>
> Syzbot has reported the following KASAN splat:
>
> KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
> ...
> Call Trace:
>  <TASK>
>  ...
>  ? exfat_get_dentry_cached+0xb6/0x1b0
>  ? exfat_get_dentry_cached+0x11a/0x1b0
>  ? exfat_get_dentry_cached+0xb6/0x1b0
>  exfat_init_ext_entry+0x1b6/0x3b0
>  exfat_add_entry+0x321/0x7a0
>  ? __pfx_exfat_add_entry+0x10/0x10
>  ? __lock_acquire+0x15a9/0x3c40
>  ? __pfx___lock_acquire+0x10/0x10
>  ? _raw_spin_unlock_irqrestore+0x52/0x80
>  ? do_raw_spin_unlock+0x53/0x230
>  ? _raw_spin_unlock+0x28/0x50
>  ? exfat_set_vol_flags+0x23f/0x2f0
>  exfat_create+0x1cf/0x5c0
>  ...
>  path_openat+0x904/0x2d60
>  ? __pfx_path_openat+0x10/0x10
>  ? __pfx___lock_acquire+0x10/0x10
>  ? lock_acquire.part.0+0x11b/0x380
>  ? find_held_lock+0x2d/0x110
>  do_filp_open+0x20c/0x470
>  ? __pfx_do_filp_open+0x10/0x10
>  ? find_held_lock+0x2d/0x110
>  ? _raw_spin_unlock+0x28/0x50
>  ? alloc_fd+0x41f/0x760
>  do_sys_openat2+0x17a/0x1e0
>  ? __pfx_do_sys_openat2+0x10/0x10
>  ? __pfx_sigprocmask+0x10/0x10
>  __x64_sys_creat+0xcd/0x120
>  ...
> </TASK>
>
> On exFAT with damaged directory structure, 'exfat_search_empty_slot()'
> may issue an attempt to access beyond end of device and return -EIO.
> So catch this error in 'exfat_find_empty_entry()', do not create an
> invalid in-memory directory structure and do not confuse the rest
> of the filesystem code further.
>
> Reported-by: syzbot+8f8fe64a30c50b289a18@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=8f8fe64a30c50b289a18
> Fixes: 5f2aa075070c ("exfat: add inode operations")
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
>  fs/exfat/namei.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
> index 97d2774760fe..73dbc5cdf388 100644
> --- a/fs/exfat/namei.c
> +++ b/fs/exfat/namei.c
> @@ -331,7 +331,7 @@ static int exfat_find_empty_entry(struct inode *inode,
>         while ((dentry = exfat_search_empty_slot(sb, &hint_femp, p_dir,
>                                         num_entries, es)) < 0) {
>                 if (dentry == -EIO)
> -                       break;
> +                       return -EIO;
Sorry, I have already applied Yuezhang's patch that fixed this issue.
https://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat.git/commit/?h=dev&id=744e50c7e25a0e743f30003137f8413dcd107bb0

Thanks.
>
>                 if (exfat_check_max_dentries(inode))
>                         return -ENOSPC;
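Review bot: Only -EIO is treated as fatal at `if (dentry == -EIO)`; every other negative value from exfat_search_empty_slot() still falls through to exfat_check_max_dentries() and the rest of the loop body as if it meant "no free slot". If that helper can return any other error code, it would be handled as a full directory rather than propagated, so consider documenting the expected return values in a comment here, or returning `dentry` for every error that is not the no-space case.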
> --
> 2.47.1
>
