[RFC PATCH] quota: Fix possible GFP due to uninitialised pointers

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [RFC PATCH] quota: Fix possible GFP due to uninitialised pointers
@ 2016-03-02 16:19 Nikolay Borisov
  2016-03-03 10:00 ` Jan Kara
  0 siblings, 1 reply; 2+ messages in thread
From: Nikolay Borisov @ 2016-03-02 16:19 UTC (permalink / raw)
  To: jack; +Cc: linux-kernel

While debugging some issues with quota I realized that
it's possible to pass array with bogus dquot pointers from
__dquot_initialize to dqput. This can happen if the initialisation
of the dquot objects for an inode fail and the control flow is
transferred to the out_put label. In case only the USR or GRP quota
are initialised then the PRJ pointer in the "got" array would remain
uninitialised. This will cause the NULL ptr check in dqput to pass
but actually the pointer is going to be invalid. Eventually this would
cause a GFP.

To fix this just zero out the got array

Signed-off-by: Nikolay Borisov <kernel@kyup.com>
---
 fs/quota/dquot.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index ef0d64b2a6d9..a0ab58fd85ae 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -1408,6 +1408,8 @@ static int __dquot_initialize(struct inode *inode, int type)

 	dquots = i_dquot(inode);

+	memset(got, 0, 3 * sizeof(struct dquot *));
+
 	/* First get references to structures we might need. */
 	for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
 		struct kqid qid;
-- 
2.5.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [RFC PATCH] quota: Fix possible GFP due to uninitialised pointers
  2016-03-02 16:19 [RFC PATCH] quota: Fix possible GFP due to uninitialised pointers Nikolay Borisov
@ 2016-03-03 10:00 ` Jan Kara
  0 siblings, 0 replies; 2+ messages in thread
From: Jan Kara @ 2016-03-03 10:00 UTC (permalink / raw)
  To: Nikolay Borisov; +Cc: jack, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 1642 bytes --]

On Wed 02-03-16 18:19:29, Nikolay Borisov wrote:
> While debugging some issues with quota I realized that
> it's possible to pass array with bogus dquot pointers from
> __dquot_initialize to dqput. This can happen if the initialisation
> of the dquot objects for an inode fail and the control flow is
> transferred to the out_put label. In case only the USR or GRP quota
> are initialised then the PRJ pointer in the "got" array would remain
> uninitialised. This will cause the NULL ptr check in dqput to pass
> but actually the pointer is going to be invalid. Eventually this would
> cause a GFP.
> 
> To fix this just zero out the got array
> 
> Signed-off-by: Nikolay Borisov <kernel@kyup.com>

Thanks for spotting this and for the fix. There are couple of issues with
your patch:

a) You should use MAXQUOTAS instead of hardcoded 3 in the memset(). Even
better just leave, specify proper initializer directly.

b) You could remove the array initialization from the for loop.

I have cleaned up the patch as attached and merged it into my tree.

								Honza

> ---
>  fs/quota/dquot.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
> index ef0d64b2a6d9..a0ab58fd85ae 100644
> --- a/fs/quota/dquot.c
> +++ b/fs/quota/dquot.c
> @@ -1408,6 +1408,8 @@ static int __dquot_initialize(struct inode *inode, int type)
>  
>  	dquots = i_dquot(inode);
>  
> +	memset(got, 0, 3 * sizeof(struct dquot *));
> +
>  	/* First get references to structures we might need. */
>  	for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
>  		struct kqid qid;
> -- 
> 2.5.0
> 
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

[-- Attachment #2: 0001-quota-Fix-possible-GPF-due-to-uninitialised-pointers.patch --]
[-- Type: text/x-patch, Size: 1299 bytes --]

>From 130248216a62ab08b628d7c35b33842fb213fc7b Mon Sep 17 00:00:00 2001
From: Nikolay Borisov <kernel@kyup.com>
Date: Thu, 3 Mar 2016 10:54:57 +0100
Subject: [PATCH] quota: Fix possible GPF due to uninitialised pointers

When dqget() in __dquot_initialize() fails e.g. due to IO error,
__dquot_initialize() will pass an array of uninitialized pointers to
dqput_all() and thus can lead to deference of random data. Fix the
problem by properly initializing the array.

Signed-off-by: Nikolay Borisov <kernel@kyup.com>
Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/quota/dquot.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index e8467dc90c7e..dcec1edf579f 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -1410,7 +1410,7 @@ static int dquot_active(const struct inode *inode)
 static int __dquot_initialize(struct inode *inode, int type)
 {
 	int cnt, init_needed = 0;
-	struct dquot **dquots, *got[MAXQUOTAS];
+	struct dquot **dquots, *got[MAXQUOTAS] = {};
 	struct super_block *sb = inode->i_sb;
 	qsize_t rsv;
 	int ret = 0;
@@ -1427,7 +1427,6 @@ static int __dquot_initialize(struct inode *inode, int type)
 		int rc;
 		struct dquot *dquot;
 
-		got[cnt] = NULL;
 		if (type != -1 && cnt != type)
 			continue;
 		/*
-- 
2.6.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-03-03 10:00 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-02 16:19 [RFC PATCH] quota: Fix possible GFP due to uninitialised pointers Nikolay Borisov
2016-03-03 10:00 ` Jan Kara

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).