From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>,
syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.14 30/52] udf: Avoid accessing uninitialized data on failed inode read
Date: Sun, 18 Oct 2020 15:25:07 -0400 [thread overview]
Message-ID: <20201018192530.4055730-30-sashal@kernel.org> (raw)
In-Reply-To: <20201018192530.4055730-1-sashal@kernel.org>
From: Jan Kara <jack@suse.cz>
[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ]
When we fail to read inode, some data accessed in udf_evict_inode() may
be uninitialized. Move the accesses to !is_bad_inode() branch.
Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/inode.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 3c1b54091d6cc..dd57bd446340c 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -132,21 +132,24 @@ void udf_evict_inode(struct inode *inode)
struct udf_inode_info *iinfo = UDF_I(inode);
int want_delete = 0;
- if (!inode->i_nlink && !is_bad_inode(inode)) {
- want_delete = 1;
- udf_setsize(inode, 0);
- udf_update_inode(inode, IS_SYNC(inode));
+ if (!is_bad_inode(inode)) {
+ if (!inode->i_nlink) {
+ want_delete = 1;
+ udf_setsize(inode, 0);
+ udf_update_inode(inode, IS_SYNC(inode));
+ }
+ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
+ inode->i_size != iinfo->i_lenExtents) {
+ udf_warn(inode->i_sb,
+ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
+ inode->i_ino, inode->i_mode,
+ (unsigned long long)inode->i_size,
+ (unsigned long long)iinfo->i_lenExtents);
+ }
}
truncate_inode_pages_final(&inode->i_data);
invalidate_inode_buffers(inode);
clear_inode(inode);
- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
- inode->i_size != iinfo->i_lenExtents) {
- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
- inode->i_ino, inode->i_mode,
- (unsigned long long)inode->i_size,
- (unsigned long long)iinfo->i_lenExtents);
- }
kfree(iinfo->i_ext.i_data);
iinfo->i_ext.i_data = NULL;
udf_clear_extent_cache(inode);
--
2.25.1
next prev parent reply other threads:[~2020-10-18 19:34 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-18 19:24 [PATCH AUTOSEL 4.14 01/52] crypto: ccp - fix error handling Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 02/52] media: firewire: fix memory leak Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 03/52] media: ati_remote: sanity check for both endpoints Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 04/52] media: st-delta: Fix reference count leak in delta_run_work Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 05/52] media: sti: Fix reference count leaks Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 06/52] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 07/52] media: exynos4-is: Fix a reference count leak " Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 08/52] media: exynos4-is: Fix a reference count leak Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 09/52] media: vsp1: Fix runtime PM imbalance on error Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 10/52] media: platform: s3c-camif: " Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 11/52] media: platform: sti: hva: " Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 12/52] media: bdisp: " Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 13/52] media: media/pci: prevent memory leak in bttv_probe Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 14/52] media: uvcvideo: Ensure all probed info is returned to v4l2 Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 15/52] seccomp: kill process instead of thread for unknown actions Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 16/52] mmc: sdio: Check for CISTPL_VERS_1 buffer size Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 17/52] media: saa7134: avoid a shift overflow Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 18/52] fs: dlm: fix configfs memory leak Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 19/52] media: venus: core: Fix runtime PM imbalance in venus_probe Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 20/52] ipv6/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2) Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 21/52] ntfs: add check for mft record size in superblock Sasha Levin
2020-10-18 19:24 ` [PATCH AUTOSEL 4.14 22/52] mac80211: handle lack of sband->bitrates in rates Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 23/52] PM: hibernate: remove the bogus call to get_gendisk() in software_resume() Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 24/52] scsi: mvumi: Fix error return in mvumi_io_attach() Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 25/52] scsi: target: core: Add CONTROL field for trace events Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 26/52] mic: vop: copy data to kernel space then write to io memory Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 27/52] misc: vop: add round_up(x,4) for vring_size to avoid kernel panic Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 28/52] usb: gadget: function: printer: fix use-after-free in __lock_acquire Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 29/52] udf: Limit sparing table size Sasha Levin
2020-10-18 19:25 ` Sasha Levin [this message]
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 31/52] USB: cdc-acm: handle broken union descriptors Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 32/52] can: flexcan: flexcan_chip_stop(): add error handling and propagate error value Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 33/52] ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 34/52] misc: rtsx: Fix memory leak in rtsx_pci_probe Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 35/52] reiserfs: only call unlock_new_inode() if I_NEW Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 36/52] xfs: make sure the rt allocator doesn't run off the end Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 37/52] usb: ohci: Default to per-port over-current protection Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 38/52] Bluetooth: Only mark socket zapped after unlocking Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 39/52] scsi: ibmvfc: Fix error return in ibmvfc_probe() Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 40/52] brcmsmac: fix memory leak in wlc_phy_attach_lcnphy Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 41/52] rtl8xxxu: prevent potential memory leak Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 42/52] Fix use after free in get_capset_info callback Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 43/52] scsi: qedi: Protect active command list to avoid list corruption Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 44/52] scsi: qedi: Fix list_del corruption while removing active I/O Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 45/52] tty: ipwireless: fix error handling Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 46/52] ipvs: Fix uninit-value in do_ip_vs_set_ctl() Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 47/52] reiserfs: Fix memory leak in reiserfs_parse_options() Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 48/52] mwifiex: don't call del_timer_sync() on uninitialized timer Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 49/52] brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 50/52] usb: core: Solve race condition in anchor cleanup functions Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 51/52] scsi: ufs: ufs-qcom: Fix race conditions caused by ufs_qcom_testbus_config() Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.14 52/52] ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201018192530.4055730-30-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox