From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>,
syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.9 24/41] udf: Avoid accessing uninitialized data on failed inode read
Date: Sun, 18 Oct 2020 15:26:18 -0400 [thread overview]
Message-ID: <20201018192635.4056198-24-sashal@kernel.org> (raw)
In-Reply-To: <20201018192635.4056198-1-sashal@kernel.org>
From: Jan Kara <jack@suse.cz>
[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ]
When we fail to read inode, some data accessed in udf_evict_inode() may
be uninitialized. Move the accesses to !is_bad_inode() branch.
Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/inode.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 9e66d85021fcb..149baf5f3d195 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -140,21 +140,24 @@ void udf_evict_inode(struct inode *inode)
struct udf_inode_info *iinfo = UDF_I(inode);
int want_delete = 0;
- if (!inode->i_nlink && !is_bad_inode(inode)) {
- want_delete = 1;
- udf_setsize(inode, 0);
- udf_update_inode(inode, IS_SYNC(inode));
+ if (!is_bad_inode(inode)) {
+ if (!inode->i_nlink) {
+ want_delete = 1;
+ udf_setsize(inode, 0);
+ udf_update_inode(inode, IS_SYNC(inode));
+ }
+ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
+ inode->i_size != iinfo->i_lenExtents) {
+ udf_warn(inode->i_sb,
+ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
+ inode->i_ino, inode->i_mode,
+ (unsigned long long)inode->i_size,
+ (unsigned long long)iinfo->i_lenExtents);
+ }
}
truncate_inode_pages_final(&inode->i_data);
invalidate_inode_buffers(inode);
clear_inode(inode);
- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
- inode->i_size != iinfo->i_lenExtents) {
- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
- inode->i_ino, inode->i_mode,
- (unsigned long long)inode->i_size,
- (unsigned long long)iinfo->i_lenExtents);
- }
kfree(iinfo->i_ext.i_data);
iinfo->i_ext.i_data = NULL;
udf_clear_extent_cache(inode);
--
2.25.1
next prev parent reply other threads:[~2020-10-18 19:32 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-18 19:25 [PATCH AUTOSEL 4.9 01/41] crypto: ccp - fix error handling Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.9 02/41] media: firewire: fix memory leak Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.9 03/41] media: ati_remote: sanity check for both endpoints Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.9 04/41] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.9 05/41] media: exynos4-is: Fix a reference count leak " Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 06/41] media: exynos4-is: Fix a reference count leak Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 07/41] media: vsp1: Fix runtime PM imbalance on error Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 08/41] media: platform: s3c-camif: " Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 09/41] media: platform: sti: hva: " Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 10/41] media: bdisp: " Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 11/41] media: media/pci: prevent memory leak in bttv_probe Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 12/41] media: uvcvideo: Ensure all probed info is returned to v4l2 Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 13/41] mmc: sdio: Check for CISTPL_VERS_1 buffer size Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 14/41] media: saa7134: avoid a shift overflow Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 15/41] fs: dlm: fix configfs memory leak Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 16/41] ntfs: add check for mft record size in superblock Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 17/41] PM: hibernate: remove the bogus call to get_gendisk() in software_resume() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 18/41] scsi: mvumi: Fix error return in mvumi_io_attach() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 19/41] scsi: target: core: Add CONTROL field for trace events Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 20/41] mic: vop: copy data to kernel space then write to io memory Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 21/41] misc: vop: add round_up(x,4) for vring_size to avoid kernel panic Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 22/41] usb: gadget: function: printer: fix use-after-free in __lock_acquire Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 23/41] udf: Limit sparing table size Sasha Levin
2020-10-18 19:26 ` Sasha Levin [this message]
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 25/41] USB: cdc-acm: handle broken union descriptors Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 26/41] ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 27/41] misc: rtsx: Fix memory leak in rtsx_pci_probe Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 28/41] reiserfs: only call unlock_new_inode() if I_NEW Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 29/41] xfs: make sure the rt allocator doesn't run off the end Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 30/41] usb: ohci: Default to per-port over-current protection Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 31/41] Bluetooth: Only mark socket zapped after unlocking Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 32/41] scsi: ibmvfc: Fix error return in ibmvfc_probe() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 33/41] brcmsmac: fix memory leak in wlc_phy_attach_lcnphy Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 34/41] rtl8xxxu: prevent potential memory leak Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 35/41] Fix use after free in get_capset_info callback Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 36/41] tty: ipwireless: fix error handling Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 37/41] ipvs: Fix uninit-value in do_ip_vs_set_ctl() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 38/41] reiserfs: Fix memory leak in reiserfs_parse_options() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 39/41] brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 40/41] usb: core: Solve race condition in anchor cleanup functions Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 41/41] ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201018192635.4056198-24-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox