From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>,
syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.4 17/33] udf: Avoid accessing uninitialized data on failed inode read
Date: Sun, 18 Oct 2020 15:27:12 -0400 [thread overview]
Message-ID: <20201018192728.4056577-17-sashal@kernel.org> (raw)
In-Reply-To: <20201018192728.4056577-1-sashal@kernel.org>
From: Jan Kara <jack@suse.cz>
[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ]
When we fail to read inode, some data accessed in udf_evict_inode() may
be uninitialized. Move the accesses to !is_bad_inode() branch.
Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/inode.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 3876448ec0dcb..2c39c1c81196c 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -140,21 +140,24 @@ void udf_evict_inode(struct inode *inode)
struct udf_inode_info *iinfo = UDF_I(inode);
int want_delete = 0;
- if (!inode->i_nlink && !is_bad_inode(inode)) {
- want_delete = 1;
- udf_setsize(inode, 0);
- udf_update_inode(inode, IS_SYNC(inode));
+ if (!is_bad_inode(inode)) {
+ if (!inode->i_nlink) {
+ want_delete = 1;
+ udf_setsize(inode, 0);
+ udf_update_inode(inode, IS_SYNC(inode));
+ }
+ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
+ inode->i_size != iinfo->i_lenExtents) {
+ udf_warn(inode->i_sb,
+ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
+ inode->i_ino, inode->i_mode,
+ (unsigned long long)inode->i_size,
+ (unsigned long long)iinfo->i_lenExtents);
+ }
}
truncate_inode_pages_final(&inode->i_data);
invalidate_inode_buffers(inode);
clear_inode(inode);
- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
- inode->i_size != iinfo->i_lenExtents) {
- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
- inode->i_ino, inode->i_mode,
- (unsigned long long)inode->i_size,
- (unsigned long long)iinfo->i_lenExtents);
- }
kfree(iinfo->i_ext.i_data);
iinfo->i_ext.i_data = NULL;
udf_clear_extent_cache(inode);
--
2.25.1
next prev parent reply other threads:[~2020-10-18 19:29 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-18 19:26 [PATCH AUTOSEL 4.4 01/33] media: firewire: fix memory leak Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.4 02/33] media: ati_remote: sanity check for both endpoints Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.4 03/33] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.4 04/33] media: exynos4-is: Fix a reference count leak " Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 05/33] media: exynos4-is: Fix a reference count leak Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 06/33] media: bdisp: Fix runtime PM imbalance on error Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 07/33] media: media/pci: prevent memory leak in bttv_probe Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 08/33] media: uvcvideo: Ensure all probed info is returned to v4l2 Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 09/33] mmc: sdio: Check for CISTPL_VERS_1 buffer size Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 10/33] media: saa7134: avoid a shift overflow Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 11/33] ntfs: add check for mft record size in superblock Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 12/33] PM: hibernate: remove the bogus call to get_gendisk() in software_resume() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 13/33] scsi: mvumi: Fix error return in mvumi_io_attach() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 14/33] scsi: target: core: Add CONTROL field for trace events Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 15/33] usb: gadget: function: printer: fix use-after-free in __lock_acquire Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 16/33] udf: Limit sparing table size Sasha Levin
2020-10-18 19:27 ` Sasha Levin [this message]
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 18/33] ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 19/33] misc: rtsx: Fix memory leak in rtsx_pci_probe Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 20/33] reiserfs: only call unlock_new_inode() if I_NEW Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 21/33] xfs: make sure the rt allocator doesn't run off the end Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 22/33] usb: ohci: Default to per-port over-current protection Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 23/33] Bluetooth: Only mark socket zapped after unlocking Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 24/33] scsi: ibmvfc: Fix error return in ibmvfc_probe() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 25/33] brcmsmac: fix memory leak in wlc_phy_attach_lcnphy Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 26/33] rtl8xxxu: prevent potential memory leak Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 27/33] Fix use after free in get_capset_info callback Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 28/33] tty: ipwireless: fix error handling Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 29/33] ipvs: Fix uninit-value in do_ip_vs_set_ctl() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 30/33] reiserfs: Fix memory leak in reiserfs_parse_options() Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 31/33] brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 32/33] usb: core: Solve race condition in anchor cleanup functions Sasha Levin
2020-10-18 19:27 ` [PATCH AUTOSEL 4.4 33/33] ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201018192728.4056577-17-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox