* [PATCH] afs: Set vllist to NULL if addr parsing fails
2025-04-13 3:41 [syzbot] [afs?] BUG: unable to handle kernel paging request in afs_put_vlserverlist syzbot
@ 2025-04-13 6:12 ` Edward Adam Davis
From: Edward Adam Davis @ 2025-04-13 6:12 UTC (permalink / raw)
To: syzbot+5c042fbab0b292c98fc6
Cc: dhowells, linux-afs, linux-kernel, marc.dionne, syzkaller-bugs
syzbot reported a bug in afs_put_vlserverlist. [1]
Because afs_parse_text_addrs() parses incorrectly, its return value -EINVAL
is assigned to vllist, which results in -EINVAL being used as the vllist
address when afs_put_vlserverlist() is executed.
Set the vllist value to NULL when a parsing error occurs to avoid this issue.
[1]
kAFS: bad VL server IP address
BUG: unable to handle page fault for address: fffffffffffffffa
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD e186067 P4D e186067 PUD e188067 PMD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 5834 Comm: syz-executor362 Not tainted 6.15.0-rc1-syzkaller-00025-gbec7dcbc242c #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:arch_atomic_fetch_add arch/x86/include/asm/atomic.h:93 [inline]
RIP: 0010:raw_atomic_fetch_sub_release include/linux/atomic/atomic-arch-fallback.h:949 [inline]
RIP: 0010:atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:401 [inline]
RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:389 [inline]
RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:432 [inline]
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:450 [inline]
RIP: 0010:afs_put_vlserverlist+0x3a/0x220 fs/afs/vl_list.c:67
Code: 53 48 83 ec 18 e8 e6 35 2f fe 48 85 ed 74 43 e8 dc 35 2f fe 4c 8d 65 10 be 04 00 00 00 bb ff ff ff ff 4c 89 e7 e8 76 ad 93 fe <f0> 0f c1 5d 10 31 ff 89 de e8 f8 30 2f fe 85 db 7e 29 e8 af 35 2f
RSP: 0018:ffffc90003e5fae0 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 00000000ffffffff RCX: ffffffff838c071a
RDX: fffffc0000000000 RSI: 0000000000000004 RDI: fffffffffffffffa
RBP: ffffffffffffffea R08: 0000000000000001 R09: fffffbffffffffff
R10: fffffffffffffffd R11: 0000000000000001 R12: fffffffffffffffa
R13: ffffffffffffffea R14: ffff8880216ad700 R15: ffff888034ec2000
FS: 0000555561d3e380(0000) GS:ffff888124ab9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffffa CR3: 000000007a922000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
afs_alloc_cell fs/afs/cell.c:218 [inline]
afs_lookup_cell+0x12a5/0x1680 fs/afs/cell.c:264
afs_cell_init+0x17a/0x380 fs/afs/cell.c:386
afs_proc_rootcell_write+0x21f/0x290 fs/afs/proc.c:247
proc_simple_write+0x114/0x1b0 fs/proc/generic.c:825
pde_write fs/proc/inode.c:330 [inline]
proc_reg_write+0x23d/0x330 fs/proc/inode.c:342
vfs_write+0x25c/0x1180 fs/read_write.c:682
ksys_write+0x12a/0x240 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: e2c2cb8ef07a ("afs: Simplify cell record handling")
Reported-by: syzbot+5c042fbab0b292c98fc6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5c042fbab0b292c98fc6
Tested-by: syzbot+5c042fbab0b292c98fc6@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/afs/cell.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/afs/cell.c b/fs/afs/cell.c
index 0168bbf53fe0..f31359922e98 100644
--- a/fs/afs/cell.c
+++ b/fs/afs/cell.c
@@ -177,6 +177,7 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
VL_SERVICE, AFS_VL_PORT);
if (IS_ERR(vllist)) {
ret = PTR_ERR(vllist);
+ vllist = NULL;
goto parse_failed;
}
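Review bot: the reset is correct, but it fixes the symptom at one call site rather than the hazard in the shared error path. The oops above shows the mechanism: RBP holds ffffffffffffffea (-EINVAL) and the faulting write goes to fffffffffffffffa, 0x10 past it, so afs_put_vlserverlist() passed its NULL check and took the refcount at ERR_PTR(-EINVAL)+0x10. Because the put tolerates NULL but not IS_ERR(), any future label reached with an un-cleared error value in vllist reproduces this. Consider jumping to a label placed after the put instead, or keeping the parse result in a temporary and assigning vllist only on success, so the cleanup can never see a non-pointer; either is a few lines and removes the class of bug rather than this instance.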
--
2.43.0
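To make the failure mode concrete, here is a userspace model of the pattern, added as an illustration and not code from this thread or from fs/afs: stand-ins for the kernel's ERR_PTR()/IS_ERR()/PTR_ERR() helpers, a put routine that, like afs_put_vlserverlist() in the oops above, guards against NULL but not against an error pointer, and an afs_alloc_cell()-style error path run with and without the one-line change from the patch. struct vlserverlist, parse_text_addrs(), alloc_cell(), free_cell() and the simulated_oopses counter are hypothetical names for this example; the real kernel functions take different arguments, and where the kernel would fault the model only counts the bad put.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins for the kernel's error-pointer helpers (assumption:
 * same encoding, a small negative errno stored in the pointer value, so
 * ERR_PTR(-EINVAL) is 0xffffffffffffffea, the RBP value in the oops). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p)
{
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

#define MAX_VL_SERVERS 8

/* Hypothetical analogue of the VL server list: a refcount plus addresses. */
struct vlserverlist {
	int usage;                          /* stands in for refcount_t */
	int nr_servers;
	struct in_addr addrs[MAX_VL_SERVERS];
};

struct cell {
	struct vlserverlist *vllist;
};

/* Instrumentation only: counts put() calls that would have dereferenced an
 * error pointer. The kernel has no such guard; refcount_dec_and_test() faults. */
static int simulated_oopses;
int simulated_oops_count(void) { return simulated_oopses; }
void reset_simulated_oopses(void) { simulated_oopses = 0; }

/* Analogue of afs_put_vlserverlist(): tolerates NULL, not an error pointer. */
static void put_vlserverlist(struct vlserverlist *vl)
{
	if (!vl)
		return;
	if (IS_ERR(vl)) {
		simulated_oopses++;         /* the real code oopses here */
		return;
	}
	if (--vl->usage == 0)
		free(vl);
}

/* Analogue of afs_parse_text_addrs(): comma-separated IPv4 literals, or
 * ERR_PTR(-EINVAL) on the first token that is not an address. */
static struct vlserverlist *parse_text_addrs(const char *text)
{
	struct vlserverlist *vl = calloc(1, sizeof(*vl));
	const char *p = text;

	if (!vl)
		return ERR_PTR(-ENOMEM);
	vl->usage = 1;
	while (*p) {
		const char *end = strchr(p, ',');
		size_t len = end ? (size_t)(end - p) : strlen(p);
		char tok[INET_ADDRSTRLEN];

		if (len == 0 || len >= sizeof(tok) || vl->nr_servers == MAX_VL_SERVERS)
			goto bad;
		memcpy(tok, p, len);
		tok[len] = '\0';
		if (inet_pton(AF_INET, tok, &vl->addrs[vl->nr_servers]) != 1)
			goto bad;
		vl->nr_servers++;
		p = end ? end + 1 : p + len;
	}
	if (vl->nr_servers == 0)
		goto bad;
	return vl;
bad:
	free(vl);
	return ERR_PTR(-EINVAL);
}

/* Analogue of afs_alloc_cell()'s parse path. with_fix selects whether the
 * patch's one-line change (vllist = NULL before the goto) is applied. */
struct cell *alloc_cell(const char *addrs, int with_fix)
{
	struct vlserverlist *vllist = NULL;
	struct cell *cell = calloc(1, sizeof(*cell));
	int ret;

	if (!cell)
		return ERR_PTR(-ENOMEM);
	vllist = parse_text_addrs(addrs);
	if (IS_ERR(vllist)) {
		ret = PTR_ERR(vllist);
		if (with_fix)
			vllist = NULL;      /* never hand an ERR_PTR to put() */
		goto parse_failed;
	}
	cell->vllist = vllist;
	return cell;

parse_failed:
	put_vlserverlist(vllist);   /* shared cleanup: bad put without the fix */
	free(cell);
	return ERR_PTR(ret);
}

void free_cell(struct cell *cell)
{
	if (cell && !IS_ERR(cell)) {
		put_vlserverlist(cell->vllist);
		free(cell);
	}
}
```

Running alloc_cell("not an address", 0) returns ERR_PTR(-EINVAL) but trips the counter once, which is the syzbot path; the same call with with_fix=1 returns the same error with the counter untouched, and a well-formed list such as "10.0.0.1,192.0.2.7" builds a two-entry list that free_cell() releases cleanly.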
* [PATCH] afs: Set vllist to NULL if addr parsing fails
@ 2025-07-21 14:26 David Howells
From: David Howells @ 2025-07-21 14:26 UTC (permalink / raw)
To: Christian Brauner
Cc: dhowells, syzbot+5c042fbab0b292c98fc6, Edward Adam Davis,
Marc Dionne, linux-afs, linux-fsdevel, linux-kernel
From: Edward Adam Davis <eadavis@qq.com>
syzbot reported a bug in afs_put_vlserverlist.
kAFS: bad VL server IP address
BUG: unable to handle page fault for address: fffffffffffffffa
...
Oops: Oops: 0002 [#1] SMP KASAN PTI
...
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:450 [inline]
RIP: 0010:afs_put_vlserverlist+0x3a/0x220 fs/afs/vl_list.c:67
...
Call Trace:
<TASK>
afs_alloc_cell fs/afs/cell.c:218 [inline]
afs_lookup_cell+0x12a5/0x1680 fs/afs/cell.c:264
afs_cell_init+0x17a/0x380 fs/afs/cell.c:386
afs_proc_rootcell_write+0x21f/0x290 fs/afs/proc.c:247
proc_simple_write+0x114/0x1b0 fs/proc/generic.c:825
pde_write fs/proc/inode.c:330 [inline]
proc_reg_write+0x23d/0x330 fs/proc/inode.c:342
vfs_write+0x25c/0x1180 fs/read_write.c:682
ksys_write+0x12a/0x240 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Because afs_parse_text_addrs() parses incorrectly, its return value -EINVAL
is assigned to vllist, which results in -EINVAL being used as the vllist
address when afs_put_vlserverlist() is executed.
Set the vllist value to NULL when a parsing error occurs to avoid this
issue.
Fixes: e2c2cb8ef07a ("afs: Simplify cell record handling")
Reported-by: syzbot+5c042fbab0b292c98fc6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5c042fbab0b292c98fc6
Tested-by: syzbot+5c042fbab0b292c98fc6@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: linux-fsdevel@vger.kernel.org
---
fs/afs/cell.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/afs/cell.c b/fs/afs/cell.c
index 0168bbf53fe0..f31359922e98 100644
--- a/fs/afs/cell.c
+++ b/fs/afs/cell.c
@@ -177,6 +177,7 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
VL_SERVICE, AFS_VL_PORT);
if (IS_ERR(vllist)) {
ret = PTR_ERR(vllist);
+ vllist = NULL;
goto parse_failed;
}
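Review bot: the added `vllist = NULL;` deserves a short comment, e.g. `vllist = NULL;	/* parse_failed calls afs_put_vlserverlist() */`, because on its own the line looks redundant (the local is about to be discarded) and a later cleanup could drop it and reintroduce the oops. The resend also carries the same index line 0168bbf53fe0..f31359922e98 as the April posting, so it is worth confirming the hunk still applies cleanly on the vfs.fixes base before it is queued.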
* Re: [PATCH] afs: Set vllist to NULL if addr parsing fails
2025-07-21 14:26 [PATCH] afs: Set vllist to NULL if addr parsing fails David Howells
@ 2025-07-23 11:54 ` Christian Brauner
From: Christian Brauner @ 2025-07-23 11:54 UTC (permalink / raw)
To: David Howells
Cc: Christian Brauner, syzbot+5c042fbab0b292c98fc6, Edward Adam Davis,
Marc Dionne, linux-afs, linux-fsdevel, linux-kernel
On Mon, 21 Jul 2025 15:26:51 +0100, David Howells wrote:
> syzbot reported a bug in afs_put_vlserverlist.
>
> kAFS: bad VL server IP address
> BUG: unable to handle page fault for address: fffffffffffffffa
> ...
> Oops: Oops: 0002 [#1] SMP KASAN PTI
> ...
> RIP: 0010:refcount_dec_and_test include/linux/refcount.h:450 [inline]
> RIP: 0010:afs_put_vlserverlist+0x3a/0x220 fs/afs/vl_list.c:67
> ...
> Call Trace:
> <TASK>
> afs_alloc_cell fs/afs/cell.c:218 [inline]
> afs_lookup_cell+0x12a5/0x1680 fs/afs/cell.c:264
> afs_cell_init+0x17a/0x380 fs/afs/cell.c:386
> afs_proc_rootcell_write+0x21f/0x290 fs/afs/proc.c:247
> proc_simple_write+0x114/0x1b0 fs/proc/generic.c:825
> pde_write fs/proc/inode.c:330 [inline]
> proc_reg_write+0x23d/0x330 fs/proc/inode.c:342
> vfs_write+0x25c/0x1180 fs/read_write.c:682
> ksys_write+0x12a/0x240 fs/read_write.c:736
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> [...]
Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.
Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.
It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.
Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.
tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes
[1/1] afs: Set vllist to NULL if addr parsing fails
https://git.kernel.org/vfs/vfs/c/8b3c655fa240