From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+c732f8644185de340492@syzkaller.appspotmail.com, Brian Foster, "Darrick J. Wong"
Subject: [PATCH 5.4 146/191] xfs: fix mount failure crash on invalid iclog memory access
Date: Thu, 2 Jan 2020 23:07:08 +0100
Message-Id: <20200102215845.170620568@linuxfoundation.org>
In-Reply-To: <20200102215829.911231638@linuxfoundation.org>
References: <20200102215829.911231638@linuxfoundation.org>

From: Brian Foster

commit 798a9cada4694ca8d970259f216cec47e675bfd5 upstream.

syzbot (via KASAN) reports a use-after-free in the error path of xlog_alloc_log(). Specifically, the iclog freeing loop doesn't handle the case of a fully initialized ->l_iclog linked list. Instead, it assumes that the list is partially constructed and NULL terminated.

This bug manifested because there was no possible error scenario after iclog list setup when the original code was added. Subsequent code and associated error conditions were added some time later, while the original error handling code was never updated. Fix up the error loop to terminate either on a NULL iclog or reaching the end of the list.

Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com
Signed-off-by: Brian Foster
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Greg Kroah-Hartman
---
 fs/xfs/xfs_log.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/xfs/xfs_log.c +++ b/fs/xfs/xfs_log.c 
@@ -1495,6 +1495,8 @@ out_free_iclog: prev_iclog = iclog->ic_next; kmem_free(iclog->ic_data); kmem_free(iclog); + if (prev_iclog == log->l_iclog) + break; } out_free_log: kmem_free(log);
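
Review bot: the new exit test `if (prev_iclog == log->l_iclog) break;` at the end of the out_free_iclog loop body has no comment explaining why the loop now has two termination conditions. The commit message says this error path went stale because failures became possible after the list was fully linked, so a one-line comment here stating that the list is either NULL-terminated (partial setup) or wraps back to log->l_iclog (full setup) would help keep the next change to xlog_alloc_log() from breaking it again. The comparison itself does not touch the freed entry, since prev_iclog is loaded from iclog->ic_next before the two kmem_free() calls and is only compared, not dereferenced. Separately, prev_iclog holds the next entry to be freed at this point, so the name reads backwards next to the new check; worth mentioning in the same comment.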