From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+9b33c9b118d77ff59b6f@syzkaller.appspotmail.com,
Jan Kara <jack@suse.cz>
Subject: [PATCH 5.9 12/15] reiserfs: Fix oops during mount
Date: Fri, 16 Oct 2020 11:08:14 +0200 [thread overview]
Message-ID: <20201016090437.772584754@linuxfoundation.org> (raw)
In-Reply-To: <20201016090437.170032996@linuxfoundation.org>
From: Jan Kara <jack@suse.cz>
commit c2bb80b8bdd04dfe32364b78b61b6a47f717af52 upstream.
With suitably crafted reiserfs image and mount command reiserfs will
crash when trying to verify that XATTR_ROOT directory can be looked up
in / as that recurses back to xattr code like:
xattr_lookup+0x24/0x280 fs/reiserfs/xattr.c:395
reiserfs_xattr_get+0x89/0x540 fs/reiserfs/xattr.c:677
reiserfs_get_acl+0x63/0x690 fs/reiserfs/xattr_acl.c:209
get_acl+0x152/0x2e0 fs/posix_acl.c:141
check_acl fs/namei.c:277 [inline]
acl_permission_check fs/namei.c:309 [inline]
generic_permission+0x2ba/0x550 fs/namei.c:353
do_inode_permission fs/namei.c:398 [inline]
inode_permission+0x234/0x4a0 fs/namei.c:463
lookup_one_len+0xa6/0x200 fs/namei.c:2557
reiserfs_lookup_privroot+0x85/0x1e0 fs/reiserfs/xattr.c:972
reiserfs_fill_super+0x2b51/0x3240 fs/reiserfs/super.c:2176
mount_bdev+0x24f/0x360 fs/super.c:1417
Fix the problem by bailing from reiserfs_xattr_get() when xattrs are not
yet initialized.
CC: stable@vger.kernel.org
Reported-by: syzbot+9b33c9b118d77ff59b6f@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/reiserfs/xattr.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -674,6 +674,13 @@ reiserfs_xattr_get(struct inode *inode,
if (get_inode_sd_version(inode) == STAT_DATA_V1)
return -EOPNOTSUPP;
+ /*
+ * priv_root needn't be initialized during mount so allow initial
+ * lookups to succeed.
+ */
+ if (!REISERFS_SB(inode->i_sb)->priv_root)
+ return 0;
+
dentry = xattr_lookup(inode, name, XATTR_REPLACE);
if (IS_ERR(dentry)) {
err = PTR_ERR(dentry);
next prev parent reply other threads:[~2020-10-16 9:13 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-16 9:08 [PATCH 5.9 00/15] 5.9.1-rc1 review Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 01/15] Bluetooth: A2MP: Fix not initializing all members Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 02/15] Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 03/15] Bluetooth: MGMT: Fix not checking if BT_HS is enabled Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 04/15] media: usbtv: Fix refcounting mixup Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 05/15] USB: serial: option: add Cellient MPL200 card Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 06/15] USB: serial: option: Add Telit FT980-KS composition Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 07/15] staging: comedi: check validity of wMaxPacketSize of usb endpoints found Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 08/15] USB: serial: pl2303: add device-id for HP GC device Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 09/15] USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 10/15] vt_ioctl: make VT_RESIZEX behave like VT_RESIZE Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 11/15] reiserfs: Initialize inode keys properly Greg Kroah-Hartman
2020-10-16 9:08 ` Greg Kroah-Hartman [this message]
2020-10-16 9:08 ` [PATCH 5.9 13/15] Revert "drm/amdgpu: Fix NULL dereference in dpm sysfs handlers" Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 14/15] crypto: bcm - Verify GCM/CCM key length in setkey Greg Kroah-Hartman
2020-10-16 9:08 ` [PATCH 5.9 15/15] crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA Greg Kroah-Hartman
2020-10-16 12:21 ` [PATCH 5.9 00/15] 5.9.1-rc1 review Jeffrin Jose T
2020-10-16 16:45 ` Jon Hunter
2020-10-17 11:34 ` Greg Kroah-Hartman
2020-10-16 19:03 ` Naresh Kamboju
2020-10-17 11:34 ` Greg Kroah-Hartman
2020-10-16 21:09 ` Guenter Roeck
2020-10-17 11:34 ` Greg Kroah-Hartman
2020-10-17 16:02 ` Shuah Khan
2020-10-18 6:00 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201016090437.772584754@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+9b33c9b118d77ff59b6f@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).