From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Edward Lo <edward.lo@ambergroup.io>,
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.0 28/74] fs/ntfs3: Add null pointer check for inode operations
Date: Mon, 2 Jan 2023 12:22:01 +0100 [thread overview]
Message-ID: <20230102110553.268891748@linuxfoundation.org> (raw)
In-Reply-To: <20230102110552.061937047@linuxfoundation.org>
From: Edward Lo <edward.lo@ambergroup.io>
[ Upstream commit c1ca8ef0262b25493631ecbd9cb8c9893e1481a1 ]
This adds a sanity check for the i_op pointer of the inode which is
returned after reading Root directory MFT record. We should check the
i_op is valid before trying to create the root dentry, otherwise we may
encounter a NPD while mounting a image with a funny Root directory MFT
record.
[ 114.484325] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 114.484811] #PF: supervisor read access in kernel mode
[ 114.485084] #PF: error_code(0x0000) - not-present page
[ 114.485606] PGD 0 P4D 0
[ 114.485975] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 114.486570] CPU: 0 PID: 237 Comm: mount Tainted: G B 6.0.0-rc4 #28
[ 114.486977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 114.488169] RIP: 0010:d_flags_for_inode+0xe0/0x110
[ 114.488816] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241
[ 114.490326] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296
[ 114.490695] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea
[ 114.490986] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020
[ 114.491364] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05
[ 114.491675] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000
[ 114.491954] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750
[ 114.492397] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
[ 114.492797] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 114.493150] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0
[ 114.493671] Call Trace:
[ 114.493890] <TASK>
[ 114.494075] __d_instantiate+0x24/0x1c0
[ 114.494505] d_instantiate.part.0+0x35/0x50
[ 114.494754] d_make_root+0x53/0x80
[ 114.494998] ntfs_fill_super+0x1232/0x1b50
[ 114.495260] ? put_ntfs+0x1d0/0x1d0
[ 114.495499] ? vsprintf+0x20/0x20
[ 114.495723] ? set_blocksize+0x95/0x150
[ 114.495964] get_tree_bdev+0x232/0x370
[ 114.496272] ? put_ntfs+0x1d0/0x1d0
[ 114.496502] ntfs_fs_get_tree+0x15/0x20
[ 114.496859] vfs_get_tree+0x4c/0x130
[ 114.497099] path_mount+0x654/0xfe0
[ 114.497507] ? putname+0x80/0xa0
[ 114.497933] ? finish_automount+0x2e0/0x2e0
[ 114.498362] ? putname+0x80/0xa0
[ 114.498571] ? kmem_cache_free+0x1c4/0x440
[ 114.498819] ? putname+0x80/0xa0
[ 114.499069] do_mount+0xd6/0xf0
[ 114.499343] ? path_mount+0xfe0/0xfe0
[ 114.499683] ? __kasan_check_write+0x14/0x20
[ 114.500133] __x64_sys_mount+0xca/0x110
[ 114.500592] do_syscall_64+0x3b/0x90
[ 114.500930] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 114.501294] RIP: 0033:0x7fdc898e948a
[ 114.501542] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
[ 114.502716] RSP: 002b:00007ffd793e58f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 114.503175] RAX: ffffffffffffffda RBX: 0000564b2228f060 RCX: 00007fdc898e948a
[ 114.503588] RDX: 0000564b2228f260 RSI: 0000564b2228f2e0 RDI: 0000564b22297ce0
[ 114.504925] RBP: 0000000000000000 R08: 0000564b2228f280 R09: 0000000000000020
[ 114.505484] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564b22297ce0
[ 114.505823] R13: 0000564b2228f260 R14: 0000000000000000 R15: 00000000ffffffff
[ 114.506562] </TASK>
[ 114.506887] Modules linked in:
[ 114.507648] CR2: 0000000000000008
[ 114.508884] ---[ end trace 0000000000000000 ]---
[ 114.509675] RIP: 0010:d_flags_for_inode+0xe0/0x110
[ 114.510140] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241
[ 114.511762] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296
[ 114.512401] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea
[ 114.513103] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020
[ 114.513512] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05
[ 114.513831] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000
[ 114.514757] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750
[ 114.515411] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000
[ 114.515794] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 114.516208] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0
Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/super.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 170682c2bf67..94f9e4b775a7 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1260,9 +1260,9 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
ref.low = cpu_to_le32(MFT_REC_ROOT);
ref.seq = cpu_to_le16(MFT_REC_ROOT);
inode = ntfs_iget5(sb, &ref, &NAME_ROOT);
- if (IS_ERR(inode)) {
+ if (IS_ERR(inode) || !inode->i_op) {
ntfs_err(sb, "Failed to load root.");
- err = PTR_ERR(inode);
+ err = IS_ERR(inode) ? PTR_ERR(inode) : -EINVAL;
goto out;
}
--
2.35.1
next prev parent reply other threads:[~2023-01-02 11:29 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-02 11:21 [PATCH 6.0 00/74] 6.0.17-rc1 review Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 01/74] usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 02/74] blk-cgroup: fix error unwinding in blkcg_init_queue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 03/74] blk-cgroup: remove blk_queue_root_blkg Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 04/74] blk-cgroup: remove open coded blkg_lookup instances Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 05/74] blk-cgroup: cleanup the blkg_lookup family of functions Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 06/74] blk-cgroup: pass a gendisk to blkcg_init_queue and blkcg_exit_queue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 07/74] blk-throttle: pass a gendisk to blk_throtl_init and blk_throtl_exit Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 08/74] blk-cgroup: pass a gendisk to blkg_destroy_all Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 09/74] blk-iolatency: Fix memory leak on add_disk() failures Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 10/74] cifs: fix static checker warning Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 11/74] cifs: dont leak -ENOMEM in smb2_open_file() Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 12/74] nvme-pci: fix doorbell buffer value endianness Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 13/74] nvme-pci: fix mempool alloc size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 14/74] nvme-pci: fix page size checks Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 15/74] ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 16/74] ACPI: resource: do IRQ override on LENOVO IdeaPad Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 17/74] ACPI: resource: do IRQ override on XMG Core 15 Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 18/74] ACPI: resource: do IRQ override on Lenovo 14ALC7 Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 19/74] block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 20/74] ata: ahci: Fix PCS quirk application for suspend Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 21/74] nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 22/74] nvmet: dont defer passthrough commands with trivial effects to the workqueue Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 23/74] fs/ntfs3: Validate BOOT record_size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 24/74] fs/ntfs3: Add overflow check for attribute size Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 25/74] fs/ntfs3: Validate data run offset Greg Kroah-Hartman
2023-01-02 11:21 ` [PATCH 6.0 26/74] fs/ntfs3: Add null pointer check to attr_load_runs_vcn Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 27/74] fs/ntfs3: Fix memory leak on ntfs_fill_super() error path Greg Kroah-Hartman
2023-01-02 11:22 ` Greg Kroah-Hartman [this message]
2023-01-02 11:22 ` [PATCH 6.0 29/74] fs/ntfs3: Validate attribute name offset Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 30/74] fs/ntfs3: Validate buffer length while parsing index Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 31/74] fs/ntfs3: Validate resident attribute name Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 32/74] fs/ntfs3: Fix slab-out-of-bounds read in run_unpack Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 33/74] soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15 Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 34/74] fs/ntfs3: Validate index root when initialize NTFS security Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 35/74] fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 36/74] fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 37/74] fs/ntfs3: Delete duplicate condition in ntfs_read_mft() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 38/74] fs/ntfs3: Fix slab-out-of-bounds in r_page Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 39/74] objtool: Fix SEGFAULT Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 40/74] iommu/mediatek: Fix crash on isr after kexec() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 41/74] powerpc/rtas: avoid device tree lookups in rtas_os_term() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 42/74] powerpc/rtas: avoid scheduling " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 43/74] rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 44/74] kprobes: kretprobe events missing on 2-core KVM guest Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 45/74] HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 46/74] HID: plantronics: Additional PIDs for double volume key presses quirk Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 47/74] futex: Fix futex_waitv() hrtimer debug object leak on kcalloc error Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 48/74] rtmutex: Add acquire semantics for rtmutex lock acquisition slow path Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 49/74] mm/mempolicy: fix memory leak in set_mempolicy_home_node system call Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 50/74] pstore: Properly assign mem_type property Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 51/74] pstore/zone: Use GFP_ATOMIC to allocate zone buffer Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 52/74] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 53/74] eventpoll: add EPOLL_URING_WAKE poll wakeup flag Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 54/74] eventfd: provide a eventfd_signal_mask() helper Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 55/74] io_uring: dont remove file from msg_ring reqs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 56/74] binfmt: Fix error return code in load_elf_fdpic_binary() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 57/74] ovl: Use ovl mounters fsuid and fsgid in ovl_link() Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 58/74] ovl: update ->f_iocb_flags when ovl_change_flags() modifies ->f_flags Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 59/74] ALSA: line6: correct midi status byte when receiving data from podxt Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 60/74] ALSA: line6: fix stack overflow in line6_midi_transmit Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 61/74] ALSA: hda/hdmi: Static PCM mapping again with AMD HDMI codecs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 62/74] pnode: terminate at peers of source Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 63/74] mfd: mt6360: Add bounds checking in Regmap read/write call-backs Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 64/74] md: fix a crash in mempool_free Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 65/74] mm, compaction: fix fast_isolate_around() to stay within boundaries Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 66/74] f2fs: should put a page when checking the summary info Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 67/74] f2fs: allow to read node block after shutdown Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 68/74] block: Do not reread partition table on exclusively open device Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 69/74] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 70/74] tpm: acpi: Call acpi_put_table() to fix memory leak Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 71/74] tpm: tpm_crb: Add the missed " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 72/74] tpm: tpm_tis: " Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 73/74] SUNRPC: Dont leak netobj memory when gss_read_proxy_verf() fails Greg Kroah-Hartman
2023-01-02 11:22 ` [PATCH 6.0 74/74] kcsan: Instrument memcpy/memset/memmove with newer Clang Greg Kroah-Hartman
2023-01-03 0:28 ` [PATCH 6.0 00/74] 6.0.17-rc1 review Shuah Khan
2023-01-03 1:13 ` Guenter Roeck
2023-01-03 8:33 ` Naresh Kamboju
2023-01-03 10:37 ` Sudip Mukherjee (Codethink)
2023-01-03 22:59 ` Sudip Mukherjee
2023-01-04 11:08 ` Greg Kroah-Hartman
2023-01-03 12:07 ` Bagas Sanjaya
2023-01-03 13:23 ` Allen Pais
2023-01-03 19:02 ` Florian Fainelli
2023-01-03 22:11 ` Ron Economos
2023-01-04 1:38 ` Justin Forbes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230102110553.268891748@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=edward.lo@ambergroup.io \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).