From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+57b25da729eb0b88177d@syzkaller.appspotmail.com,
Ye Bin <yebin10@huawei.com>, Jan Kara <jack@suse.cz>,
Eric Biggers <ebiggers@google.com>, Theodore Tso <tytso@mit.edu>,
stable@kernel.org, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 33/64] ext4: fix uninititialized value in ext4_evict_inode
Date: Mon, 16 Jan 2023 16:51:40 +0100 [thread overview]
Message-ID: <20230116154744.720046420@linuxfoundation.org> (raw)
In-Reply-To: <20230116154743.577276578@linuxfoundation.org>
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 7ea71af94eaaaf6d9aed24bc94a05b977a741cb9 ]
Syzbot found the following issue:
=====================================================
BUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
evict+0x365/0x9a0 fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x985/0xdd0 fs/inode.c:1773
__ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361
ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844
vfs_mknod+0x79d/0x830 fs/namei.c:3914
do_mknodat+0x47d/0xaa0
__do_sys_mknodat fs/namei.c:3992 [inline]
__se_sys_mknodat fs/namei.c:3989 [inline]
__ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
Uninit was created at:
__alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578
alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x1b5/0x1010 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429
alloc_inode_sb include/linux/fs.h:3117 [inline]
ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321
alloc_inode+0x83/0x440 fs/inode.c:259
new_inode_pseudo fs/inode.c:1018 [inline]
new_inode+0x3b/0x430 fs/inode.c:1046
__ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959
ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992
vfs_mkdir+0x62a/0x870 fs/namei.c:4035
do_mkdirat+0x466/0x7b0 fs/namei.c:4060
__do_sys_mkdirat fs/namei.c:4075 [inline]
__se_sys_mkdirat fs/namei.c:4073 [inline]
__ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
CPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
=====================================================
Now, 'ext4_alloc_inode()' didn't init 'ei->i_flags'. If new inode failed
before set 'ei->i_flags' in '__ext4_new_inode()', then do 'iput()'. As after
6bc0d63dad7f commit will access 'ei->i_flags' in 'ext4_evict_inode()' which
will lead to access uninit-value.
To solve above issue just init 'ei->i_flags' in 'ext4_alloc_inode()'.
Reported-by: syzbot+57b25da729eb0b88177d@syzkaller.appspotmail.com
Signed-off-by: Ye Bin <yebin10@huawei.com>
Fixes: 6bc0d63dad7f ("ext4: remove EA inode entry from mbcache on inode eviction")
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20221117073603.2598882-1-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/super.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 935589579b8f..e940fb07ef2e 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1279,6 +1279,7 @@ static struct inode *ext4_alloc_inode(struct super_block *sb)
return NULL;
inode_set_iversion(&ei->vfs_inode, 1);
+ ei->i_flags = 0;
spin_lock_init(&ei->i_raw_lock);
INIT_LIST_HEAD(&ei->i_prealloc_list);
atomic_set(&ei->i_prealloc_active, 0);
--
2.35.1
next prev parent reply other threads:[~2023-01-16 16:11 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-16 15:51 [PATCH 5.10 00/64] 5.10.164-rc1 review Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 01/64] netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 02/64] ALSA: hda/realtek: Enable mute/micmute LEDs on HP Spectre x360 13-aw0xxx Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 03/64] KVM: arm64: Fix S1PTW handling on RO memslots Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 04/64] efi: tpm: Avoid READ_ONCE() for accessing the event log Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 05/64] docs: Fix the docs build with Sphinx 6.0 Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 06/64] perf auxtrace: Fix address filter duplicate symbol selection Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 07/64] s390/kexec: fix ipl report address for kdump Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 08/64] ASoC: qcom: lpass-cpu: Fix fallback SD line index handling Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 09/64] s390/cpum_sf: add READ_ONCE() semantics to compare and swap loops Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 10/64] s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 11/64] cifs: Fix uninitialized memory read for smb311 posix symlink create Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 12/64] drm/msm/adreno: Make adreno quirks not overwrite each other Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 13/64] drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 14/64] platform/x86: sony-laptop: Dont turn off 0x153 keyboard backlight during probe Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 15/64] ixgbe: fix pci device refcount leak Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 16/64] ipv6: raw: Deduct extension header length in rawv6_push_pending_frames Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 17/64] bus: mhi: host: Fix race between channel preparation and M0 event Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 18/64] iommu/amd: Add PCI segment support for ivrs_[ioapic/hpet/acpihid] commands Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 19/64] iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 20/64] clk: imx8mp: Add DISP2 pixel clock Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 21/64] clk: imx8mp: add clkout1/2 support Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 22/64] dt-bindings: clocks: imx8mp: Add ID for usb suspend clock Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 23/64] clk: imx: imx8mp: add shared clk gate for usb suspend clk Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 24/64] xhci: Avoid parsing transfer events several times Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 25/64] xhci: get isochronous ring directly from endpoint structure Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 26/64] xhci: adjust parameters passed to cleanup_halted_endpoint() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 27/64] xhci: Add xhci_reset_halted_ep() helper function Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 28/64] xhci: move xhci_td_cleanup so it can be called by more functions Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 29/64] xhci: store TD status in the td struct instead of passing it along Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 30/64] xhci: move and rename xhci_cleanup_halted_endpoint() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 31/64] xhci: Prevent infinite loop in transaction errors recovery for streams Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 32/64] usb: ulpi: defer ulpi_register on ulpi_read_id timeout Greg Kroah-Hartman
2023-01-16 15:51 ` Greg Kroah-Hartman [this message]
2023-01-16 15:51 ` [PATCH 5.10 34/64] xfrm: fix rcu lock in xfrm_notify_userpolicy() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 35/64] netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 36/64] powerpc/imc-pmu: Fix use of mutex in IRQs disabled section Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 37/64] x86/boot: Avoid using Intel mnemonics in AT&T syntax asm Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 38/64] EDAC/device: Fix period calculation in edac_device_reset_delay_period() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 39/64] regulator: da9211: Use irq handler when ready Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 40/64] ASoC: wm8904: fix wrong outputs volume after power reactivation Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 41/64] tipc: fix unexpected link reset due to discovery messages Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 42/64] octeontx2-af: Update get/set resource count functions Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 43/64] octeontx2-af: Map NIX block from CGX connection Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 44/64] octeontx2-af: Fix LMAC config in cgx_lmac_rx_tx_enable Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 45/64] hvc/xen: lock console list traversal Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 46/64] nfc: pn533: Wait for out_urbs completion in pn533_usb_send_frame() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 47/64] net/sched: act_mpls: Fix warning during failed attribute validation Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 48/64] net/mlx5: Fix ptp max frequency adjustment range Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 49/64] net/mlx5e: Dont support encap rules with gbp option Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 50/64] mm: Always release pages to the buddy allocator in memblock_free_late() Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 51/64] iommu/mediatek-v1: Add error handle for mtk_iommu_probe Greg Kroah-Hartman
2023-01-16 15:51 ` [PATCH 5.10 52/64] iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe() Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 53/64] Documentation: KVM: add API issues section Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 54/64] KVM: x86: Do not return host topology information from KVM_GET_SUPPORTED_CPUID Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 55/64] x86/resctrl: Use task_curr() instead of task_struct->on_cpu to prevent unnecessary IPI Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 56/64] x86/resctrl: Fix task CLOSID/RMID update race Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 57/64] arm64: atomics: format whitespace consistently Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 58/64] arm64: atomics: remove LL/SC trampolines Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 59/64] arm64: cmpxchg_double*: hazard against entire exchange variable Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 60/64] efi: fix NULL-deref in init error path Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 61/64] drm/virtio: Fix GEM handle creation UAF Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 62/64] io_uring/io-wq: free worker if task_work creation is canceled Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 63/64] io_uring/io-wq: only free worker if it was allocated for creation Greg Kroah-Hartman
2023-01-16 15:52 ` [PATCH 5.10 64/64] Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout" Greg Kroah-Hartman
2023-01-16 18:58 ` [PATCH 5.10 00/64] 5.10.164-rc1 review Daniel Díaz
2023-01-16 21:30 ` Pavel Machek
2023-01-17 9:32 ` Greg Kroah-Hartman
2023-01-16 23:58 ` Shuah Khan
2023-01-17 12:35 ` Sudip Mukherjee
2023-01-17 14:20 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230116154744.720046420@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ebiggers@google.com \
--cc=jack@suse.cz \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+57b25da729eb0b88177d@syzkaller.appspotmail.com \
--cc=tytso@mit.edu \
--cc=yebin10@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox