From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
To: stable@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>,
kernel-dev@igalia.com,
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Subject: [PATCH 6.1 00/19] Fix NULL pointer dereference for corrupted UDF filesystems
Date: Thu, 17 Oct 2024 14:18:56 -0300
Message-ID: <20241017171915.311132-1-cascardo@igalia.com>
UDF filesystems which have relocated blocks past the end of the device may
lead to a dcache without an inode that would lead to a NULL pointer
dereference, like this:
[ 65.938826] repro: attempt to access beyond end of device
[ 65.938826] loop0: rw=2049, sector=2052, nr_sectors = 2 limit=2048
[ 65.939476] Buffer I/O error on dev loop0, logical block 1026, lost async page write
[ 65.940426] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 65.940894] #PF: supervisor read access in kernel mode
[ 65.941280] #PF: error_code(0x0000) - not-present page
[ 65.941552] PGD 8691067 P4D 8691067 PUD 84cb067 PMD 0
[ 65.941830] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 65.942069] CPU: 0 PID: 460 Comm: repro Not tainted 6.1.113-rc2-00792-g7e3aa874350e #618
[ 65.942490] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 65.942906] RIP: 0010:path_openat+0x3ae/0x5db
[ 65.943136] Code: 89 c0 b8 eb ff ff ff 45 84 c0 0f 85 50 ff ff ff 83 3d da 24 3d 01 00 48 8b 4a 70 44 8b ad e4 00 00 00 8b 95 e0 00 00 00 75 0c <8b> 01 66 25 00 f0 66 3d 00 10 74 95 83 3d b0 24 3d 01 00 75 0c 8b
[ 65.944078] RSP: 0018:ffffc900001c7d50 EFLAGS: 00010246
[ 65.944387] RAX: 00000000ffffffeb RBX: ffffc900001c7edc RCX: 0000000000000000
[ 65.945072] RDX: 0000000000000000 RSI: 0000000000000132 RDI: 0000000000000000
[ 65.945948] RBP: ffffc900001c7dc0 R08: 000000000622c100 R09: 0000000000000000
[ 65.946412] R10: ffffc900001c7b30 R11: 0000000000000002 R12: ffff888009533a00
[ 65.946833] R13: 00000000000041ed R14: 0000000000008241 R15: ffffffff82450ca0
[ 65.947257] FS: 00007c48054c4740(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
[ 65.947702] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 65.947997] CR2: 0000000000000000 CR3: 0000000008c40000 CR4: 0000000000750ef0
[ 65.948361] PKRU: 55555554
[ 65.948503] Call Trace:
[ 65.948631] <TASK>
[ 65.948799] ? __die_body+0x1a/0x5d
[ 65.949079] ? page_fault_oops+0x2ca/0x358
[ 65.949370] ? exc_page_fault+0x15f/0x18b
[ 65.949654] ? asm_exc_page_fault+0x26/0x30
[ 65.949953] ? path_openat+0x3ae/0x5db
[ 65.950228] do_filp_open+0x52/0xb3
[ 65.950480] ? lock_release+0x17a/0x25f
[ 65.950759] ? _raw_spin_unlock+0x1e/0x32
[ 65.951044] do_sys_openat2+0x6d/0xe0
[ 65.951305] do_sys_open+0x39/0x57
[ 65.951479] do_syscall_64+0x71/0x88
[ 65.951660] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 65.951913] RIP: 0033:0x7c48055ecc7d
[ 65.952100] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 81 0d 00 f7 d8 64 89 01 48
[ 65.953002] RSP: 002b:00007fff38c48918 EFLAGS: 00000202 ORIG_RAX: 0000000000000055
[ 65.953378] RAX: ffffffffffffffda RBX: 00007fff38c48a48 RCX: 00007c48055ecc7d
[ 65.953733] RDX: 00007c48055ecc7d RSI: 0000000000000000 RDI: 0000000020000d00
[ 65.954128] RBP: 00007fff38c48930 R08: 0000000000000000 R09: 0000000000000000
[ 65.954492] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 65.955122] R13: 00007fff38c48a58 R14: 00005661cd1ccd10 R15: 00007c480572d000
[ 65.955666] </TASK>
[ 65.955843] Modules linked in:
[ 65.956054] CR2: 0000000000000000
[ 65.956285] ---[ end trace 0000000000000000 ]---
[ 65.956610] RIP: 0010:path_openat+0x3ae/0x5db
[ 65.956886] Code: 89 c0 b8 eb ff ff ff 45 84 c0 0f 85 50 ff ff ff 83 3d da 24 3d 01 00 48 8b 4a 70 44 8b ad e4 00 00 00 8b 95 e0 00 00 00 75 0c <8b> 01 66 25 00 f0 66 3d 00 10 74 95 83 3d b0 24 3d 01 00 75 0c 8b
[ 65.957973] RSP: 0018:ffffc900001c7d50 EFLAGS: 00010246
[ 65.958255] RAX: 00000000ffffffeb RBX: ffffc900001c7edc RCX: 0000000000000000
[ 65.958636] RDX: 0000000000000000 RSI: 0000000000000132 RDI: 0000000000000000
[ 65.959111] RBP: ffffc900001c7dc0 R08: 000000000622c100 R09: 0000000000000000
[ 65.959601] R10: ffffc900001c7b30 R11: 0000000000000002 R12: ffff888009533a00
[ 65.960095] R13: 00000000000041ed R14: 0000000000008241 R15: ffffffff82450ca0
[ 65.960539] FS: 00007c48054c4740(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
[ 65.960971] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 65.961283] CR2: 0000000000000000 CR3: 0000000008c40000 CR4: 0000000000750ef0
[ 65.961664] PKRU: 55555554
[ 65.961820] Kernel panic - not syncing: Fatal exception
Jan Kara (19):
udf: New directory iteration code
udf: Convert udf_expand_dir_adinicb() to new directory iteration
udf: Move udf_expand_dir_adinicb() to its callsite
udf: Implement searching for directory entry using new iteration code
udf: Provide function to mark entry as deleted using new directory iteration code
udf: Convert udf_rename() to new directory iteration code
udf: Convert udf_readdir() to new directory iteration
udf: Convert udf_lookup() to use new directory iteration code
udf: Convert udf_get_parent() to new directory iteration code
udf: Convert empty_dir() to new directory iteration code
udf: Convert udf_rmdir() to new directory iteration code
udf: Convert udf_unlink() to new directory iteration code
udf: Implement adding of dir entries using new iteration code
udf: Convert udf_add_nondir() to new directory iteration
udf: Convert udf_mkdir() to new directory iteration code
udf: Convert udf_link() to new directory iteration code
udf: Remove old directory iteration code
udf: Handle error when expanding directory
udf: Don't return bh from udf_expand_dir_adinicb()
fs/udf/dir.c | 148 ++-----
fs/udf/directory.c | 564 ++++++++++++++++++------
fs/udf/inode.c | 90 ----
fs/udf/namei.c | 1049 +++++++++++++++-----------------------------
fs/udf/udfdecl.h | 45 +-
5 files changed, 823 insertions(+), 1073 deletions(-)
--
2.34.1
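As an added triage example (not part of the cover letter or of the kernel's own code), the Python below parses a dmesg excerpt like the one quoted above and pulls out the two facts that characterise this bug: the block I/O that ran past the device limit, and the NULL dereference's faulting symbol together with the reliable (non-"?") call-trace frames. The sample input is constructed from the oops in the message; the function and field names are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the oops quoted in the cover letter.
SAMPLE_DMESG = """\
[   65.938826] repro: attempt to access beyond end of device
[   65.938826] loop0: rw=2049, sector=2052, nr_sectors = 2 limit=2048
[   65.939476] Buffer I/O error on dev loop0, logical block 1026, lost async page write
[   65.940426] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   65.942906] RIP: 0010:path_openat+0x3ae/0x5db
[   65.948503] Call Trace:
[   65.948799]  ? __die_body+0x1a/0x5d
[   65.949953]  ? path_openat+0x3ae/0x5db
[   65.950228]  do_filp_open+0x52/0xb3
[   65.951044]  do_sys_openat2+0x6d/0xe0
[   65.951660]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # printk timestamp prefix
# "loop0: rw=2049, sector=2052, nr_sectors = 2 limit=2048"
OOB_RE = re.compile(TS + r"(?P<dev>\w+): rw=(?P<rw>\d+), sector=(?P<sector>\d+), "
                    r"nr_sectors\s*=\s*(?P<nr>\d+) limit=(?P<limit>\d+)")
NULL_RE = re.compile(TS + r"BUG: kernel NULL pointer dereference, address: (?P<addr>[0-9a-f]+)")
RIP_RE = re.compile(TS + r"RIP: \d{4}:(?P<sym>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")
# Frames prefixed with "? " are unreliable guesses from the stack unwinder.
FRAME_RE = re.compile(TS + r"(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


def triage_oops(text):
    """Summarise an out-of-range block I/O followed by a NULL pointer oops."""
    report = {"oob_io": None, "null_deref": False, "fault_symbol": None,
              "fault_offset": None, "call_trace": []}
    in_trace = False
    for line in text.splitlines():
        if m := OOB_RE.match(line):
            sector, nr, limit = int(m["sector"]), int(m["nr"]), int(m["limit"])
            # Bit 0 of rw is the request op; odd values are writes (REQ_OP_WRITE).
            report["oob_io"] = {"dev": m["dev"], "write": int(m["rw"]) & 1 == 1,
                                "overrun_sectors": sector + nr - limit}
        elif NULL_RE.match(line):
            report["null_deref"] = True
        elif m := RIP_RE.match(line):
            report["fault_symbol"] = m["sym"]
            report["fault_offset"] = int(m["off"], 16)
        elif "Call Trace:" in line:
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)) and not m["unreliable"]:
            report["call_trace"].append(m["sym"])
    return report
```

For the quoted oops the report shows a write ending 6 sectors past the 2048-sector device and the fault inside path_openat, reached from do_filp_open via the openat syscall path.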
Thread overview (21+ messages):
2024-10-17 17:18 Thadeu Lima de Souza Cascardo [this message]
2024-10-17 17:18 ` [PATCH 6.1 01/19] udf: New directory iteration code Thadeu Lima de Souza Cascardo
2024-10-17 17:18 ` [PATCH 6.1 02/19] udf: Convert udf_expand_dir_adinicb() to new directory iteration Thadeu Lima de Souza Cascardo
2024-10-17 17:18 ` [PATCH 6.1 03/19] udf: Move udf_expand_dir_adinicb() to its callsite Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 04/19] udf: Implement searching for directory entry using new iteration code Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 05/19] udf: Provide function to mark entry as deleted using new directory " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 06/19] udf: Convert udf_rename() to " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 07/19] udf: Convert udf_readdir() to new directory iteration Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 08/19] udf: Convert udf_lookup() to use new directory iteration code Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 09/19] udf: Convert udf_get_parent() to " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 10/19] udf: Convert empty_dir() " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 11/19] udf: Convert udf_rmdir() " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 12/19] udf: Convert udf_unlink() " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 13/19] udf: Implement adding of dir entries using new " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 14/19] udf: Convert udf_add_nondir() to new directory iteration Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 15/19] udf: Convert udf_mkdir() to new directory iteration code Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 16/19] udf: Convert udf_link() " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 17/19] udf: Remove old " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 18/19] udf: Handle error when expanding directory Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 19/19] udf: Don't return bh from udf_expand_dir_adinicb() Thadeu Lima de Souza Cascardo
2024-10-18 6:41 ` [PATCH 6.1 00/19] Fix NULL pointer dereference for corrupted UDF filesystems Greg KH