From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Ryusuke Konishi <konishi.ryusuke@gmail.com>,
syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 6.6 43/76] nilfs2: reject invalid file types when reading inodes
Date: Wed, 30 Jul 2025 11:35:36 +0200 [thread overview]
Message-ID: <20250730093228.506188643@linuxfoundation.org> (raw)
In-Reply-To: <20250730093226.854413920@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit 4aead50caf67e01020c8be1945c3201e8a972a27 upstream.
To prevent inodes with invalid file types from tripping through the vfs
and causing malfunctions or assertion failures, add a missing sanity check
when reading an inode from a block device. If the file type is not valid,
treat it as a filesystem error.
Link: https://lkml.kernel.org/r/20250710134952.29862-1-konishi.ryusuke@gmail.com
Fixes: 05fe58fdc10d ("nilfs2: inode operations")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/inode.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -517,11 +517,18 @@ static int __nilfs_read_inode(struct sup
inode->i_op = &nilfs_symlink_inode_operations;
inode_nohighmem(inode);
inode->i_mapping->a_ops = &nilfs_aops;
- } else {
+ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
+ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
inode->i_op = &nilfs_special_inode_operations;
init_special_inode(
inode, inode->i_mode,
huge_decode_dev(le64_to_cpu(raw_inode->i_device_code)));
+ } else {
+ nilfs_error(sb,
+ "invalid file type bits in mode 0%o for inode %lu",
+ inode->i_mode, ino);
+ err = -EIO;
+ goto failed_unmap;
}
nilfs_ifile_unmap_inode(root->ifile, ino, bh);
brelse(bh);
next prev parent reply other threads:[~2025-07-30 9:39 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-30 9:34 [PATCH 6.6 00/76] 6.6.101-rc1 review Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 01/76] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 02/76] virtio_ring: Fix error reporting in virtqueue_resize Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 03/76] regulator: core: fix NULL dereference on unbind due to stale coupling data Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 04/76] RDMA/core: Rate limit GID cache warning messages Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 05/76] interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 06/76] iio: adc: ad7949: use spi_is_bpw_supported() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 07/76] regmap: fix potential memory leak of regmap_bus Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 08/76] x86/hyperv: Fix usage of cpu_online_mask to get valid cpu Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 09/76] platform/x86: Fix initialization order for firmware_attributes_class Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 10/76] staging: vchiq_arm: Make vchiq_shutdown never fail Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 11/76] xfrm: interface: fix use-after-free after changing collect_md xfrm interface Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 12/76] net/mlx5: Fix memory leak in cmd_exec() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 13/76] net/mlx5: E-Switch, Fix peer miss rules to use peer eswitch Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 14/76] i40e: Add rx_missed_errors for buffer exhaustion Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 15/76] i40e: report VF tx_dropped with tx_errors instead of tx_discards Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 16/76] i40e: When removing VF MAC filters, only check PF-set MAC Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 17/76] net: appletalk: Fix use-after-free in AARP proxy probe Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 18/76] net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 19/76] can: dev: can_restart(): reverse logic to remove need for goto Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 20/76] can: dev: can_restart(): move debug message and stats after successful restart Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 21/76] can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 22/76] drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 23/76] s390/ism: fix concurrency management in ism_cmd() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 24/76] net: hns3: fix concurrent setting vlan filter issue Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 25/76] net: hns3: disable interrupt when ptp init failed Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 26/76] net: hns3: fixed vf get max channels bug Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 27/76] net: hns3: default enable tx bounce buffer when smmu enabled Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 28/76] platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 29/76] i2c: qup: jump out of the loop in case of timeout Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 30/76] i2c: tegra: Fix reset error handling with ACPI Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 31/76] i2c: virtio: Avoid hang by using interruptible completion wait Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 32/76] bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 33/76] sprintf.h requires stdarg.h Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 34/76] ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 35/76] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 36/76] dpaa2-eth: Fix device reference count leak in MAC endpoint handling Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 37/76] dpaa2-switch: " Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 38/76] e1000e: disregard NVM checksum on tgp when valid checksum bit is not set Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 39/76] e1000e: ignore uninitialized checksum word on tgp Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 40/76] gve: Fix stuck TX queue for DQ queue format Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 41/76] ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 42/76] kasan: use vmalloc_dump_obj() for vmalloc error reports Greg Kroah-Hartman
2025-07-30 9:35 ` Greg Kroah-Hartman [this message]
2025-07-30 9:35 ` [PATCH 6.6 44/76] resource: fix false warning in __request_region() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 45/76] selftests: mptcp: connect: also cover alt modes Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 46/76] selftests: mptcp: connect: also cover checksum Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 47/76] mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 48/76] drm/amdkfd: Dont call mmput from MMU notifier callback Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 49/76] usb: typec: tcpm: allow to use sink in accessory mode Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 50/76] usb: typec: tcpm: allow switching to mode accessory to mux properly Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 51/76] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 52/76] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 53/76] jfs: reject on-disk inodes of an unsupported type Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 54/76] comedi: comedi_test: Fix possible deletion of uninitialized timers Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 55/76] ALSA: hda/tegra: Add Tegra264 support Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 56/76] ALSA: hda: Add missing NVIDIA HDA codec IDs Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 57/76] drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 58/76] mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 59/76] erofs: address D-cache aliasing Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 60/76] crypto: powerpc/poly1305 - add depends on BROKEN for now Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 61/76] crypto: qat - add shutdown handler to qat_dh895xcc Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 62/76] iio: hid-sensor-prox: Fix incorrect OFFSET calculation Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 63/76] iio: hid-sensor-prox: Restore lost scale assignments Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 64/76] ksmbd: fix use-after-free in __smb2_lease_break_noti() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 65/76] mtd: rawnand: qcom: Fix last codeword read in qcom_param_page_type_exec() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 66/76] perf/x86/intel: Fix crash in icl_update_topdown_event() Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 67/76] wifi: mt76: mt7921: prevent decap offload config before STA initialization Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 68/76] ksmbd: add free_transport ops in ksmbd connection Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 69/76] arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 70/76] mptcp: make fallback action and fallback decision atomic Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 71/76] mptcp: plug races between subflow fail and subflow creation Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 72/76] mptcp: reset fallback status gracefully at disconnect() time Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 73/76] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 74/76] drm/sched: Remove optimization that causes hang when killing dependent jobs Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 75/76] spi: cadence-quadspi: fix cleanup of rx_chan on failure paths Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 76/76] Revert "selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test" Greg Kroah-Hartman
2025-07-30 17:19 ` [PATCH 6.6 00/76] 6.6.101-rc1 review Brett A C Sheffield
2025-07-30 17:31 ` Peter Schneider
2025-07-30 17:38 ` Mark Brown
2025-07-30 20:10 ` Jon Hunter
2025-07-30 21:00 ` Shuah Khan
2025-07-30 22:12 ` Shuah Khan
2025-07-31 7:09 ` Harshit Mogalapalli
2025-07-31 8:54 ` Ron Economos
2025-07-31 10:38 ` Naresh Kamboju
2025-07-31 18:48 ` Miguel Ojeda
2025-08-01 1:28 ` Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250730093228.506188643@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=konishi.ryusuke@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox