From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Ryusuke Konishi <konishi.ryusuke@gmail.com>,
	syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com,
	Khalid Masum <khalid.masum.92@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 6.0 02/34] nilfs2: fix use-after-free bug of struct nilfs_root
Date: Thu, 13 Oct 2022 19:52:40 +0200
Message-ID: <20221013175146.577263099@linuxfoundation.org>
In-Reply-To: <20221013175146.507746257@linuxfoundation.org>

From: Ryusuke Konishi <konishi.ryusuke@gmail.com>

commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream.

If the beginning of the inode bitmap area is corrupted on disk, an inode
with the same inode number as the root inode can be allocated and fail
soon after.  In this case, the subsequent call to nilfs_clear_inode() on
that bogus root inode will wrongly decrement the reference counter of
struct nilfs_root, and this will erroneously free struct nilfs_root,
causing kernel oopses.

This fixes the problem by changing nilfs_new_inode() to skip reserved
inode numbers while repairing the inode bitmap.

Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com
Reported-by: Khalid Masum <khalid.masum.92@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nilfs2/inode.c |   17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -328,6 +328,7 @@ struct inode *nilfs_new_inode(struct ino
 	struct inode *inode;
 	struct nilfs_inode_info *ii;
 	struct nilfs_root *root;
+	struct buffer_head *bh;
 	int err = -ENOMEM;
 	ino_t ino;
 
@@ -343,11 +344,25 @@ struct inode *nilfs_new_inode(struct ino
 	ii->i_state = BIT(NILFS_I_NEW);
 	ii->i_root = root;
 
-	err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh);
+	err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
 	if (unlikely(err))
 		goto failed_ifile_create_inode;
 	/* reference count of i_bh inherits from nilfs_mdt_read_block() */
 
+	if (unlikely(ino < NILFS_USER_INO)) {
+		nilfs_warn(sb,
+			   "inode bitmap is inconsistent for reserved inodes");
+		do {
+			brelse(bh);
+			err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
+			if (unlikely(err))
+				goto failed_ifile_create_inode;
+		} while (ino < NILFS_USER_INO);
+
+		nilfs_info(sb, "repaired inode bitmap for reserved inodes");
+	}
+	ii->i_bh = bh;
+
 	atomic64_inc(&root->inodes_count);
 	inode_init_owner(&init_user_ns, inode, dir, mode);
 	inode->i_ino = ino;
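Review bot: the comment "reference count of i_bh inherits from nilfs_mdt_read_block()" is now stranded above code that works on the local `bh`; `ii->i_bh` is only written by `ii->i_bh = bh;` after the retry block, so move the comment next to that assignment where the member it describes is actually set. On the loop itself: each `brelse(bh); err = nilfs_ifile_create_inode(...)` iteration leaves the previously returned reserved bit allocated, which is the intended "repair", so the loop can spin at most a handful of times before `ino` reaches NILFS_USER_INO, but a one-line comment stating that bound would spare the next reader the derivation. Also note that the `goto failed_ifile_create_inode` inside the loop is taken after `brelse(bh)` and before `ii->i_bh = bh;`, so the error label must not release `ii->i_bh` on its own; the old code passed `&ii->i_bh` directly, so that path is worth re-checking against the new ordering.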


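As an added user-space model (not kernel code and not part of this patch), the snippet below replays the allocation described in the commit message against a constructed inode bitmap: with the reserved region wrongly cleared, the pre-patch path hands out the root inode number, while the retry loop the patch adds re-marks the reserved bits and returns the first user inode. `alloc_ino`, `ino_bitmap`, `CORRUPTED_BITS` and the value of NILFS_ROOT_INO are assumptions standing in for nilfs_ifile_create_inode() and the on-disk layout; only NILFS_USER_INO appears on the page.

```c
#include <stdint.h>
#define NILFS_ROOT_INO 2  /* assumed on-disk value; the page names only NILFS_USER_INO */
#define NILFS_USER_INO 11 /* first inode number handed out to regular files */
/* Stand-in for the ifile inode bitmap: bit n set means inode n is in use. */
typedef struct { uint64_t bits; } ino_bitmap;

/* Models nilfs_ifile_create_inode(): claim and return the lowest clear bit. */
static int alloc_ino(ino_bitmap *bm, uint64_t *ino)
{
	for (uint64_t n = 0; n < 64; n++) {
		if (bm->bits & (UINT64_C(1) << n))
			continue;
		bm->bits |= UINT64_C(1) << n;
		*ino = n;
		return 0;
	}
	return -1; /* bitmap exhausted, like -ENOSPC */
}

/* Post-patch nilfs_new_inode(): retry (brelse + create) while the number is
 * reserved; every retry re-marks one reserved bit, which is the "repair". */
static int new_inode_fixed(ino_bitmap *bm, uint64_t *ino)
{
	int err = alloc_ino(bm, ino);
	while (!err && *ino < NILFS_USER_INO)
		err = alloc_ino(bm, ino); /* kernel: nilfs_warn() once, then loop */
	return err;
}

/* Constructed corruption: inodes 0 and 1 used, reserved 2..10 read as free. */
#define CORRUPTED_BITS UINT64_C(0x3)

/* Pre-patch behaviour: the new file is handed the root inode number. */
uint64_t old_path_ino(void)
{
	ino_bitmap bm = { .bits = CORRUPTED_BITS };
	uint64_t ino = 0;
	alloc_ino(&bm, &ino);
	return ino; /* == NILFS_ROOT_INO: the collision behind the use-after-free */
}

/* Post-patch behaviour: first user inode, reserved bits back in the bitmap. */
uint64_t fixed_path_ino(uint64_t *bits_after)
{
	ino_bitmap bm = { .bits = CORRUPTED_BITS };
	uint64_t ino = 0;
	new_inode_fixed(&bm, &ino);
	*bits_after = bm.bits;
	return ino; /* == NILFS_USER_INO, with bits 0..11 now set (0xfff) */
}
```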
