From: Ritesh Harjani <riteshh@linux.ibm.com>
To: Jeffle Xu <jefflexu@linux.alibaba.com>, tytso@mit.edu, jack@suse.cz
Cc: linux-ext4@vger.kernel.org, joseph.qi@linux.alibaba.com
Subject: Re: [PATCH v2] ext4: fix error pointer dereference
Date: Thu, 23 Apr 2020 14:12:00 +0530
Message-ID: <20200423084201.719DB4C040@d06av22.portsmouth.uk.ibm.com>
In-Reply-To: <1587628004-95123-1-git-send-email-jefflexu@linux.alibaba.com>



On 4/23/20 1:16 PM, Jeffle Xu wrote:
> Don't pass error pointers to brelse().
> 
> commit 7159a986b420 ("ext4: fix some error pointer dereferences") has fixed
> some cases, fix the remaining one case.
> 
> Once ext4_xattr_block_find()->ext4_sb_bread() failed, error pointer is
> stored in @bs->bh, which will be passed to brelse() in the cleanup
> routine of ext4_xattr_set_handle(). This will then cause a NULL panic
> crash in __brelse().
> 
> BUG: unable to handle kernel NULL pointer dereference at 000000000000005b
> RIP: 0010:__brelse+0x1b/0x50
> Call Trace:
>   ext4_xattr_set_handle+0x163/0x5d0
>   ext4_xattr_set+0x95/0x110
>   __vfs_setxattr+0x6b/0x80
>   __vfs_setxattr_noperm+0x68/0x1b0
>   vfs_setxattr+0xa0/0xb0
>   setxattr+0x12c/0x1a0
>   path_setxattr+0x8d/0xc0
>   __x64_sys_setxattr+0x27/0x30
>   do_syscall_64+0x60/0x250
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> In this case, @bs->bh stores '-EIO' actually.
> 
> Fixes: fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases")
> Signed-off-by: Jeffle Xu <jefflexu@linux.alibaba.com>
> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> Cc: stable@kernel.org # 2.6.19

Thanks for your patch. Looks good to me.
Feel free to add:

Reviewed-by: Ritesh Harjani <riteshh@linux.ibm.com>

> ---
>   fs/ext4/xattr.c | 7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
> index 21df43a..01ba663 100644
> --- a/fs/ext4/xattr.c
> +++ b/fs/ext4/xattr.c
> @@ -1800,8 +1800,11 @@ struct ext4_xattr_block_find {
>   	if (EXT4_I(inode)->i_file_acl) {
>   		/* The inode already has an extended attribute block. */
>   		bs->bh = ext4_sb_bread(sb, EXT4_I(inode)->i_file_acl, REQ_PRIO);
> -		if (IS_ERR(bs->bh))
> -			return PTR_ERR(bs->bh);
> +		if (IS_ERR(bs->bh)) {
> +			error = PTR_ERR(bs->bh);
> +			bs->bh = NULL;
> +			return error;
> +		}
>   		ea_bdebug(bs->bh, "b_count=%d, refcount=%d",
>   			atomic_read(&(bs->bh->b_count)),
>   			le32_to_cpu(BHDR(bs->bh)->h_refcount));
> 
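Review bot: the new `bs->bh = NULL;` in the IS_ERR() branch carries no comment saying why the slot is reset, so a later cleanup of this branch could drop it and bring back the brelse() crash described in the commit message. Add a one-line comment, for example "callers brelse(bs->bh) on their cleanup path, so never leave an error pointer here". The branch also assigns to `error`, whose declaration is not in the visible context; confirm the function already has a local of the right type for PTR_ERR()'s return value.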


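Under an assumed LP64 field order for struct buffer_head, the fault address in the quoted oops is ERR_PTR(-EIO) plus the offset of b_count, which wraps to 0x5b. The userspace model below is an added example, not code from the patch or from this thread; `bh_model`, `find_model`, `brelse_touches`, `find_before` and `find_after` are hypothetical names, and the failing read is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

/* Assumed model of struct buffer_head's field order on an LP64 build. */
struct bh_model {
    unsigned long b_state;
    void *b_this_page, *b_page;
    unsigned long long b_blocknr;
    size_t b_size;
    void *b_data, *b_bdev, *b_end_io, *b_private;
    void *b_assoc_buffers[2], *b_assoc_map; /* list_head is two pointers */
    int b_count;                            /* atomic_t */
};
struct find_model { struct bh_model *bh; };

/* Address a brelse()-style release reads; 0 means NULL was skipped. */
static unsigned long brelse_touches(const struct bh_model *bh)
{
    return bh ? (unsigned long)bh + offsetof(struct bh_model, b_count) : 0;
}
/* Pre-patch shape: the failed read's error pointer stays in bs->bh. */
static long find_before(struct find_model *bs)
{
    bs->bh = ERR_PTR(-EIO); /* constructed failure of the block read */
    return IS_ERR(bs->bh) ? PTR_ERR(bs->bh) : 0;
}
/* Patched shape: the error is returned and the slot is reset to NULL. */
static long find_after(struct find_model *bs)
{
    long error = find_before(bs);
    if (error)
        bs->bh = NULL;
    return error;
}

int main(void)
{
    struct find_model a = {0}, b = {0};
    find_before(&a);
    find_after(&b);
    printf("before %#lx, after %#lx\n", brelse_touches(a.bh), brelse_touches(b.bh));
    return 0;
}
```

A small non-NULL fault address in an oops, such as this 0x5b, is a useful triage hint that the dereferenced value was a negative errno rather than a true NULL.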