From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, ChenXiaoSong <chenxiaosong2@huawei.com>,
Anton Altaparmakov <anton@tuxera.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 5.10 17/52] ntfs: fix BUG_ON in ntfs_lookup_inode_by_name()
Date: Mon, 3 Oct 2022 09:11:24 +0200 [thread overview]
Message-ID: <20221003070719.240412661@linuxfoundation.org> (raw)
In-Reply-To: <20221003070718.687440096@linuxfoundation.org>
From: ChenXiaoSong <chenxiaosong2@huawei.com>
commit 1b513f613731e2afc05550e8070d79fac80c661e upstream.
Syzkaller reported BUG_ON as follows:
------------[ cut here ]------------
kernel BUG at fs/ntfs/dir.c:86!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 3 PID: 758 Comm: a.out Not tainted 5.19.0-next-20220808 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:ntfs_lookup_inode_by_name+0xd11/0x2d10
Code: ff e9 b9 01 00 00 e8 1e fe d6 fe 48 8b 7d 98 49 8d 5d 07 e8 91 85 29 ff 48 c7 45 98 00 00 00 00 e9 5a fb ff ff e8 ff fd d6 fe <0f> 0b e8 f8 fd d6 fe 0f 0b e8 f1 fd d6 fe 48 8b b5 50 ff ff ff 4c
RSP: 0018:ffff888079607978 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000008000 RCX: 0000000000000000
RDX: ffff88807cf10000 RSI: ffffffff82a4a081 RDI: 0000000000000003
RBP: ffff888079607a70 R08: 0000000000000001 R09: ffff88807a6d01d7
R10: ffffed100f4da03a R11: 0000000000000000 R12: ffff88800f0fb110
R13: ffff88800f0ee000 R14: ffff88800f0fb000 R15: 0000000000000001
FS: 00007f33b63c7540(0000) GS:ffff888108580000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f33b635c090 CR3: 000000000f39e005 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
load_system_files+0x1f7f/0x3620
ntfs_fill_super+0xa01/0x1be0
mount_bdev+0x36a/0x440
ntfs_mount+0x3a/0x50
legacy_get_tree+0xfb/0x210
vfs_get_tree+0x8f/0x2f0
do_new_mount+0x30a/0x760
path_mount+0x4de/0x1880
__x64_sys_mount+0x2b3/0x340
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f33b62ff9ea
Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd0c471aa8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f33b62ff9ea
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd0c471be0
RBP: 00007ffd0c471c60 R08: 00007ffd0c471ae0 R09: 00007ffd0c471c24
R10: 0000000000000000 R11: 0000000000000202 R12: 000055bac5afc160
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Fix this by adding sanity check on extended system files' directory inode
to ensure that it is directory, just like ntfs_extend_init() when mounting
ntfs3.
Link: https://lkml.kernel.org/r/20220809064730.2316892-1-chenxiaosong2@huawei.com
Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
Cc: Anton Altaparmakov <anton@tuxera.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ntfs/super.c
+++ b/fs/ntfs/super.c
@@ -2092,7 +2092,8 @@ get_ctx_vol_failed:
// TODO: Initialize security.
/* Get the extended system files' directory inode. */
vol->extend_ino = ntfs_iget(sb, FILE_Extend);
- if (IS_ERR(vol->extend_ino) || is_bad_inode(vol->extend_ino)) {
+ if (IS_ERR(vol->extend_ino) || is_bad_inode(vol->extend_ino) ||
+ !S_ISDIR(vol->extend_ino->i_mode)) {
if (!IS_ERR(vol->extend_ino))
iput(vol->extend_ino);
ntfs_error(sb, "Failed to load $Extend.");
next prev parent reply other threads:[~2022-10-03 7:33 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-03 7:11 [PATCH 5.10 00/52] 5.10.147-rc1 review Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 01/52] thunderbolt: Add support for Intel Maple Ridge Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 02/52] thunderbolt: Add support for Intel Maple Ridge single port controller Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 03/52] ALSA: hda/tegra: Use clk_bulk helpers Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 04/52] ALSA: hda/tegra: Reset hardware Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 05/52] ALSA: hda/hdmi: let new platforms assign the pcm slot dynamically Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 06/52] ALSA: hda: Fix Nvidia dp infoframe Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 07/52] btrfs: fix hang during unmount when stopping a space reclaim worker Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 08/52] uas: add no-uas quirk for Hiksemi usb_disk Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 09/52] usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 10/52] uas: ignore UAS for Thinkplus chips Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 11/52] usb: typec: ucsi: Remove incorrect warning Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 12/52] thunderbolt: Explicitly reset plug events delay back to USB4 spec value Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 13/52] net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 14/52] Input: snvs_pwrkey - fix SNVS_HPVIDR1 register address Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 15/52] clk: ingenic-tcu: Properly enable registers before accessing timers Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 16/52] ARM: dts: integrator: Tag PCI host with device_type Greg Kroah-Hartman
2022-10-03 7:11 ` Greg Kroah-Hartman [this message]
2022-10-03 7:11 ` [PATCH 5.10 18/52] net: mt7531: only do PLL once after the reset Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 19/52] powerpc/64s/radix: dont need to broadcast IPI for radix pmd collapse flush Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 20/52] libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205 Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 21/52] mmc: moxart: fix 4-bit bus width and remove 8-bit bus width Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 22/52] mmc: hsq: Fix data stomping during mmc recovery Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 23/52] mm/page_alloc: fix race condition between build_all_zonelists and page allocation Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 24/52] mm: prevent page_frag_alloc() from corrupting the memory Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 25/52] mm/migrate_device.c: flush TLB while holding PTL Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 26/52] mm: fix madivse_pageout mishandling on non-LRU page Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 27/52] media: dvb_vb2: fix possible out of bound access Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 28/52] media: rkvdec: Disable H.264 error detection Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 29/52] swiotlb: max mapping size takes min align mask into account Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 30/52] scsi: hisi_sas: Revert "scsi: hisi_sas: Limit max hw sectors for v3 HW" Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 31/52] ARM: dts: am33xx: Fix MMCHS0 dma properties Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 32/52] reset: imx7: Fix the iMX8MP PCIe PHY PERST support Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 33/52] soc: sunxi: sram: Actually claim SRAM regions Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 34/52] soc: sunxi: sram: Prevent the driver from being unbound Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 35/52] soc: sunxi_sram: Make use of the helper function devm_platform_ioremap_resource() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 36/52] soc: sunxi: sram: Fix probe function ordering issues Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 37/52] soc: sunxi: sram: Fix debugfs info for A64 SRAM C Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 38/52] ASoC: tas2770: Reinit regcache on reset Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 39/52] Revert "drm: bridge: analogix/dp: add panel prepare/unprepare in suspend/resume time" Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 40/52] Input: melfas_mip4 - fix return value check in mip4_probe() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 41/52] usbnet: Fix memory leak in usbnet_disconnect() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 42/52] net: sched: act_ct: fix possible refcount leak in tcf_ct_init() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 43/52] cxgb4: fix missing unlock on ETHOFLD desc collect fail path Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 44/52] nvme: add new line after variable declatation Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 45/52] nvme: Fix IOC_PR_CLEAR and IOC_PR_RELEASE ioctls for nvme devices Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 46/52] net: stmmac: power up/down serdes in stmmac_open/release Greg Kroah-Hartman
2022-10-04 10:16 ` Pavel Machek
2022-10-03 7:11 ` [PATCH 5.10 47/52] selftests: Fix the if conditions of in test_extra_filter() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 48/52] clk: imx: imx6sx: remove the SET_RATE_PARENT flag for QSPI clocks Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 49/52] clk: iproc: Do not rely on node name for correct PLL setup Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 50/52] KVM: x86: Hide IA32_PLATFORM_DCA_CAP[31:0] from the guest Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 51/52] x86/alternative: Fix race in try_get_desc() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 52/52] ALSA: hda/hdmi: fix warning about PCM count when used with SOF Greg Kroah-Hartman
2022-10-03 11:31 ` [PATCH 5.10 00/52] 5.10.147-rc1 review Jon Hunter
2022-10-03 13:50 ` Pavel Machek
2022-10-03 16:43 ` Allen Pais
2022-10-03 17:52 ` Guenter Roeck
2022-10-03 18:14 ` Florian Fainelli
2022-10-03 20:41 ` Slade Watkins
2022-10-04 8:41 ` Naresh Kamboju
2022-10-04 11:39 ` Sudip Mukherjee (Codethink)
2022-10-07 14:44 ` zhouzhixiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221003070719.240412661@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=anton@tuxera.com \
--cc=chenxiaosong2@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.