From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Shigeru Yoshida <syoshida@redhat.com>,
syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com,
Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>,
jack@suse.com
Subject: [PATCH AUTOSEL 5.10 2/9] udf: Avoid double brelse() in udf_rename()
Date: Sat, 17 Dec 2022 10:29:19 -0500 [thread overview]
Message-ID: <20221217152927.99012-2-sashal@kernel.org> (raw)
In-Reply-To: <20221217152927.99012-1-sashal@kernel.org>
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit c791730f2554a9ebb8f18df9368dc27d4ebc38c2 ]
syzbot reported a warning like below [1]:
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0
...
Call Trace:
<TASK>
invalidate_bh_lru+0x99/0x150
smp_call_function_many_cond+0xe2a/0x10c0
? generic_remap_file_range_prep+0x50/0x50
? __brelse+0xa0/0xa0
? __mutex_lock+0x21c/0x12d0
? smp_call_on_cpu+0x250/0x250
? rcu_read_lock_sched_held+0xb/0x60
? lock_release+0x587/0x810
? __brelse+0xa0/0xa0
? generic_remap_file_range_prep+0x50/0x50
on_each_cpu_cond_mask+0x3c/0x80
blkdev_flush_mapping+0x13a/0x2f0
blkdev_put_whole+0xd3/0xf0
blkdev_put+0x222/0x760
deactivate_locked_super+0x96/0x160
deactivate_super+0xda/0x100
cleanup_mnt+0x222/0x3d0
task_work_run+0x149/0x240
? task_work_cancel+0x30/0x30
do_exit+0xb29/0x2a40
? reacquire_held_locks+0x4a0/0x4a0
? do_raw_spin_lock+0x12a/0x2b0
? mm_update_next_owner+0x7c0/0x7c0
? rwlock_bug.part.0+0x90/0x90
? zap_other_threads+0x234/0x2d0
do_group_exit+0xd0/0x2a0
__x64_sys_exit_group+0x3a/0x50
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The cause of the issue is that brelse() is called on both ofibh.sbh
and ofibh.ebh by udf_find_entry() when it returns NULL. However,
brelse() is called by udf_rename(), too. So, b_count on buffer_head
becomes unbalanced.
This patch fixes the issue by not calling brelse() by udf_rename()
when udf_find_entry() returns NULL.
Link: https://syzkaller.appspot.com/bug?id=8297f45698159c6bca8a1f87dc983667c1a1c851 [1]
Reported-by: syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221023095741.271430-1-syoshida@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/namei.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index aff5ca32e4f6..58120d2f265f 100644
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -1090,8 +1090,9 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry,
return -EINVAL;
ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi);
- if (IS_ERR(ofi)) {
- retval = PTR_ERR(ofi);
+ if (!ofi || IS_ERR(ofi)) {
+ if (IS_ERR(ofi))
+ retval = PTR_ERR(ofi);
goto end_rename;
}
@@ -1100,8 +1101,7 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry,
brelse(ofibh.sbh);
tloc = lelb_to_cpu(ocfi.icb.extLocation);
- if (!ofi || udf_get_lb_pblock(old_dir->i_sb, &tloc, 0)
- != old_inode->i_ino)
+ if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino)
goto end_rename;
nfi = udf_find_entry(new_dir, &new_dentry->d_name, &nfibh, &ncfi);
--
2.35.1
next prev parent reply other threads:[~2022-12-17 15:35 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-17 15:29 [PATCH AUTOSEL 5.10 1/9] fs: jfs: fix shift-out-of-bounds in dbAllocAG Sasha Levin
2022-12-17 15:29 ` Sasha Levin [this message]
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 3/9] fs: jfs: fix shift-out-of-bounds in dbDiscardAG Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 4/9] ACPICA: Fix error code path in acpi_ds_call_control_method() Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 5/9] proc/vmcore: fix potential memory leak in vmcore_init() Sasha Levin
2022-12-17 15:29 ` Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 6/9] nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() Sasha Levin
2022-12-17 15:29 ` Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 7/9] nilfs2: fix shift-out-of-bounds due to too large exponent of block size Sasha Levin
2022-12-17 15:29 ` Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 8/9] acct: fix potential integer overflow in encode_comp_t() Sasha Levin
2022-12-17 15:29 ` [PATCH AUTOSEL 5.10 9/9] hfs: fix OOB Read in __hfs_brec_find Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221217152927.99012-2-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jack@suse.com \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syoshida@redhat.com \
--cc=syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.