From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-qk0-f193.google.com ([209.85.220.193]:34760 "EHLO mail-qk0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751111AbeECWKl (ORCPT ); Thu, 3 May 2018 18:10:41 -0400
Received: by mail-qk0-f193.google.com with SMTP id p186so15213566qkd.1 for ; Thu, 03 May 2018 15:10:41 -0700 (PDT)
Date: Thu, 3 May 2018 19:10:36 -0300
From: Ernesto A. Fernández
To: syzbot
Cc: Andrew Morton , Christoph Hellwig , Alexey Khoroshilov , Artem Bityutskiy , Ernesto A. Fernández , linux-fsdevel@vger.kernel.org
Subject: [PATCH 2/2] hfsplus: always return error if fill_super fails
Message-ID: <8285926250376eb393b69877251b0d6e743b7930.1525384742.git.ernesto.mnd.fernandez@gmail.com>
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To:
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

If the filesystem is corrupted in such a way that the HFS+ Private Data directory is not of type HFSPLUS_FOLDER, the mount will fail without throwing an error code. The vfs layer is then forced to dereference a NULL root dentry.

This bug was found by KASAN while running the reproducer provided by syzbot+4f2e5f086147d543ab03@syzkaller.appspotmail.com for a separate issue.

Fixes: 5bd9d99d107c ("hfsplus: add error checking for hfs_find_init()")
Signed-off-by: Ernesto A. Fernández
---
 fs/hfsplus/super.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
index 4bc49e3f171d..4f62634c5666 100644
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -524,8 +524,10 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent) goto out_put_root; if (!hfs_brec_read(&fd, &entry, sizeof(entry))) { hfs_find_exit(&fd); - if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) + if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) { + err = -EINVAL; goto out_put_root; + } inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id)); if (IS_ERR(inode)) { err = PTR_ERR(inode); -- 2.11.0
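Review bot: The new `err = -EINVAL;` before the `goto out_put_root` on the non-folder check is the right fix for the visible path: the context above shows `err` was already checked as zero by the earlier `goto out_put_root`, and the successful `hfs_brec_read()` branch does not assign it, so the old bare jump returned 0 from fill_super while leaving the root dentry unset, which is exactly the NULL dereference the commit message describes. Two points worth a follow-up in the same hunk: an on-disk record of the wrong type is a corruption condition, so consider emitting a diagnostic (honouring the `silent` parameter that `hfsplus_fill_super()` already receives) next to the new assignment so an administrator can see why the mount was refused, and confirm whether this file reports detected on-disk corruption as `-EINVAL` or `-EIO` elsewhere so the new return value matches its sibling paths. The `hfs_find_exit(&fd)` call preceding the check means the new early exit releases the find data correctly, so no additional cleanup is needed in the added braces.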