linux-kernel.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eiichi Tsukata <devel@etsukata.com>,
	"Darrick J . Wong" <darrick.wong@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-xfs@vger.kernel.org
Subject: [PATCH AUTOSEL 5.8 24/27] xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init
Date: Wed, 19 Aug 2020 20:01:13 -0400
Message-ID: <20200820000116.214821-24-sashal@kernel.org>
In-Reply-To: <20200820000116.214821-1-sashal@kernel.org>

From: Eiichi Tsukata <devel@etsukata.com>

[ Upstream commit 96cf2a2c75567ff56195fe3126d497a2e7e4379f ]

If xfs_sysfs_init is called with parent_kobj == NULL, UBSAN
shows the following warning:

  UBSAN: null-ptr-deref in ./fs/xfs/xfs_sysfs.h:37:23
  member access within null pointer of type 'struct xfs_kobj'
  Call Trace:
   dump_stack+0x10e/0x195
   ubsan_type_mismatch_common+0x241/0x280
   __ubsan_handle_type_mismatch_v1+0x32/0x40
   init_xfs_fs+0x12b/0x28f
   do_one_initcall+0xdd/0x1d0
   do_initcall_level+0x151/0x1b6
   do_initcalls+0x50/0x8f
   do_basic_setup+0x29/0x2b
   kernel_init_freeable+0x19f/0x20b
   kernel_init+0x11/0x1e0
   ret_from_fork+0x22/0x30

Fix it by checking parent_kobj before the code accesses its member.

Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
[darrick: minor whitespace edits]
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/xfs/xfs_sysfs.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_sysfs.h b/fs/xfs/xfs_sysfs.h
index e9f810fc67317..43585850f1546 100644
--- a/fs/xfs/xfs_sysfs.h
+++ b/fs/xfs/xfs_sysfs.h
@@ -32,9 +32,11 @@ xfs_sysfs_init(
 	struct xfs_kobj		*parent_kobj,
 	const char		*name)
 {
+	struct kobject		*parent;
+
+	parent = parent_kobj ? &parent_kobj->kobject : NULL;
 	init_completion(&kobj->complete);
-	return kobject_init_and_add(&kobj->kobject, ktype,
-				    &parent_kobj->kobject, "%s", name);
+	return kobject_init_and_add(&kobj->kobject, ktype, parent, "%s", name);
 }
 
 static inline void
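
Review bot: The added `parent = parent_kobj ? &parent_kobj->kobject : NULL;` line makes a NULL parent_kobj an accepted argument to xfs_sysfs_init(), but nothing in the hunk records that contract. A short comment above the assignment, stating that a NULL parent_kobj is valid and is handed to kobject_init_and_add() as a NULL parent, would keep a later cleanup from folding the expression back into `&parent_kobj->kobject`. As a minor style point, the declaration and assignment could be a single initializer, `struct kobject *parent = parent_kobj ? &parent_kobj->kobject : NULL;`, which drops one line and keeps the NULL handling next to the variable it defines.
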
-- 
2.25.1

