linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pavel Skripkin <paskripkin@gmail.com>,
	syzbot+0a89a7b56db04c21a656@syzkaller.appspotmail.com,
	Dave Kleikamp <dave.kleikamp@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	jfs-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 4.14 29/33] jfs: fix GPF in diFree
Date: Fri,  9 Jul 2021 22:35:11 -0400	[thread overview]
Message-ID: <20210710023516.3172075-29-sashal@kernel.org> (raw)
In-Reply-To: <20210710023516.3172075-1-sashal@kernel.org>

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit 9d574f985fe33efd6911f4d752de6f485a1ea732 ]

Avoid passing inode with
JFS_SBI(inode->i_sb)->ipimap == NULL to
diFree()[1]. GFP will appear:

	struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap;
	struct inomap *imap = JFS_IP(ipimap)->i_imap;

JFS_IP() will return invalid pointer when ipimap == NULL

Call Trace:
 diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1]
 jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154
 evict+0x2ed/0x750 fs/inode.c:578
 iput_final fs/inode.c:1654 [inline]
 iput.part.0+0x3fe/0x820 fs/inode.c:1680
 iput+0x58/0x70 fs/inode.c:1670

Reported-and-tested-by: syzbot+0a89a7b56db04c21a656@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jfs/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c
index 054cc761b426..87b41edc800d 100644
--- a/fs/jfs/inode.c
+++ b/fs/jfs/inode.c
@@ -161,7 +161,8 @@ void jfs_evict_inode(struct inode *inode)
 			if (test_cflag(COMMIT_Freewmap, inode))
 				jfs_free_zero_link(inode);
 
-			diFree(inode);
+			if (JFS_SBI(inode->i_sb)->ipimap)
+				diFree(inode);
 
 			/*
 			 * Free the inode from the quota allocation.
-- 
2.30.2


  parent reply	other threads:[~2021-07-10  2:37 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-10  2:34 [PATCH AUTOSEL 4.14 01/33] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 02/33] misc/libmasm/module: Fix two use after free in ibmasm_init_one Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 03/33] Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 04/33] w1: ds2438: fixing bug that would always get page0 Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 05/33] scsi: hisi_sas: Propagate errors in interrupt_init_v1_hw() Sasha Levin
2021-07-10  9:14   ` Sergey Shtylyov
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 06/33] scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 07/33] scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 08/33] scsi: core: Cap scsi_host cmd_per_lun at can_queue Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 09/33] tty: serial: 8250: serial_cs: Fix a memory leak in error handling path Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 10/33] fs/jfs: Fix missing error code in lmLogInit() Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 11/33] scsi: iscsi: Add iscsi_cls_conn refcount helpers Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 12/33] scsi: iscsi: Fix shost->max_id use Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 13/33] scsi: qedi: Fix null ref during abort handling Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 14/33] mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 15/33] s390/sclp_vt220: fix console name to match device Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 16/33] USB: core: Avoid WARNings for 0-length descriptor requests Sasha Levin
2021-07-10  2:34 ` [PATCH AUTOSEL 4.14 17/33] ALSA: sb: Fix potential double-free of CSP mixer elements Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 18/33] powerpc/ps3: Add dma_mask to ps3_dma_region Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 19/33] gpio: zynq: Check return value of pm_runtime_get_sync Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 20/33] ALSA: ppc: fix error return code in snd_pmac_probe() Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 21/33] selftests/powerpc: Fix "no_handler" EBB selftest Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 22/33] ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing() Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 23/33] ALSA: bebob: add support for ToneWeal FW66 Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 24/33] usb: gadget: f_hid: fix endianness issue with descriptors Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 25/33] usb: gadget: hid: fix error return code in hid_bind() Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 26/33] powerpc/boot: Fixup device-tree on little endian Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 27/33] backlight: lm3630a: Fix return code of .update_status() callback Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 28/33] ALSA: hda: Add IRQ check for platform_get_irq() Sasha Levin
2021-07-10  2:35 ` Sasha Levin [this message]
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 30/33] staging: rtl8723bs: fix macro value for 2.4Ghz only device Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 31/33] intel_th: Wait until port is in reset before programming it Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 32/33] i2c: core: Disable client irq on reboot/shutdown Sasha Levin
2021-07-10  2:35 ` [PATCH AUTOSEL 4.14 33/33] lib/decompress_unlz4.c: correctly handle zero-padding around initrds Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210710023516.3172075-29-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=dave.kleikamp@oracle.com \
    --cc=jfs-discussion@lists.sourceforge.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=paskripkin@gmail.com \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+0a89a7b56db04c21a656@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).