From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Yu Kuai <yukuai3@huawei.com>,
Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 50/54] reiserfs: add check for root_inode in reiserfs_fill_super
Date: Tue, 10 Aug 2021 19:30:44 +0200 [thread overview]
Message-ID: <20210810172945.853706935@linuxfoundation.org> (raw)
In-Reply-To: <20210810172944.179901509@linuxfoundation.org>
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ]
Our syzcaller report a NULL pointer dereference:
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0
Oops: 0010 [#1] SMP KASAN
CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff888114e779b8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa
RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0
RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001
R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00
R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0
FS: 00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__lookup_slow+0x116/0x2d0
? page_put_link+0x120/0x120
? __d_lookup+0xfc/0x320
? d_lookup+0x49/0x90
lookup_one_len+0x13c/0x170
? __lookup_slow+0x2d0/0x2d0
? reiserfs_schedule_old_flush+0x31/0x130
reiserfs_lookup_privroot+0x64/0x150
reiserfs_fill_super+0x158c/0x1b90
? finish_unfinished+0xb10/0xb10
? bprintf+0xe0/0xe0
? __mutex_lock_slowpath+0x30/0x30
? __kasan_check_write+0x20/0x30
? up_write+0x51/0xb0
? set_blocksize+0x9f/0x1f0
mount_bdev+0x27c/0x2d0
? finish_unfinished+0xb10/0xb10
? reiserfs_kill_sb+0x120/0x120
get_super_block+0x19/0x30
legacy_get_tree+0x76/0xf0
vfs_get_tree+0x49/0x160
? capable+0x1d/0x30
path_mount+0xacc/0x1380
? putname+0x97/0xd0
? finish_automount+0x450/0x450
? kmem_cache_free+0xf8/0x5a0
? putname+0x97/0xd0
do_mount+0xe2/0x110
? path_mount+0x1380/0x1380
? copy_mount_options+0x69/0x140
__x64_sys_mount+0xf0/0x190
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
This is because 'root_inode' is initialized with wrong mode, and
it's i_op is set to 'reiserfs_special_inode_operations'. Thus add
check for 'root_inode' to fix the problem.
Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/reiserfs/super.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
index ec5716dd58c2..831a542c22c6 100644
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -2085,6 +2085,14 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
unlock_new_inode(root_inode);
}
+ if (!S_ISDIR(root_inode->i_mode) || !inode_get_bytes(root_inode) ||
+ !root_inode->i_size) {
+ SWARN(silent, s, "", "corrupt root inode, run fsck");
+ iput(root_inode);
+ errval = -EUCLEAN;
+ goto error;
+ }
+
s->s_root = d_make_root(root_inode);
if (!s->s_root)
goto error;
--
2.30.2
next prev parent reply other threads:[~2021-08-10 17:34 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-10 17:29 [PATCH 4.19 00/54] 4.19.203-rc1 review Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 4.19 01/54] Revert "ACPICA: Fix memory leak caused by _CID repair function" Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 4.19 02/54] ALSA: seq: Fix racy deletion of subscriber Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 4.19 03/54] ARM: imx: add missing iounmap() Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 4.19 04/54] ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 4.19 05/54] ALSA: usb-audio: fix incorrect clock source setting Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 06/54] clk: stm32f4: fix post divisor setup for I2S/SAI PLLs Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 07/54] omap5-board-common: remove not physically existing vdds_1v8_main fixed-regulator Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 08/54] scsi: sr: Return correct event when media event code is 3 Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 09/54] media: videobuf2-core: dequeue if start_streaming fails Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 10/54] net: natsemi: Fix missing pci_disable_device() in probe and remove Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 11/54] sctp: move the active_key update after sh_keys is added Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 12/54] nfp: update ethtool reporting of pauseframe control Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 13/54] net: ipv6: fix returned variable type in ip6_skb_dst_mtu Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 14/54] mips: Fix non-POSIX regexp Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 15/54] bnx2x: fix an error code in bnx2x_nic_load() Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 16/54] net: pegasus: fix uninit-value in get_interrupt_interval Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 17/54] net: fec: fix use-after-free in fec_drv_remove Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 18/54] net: vxge: fix use-after-free in vxge_device_unregister Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 19/54] blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 20/54] Bluetooth: defer cleanup of resources in hci_unregister_dev() Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 21/54] USB: usbtmc: Fix RCU stall warning Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 22/54] USB: serial: option: add Telit FD980 composition 0x1056 Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 23/54] USB: serial: ch341: fix character loss at high transfer rates Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 24/54] USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 25/54] firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 26/54] firmware_loader: fix use-after-free in firmware_fallback_sysfs Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 27/54] ALSA: usb-audio: Add registration quirk for JBL Quantum 600 Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 28/54] usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 29/54] usb: gadget: f_hid: fixed NULL pointer dereference Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 30/54] usb: gadget: f_hid: idle uses the highest byte for duration Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 31/54] usb: otg-fsm: Fix hrtimer list corruption Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 32/54] scripts/tracing: fix the bug that cant parse raw_trace_func Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 33/54] tracing / histogram: Give calculation hist_fields a size Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 34/54] tracing/histogram: Rename "cpu" to "common_cpu" Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 35/54] optee: Clear stale cache entries during initialization Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 36/54] tee: add tee_shm_alloc_kernel_buf() Greg Kroah-Hartman
2021-08-11 7:24 ` Pavel Machek
2021-08-11 13:34 ` Tyler Hicks
2021-08-12 10:56 ` Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 37/54] staging: rtl8723bs: Fix a resource leak in sd_int_dpc Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 38/54] media: rtl28xxu: fix zero-length control request Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 39/54] pipe: increase minimum default pipe size to 2 pages Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 40/54] ext4: fix potential htree corruption when growing large_dir directories Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 41/54] serial: 8250: Mask out floating 16/32-bit bus bits Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 42/54] MIPS: Malta: Do not byte-swap accesses to the CBUS UART Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 43/54] pcmcia: i82092: fix a null pointer dereference bug Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 44/54] KVM: x86: accept userspace interrupt only if no event is injected Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 45/54] KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 46/54] spi: meson-spicc: fix memory leak in meson_spicc_remove Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 47/54] perf/x86/amd: Dont touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 48/54] qmi_wwan: add network device usage statistics for qmimux devices Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 49/54] libata: fix ata_pio_sector for CONFIG_HIGHMEM Greg Kroah-Hartman
2021-08-10 17:30 ` Greg Kroah-Hartman [this message]
2021-08-10 17:30 ` [PATCH 4.19 51/54] reiserfs: check directory items on read from disk Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 52/54] alpha: Send stop IPI to send to online CPUs Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 53/54] net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 4.19 54/54] ARM: imx: add mmdc ipg clock operation for mmdc Greg Kroah-Hartman
2021-08-11 1:07 ` [PATCH 4.19 00/54] 4.19.203-rc1 review Samuel Zou
2021-08-11 9:42 ` Sudip Mukherjee
2021-08-11 17:13 ` Naresh Kamboju
2021-08-11 19:58 ` Guenter Roeck
2021-08-11 22:22 ` Shuah Khan
2021-08-12 19:20 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210810172945.853706935@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=yukuai3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).