linux

mirror of https://github.com/torvalds/linux.git synced 2024-11-14 16:12:02 +00:00

History

Ye Bin 298b5c5217 ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits' We got issue as follows when run syzkaller test: [ 1901.130043] EXT4-fs error (device vda): ext4_remount:5624: comm syz-executor.5: Abort forced by user [ 1901.130901] Aborting journal on device vda-8. [ 1901.131437] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.16: Detected aborted journal [ 1901.131566] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.11: Detected aborted journal [ 1901.132586] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.18: Detected aborted journal [ 1901.132751] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.9: Detected aborted journal [ 1901.136149] EXT4-fs error (device vda) in ext4_reserve_inode_write:6035: Journal has aborted [ 1901.136837] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-fuzzer: Detected aborted journal [ 1901.136915] ================================================================== [ 1901.138175] BUG: KASAN: null-ptr-deref in __ext4_journal_ensure_credits+0x74/0x140 [ext4] [ 1901.138343] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.13: Detected aborted journal [ 1901.138398] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.1: Detected aborted journal [ 1901.138808] Read of size 8 at addr 0000000000000000 by task syz-executor.17/968 [ 1901.138817] [ 1901.138852] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.30: Detected aborted journal [ 1901.144779] CPU: 1 PID: 968 Comm: syz-executor.17 Not tainted 4.19.90-vhulk2111.1.0.h893.eulerosv2r10.aarch64+ #1 [ 1901.146479] Hardware name: linux,dummy-virt (DT) [ 1901.147317] Call trace: [ 1901.147552] dump_backtrace+0x0/0x2d8 [ 1901.147898] show_stack+0x28/0x38 [ 1901.148215] dump_stack+0xec/0x15c [ 1901.148746] kasan_report+0x108/0x338 [ 1901.149207] __asan_load8+0x58/0xb0 [ 1901.149753] __ext4_journal_ensure_credits+0x74/0x140 [ext4] [ 1901.150579] ext4_xattr_delete_inode+0xe4/0x700 [ext4] [ 1901.151316] ext4_evict_inode+0x524/0xba8 [ext4] [ 1901.151985] evict+0x1a4/0x378 [ 1901.152353] iput+0x310/0x428 [ 1901.152733] do_unlinkat+0x260/0x428 [ 1901.153056] __arm64_sys_unlinkat+0x6c/0xc0 [ 1901.153455] el0_svc_common+0xc8/0x320 [ 1901.153799] el0_svc_handler+0xf8/0x160 [ 1901.154265] el0_svc+0x10/0x218 [ 1901.154682] ================================================================== This issue may happens like this: Process1 Process2 ext4_evict_inode ext4_journal_start ext4_truncate ext4_ind_truncate ext4_free_branches ext4_ind_truncate_ensure_credits ext4_journal_ensure_credits_fn ext4_journal_restart handle->h_transaction = NULL; mount -o remount,abort /mnt -> trigger JBD abort start_this_handle -> will return failed ext4_xattr_delete_inode ext4_journal_ensure_credits ext4_journal_ensure_credits_fn __ext4_journal_ensure_credits jbd2_handle_buffer_credits journal = handle->h_transaction->t_journal; ->null-ptr-deref Now, indirect truncate process didn't handle error. To solve this issue maybe simply add check handle is abort in '__ext4_journal_ensure_credits' is enough, and i also think this is necessary. Cc: stable@kernel.org Signed-off-by: Ye Bin <yebin10@huawei.com> Link: https://lore.kernel.org/r/20211224100341.3299128-1-yebin10@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu>		2022-01-10 13:25:55 -05:00
..
.kunitconfig	ext4: add .kunitconfig fragment to enable ext4-specific tests	2021-02-11 23:16:30 -05:00
acl.c	ext4: use ext4_journal_start/stop for fast commit transactions	2021-12-23 18:13:25 -05:00
acl.h	vfs: add rcu argument to ->get_acl() callback	2021-08-18 22:08:24 +02:00
balloc.c	ext4: flush background discard kwork when retry allocation	2021-08-30 23:35:53 -04:00
bitmap.c	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
block_validity.c	ext4: standardize error message in ext4_protect_reserved_inode()	2020-12-17 13:30:55 -05:00
dir.c	ext4: fix potential infinite loop in ext4_dx_readdir()	2021-10-01 00:05:09 -04:00
ext4_extents.h	ext4: fix sparse warnings	2021-08-30 23:36:50 -04:00
ext4_jbd2.c	ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits'	2022-01-10 13:25:55 -05:00
ext4_jbd2.h	ext4: Support for checksumming from journal triggers	2021-08-30 23:36:50 -04:00
ext4.h	ext4: destroy ext4_fc_dentry_cachep kmemcache on module removal	2022-01-10 13:25:54 -05:00
extents_status.c	ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit	2021-06-22 21:34:17 -04:00
extents_status.h	ext4: fix extent_status trace points	2020-01-25 02:03:03 -05:00
extents.c	ext4: fix fast commit may miss tracking range for FALLOC_FL_ZERO_RANGE	2022-01-10 13:25:44 -05:00
fast_commit.c	ext4: destroy ext4_fc_dentry_cachep kmemcache on module removal	2022-01-10 13:25:54 -05:00
fast_commit.h	ext4: simplify updating of fast commit stats	2021-12-23 18:13:25 -05:00
file.c	ext4: use ext4_journal_start/stop for fast commit transactions	2021-12-23 18:13:25 -05:00
fsmap.c	treewide: Change list_sort to use const pointers	2021-04-08 16:04:22 -07:00
fsmap.h	ext4: fsmap: fix the block/inode bitmap comment	2021-06-24 09:48:29 -04:00
fsync.c	block: use an on-stack bio in blkdev_issue_flush	2021-01-27 09:51:48 -07:00
hash.c	ext4: handle casefolding with encryption	2021-04-05 22:04:20 -04:00
ialloc.c	ext4: Support for checksumming from journal triggers	2021-08-30 23:36:50 -04:00
indirect.c	ext4: Support for checksumming from journal triggers	2021-08-30 23:36:50 -04:00
inline.c	ext4: remove extent cache entries when truncating inline data	2021-09-09 10:52:05 -04:00
inode-test.c	fs: ext4: Modify inode-test.c to use KUnit parameterized testing feature	2020-12-02 16:07:25 -07:00
inode.c	ext4: initialize err_blk before calling __ext4_get_inode_loc	2022-01-10 13:25:55 -05:00
ioctl.c	ext4: drop ineligible txn start stop APIs	2021-12-23 18:13:25 -05:00
Kconfig	ext: EXT4_KUNIT_TESTS should depend on EXT4_FS instead of selecting it	2021-02-11 23:12:59 -05:00
Makefile	ext4: Move orphan inode handling into a separate file	2021-08-30 23:36:51 -04:00
mballoc.c	ext4: fix a possible ABBA deadlock due to busy PA	2022-01-10 13:25:55 -05:00
mballoc.h	ext4: fix various seppling typos	2021-04-09 23:14:59 -04:00
migrate.c	ext4: fix various seppling typos	2021-04-09 23:14:59 -04:00
mmp.c	ext4: fix potential uninitialized access to retval in kmmpd	2021-07-23 07:31:29 -04:00
move_extent.c	ext4: use common helpers in all places reading metadata buffers	2020-10-18 10:37:14 -04:00
namei.c	ext4: fix boolreturn.cocci warnings in fs/ext4/name.c	2021-11-04 10:33:25 -04:00
orphan.c	ext4: Improve scalability of ext4 orphan file handling	2021-08-30 23:36:51 -04:00
page-io.c	ext4: convert from atomic_t to refcount_t on ext4_io_end->count	2021-11-04 10:33:24 -04:00
readpage.c	block: Add bio_max_segs	2021-02-26 15:49:51 -07:00
resize.c	ext4: Support for checksumming from journal triggers	2021-08-30 23:36:50 -04:00
super.c	ext4: make sure to reset inode lockdep class when quota enabling fails	2022-01-10 13:25:55 -05:00
symlink.c	ext4: report correct st_size for encrypted symlinks	2021-07-25 20:01:06 -07:00
sysfs.c	ext4: replace snprintf in show functions with sysfs_emit	2022-01-10 13:25:55 -05:00
truncate.h	ext4: Convert to use mapping->invalidate_lock	2021-07-13 14:29:00 +02:00
verity.c	New features for ext4 this cycle include support for encrypted	2021-04-30 15:35:30 -07:00
xattr_hurd.c	acl: handle idmapped mounts	2021-01-24 14:27:17 +01:00
xattr_security.c	acl: handle idmapped mounts	2021-01-24 14:27:17 +01:00
xattr_trusted.c	acl: handle idmapped mounts	2021-01-24 14:27:17 +01:00
xattr_user.c	acl: handle idmapped mounts	2021-01-24 14:27:17 +01:00
xattr.c	ext4: Support for checksumming from journal triggers	2021-08-30 23:36:50 -04:00
xattr.h	ext4: remove duplicate definition of ext4_xattr_ibody_inline_set()	2021-06-24 10:09:39 -04:00