linux/fs
Liu Shixin via Jfs-discussion 88484bde6f jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
[ Upstream commit 6e2bda2c19 ]

syzbot found an invalid-free in diUnmount:

BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674
Free of addr ffff88806f410000 by task syz-executor131/3632

 CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
  print_address_description+0x74/0x340 mm/kasan/report.c:284
  print_report+0x107/0x1f0 mm/kasan/report.c:395
  kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460
  ____kasan_slab_free+0xfb/0x120
  kasan_slab_free include/linux/kasan.h:177 [inline]
  slab_free_hook mm/slub.c:1724 [inline]
  slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750
  slab_free mm/slub.c:3661 [inline]
  __kmem_cache_free+0x71/0x110 mm/slub.c:3674
  diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195
  jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63
  jfs_put_super+0x86/0x190 fs/jfs/super.c:194
  generic_shutdown_super+0x130/0x310 fs/super.c:492
  kill_block_super+0x79/0xd0 fs/super.c:1428
  deactivate_locked_super+0xa7/0xf0 fs/super.c:332
  cleanup_mnt+0x494/0x520 fs/namespace.c:1186
  task_work_run+0x243/0x300 kernel/task_work.c:179
  exit_task_work include/linux/task_work.h:38 [inline]
  do_exit+0x664/0x2070 kernel/exit.c:820
  do_group_exit+0x1fd/0x2b0 kernel/exit.c:950
  __do_sys_exit_group kernel/exit.c:961 [inline]
  __se_sys_exit_group kernel/exit.c:959 [inline]
  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]

JFS_IP(ipimap)->i_imap is not set to NULL after being freed in diUnmount.
If jfs_remount() frees JFS_IP(ipimap)->i_imap but then fails at diMount(),
JFS_IP(ipimap)->i_imap will be freed once again.
Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.

Reported-by: syzbot+90a11e6b1e810785c6ff@syzkaller.appspotmail.com
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-09-23 11:14:26 +02:00
9p fs/9p: Remove unused extern declaration 2023-07-20 19:21:48 +00:00
adfs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
affs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
afs afs: Fix accidental truncation when storing data 2023-07-04 12:24:32 -07:00
autofs autofs: fix memory leak of waitqueues in autofs_catatonic_mode 2023-09-23 11:14:17 +02:00
befs befs: Replace all non-returning strlcpy with strscpy 2023-05-30 16:42:00 -07:00
bfs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
btrfs btrfs: output extra debug info if we failed to find an inline backref 2023-09-23 11:14:17 +02:00
cachefiles v6.5/vfs.file 2023-06-26 10:14:36 -07:00
ceph vfs: get rid of old '->iterate' directory operation 2023-08-06 15:08:35 +02:00
coda vfs: get rid of old '->iterate' directory operation 2023-08-06 15:08:35 +02:00
configfs fs: consolidate duplicate dt_type helpers 2023-04-03 09:23:54 +02:00
cramfs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
crypto fscrypt: Replace 1-element array with flexible array 2023-05-23 19:46:09 -07:00
debugfs debugfs: Correct the 'debugfs_create_str' docs 2023-05-31 19:02:14 +01:00
devpts devpts: simplify two-level sysctl registration for pty_kern_table 2023-03-13 12:36:34 +01:00
dlm dlm: fix plock lookup when using multiple lockspaces 2023-09-13 09:53:54 +02:00
ecryptfs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
efivarfs efivarfs: expose used and total size 2023-05-17 18:21:34 +02:00
efs
erofs erofs: release ztailpacking pclusters properly 2023-09-13 09:52:58 +02:00
exfat vfs: get rid of old '->iterate' directory operation 2023-08-06 15:08:35 +02:00
exportfs vfs: get rid of old '->iterate' directory operation 2023-08-06 15:08:35 +02:00
ext2 ext2: fix datatype of block number in ext2_xattr_set2() 2023-09-23 11:14:26 +02:00
ext4 ext4: drop dio overwrite only flag and associated warning 2023-09-19 12:30:22 +02:00
f2fs f2fs: avoid false alarm of circular locking 2023-09-19 12:30:23 +02:00
fat splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
freevxfs There is no particular theme here - mainly quick hits all over the tree. 2023-02-23 17:55:40 -08:00
fscache fscache: Use clear_and_wake_up_bit() in fscache_create_volume_work() 2023-01-30 12:51:54 +00:00
fuse fuse: nlookup missing decrement in fuse_direntplus_link 2023-09-19 12:30:23 +02:00
gfs2 gfs2: low-memory forced flush fixes 2023-09-19 12:30:13 +02:00
hfs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
hfsplus splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
hostfs Landlock updates for v6.5-rc1 2023-06-27 17:10:27 -07:00
hpfs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
hugetlbfs hugetlb: revert use of page_cache_next_miss() 2023-06-23 16:59:32 -07:00
iomap iomap: Fix possible overflow condition in iomap_write_delalloc_scan 2023-09-23 11:14:17 +02:00
isofs
jbd2 jbd2: correct the end of the journal recovery scan range 2023-09-19 12:30:22 +02:00
jffs2 for-6.5/splice-2023-06-23 2023-06-26 11:52:12 -07:00
jfs jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount 2023-09-23 11:14:26 +02:00
kernfs kernfs: fix missing kernfs_iattr_rwsem locking 2023-09-19 12:30:09 +02:00
lockd fs: lockd: avoid possible wrong NULL parameter 2023-09-13 09:53:33 +02:00
minix splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
netfs Move netfs_extract_iter_to_sg() to lib/scatterlist.c 2023-06-08 13:42:33 +02:00
nfs NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info 2023-09-19 12:30:12 +02:00
nfs_common NFSv4.2: remove MODULE_LICENSE in non-modules 2023-04-13 13:13:52 -07:00
nfsd NFSD: da_addr_body field missing in some GETDEVICEINFO replies 2023-09-13 09:53:33 +02:00
nilfs2 nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse 2023-09-06 21:22:25 +01:00
nls fs/nls: make load_nls() take a const parameter 2023-07-25 00:30:02 -05:00
notify fanotify: disallow mount/sb marks on kernel internal pseudo fs 2023-07-04 13:29:29 +02:00
ntfs vfs: get rid of old '->iterate' directory operation 2023-08-06 15:08:35 +02:00
ntfs3 driver ntfs3 for linux 6.5 2023-07-07 14:59:38 -07:00
ocfs2 fs: ocfs2: namei: check return value of ocfs2_add_entry() 2023-09-13 09:53:08 +02:00
omfs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
openpromfs
orangefs orangefs: Provide a splice-read wrapper 2023-05-24 08:42:16 -06:00
overlayfs vfs: get rid of old '->iterate' directory operation 2023-08-06 15:08:35 +02:00
proc procfs: block chmod on /proc/thread-self/comm 2023-09-13 09:53:54 +02:00
pstore pstore/ram: Check start of empty przs during init 2023-09-13 09:53:55 +02:00
qnx4 qnx4: credit contributors in CREDITS 2023-03-14 12:56:30 -06:00
qnx6 qnx6: credit contributor and mark filesystem orphan 2023-03-14 12:56:30 -06:00
quota quota: fix dqput() to follow the guarantees dquot_srcu should provide 2023-09-13 09:53:13 +02:00
ramfs - Yosry Ahmed brought back some cgroup v1 stats in OOM logs. 2023-06-28 10:28:11 -07:00
reiserfs reiserfs: Check the return value from __getblk() 2023-09-13 09:52:57 +02:00
romfs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
smb smb: propagate error code of extract_sharename() 2023-09-19 12:30:16 +02:00
squashfs squashfs: fix cache race with migration 2023-07-08 09:29:30 -07:00
sysfs sysfs: Skip empty folders creation 2023-06-15 13:37:53 +02:00
sysv for-6.5/splice-2023-06-23 2023-06-26 11:52:12 -07:00
tracefs fs: port ->mkdir() to pass mnt_idmap 2023-01-19 09:24:26 +01:00
ubifs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
udf 2023-06-29 13:39:51 -07:00
ufs splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
unicode unicode: remove MODULE_LICENSE in non-modules 2023-04-13 13:13:54 -07:00
vboxsf hardening fixes for v6.5-rc6 2023-08-08 14:59:49 -07:00
verity fsverity: skip PKCS#7 parser when keyring is empty 2023-09-13 09:53:55 +02:00
xfs xfs: convert flex-array declarations in xfs attr shortform objects 2023-07-17 08:48:56 -07:00
zonefs zonefs: fix synchronous direct writes to sequential files 2023-08-10 12:59:47 +09:00
aio.c fs/aio: Stop allocating aio rings from HIGHMEM 2023-06-15 09:22:23 +02:00
anon_inodes.c
attr.c nfs: use vfs setgid helper 2023-03-30 08:51:48 +02:00
bad_inode.c fs: port ->permission() to pass mnt_idmap 2023-01-19 09:24:28 +01:00
binfmt_elf_fdpic.c binfmt: Slightly simplify elf_fdpic_map_file() 2023-05-30 15:49:46 -07:00
binfmt_elf_test.c
binfmt_elf.c Merge branch 'expand-stack' 2023-06-28 20:35:21 -07:00
binfmt_flat.c
binfmt_misc.c binfmt_misc: fix shift-out-of-bounds in check_special_flags 2022-12-02 13:57:04 -08:00
binfmt_script.c
buffer.c 2023-06-29 13:39:51 -07:00
char_dev.c vfs: Replace all non-returning strlcpy with strscpy 2023-05-15 09:42:01 +02:00
compat_binfmt_elf.c
coredump.c v6.5/vfs.misc 2023-06-26 09:50:21 -07:00
d_path.c fs: d_path: include internal.h 2023-05-17 09:16:59 +02:00
dax.c dax: enable dax fault handler to report VM_FAULT_HWPOISON 2023-06-26 07:54:23 -06:00
dcache.c
direct-io.c - Yosry Ahmed brought back some cgroup v1 stats in OOM logs. 2023-06-28 10:28:11 -07:00
drop_caches.c
eventfd.c eventfd: prevent underflow for eventfd semaphores 2023-09-13 09:52:58 +02:00
eventpoll.c v6.5/vfs.misc 2023-06-26 09:50:21 -07:00
exec.c 2023-06-29 13:31:44 -07:00
fcntl.c fs.idmapped.v6.3 2023-02-20 11:53:11 -08:00
fhandle.c fsnotify: move fsnotify_open() hook into do_dentry_open() 2023-06-12 10:43:45 +02:00
file_table.c fs: move cleanup from init_file() into its callers 2023-07-02 13:15:49 +02:00
file.c fs: rely on ->iterate_shared to determine f_pos locking 2023-08-06 15:08:36 +02:00
filesystems.c
fs_context.c vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing 2023-09-13 09:52:58 +02:00
fs_parser.c ext4: journal_path mount options should follow links 2022-12-01 10:46:54 -05:00
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c writeback: move wb_over_bg_thresh() call outside lock section 2023-06-09 16:25:14 -07:00
fsopen.c
init.c fs: port ->permission() to pass mnt_idmap 2023-01-19 09:24:28 +01:00
inode.c locking: remove spin_lock_prefetch 2023-08-12 09:18:47 -07:00
internal.h v6.5/vfs.file 2023-06-26 10:14:36 -07:00
ioctl.c fs: port inode_owner_or_capable() to mnt_idmap 2023-01-19 09:24:29 +01:00
Kconfig smb: move client and server files to common directory fs/smb 2023-05-24 16:29:21 -05:00
Kconfig.binfmt
kernel_read_file.c
libfs.c fs: factor out a direct_write_fallback helper 2023-06-09 16:25:53 -07:00
locks.c locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock 2023-09-23 11:14:17 +02:00
Makefile for-6.5/block-2023-06-23 2023-06-26 12:47:20 -07:00
mbcache.c ext4: fix deadlock due to mbcache entry corruption 2022-12-08 21:49:25 -05:00
mnt_idmapping.c fs: move mnt_idmap 2023-01-19 09:24:30 +01:00
mount.h
mpage.c mpage: use folios in bio end_io handler 2023-04-18 16:30:02 -07:00
namei.c fs: Fix error checking for d_hash_and_lookup() 2023-09-13 09:52:58 +02:00
namespace.c v6.5/vfs.mount 2023-06-26 10:27:04 -07:00
nsfs.c kill the last remaining user of proc_ns_fget() 2023-04-20 22:55:35 -04:00
open.c open: make RESOLVE_CACHED correctly test for O_TMPFILE 2023-08-06 15:08:35 +02:00
pipe.c pipe: check for IOCB_NOWAIT alongside O_NONBLOCK 2023-05-12 17:17:27 +02:00
pnode.c fs: allow to mount beneath top mount 2023-05-19 04:30:22 +02:00
pnode.h fs: allow to mount beneath top mount 2023-05-19 04:30:22 +02:00
posix_acl.c acl: don't depend on IOP_XATTR 2023-03-06 09:59:20 +01:00
proc_namespace.c tty, proc, kernfs, random: Use copy_splice_read() 2023-05-24 08:42:16 -06:00
read_write.c splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
readdir.c vfs: get rid of old '->iterate' directory operation 2023-08-06 15:08:35 +02:00
remap_range.c fs: use UB-safe check for signed addition overflow in remap_verify_area 2023-05-24 11:03:59 +02:00
select.c
seq_file.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
signalfd.c
splice.c splice: fsnotify_access(in), fsnotify_modify(out) on success in tee 2023-09-13 09:52:58 +02:00
stack.c
stat.c fs.idmapped.v6.3 2023-02-20 11:53:11 -08:00
statfs.c statfs: enforce statfs[64] structure initialization 2023-05-17 15:20:17 +02:00
super.c 2023-06-29 13:39:51 -07:00
sync.c
sysctls.c sysctl: Refactor base paths registrations 2023-05-23 21:43:26 -07:00
timerfd.c
userfaultfd.c Merge mm-hotfixes-stable into mm-stable to pick up depended-upon changes. 2023-06-23 16:58:19 -07:00
utimes.c fs.idmapped.v6.3 2023-02-20 11:53:11 -08:00
xattr.c fs: don't call posix_acl_listxattr in generic_listxattr 2023-05-17 15:25:20 +02:00