From patchwork Thu Oct 13 17:52:31 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 2187
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ryusuke Konishi, syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com, Khalid Masum, Andrew Morton
Subject: [PATCH 5.15 02/27] nilfs2: fix use-after-free bug of struct nilfs_root
Date: Thu, 13 Oct 2022 19:52:31 +0200
Message-Id: <20221013175143.616232783@linuxfoundation.org>
X-Mailer: git-send-email 2.38.0
In-Reply-To: <20221013175143.518476113@linuxfoundation.org>
References: <20221013175143.518476113@linuxfoundation.org>
User-Agent: quilt/0.67
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ryusuke Konishi

commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream.

If the beginning of the inode bitmap area is corrupted on disk, an inode with the same inode number as the root inode can be allocated and fail soon after. In this case, the subsequent call to nilfs_clear_inode() on that bogus root inode will wrongly decrement the reference counter of struct nilfs_root, and this will erroneously free struct nilfs_root, causing kernel oopses.

This fixes the problem by changing nilfs_new_inode() to skip reserved inode numbers while repairing the inode bitmap.

Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com Reported-by: Khalid Masum Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman --- fs/nilfs2/inode.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -332,6 +332,7 @@ struct inode *nilfs_new_inode(struct ino struct inode *inode; struct nilfs_inode_info *ii; struct nilfs_root *root; + struct buffer_head *bh; int err = -ENOMEM; ino_t ino; @@ -347,11 +348,25 @@ struct inode *nilfs_new_inode(struct ino ii->i_state = BIT(NILFS_I_NEW); ii->i_root = root; - err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh); + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); if (unlikely(err)) goto failed_ifile_create_inode; /* reference count of i_bh inherits from nilfs_mdt_read_block() */ + if (unlikely(ino < NILFS_USER_INO)) { + nilfs_warn(sb, + "inode bitmap is inconsistent for reserved inodes"); + do { + brelse(bh); + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); + if (unlikely(err)) + goto failed_ifile_create_inode; + } while (ino < NILFS_USER_INO); + + nilfs_info(sb, "repaired inode bitmap for reserved inodes"); + } + ii->i_bh = bh; + atomic64_inc(&root->inodes_count); inode_init_owner(&init_user_ns, inode, dir, mode); inode->i_ino = ino;
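Review bot: in the second hunk the retained comment "reference count of i_bh inherits from nilfs_mdt_read_block()" now sits above a block where the buffer is still only `bh`; `ii->i_bh` is assigned further down, after the repair loop, so the comment should either speak of `bh` or move next to `ii->i_bh = bh;` to stay accurate. The repair loop also deserves a one-line comment saying that the reserved inode numbers it re-allocates are intentionally kept allocated (only `brelse(bh)` drops the buffer reference), since that is what makes the bitmap "repaired" and without it the absence of a matching release reads like a leak. Finally, both new `goto failed_ifile_create_inode` exits happen before `ii->i_bh = bh;`, so it is worth confirming that the error path does not expect `ii->i_bh` to hold a buffer on those exits.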
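A userspace model of the behaviour the commit message describes, written as an added example for this page and not taken from nilfs2: a first-fit bitmap allocator stands in for nilfs_ifile_create_inode(), and new_inode() applies the same "skip and keep reserved numbers" loop as the patched nilfs_new_inode(). It assumes NILFS_USER_INO is 11 and the root inode number is 2, as in the nilfs2 on-disk header; the corruption is constructed by clearing the low byte of the bitmap.

```c
/* Userspace model of the fix described above (example code for this page, not
 * nilfs2 source). Inode numbers below NILFS_USER_INO are reserved and must stay
 * allocated in the ifile bitmap; assumes NILFS_USER_INO == 11 as in nilfs2. */
#include <stdint.h>

#define NILFS_USER_INO 11u
#define NINODES        64u	/* one uint64_t stands in for the ifile bitmap */

/* Stand-in for nilfs_ifile_create_inode(): allocate the first clear bit. */
static int ifile_create_inode(uint64_t *bitmap, unsigned *ino)
{
	for (unsigned i = 0; i < NINODES; i++)
		if (!((*bitmap >> i) & 1)) {
			*bitmap |= 1ull << i;
			*ino = i;
			return 0;
		}
	return -1;	/* bitmap full */
}

/* Stand-in for the patched nilfs_new_inode(): returns a user ino or -1. *skipped
 * counts reserved numbers re-allocated and kept (the repair); the unpatched
 * code would have handed out the first of them. */
static int new_inode(uint64_t *bitmap, unsigned *skipped)
{
	unsigned ino;
	*skipped = 0;
	if (ifile_create_inode(bitmap, &ino))
		return -1;
	while (ino < NILFS_USER_INO) {	/* bitmap lost its reserved bits */
		(*skipped)++;
		if (ifile_create_inode(bitmap, &ino))
			return -1;
	}
	return (int)ino;
}

struct outcome { int ino; unsigned skipped; };
/* Constructed scenario: a healthy ifile has bits 0..10 set; clear the low byte so
 * inos 0..7 (root ino 2 included) look free. ino is -2 if a reserved bit stayed clear. */
static struct outcome corrupted_bitmap_scenario(void)
{
	const uint64_t reserved = (1ull << NILFS_USER_INO) - 1;
	uint64_t bitmap = reserved & ~0xffull;	/* constructed corruption */
	struct outcome o;
	o.ino = new_inode(&bitmap, &o.skipped);
	if ((bitmap & reserved) != reserved)
		o.ino = -2;
	return o;
}
```

With bits 0..7 cleared the allocator first offers ino 0; the loop burns inos 0..7 (eight repairs) and hands out 11, and the reserved range is fully set again afterwards.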