From patchwork Sun Aug 27 16:49:44 2023
X-Patchwork-Submitter: Nikita Zhandarovich
X-Patchwork-Id: 136984
From: Nikita Zhandarovich
To: Konstantin Komarov
CC: Nikita Zhandarovich
Subject: [PATCH] fs: ntfs3: fix possible NULL-ptr-deref in ni_readpage_cmpr()
Date: Sun, 27 Aug 2023 09:49:44 -0700
Message-ID: <20230827164944.52560-1-n.zhandarovich@fintech.ru>
X-Mailing-List: linux-kernel@vger.kernel.org

Syzkaller identified a possible issue with calling unlock_page() for
pages that have not been correctly allocated by find_or_create_page(),
leading to possible NULL pointer dereferences among other issues.

Specifically, in case of an error with aforementioned
find_or_create_page() function due to memory issues,
ni_readpage_cmpr() attempts to erroneously unlock and release all
elements of 'pages'.

This patch ensures that we only deal with the pages successfully
allocated with calls to find_or_create_page().

Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Reported-by: syzbot+9d014e6e0df70d97c103@syzkaller.appspotmail.com
Signed-off-by: Nikita Zhandarovich
---
 fs/ntfs3/frecord.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c index 16bd9faa2d28..9789b2ac7e2d 100644 --- a/fs/ntfs3/frecord.c +++ b/fs/ntfs3/frecord.c 
@@ -2095,7 +2095,7 @@ int ni_readpage_cmpr(struct ntfs_inode *ni, struct page *page) struct page **pages = NULL; /* Array of at most 16 pages. stack? */ u8 frame_bits; CLST frame; - u32 i, idx, frame_size, pages_per_frame; + u32 i, idx, frame_size, pages_per_frame, pages_created = 0; gfp_t gfp_mask; struct page *pg; @@ -2138,6 +2138,7 @@ int ni_readpage_cmpr(struct ntfs_inode *ni, struct page *page) goto out1; } pages[i] = pg; + pages_created++; } err = ni_read_frame(ni, frame_vbo, pages, pages_per_frame); @@ -2146,7 +2147,7 @@ int ni_readpage_cmpr(struct ntfs_inode *ni, struct page *page) if (err) SetPageError(page); - for (i = 0; i < pages_per_frame; i++) { + for (i = 0; i < pages_created; i++) { pg = pages[i]; if (i == idx) continue;
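
Review bot: in the first hunk (@@ -2095,7), the new counter and its initialiser are appended to the end of an existing multi-name u32 declaration, where "pages_created = 0" is easy to miss next to four names that are left uninitialised. Declaring it on its own line, e.g. "u32 pages_created = 0;", makes the one initialised variable stand out. The name reads as a count of allocations while the last hunk uses it as an index bound, so a short comment saying which of the two it is would help.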
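
Review bot: in the second hunk (@@ -2138,6), pages_created++ runs once per successful find_or_create_page(), so it counts allocations rather than recording the highest index written in pages[]. The two differ whenever a slot is filled without passing through this increment; the cleanup loop in the last hunk skips i == idx, which suggests the caller's page occupies such a slot. If that is the case, recording the index instead, for example "pages_created = i + 1;", keeps the value usable as a loop bound.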
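
Review bot: in the last hunk (@@ -2146,7), the bound "i < pages_created" compares an array index against a value that the second hunk increments only for pages obtained from find_or_create_page(). If the slot at idx is not counted, then on the success path with idx below the last slot the loop stops one entry short, and the final page is never unlocked and released. An alternative that keeps the original pages_per_frame bound is to skip empty slots, e.g. "if (i == idx || !pg) continue;", provided the pages array is zero-initialised when it is allocated, which is not visible in this diff.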