From: Jingbo Xu
To: xiang@kernel.org, chao@kernel.org, huyue2@coolpad.com, linux-erofs@lists.ozlabs.org
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] erofs: fix null-ptr-deref caused by erofs_xattr_prefixes_init
Date: Mon, 15 May 2023 17:21:48 +0800
Message-Id: <20230515092148.1485-1-jefflexu@linux.alibaba.com>

Fragments and dedup share one feature bit, and thus packed inode may not exist when fragment feature bit (dedup feature bit exactly) is set, e.g. when deduplication feature is in use while fragments feature is not. In this case, sbi->packed_inode could be NULL while fragments feature bit is set. Fix this by accessing packed inode only when it exists.

Reported-by: syzbot+902d5a9373ae8f748a94@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=902d5a9373ae8f748a94
Fixes: 9e382914617c ("erofs: add helpers to load long xattr name prefixes")
Signed-off-by: Jingbo Xu
--- fs/erofs/xattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/erofs/xattr.c b/fs/erofs/xattr.c index cd80499351e0..bbfe7ce170d2 100644 --- a/fs/erofs/xattr.c +++ b/fs/erofs/xattr.c @@ -675,7 +675,7 @@ int erofs_xattr_prefixes_init(struct super_block *sb) if (!pfs) return -ENOMEM; - if (erofs_sb_has_fragments(sbi)) + if (sbi->packed_inode) buf.inode = sbi->packed_inode; else erofs_init_metabuf(&buf, sb);
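
Review bot: The new condition "if (sbi->packed_inode)" in erofs_xattr_prefixes_init() has no comment saying why the feature bit is no longer tested, so a later cleanup could plausibly restore erofs_sb_has_fragments(sbi) and reintroduce the NULL dereference. A one-line comment above the check, noting that the fragments bit is shared with dedupe and the packed inode may therefore be absent, would keep the reason next to the code. The check also relies on sbi->packed_inode being either NULL or a valid inode by the time this function runs. Neither the initialization order nor the possibility of an error-pointer value in that field is visible in this hunk, so it is worth stating in the commit message that the packed inode is set up before erofs_xattr_prefixes_init() is called and that the field is never left holding an ERR_PTR.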