R0dn3yS/android_kernel_xiaomi_sm7250
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
lineage-20.0
android_kernel_xiaomi_sm7250/fs/jfs
History
Zixuan Fu c381558c27 fs: jfs: fix possible NULL pointer dereference in dbFree() 
[ Upstream commit 0d4837fdb796f99369cf7691d33de1b856bcaf1f ]

In our fault-injection testing, the variable "nblocks" in dbFree() can be
zero when kmalloc_array() fails in dtSearch(). In this case, the variable
 "mp" in dbFree() would be NULL and then it is dereferenced in
"write_metapage(mp)".

The failure log is listed as follows:

[   13.824137] BUG: kernel NULL pointer dereference, address: 0000000000000020
...
[   13.827416] RIP: 0010:dbFree+0x5f7/0x910 [jfs]
[   13.834341] Call Trace:
[   13.834540]  <TASK>
[   13.834713]  txFreeMap+0x7b4/0xb10 [jfs]
[   13.835038]  txUpdateMap+0x311/0x650 [jfs]
[   13.835375]  jfs_lazycommit+0x5f2/0xc70 [jfs]
[   13.835726]  ? sched_dynamic_update+0x1b0/0x1b0
[   13.836092]  kthread+0x3c2/0x4a0
[   13.836355]  ? txLockFree+0x160/0x160 [jfs]
[   13.836763]  ? kthread_unuse_mm+0x160/0x160
[   13.837106]  ret_from_fork+0x1f/0x30
[   13.837402]  </TASK>
...

This patch adds a NULL check of "mp" before "write_metapage(mp)" is called.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Zixuan Fu <r33s3n6@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-06-14 16:59:17 +02:00
..
acl.c jfs: preserve i_mode if __jfs_set_acl() fails 2017-07-18 14:28:06 -05:00
file.c fs: convert a pile of fsync routines to errseq_t based reporting 2017-08-01 08:39:29 -04:00
inode.c jfs: prevent NULL deref in diFree 2022-04-15 14:15:04 +02:00
ioctl.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
jfs_acl.h jfs: use generic posix ACL infrastructure 2014-01-25 23:58:22 -05:00
jfs_btree.h JFS: White space cleanup 2006-10-02 09:55:27 -05:00
jfs_debug.c jfs: simplify procfs code 2018-05-16 07:24:30 +02:00
jfs_debug.h jfs: simplify procfs code 2018-05-16 07:24:30 +02:00
jfs_dinode.h jfs: Fix usercopy whitelist for inline inode data 2018-08-04 07:53:46 -07:00
jfs_discard.c jfs: Remove unnecessary line continuations and terminating newlines 2016-03-30 10:48:25 -05:00
jfs_discard.h fs/jfs: TRIM support for JFS Filesystem 2012-09-17 11:58:19 -05:00
jfs_dmap.c fs: jfs: fix possible NULL pointer dereference in dbFree() 2022-06-14 16:59:17 +02:00
jfs_dmap.h jfs: Fix array index bounds check in dbAdjTree 2020-12-30 11:26:13 +01:00
jfs_dtree.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
jfs_dtree.h [readdir] convert jfs 2013-06-29 12:56:42 +04:00
jfs_extent.c jfs: Update jfs_error 2013-06-05 14:47:19 -05:00
jfs_extent.h JFS: White space cleanup 2006-10-02 09:55:27 -05:00
jfs_filsys.h JFS: more checks for invalid superblock 2021-03-07 12:18:54 +01:00
jfs_imap.c new helper: inode_fake_hash() 2018-08-03 16:03:32 -04:00
jfs_imap.h JFS: Whitespace cleanup and remove some dead code 2007-06-06 15:28:35 -05:00
jfs_incore.h Just one jfs patch for 4.19 2018-08-15 22:47:23 -07:00
jfs_inode.c jfs: don't bother with make_bad_inode() in ialloc() 2018-08-03 16:03:33 -04:00
jfs_inode.h jfs: Remove jfs_get_inode_flags() 2017-04-19 14:21:23 +02:00
jfs_lock.h JFS: use __set_current_state() 2007-04-26 07:30:29 -05:00
jfs_logmgr.c fs/jfs: Fix missing error code in lmLogInit() 2021-07-20 16:16:08 +02:00
jfs_logmgr.h Fix common misspellings 2011-03-31 11:26:23 -03:00
jfs_metapage.c jfs: simplify procfs code 2018-05-16 07:24:30 +02:00
jfs_metapage.h JFS: do not ignore return code from write_one_page() 2017-07-05 18:44:22 -04:00
jfs_mount.c JFS: fix memleak in jfs_mount 2021-11-26 11:36:12 +01:00
jfs_superblock.h jfs: Update jfs_error 2013-06-05 14:47:19 -05:00
jfs_txnmgr.c jfs: fix bogus variable self-initialization 2020-01-27 14:50:33 +01:00
jfs_txnmgr.h JFS: Whitespace cleanup and remove some dead code 2007-06-06 15:28:35 -05:00
jfs_types.h jfs: get rid of homegrown endianness helpers 2014-12-23 17:01:24 -06:00
jfs_umount.c jfs: flush journal completely before releasing metadata inodes 2011-08-01 12:41:00 -05:00
jfs_unicode.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
jfs_unicode.h include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
jfs_uniupr.c JFS: White space cleanup 2006-10-02 09:55:27 -05:00
jfs_xattr.h jfs: Switch to generic xattr handlers 2016-05-12 22:29:18 -04:00
jfs_xtree.c jfs: simplify procfs code 2018-05-16 07:24:30 +02:00
jfs_xtree.h jfs: get rid of homegrown endianness helpers 2014-12-23 17:01:24 -06:00
Kconfig fs/*/Kconfig: drop links to 404-compliant http://acl.bestbits.at 2018-01-01 12:45:37 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
namei.c jfs: switch to discard_new_inode() 2018-08-03 16:03:31 -04:00
resize.c jfs: atomically read inode size 2017-02-09 11:57:22 -06:00
super.c Merge branch 'work.mkdir' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-08-13 20:25:58 -07:00
symlink.c vfs: remove ".readlink = generic_readlink" assignments 2016-12-09 16:45:04 +01:00
xattr.c jfs: Fix inconsistency between memory allocation and ea_buf->max_size 2018-06-05 10:36:46 -05:00