iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs/xfs
History
ChenXiaoSong 001c179c4e xfs: fix NULL pointer dereference in xfs_getbmap() 
Reproducer:
 1. fallocate -l 100M image
 2. mkfs.xfs -f image
 3. mount image /mnt
 4. setxattr("/mnt", "trusted.overlay.upper", NULL, 0, XATTR_CREATE)
 5. char arg[32] = "\x01\xff\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00"
                   "\x00\x00\x00\x00\x00\x08\x00\x00\x00\xc6\x2a\xf7";
    fd = open("/mnt", O_RDONLY|O_DIRECTORY);
    ioctl(fd, _IOC(_IOC_READ|_IOC_WRITE, 0x58, 0x2c, 0x20), arg);

NULL pointer dereference will occur when race happens between xfs_getbmap()
and xfs_bmap_set_attrforkoff():

         ioctl               |       setxattr
 ----------------------------|---------------------------
 xfs_getbmap                 |
   xfs_ifork_ptr             |
     xfs_inode_has_attr_fork |
       ip->i_forkoff == 0    |
     return NULL             |
   ifp == NULL               |
                             | xfs_bmap_set_attrforkoff
                             |   ip->i_forkoff > 0
   xfs_inode_has_attr_fork   |
     ip->i_forkoff > 0       |
   ifp == NULL               |
   ifp->if_format            |

Fix this by locking i_lock before xfs_ifork_ptr().

Fixes: abbf9e8a4507 ("xfs: rewrite getbmap using the xfs_iext_* helpers")
Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
[djwong: added fixes tag]
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
2022-07-31 09:21:27 -07:00
..
libxfs
xfs: Fix typo 'the the' in comment
2022-07-22 10:58:39 -07:00
scrub
xfs: fix for variable set but not used warning
2022-07-20 16:40:39 -07:00
Kconfig
kmem.c
mm: introduce memalloc_retry_wait()
2022-01-15 16:30:29 +02:00
kmem.h
xfs: remove kmem_zone typedef
2021-10-22 16:00:31 -07:00
Makefile
xfs: add in-memory iunlink log item
2022-07-14 11:47:42 +10:00
mrlock.h
xfs_acl.c
xfs: move xfs_attr_use_log_assist usage out of libxfs
2022-05-27 10:34:04 +10:00
xfs_acl.h
xfs: improve __xfs_set_acl
2022-04-26 13:34:42 +10:00
xfs_aops.c
Page cache changes for 5.19
2022-05-24 19:55:07 -07:00
xfs_aops.h
xfs_attr_inactive.c
xfs: don't leak memory when attr fork loading fails
2022-07-20 16:40:39 -07:00
xfs_attr_item.c
xfs: don't hold xattr leaf buffers across transaction rolls
2022-06-29 08:47:56 -07:00
xfs_attr_item.h
xfs: share xattr name and value buffers when logging xattr updates
2022-05-23 08:43:46 +10:00
xfs_attr_list.c
xfs: use XFS_IFORK_Q to determine the presence of an xattr fork
2022-07-09 15:17:21 -07:00
xfs_bio_io.c
Bug fixes for 5.18:
2022-04-01 19:30:44 -07:00
xfs_bmap_item.c
xfs: whiteouts release intents that are not in the AIL
2022-05-04 11:46:47 +10:00
xfs_bmap_item.h
xfs: rename _zone variables to _cache
2021-10-22 16:04:20 -07:00
xfs_bmap_util.c
xfs: fix NULL pointer dereference in xfs_getbmap()
2022-07-31 09:21:27 -07:00
xfs_bmap_util.h
xfs: kill the XFS_IOC_{ALLOC,FREE}SP* ioctls
2022-01-17 09:16:41 -08:00
xfs_buf_item_recover.c
xfs: convert buf_cancel_table allocation to kmalloc_array
2022-05-27 10:27:19 +10:00
xfs_buf_item.c
xfs: log items should have a xlog pointer, not a mount
2022-03-20 08:59:49 -07:00
xfs_buf_item.h
xfs: convert buffer log item flags to unsigned.
2022-04-21 10:46:40 +10:00
xfs_buf.c
xfs: xfs_buf cache destroy isn't RCU safe
2022-07-20 16:40:39 -07:00
xfs_buf.h
xfs: xfs_buf cache destroy isn't RCU safe
2022-07-20 16:40:39 -07:00
xfs_dir2_readdir.c
xfs: convert XFS_IFORK_PTR to a static inline helper
2022-07-09 15:17:21 -07:00
xfs_discard.c
xfs: pass perag to xfs_alloc_read_agf()
2022-07-07 19:07:40 +10:00
xfs_discard.h
xfs_dquot_item_recover.c
xfs: replace xfs_sb_version checks with feature flag checks
2021-08-19 10:07:12 -07:00
xfs_dquot_item.c
xfs: remove support for disabling quota accounting on a mounted file system
2021-08-06 11:05:36 -07:00
xfs_dquot_item.h
xfs: remove support for disabling quota accounting on a mounted file system
2021-08-06 11:05:36 -07:00
xfs_dquot.c
xfs: Fix comment typo
2022-07-22 10:58:39 -07:00
xfs_dquot.h
xfs: remove warning counters from struct xfs_dquot_res
2022-05-11 17:12:09 +10:00
xfs_error.c
xfs: add leaf to node error tag
2022-05-11 17:01:23 +10:00
xfs_error.h
xfs: convert ptag flags to unsigned.
2022-04-21 10:47:25 +10:00
xfs_export.c
xfs: convert remaining mount flags to state flags
2021-08-19 10:07:13 -07:00
xfs_export.h
xfs_extent_busy.c
xfs: pass perags through to the busy extent code
2021-06-02 10:48:24 +10:00
xfs_extent_busy.h
xfs: pass perags through to the busy extent code
2021-06-02 10:48:24 +10:00
xfs_extfree_item.c
xfs: pass perag to xfs_alloc_read_agf()
2022-07-07 19:07:40 +10:00
xfs_extfree_item.h
xfs: rename _zone variables to _cache
2021-10-22 16:04:20 -07:00
xfs_file.c
xfs: Changes for 5.19-rc1 [2nd set]
2022-06-01 17:23:53 -07:00
xfs_filestream.c
xfs: pass perag to xfs_alloc_read_agf()
2022-07-07 19:07:40 +10:00
xfs_filestream.h
xfs: convert mount flags to features
2021-08-19 10:07:12 -07:00
xfs_fsmap.c
xfs: pass perag to xfs_alloc_read_agf()
2022-07-07 19:07:40 +10:00
xfs_fsmap.h
xfs_fsops.c
xfs: Pre-calculate per-AG agbno geometry
2022-07-07 19:13:02 +10:00
xfs_fsops.h
xfs: get rid of xfs_growfs_{data,log}_t
2021-02-03 09:18:50 -08:00
xfs_globals.c
xfs: Add larp debug option
2022-05-11 17:01:22 +10:00
xfs_health.c
xfs: replace XFS_FORCED_SHUTDOWN with xfs_is_shutdown
2021-08-19 10:07:13 -07:00
xfs_icache.c
xfs: don't leak memory when attr fork loading fails
2022-07-20 16:40:39 -07:00
xfs_icache.h
xfs: introduce xfs_inodegc_push()
2022-06-23 13:34:38 -07:00
xfs_icreate_item.c
xfs: fix potential log item leak
2022-05-04 11:45:11 +10:00
xfs_icreate_item.h
xfs: rename _zone variables to _cache
2021-10-22 16:04:20 -07:00
xfs_inode_item_recover.c
xfs: hide log iovec alignment constraints
2022-05-04 11:45:50 +10:00
xfs_inode_item.c
xfs: replace inode fork size macros with functions
2022-07-12 11:17:27 -07:00
xfs_inode_item.h
xfs: aborting inodes on shutdown may need buffer lock
2022-03-29 18:21:59 -07:00
xfs_inode.c
xfs: make attr forks permanent
2022-07-14 09:46:37 -07:00
xfs_inode.h
xfs: make attr forks permanent
2022-07-14 09:46:37 -07:00
xfs_ioctl32.c
xfs: Set up infrastructure for log attribute replay
2022-05-04 12:41:02 +10:00
xfs_ioctl32.h
xfs: remove unused xfs_ioctl32.h declarations
2022-01-18 10:18:36 -08:00
xfs_ioctl.c
xfs: convert XFS_IFORK_PTR to a static inline helper
2022-07-09 15:17:21 -07:00
xfs_ioctl.h
xfs: kill the XFS_IOC_{ALLOC,FREE}SP* ioctls
2022-01-17 09:16:41 -08:00
xfs_iomap.c
xfs: replace XFS_IFORK_Q with a proper predicate function
2022-07-12 11:17:27 -07:00
xfs_iomap.h
iomap: add a IOMAP_DAX flag
2021-12-04 08:58:53 -08:00
xfs_iops.c
xfs: replace XFS_IFORK_Q with a proper predicate function
2022-07-12 11:17:27 -07:00
xfs_iops.h
xfs: add selinux labels to whiteout inodes
2022-07-09 10:56:02 -07:00
xfs_itable.c
xfs: replace inode fork size macros with functions
2022-07-12 11:17:27 -07:00
xfs_itable.h
xfs: Enable bulkstat ioctl to support 64-bit per-inode extent counters
2022-04-13 07:02:45 +00:00
xfs_iunlink_item.c
xfs: add in-memory iunlink log item
2022-07-14 11:47:42 +10:00
xfs_iunlink_item.h
xfs: add in-memory iunlink log item
2022-07-14 11:47:42 +10:00
xfs_iwalk.c
xfs: avoid buffer deadlocks when walking fs inodes
2021-08-09 11:13:16 -07:00
xfs_iwalk.h
xfs: Decouple XFS_IBULK flags from XFS_IWALK flags
2022-04-13 07:02:44 +00:00
xfs_linux.h
xfs: drop async cache flushes from CIL commits.
2022-03-29 18:22:02 -07:00
xfs_log_cil.c
xfs: xlog_sync() manually adjusts grant head space
2022-07-07 18:56:09 +10:00
xfs_log_priv.h
xfs: xlog_sync() manually adjusts grant head space
2022-07-07 18:56:09 +10:00
xfs_log_recover.c
xfs: double link the unlinked inode list
2022-07-14 11:46:43 +10:00
xfs_log.c
xfs: xlog_sync() manually adjusts grant head space
2022-07-07 18:56:09 +10:00
xfs_log.h
xfs: move CIL ordering to the logvec chain
2022-07-07 18:56:08 +10:00
xfs_message.c
Merge branch 'guilt/xfs-unsigned-flags-5.18' into xfs-5.19-for-next
2022-04-21 16:45:03 +10:00
xfs_message.h
xfs: implement per-mount warnings for scrub and shrink usage
2022-05-27 10:31:34 +10:00
xfs_mount.c
xfs: Pre-calculate per-AG agbno geometry
2022-07-07 19:13:02 +10:00
xfs_mount.h
xfs: bound maximum wait time for inodegc work
2022-06-23 13:34:38 -07:00
xfs_mru_cache.c
xfs: rename _zone variables to _cache
2021-10-22 16:04:20 -07:00
xfs_mru_cache.h
xfs_ondisk.h
xfs: Set up infrastructure for log attribute replay
2022-05-04 12:41:02 +10:00
xfs_pnfs.c
xfs: use setattr_copy to set vfs inode attributes
2022-03-14 10:23:16 -07:00
xfs_pnfs.h
xfs_pwork.c
xfs: increase the default parallelism levels of pwork clients
2021-02-03 09:18:49 -08:00
xfs_pwork.h
xfs: increase the default parallelism levels of pwork clients
2021-02-03 09:18:49 -08:00
xfs_qm_bhv.c
xfs: replace xfs_sb_version checks with feature flag checks
2021-08-19 10:07:12 -07:00
xfs_qm_syscalls.c
xfs: introduce xfs_inodegc_push()
2022-06-23 13:34:38 -07:00
xfs_qm.c
xfs: make attr forks permanent
2022-07-14 09:46:37 -07:00
xfs_qm.h
xfs: remove quota warning limit from struct xfs_quota_limits
2022-05-11 17:12:09 +10:00
xfs_quota.h
xfs: queue inactivation immediately when quota is nearing enforcement
2021-08-09 10:52:18 -07:00
xfs_quotaops.c
xfs: don't set quota warning values
2022-05-11 17:12:09 +10:00
xfs_refcount_item.c
xfs: whiteouts release intents that are not in the AIL
2022-05-04 11:46:47 +10:00
xfs_refcount_item.h
xfs: rename _zone variables to _cache
2021-10-22 16:04:20 -07:00
xfs_reflink.c
xfs: convert XFS_IFORK_PTR to a static inline helper
2022-07-09 15:17:21 -07:00
xfs_reflink.h
xfs: pass perag to xfs_alloc_read_agf()
2022-07-07 19:07:40 +10:00
xfs_rmap_item.c
xfs: whiteouts release intents that are not in the AIL
2022-05-04 11:46:47 +10:00
xfs_rmap_item.h
xfs: rename _zone variables to _cache
2021-10-22 16:04:20 -07:00
xfs_rtalloc.c
Merge tag 'large-extent-counters-v9' of https://github.com/chandanr/linux into xfs-5.19-for-next
2022-04-21 16:46:17 +10:00
xfs_rtalloc.h
xfs: recalculate free rt extents after log recovery
2022-04-12 06:49:42 +10:00
xfs_stats.c
xfs_stats.h
xfs_super.c
xfs: xfs_buf cache destroy isn't RCU safe
2022-07-20 16:40:39 -07:00
xfs_super.h
xfs: move xfs_attr_use_log_assist out of xfs_log.c
2022-05-27 10:33:29 +10:00
xfs_symlink.c
xfs: replace inode fork size macros with functions
2022-07-12 11:17:27 -07:00
xfs_symlink.h
xfs: support idmapped mounts
2021-01-24 14:43:46 +01:00
xfs_sysctl.c
xfs: restore speculative_cow_prealloc_lifetime sysctl
2021-02-24 10:16:08 -08:00
xfs_sysctl.h
xfs: Add larp debug option
2022-05-11 17:01:22 +10:00
xfs_sysfs.c
xfs: Add larp debug option
2022-05-11 17:01:22 +10:00
xfs_sysfs.h
xfs_trace.c
xfs: add trace point for fs shutdown
2021-08-18 18:46:00 -07:00
xfs_trace.h
xfs: make attr forks permanent
2022-07-14 09:46:37 -07:00
xfs_trans_ail.c
xfs: log shutdown triggers should only shut down the log
2022-03-29 18:22:01 -07:00
xfs_trans_buf.c
xfs: introduce xfs_buf_daddr()
2021-08-19 10:07:14 -07:00
xfs_trans_dquot.c
xfs: remove quota warning limit from struct xfs_quota_limits
2022-05-11 17:12:09 +10:00
xfs_trans_priv.h
xfs: convert log vector chain to use list heads
2022-07-07 18:55:59 +10:00
xfs_trans.c
xfs: introduce in-memory inode unlink log items
2022-07-14 09:21:42 -07:00
xfs_trans.h
xfs: introduce in-memory inode unlink log items
2022-07-14 09:21:42 -07:00
xfs_xattr.c
xfs: fix TOCTOU race involving the new logged xattrs control knob
2022-06-15 23:13:32 -07:00
xfs_xattr.h
xfs: move xfs_attr_use_log_assist usage out of libxfs
2022-05-27 10:34:04 +10:00
xfs.h