iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Jamie Iles 9ce7ac5ed5 jffs2: Fix NULL pointer dereference in rp_size fs option parsing 
[ Upstream commit a61df3c413e49b0042f9caf774c58512d1cc71b7 ]

syzkaller found the following JFFS2 splat:

  Unable to handle kernel paging request at virtual address dfffa00000000001
  Mem abort info:
    ESR = 0x96000004
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
  Data abort info:
    ISV = 0, ISS = 0x00000004
    CM = 0, WnR = 0
  [dfffa00000000001] address between user and kernel address ranges
  Internal error: Oops: 96000004 [#1] SMP
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 0 PID: 12745 Comm: syz-executor.5 Tainted: G S                5.9.0-rc8+ #98
  Hardware name: linux,dummy-virt (DT)
  pstate: 20400005 (nzCv daif +PAN -UAO BTYPE=--)
  pc : jffs2_parse_param+0x138/0x308 fs/jffs2/super.c:206
  lr : jffs2_parse_param+0x108/0x308 fs/jffs2/super.c:205
  sp : ffff000022a57910
  x29: ffff000022a57910 x28: 0000000000000000
  x27: ffff000057634008 x26: 000000000000d800
  x25: 000000000000d800 x24: ffff0000271a9000
  x23: ffffa0001adb5dc0 x22: ffff000023fdcf00
  x21: 1fffe0000454af2c x20: ffff000024cc9400
  x19: 0000000000000000 x18: 0000000000000000
  x17: 0000000000000000 x16: ffffa000102dbdd0
  x15: 0000000000000000 x14: ffffa000109e44bc
  x13: ffffa00010a3a26c x12: ffff80000476e0b3
  x11: 1fffe0000476e0b2 x10: ffff80000476e0b2
  x9 : ffffa00010a3ad60 x8 : ffff000023b70593
  x7 : 0000000000000003 x6 : 00000000f1f1f1f1
  x5 : ffff000023fdcf00 x4 : 0000000000000002
  x3 : ffffa00010000000 x2 : 0000000000000001
  x1 : dfffa00000000000 x0 : 0000000000000008
  Call trace:
   jffs2_parse_param+0x138/0x308 fs/jffs2/super.c:206
   vfs_parse_fs_param+0x234/0x4e8 fs/fs_context.c:117
   vfs_parse_fs_string+0xe8/0x148 fs/fs_context.c:161
   generic_parse_monolithic+0x17c/0x208 fs/fs_context.c:201
   parse_monolithic_mount_data+0x7c/0xa8 fs/fs_context.c:649
   do_new_mount fs/namespace.c:2871 [inline]
   path_mount+0x548/0x1da8 fs/namespace.c:3192
   do_mount+0x124/0x138 fs/namespace.c:3205
   __do_sys_mount fs/namespace.c:3413 [inline]
   __se_sys_mount fs/namespace.c:3390 [inline]
   __arm64_sys_mount+0x164/0x238 fs/namespace.c:3390
   __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
   invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
   el0_svc_common.constprop.0+0x15c/0x598 arch/arm64/kernel/syscall.c:149
   do_el0_svc+0x60/0x150 arch/arm64/kernel/syscall.c:195
   el0_svc+0x34/0xb0 arch/arm64/kernel/entry-common.c:226
   el0_sync_handler+0xc8/0x5b4 arch/arm64/kernel/entry-common.c:236
   el0_sync+0x15c/0x180 arch/arm64/kernel/entry.S:663
  Code: d2d40001 f2fbffe1 91002260 d343fc02 (38e16841)
  ---[ end trace 4edf690313deda44 ]---

This is because since ec10a24f10c8, the option parsing happens before
fill_super and so the MTD device isn't associated with the filesystem.
Defer the size check until there is a valid association.

Fixes: ec10a24f10c8 ("vfs: Convert jffs2 to use the new mount API")
Cc: <stable@vger.kernel.org>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Jamie Iles <jamie@nuviainc.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-01-06 14:48:37 +01:00
..
9p
9P: Cast to loff_t before multiplying
2020-11-05 11:43:34 +01:00
adfs
Merge branch 'work.adfs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 11:33:22 -07:00
affs
affs: fix basic permission bits to actually work
2020-09-09 19:12:34 +02:00
afs
afs: Fix memory leak when mounting with multiple source parameters
2020-12-30 11:50:54 +01:00
autofs
autofs: fix a leak in autofs_expire_indirect()
2019-10-25 00:03:11 -04:00
befs
fs: Fill in max and min timestamps in superblock
2019-08-30 07:27:17 -07:00
bfs
fs: Fill in max and min timestamps in superblock
2019-08-30 07:27:17 -07:00
btrfs
btrfs: fix race when defragmenting leads to unnecessary IO
2021-01-06 14:48:36 +01:00
cachefiles
cachefiles: Handle readpage error correctly
2020-11-05 11:43:36 +01:00
ceph
ceph: fix race in concurrent __ceph_remove_cap invocations
2020-12-30 11:51:40 +01:00
cifs
SMB3: avoid confusing warning message on mount to Azure
2020-12-30 11:51:40 +01:00
coda
y2038: add inode timestamp clamping
2019-09-19 09:42:37 -07:00
configfs
configfs: fix config_item refcnt leak in configfs_rmdir()
2020-05-27 17:46:30 +02:00
cramfs
cramfs: fix usage on non-MTD device
2019-11-23 21:44:49 -05:00
crypto
fscrypt: remove kernel-internal constants from UAPI header
2021-01-06 14:48:35 +01:00
debugfs
debugfs: Fix module state check condition
2020-09-17 13:47:55 +02:00
devpts
devpts_pty_kill(): don't bother with d_delete()
2019-09-03 09:30:56 -04:00
dlm
fs: dlm: fix configfs memory leak
2020-10-29 09:58:03 +01:00
ecryptfs
ecryptfs: replace BUG_ON with error handling code
2020-02-28 17:22:26 +01:00
efivarfs
efivarfs: revert "fix memory leak in efivarfs_create()"
2020-12-02 08:49:53 +01:00
efs
fs: Fill in max and min timestamps in superblock
2019-08-30 07:27:17 -07:00
erofs
erofs: avoid using generic_block_bmap
2020-12-30 11:51:23 +01:00
exportfs
exportfs_decode_fh(): negative pinned may become positive without the parent locked
2019-11-10 11:56:05 -05:00
ext2
ext2: don't update mtime on COW faults
2020-09-09 19:12:30 +02:00
ext4
ext4: don't remount read-only with errors=continue on reboot
2021-01-06 14:48:36 +01:00
f2fs
f2fs: prevent creating duplicate encrypted filenames
2021-01-06 14:48:35 +01:00
fat
fat: don't allow to mount if the FAT length == 0
2020-06-17 16:40:36 +02:00
freevxfs
fs: Fill in max and min timestamps in superblock
2019-08-30 07:27:17 -07:00
fscache
Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"
2019-07-10 18:43:43 -07:00
fuse
fuse: fix page dereference after free
2020-11-01 12:01:05 +01:00
gfs2
gfs2: check for empty rgrp tree in gfs2_ri_update
2020-12-11 13:23:32 +01:00
hfs
hfsplus
hfsplus: fix crash and filesystem corruption when deleting files
2020-04-17 10:50:22 +02:00
hostfs
hpfs
fs: hpfs: Initialize filesystem timestamp ranges
2019-08-30 08:11:25 -07:00
hugetlbfs
hugetlbfs: prevent filesystem stacking of hugetlbfs
2020-09-03 11:26:48 +02:00
iomap
iomap: fix WARN_ON_ONCE() from unprivileged users
2020-10-29 09:58:06 +01:00
isofs
y2038: add inode timestamp clamping
2019-09-19 09:42:37 -07:00
jbd2
jbd2: fix up sparse warnings in checkpoint code
2020-11-18 19:20:30 +01:00
jffs2
jffs2: Fix NULL pointer dereference in rp_size fs option parsing
2021-01-06 14:48:37 +01:00
jfs
jfs: Fix array index bounds check in dbAdjTree
2020-12-30 11:51:40 +01:00
kernfs
kernfs: do not call fsnotify() with name without a parent
2020-08-19 08:16:12 +02:00
lockd
lockd: don't use interval-based rebinding over TCP
2020-12-30 11:51:16 +01:00
minix
fs/minix: remove expected error message in block_to_path()
2020-08-21 13:05:37 +02:00
nfs
NFS: switch nfsiod to be an UNBOUND workqueue.
2020-12-30 11:51:16 +01:00
nfs_common
nfs_common: need lock during iterate through the list
2020-12-30 11:51:22 +01:00
nfsd
nfsd: Fix message level for normal termination
2020-12-30 11:51:22 +01:00
nilfs2
nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
2020-06-17 16:40:29 +02:00
nls
notify
fanotify: fix ignore mask logic for events on child and on dir
2020-06-17 16:40:24 +02:00
ntfs
ntfs: add check for mft record size in superblock
2020-10-29 09:58:03 +01:00
ocfs2
ocfs2: initialize ip_next_orphan
2020-11-18 19:20:30 +01:00
omfs
fs: omfs: Initialize filesystem timestamp ranges
2019-08-30 08:11:25 -07:00
openpromfs
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
orangefs
orangefs: get rid of knob code...
2020-08-21 13:05:29 +02:00
overlayfs
ovl: fix unneeded call to ovl_change_flags()
2020-07-22 09:33:12 +02:00
proc
proc: use untagged_addr() for pagemap_read addresses
2020-12-16 10:56:58 +01:00
pstore
pstore: Fix linking when crypto API disabled
2020-08-19 08:16:27 +02:00
qnx4
fs: Fill in max and min timestamps in superblock
2019-08-30 07:27:17 -07:00
qnx6
fs: Fill in max and min timestamps in superblock
2019-08-30 07:27:17 -07:00
quota
quota: Sanity-check quota file headers on load
2020-12-30 11:51:00 +01:00
ramfs
ramfs: fix nommu mmap with gaps in the page cache
2020-10-29 09:57:53 +01:00
reiserfs
reiserfs: Fix memory leak in reiserfs_parse_options()
2020-10-29 09:58:08 +01:00
romfs
romfs: fix uninitialized memory leak in romfs_dev_read()
2020-08-26 10:40:51 +02:00
squashfs
Merge branch 'work.mount2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-09-19 10:06:57 -07:00
sysfs
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
sysv
fs: sysv: Initialize filesystem timestamp ranges
2019-08-30 07:27:18 -07:00
tracefs
tracing: Do not create tracefs files if tracefs lockdown is in effect
2019-10-12 20:49:07 -04:00
ubifs
ubifs: prevent creating duplicate encrypted filenames
2021-01-06 14:48:35 +01:00
udf
udf: Fix memory leak when mounting
2020-11-05 11:43:29 +01:00
ufs
fs/ufs: avoid potential u32 multiplication overflow
2020-08-21 13:05:37 +02:00
unicode
unicode: make array 'token' static const, makes object smaller
2019-09-17 11:48:24 -04:00
verity
fs-verity: support builtin file signatures
2019-08-12 19:33:50 -07:00
xfs
xfs: revert "xfs: fix rmap key and record comparison functions"
2020-11-24 13:29:18 +01:00
aio.c
aio: fix async fsync creds
2020-06-17 16:40:24 +02:00
anon_inodes.c
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
attr.c
utimes: Clamp the timestamps in notify_change()
2020-02-11 04:35:12 -08:00
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c
fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
2020-06-03 08:21:27 +02:00
binfmt_em86.c
binfmt_flat.c
binfmt_flat: revert "binfmt_flat: don't offset the data start"
2020-09-03 11:26:39 +02:00
binfmt_misc.c
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
binfmt_script.c
block_dev.c
bdev: Reduce time holding bd_mutex in sync in blkdev_close()
2020-10-01 13:17:55 +02:00
buffer.c
fs: Don't invalidate page buffers in block_write_full_page()
2020-11-05 11:43:24 +01:00
char_dev.c
chardev: Avoid potential use-after-free in 'chrdev_open()'
2020-01-14 20:08:18 +01:00
compat_binfmt_elf.c
compat_ioctl.c
fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP
2020-01-09 10:20:05 +01:00
compat.c
coredump.c
coredump: fix core_pattern parse error
2020-12-11 13:23:30 +01:00
d_path.c
fs: fix NULL dereference due to data race in prepend_path()
2020-10-29 09:57:45 +01:00
dax.c
dax: pass NOWAIT flag to iomap_apply
2020-03-05 16:43:36 +01:00
dcache.c
fix dget_parent() fastpath race
2020-10-01 13:17:19 +02:00
dcookies.c
direct-io.c
fs/direct-io.c: fix kernel-doc warning
2019-10-14 15:04:01 -07:00
drop_caches.c
fs: avoid softlockups in s_inodes iterators
2020-01-12 12:21:37 +01:00
eventfd.c
eventfd: track eventfd_signal() recursion depth
2020-02-11 04:35:37 -08:00
eventpoll.c
ep_create_wakeup_source(): dentry name can change under you...
2020-10-07 08:01:31 +02:00
exec.c
mm: fix exec activate_mm vs TLB shootdown and lazy tlb switching race
2020-11-05 11:43:13 +01:00
fcntl.c
fhandle.c
fs/handle.c - fix up kerneldoc
2019-08-07 21:51:47 -04:00
file_table.c
vfs: Export flush_delayed_fput for use by knfsd.
2019-08-19 11:00:39 -04:00
file.c
fix multiplication overflow in copy_fdtable()
2020-05-27 17:46:12 +02:00
filesystems.c
fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once()
2020-04-17 10:50:21 +02:00
fs_context.c
vfs: subtype handling moved to fuse
2019-09-06 21:28:49 +02:00
fs_parser.c
vfs: Make fs_parse() handle fs_param_is_fd-type params better
2019-09-12 21:06:14 -04:00
fs_pin.c
switch the remnants of releasing the mountpoint away from fs_pin
2019-07-16 22:52:37 -04:00
fs_struct.c
fs_types.c
fs-writeback.c
writeback: Fix sync livelock due to b_dirty_time processing
2020-09-03 11:27:04 +02:00
fsopen.c
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
inode.c
futex: Fix inode life-time issue
2020-03-25 08:25:58 +01:00
internal.h
fs: move guard_bio_eod() after bio_set_op_attrs
2020-01-17 19:48:21 +01:00
io_uring.c
io_uring: Fix double list add in io_queue_async_work()
2020-10-14 10:32:57 +02:00
ioctl.c
compat_ioctl: add compat_ptr_ioctl()
2019-12-17 19:55:30 +01:00
Kconfig
fs-verity for 5.4
2019-09-18 16:59:14 -07:00
Kconfig.binfmt
libfs.c
libfs: fix error cast of negative value in simple_attr_write()
2020-11-24 13:29:19 +01:00
locks.c
locks: reinstate locks_delete_block optimization
2020-03-25 08:25:41 +01:00
Makefile
fs-verity for 5.4
2019-09-18 16:59:14 -07:00
mbcache.c
mount.h
switch the remnants of releasing the mountpoint away from fs_pin
2019-07-16 22:52:37 -04:00
mpage.c
fs: move guard_bio_eod() after bio_set_op_attrs
2020-01-17 19:48:21 +01:00
namei.c
namei: only return -ECHILD from follow_dotdot_rcu()
2020-03-05 16:43:48 +01:00
namespace.c
fs/namespace.c: fix use-after-free of mount in mnt_warn_timestamp_expiry()
2019-10-16 23:15:09 -04:00
no-block.c
nsfs.c
open.c
cifs_atomic_open(): fix double-put on late allocation failure
2020-03-18 07:17:51 +01:00
pipe.c
pnode.c
propagate_one(): mnt_set_mountpoint() needs mount_lock
2020-05-02 08:48:44 +02:00
pnode.h
posix_acl.c
proc_namespace.c
vfs: subtype handling moved to fuse
2019-09-06 21:28:49 +02:00
read_write.c
fs: allow deduplication of eof block into the end of the destination file
2020-02-11 04:35:23 -08:00
readdir.c
readdir: be more conservative with directory entry names
2020-01-29 16:45:31 +01:00
select.c
fs/select.c: use struct_size() in kmalloc()
2019-07-16 19:23:25 -07:00
seq_file.c
seq_file: fix problem when seeking mid-record
2019-08-13 16:06:52 -07:00
signalfd.c
fs/signalfd.c: fix inconsistent return codes for signalfd4
2020-08-26 10:40:58 +02:00
splice.c
splice: only read in as much information as there is pipe buffer space
2019-12-17 19:56:52 +01:00
stack.c
stat.c
statfs.c
vfs: Fix EOVERFLOW testing in put_compat_statfs64
2019-10-03 14:21:35 -07:00
super.c
vfs: remove lockdep bogosity in __sb_start_write
2020-11-24 13:29:01 +01:00
sync.c
timerfd.c
timerfd: Prepare for PREEMPT_RT
2019-08-01 20:51:23 +02:00
userfaultfd.c
userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
2020-01-04 19:18:32 +01:00
utimes.c
utimes: Clamp the timestamps in notify_change()
2020-02-11 04:35:12 -08:00
xattr.c
xattr: break delegations in {set,remove}xattr
2020-08-11 15:33:39 +02:00