From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Chandan Rajendra" , "Abdul Haleem"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 089/254] ext4: fix crash when a directory's i_size is too small

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chandan Rajendra

commit 9d5afec6b8bd46d6ed821aa1579634437f58ef1f upstream.

On a ppc64 machine, when mounting a fuzzed ext2 image (generated by
fsfuzzer) the following call trace is seen,

VFS: brelse: Trying to free free buffer
WARNING: CPU: 1 PID: 6913 at /root/repos/linux/fs/buffer.c:1165 .__brelse.part.6+0x24/0x40
.__brelse.part.6+0x20/0x40 (unreliable)
.ext4_find_entry+0x384/0x4f0
.ext4_lookup+0x84/0x250
.lookup_slow+0xdc/0x230
.walk_component+0x268/0x400
.path_lookupat+0xec/0x2d0
.filename_lookup+0x9c/0x1d0
.vfs_statx+0x98/0x140
.SyS_newfstatat+0x48/0x80
system_call+0x58/0x6c

This happens because the directory that ext4_find_entry() looks up has
inode->i_size that is less than the block size of the filesystem. This
causes 'nblocks' to have a value of zero. ext4_bread_batch() ends up not
reading any of the directory file's blocks. This causes the entries in
the bh_use[] array to continue to have garbage data. buffer_uptodate() on
bh_use[0] can then return a zero value, upon which the brelse() function
is invoked.

This commit fixes the bug by returning -ENOENT when the directory file
has no associated blocks.

Reported-by: Abdul Haleem
Signed-off-by: Chandan Rajendra
Signed-off-by: Ben Hutchings --- fs/ext4/namei.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -1267,6 +1267,10 @@ static struct buffer_head * ext4_find_en "falling back\n")); } nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb); + if (!nblocks) { + ret = NULL; + goto cleanup_and_exit; + } start = EXT4_I(dir)->i_dir_start_lookup; if (start >= nblocks) start = 0;
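Review bot: the commit message says the fix returns -ENOENT, but the hunk sets `ret = NULL;` and jumps to `cleanup_and_exit`, so ext4_find_entry() itself only reports "no such entry" and it is the caller that turns a NULL buffer_head into -ENOENT; the message should describe what the code does so nobody expects an errno to be propagated from this function. Separately, a directory whose i_size is smaller than one filesystem block is on-disk corruption rather than a legitimately empty directory, and the early return makes every lookup in it silently fail as "not found"; consider pairing the `if (!nblocks)` check with an EXT4_ERROR_INODE() (or at least ext4_warning()) on `dir` so that the corrupt image is reported and, depending on the errors= mount option, the filesystem can be taken read-only instead of quietly returning negative dentries.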
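The mechanism the commit message describes, as an added toy model in C that is not ext4's code or the patch author's: the block count of a directory is derived from the untrusted on-disk i_size, and the scanning loop has do-while shape, so a derived count of zero still visits slot 0 once. The model assumes 4 KiB blocks and keeps only the shape of the loop (start index clamp, wrap-around, do-while), not the batched reads; `scan_blocks` and `BLOCK_SIZE_BITS` are names chosen here for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for the model: 4 KiB filesystem blocks, so i_size >> 12 blocks. */
#define BLOCK_SIZE_BITS 12

/*
 * Toy model of the block-scanning loop in ext4_find_entry() (not ext4 code).
 *
 * i_size       - directory size as read from the (untrusted) on-disk inode
 * start_lookup - cached block index where the previous lookup hit
 * with_fix     - 1 applies the patch's "no blocks -> not found" check
 *
 * Returns how many block slots the loop touches. Every touched slot is a
 * bh_use[] entry the real code inspects with buffer_uptodate()/brelse();
 * a slot that was never filled by a read is exactly the garbage the
 * report describes.
 */
unsigned int scan_blocks(uint64_t i_size, unsigned int start_lookup, int with_fix)
{
    unsigned int nblocks = (unsigned int)(i_size >> BLOCK_SIZE_BITS);
    unsigned int start, block, touched = 0;

    /* The check the patch adds: a directory with no blocks has no entries. */
    if (with_fix && !nblocks)
        return 0;

    /* Same clamp as the original code: with nblocks == 0 this yields start = 0. */
    start = start_lookup;
    if (start >= nblocks)
        start = 0;

    /* do-while: the body runs at least once even when nblocks == 0. */
    block = start;
    do {
        touched++;                    /* real code: read/inspect bh_use[] here */
        if (++block >= nblocks)       /* wrap around at the end of the directory */
            block = 0;
    } while (block != start);

    return touched;
}

int main(void)
{
    /* Constructed inputs: a fuzzed directory with i_size 100 (< one block)
     * and a sane three-block directory with a cached start of 1. */
    printf("fuzzed dir (i_size=100), unfixed: %u slot(s) touched\n", scan_blocks(100, 0, 0));
    printf("fuzzed dir (i_size=100), fixed:   %u slot(s) touched\n", scan_blocks(100, 0, 1));
    printf("sane dir (3 blocks), fixed:       %u slot(s) touched\n",
           scan_blocks((uint64_t)3 << BLOCK_SIZE_BITS, 1, 1));
    return 0;
}
```

The unfixed path touches one slot for the fuzzed directory even though no block was ever read, which is the `bh_use[0]` the warning comes from; with the check in place the loop is never entered. The general lesson is the same for any loop whose trip count is derived from on-disk metadata: validate the derived count before a construct that cannot express "zero iterations".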