From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+c732f8644185de340492@syzkaller.appspotmail.com, Brian Foster, "Darrick J. Wong"
Subject: [PATCH 5.4 146/191] xfs: fix mount failure crash on invalid iclog memory access
Date: Thu, 2 Jan 2020 23:07:08 +0100
Message-Id: <20200102215845.170620568@linuxfoundation.org>
In-Reply-To: <20200102215829.911231638@linuxfoundation.org>
References: <20200102215829.911231638@linuxfoundation.org>

From: Brian Foster

commit 798a9cada4694ca8d970259f216cec47e675bfd5 upstream.

syzbot (via KASAN) reports a use-after-free in the error path of xlog_alloc_log(). Specifically, the iclog freeing loop doesn't handle the case of a fully initialized ->l_iclog linked list. Instead, it assumes that the list is partially constructed and NULL terminated. This bug manifested because there was no possible error scenario after iclog list setup when the original code was added. Subsequent code and associated error conditions were added some time later, while the original error handling code was never updated.

Fix up the error loop to terminate either on a NULL iclog or reaching the end of the list.

Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com
Signed-off-by: Brian Foster
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Greg Kroah-Hartman
---
 fs/xfs/xfs_log.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/xfs/xfs_log.c +++ b/fs/xfs/xfs_log.c @@ -1495,6 +1495,8 @@ out_free_iclog: prev_iclog = iclog->ic_next; kmem_free(iclog->ic_data); kmem_free(iclog); + if (prev_iclog == log->l_iclog) + break; } out_free_log: kmem_free(log);
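Review bot: the added `if (prev_iclog == log->l_iclog) break;` deserves a one-line comment in the loop body saying that ->l_iclog is a circular list once fully built, so the walk must stop when ic_next wraps back to the head rather than only on NULL; a reader of just this loop cannot tell why the head pointer is the sentinel. The comparison itself is safe because it is a pointer compare against the head, not a dereference of the iclog just passed to kmem_free(), but the loop header that handles the partially built, NULL-terminated case sits outside this hunk's context, so it is worth confirming in review that the NULL check there still terminates that path, since the new break only covers the wrapped case.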
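The free loop the commit message describes, as an added example that is not part of the patch or of the XFS code: a constructed stand-in for the iclog ring (the struct, field and function names are assumptions) whose build either stops early, leaving a NULL-terminated partial list, or closes the ring as xlog_alloc_log() does, and whose patched free loop terminates correctly on both shapes.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-in for the XFS iclog ring; fields mirror ic_data, ic_next and l_iclog. */
struct iclog { char *data; struct iclog *next; };
struct xlog  { struct iclog *head; };

/* Build `want` nodes. fail_at > 0 simulates an allocation failure at that node and leaves a
 * NULL-terminated partial list; a complete build closes the ring, like xlog_alloc_log(). */
static int build_iclogs(struct xlog *lg, int want, int fail_at)
{
    struct iclog **pp = &lg->head;
    lg->head = NULL;
    for (int i = 1; i <= want; i++) {
        if (i == fail_at)
            return -1;                  /* list stays partial and NULL-terminated */
        struct iclog *ic = calloc(1, sizeof(*ic));
        if (!ic)
            return -1;
        ic->data = malloc(64);
        *pp = ic;
        pp = &ic->next;
    }
    if (lg->head)
        *pp = lg->head;                 /* ring closed: no NULL left to stop on */
    return 0;
}

/* Error-path free loop with the patch applied: stop on NULL (partial list) or when ic_next
 * wraps back to the head (complete ring); without the wrap check a complete ring is walked
 * again through the already-freed head. Returns the number of iclogs freed. */
static int free_iclogs(struct xlog *lg)
{
    struct iclog *iclog, *prev_iclog;
    int freed = 0;
    for (iclog = lg->head; iclog; iclog = prev_iclog) {
        prev_iclog = iclog->next;
        free(iclog->data);
        free(iclog);
        freed++;
        if (prev_iclog == lg->head)     /* the check the patch adds */
            break;
    }
    lg->head = NULL;
    return freed;
}

int main(void)
{
    struct xlog lg;
    build_iclogs(&lg, 8, 0); printf("ring: %d freed\n", free_iclogs(&lg));    /* 8 */
    build_iclogs(&lg, 8, 4); printf("partial: %d freed\n", free_iclogs(&lg)); /* 3 */
    return 0;
}
```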