Date: Wed, 9 Dec 2020 10:07:00 +0100
From: Jan Kara
To: Anant Thazhemadam
Cc: Jan Kara, linux-kernel@vger.kernel.org, syzbot+2643e825238d7aabb37f@syzkaller.appspotmail.com
Subject: Re: [PATCH] fs: quota: fix array-index-out-of-bounds bug by passing correct argument to vfs_cleanup_quota_inode()
Message-ID: <20201209090700.GA18595@quack2.suse.cz>
References: <20201208194338.7064-1-anant.thazhemadam@gmail.com>
In-Reply-To: <20201208194338.7064-1-anant.thazhemadam@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed 09-12-20 01:13:38, Anant Thazhemadam wrote:
> When dquot_resume() was last updated, the argument that got passed
> to vfs_cleanup_quota_inode was incorrectly set.
>
> If type = -1 and dquot_load_quota_sb() returns a negative value,
> then vfs_cleanup_quota_inode() gets called with -1 passed as an
> argument, and this leads to an array-index-out-of-bounds bug.
>
> Fix this issue by correctly passing the arguments.
>
> Fixes: ae45f07d47cc ("quota: Simplify dquot_resume()")
> Reported-by: syzbot+2643e825238d7aabb37f@syzkaller.appspotmail.com
> Tested-by: syzbot+2643e825238d7aabb37f@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam

Thanks for the fix! I've just queued the very same fix I wrote yesterday to
my tree. But yours has a better changelog so let me pick your patch instead ;)

For next time, how can we avoid collisions like this? Did you work on the fix
based on the syzbot email sent to the list so if I actually reply to the syzbot
email that I'm working on / already have a fix you'd see it?

								Honza

> ---
> If type = -1 is passed as an argument to vfs_cleanup_quota_inode(),
> it causes an array-index-out-of-bounds error since dqopt->files[-1]
> can be potentially attempted to be accessed.
> Before the bisected commit introduced this bug, vfs_load_quota_inode()
> was being directly called in dquot_resume(), and subsequently
> vfs_cleanup_quota_inode() was called with the cnt value as argument.
>
> fs/quota/dquot.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
> index bb02989d92b6..4f1373463766 100644
> --- a/fs/quota/dquot.c
> +++ b/fs/quota/dquot.c
> @@ -2455,7 +2455,7 @@ int dquot_resume(struct super_block *sb, int type)
> ret = dquot_load_quota_sb(sb, cnt, dqopt->info[cnt].dqi_fmt_id,
> flags);
> if (ret < 0)
> - vfs_cleanup_quota_inode(sb, type);
> + vfs_cleanup_quota_inode(sb, cnt);
> }
>
> return ret;
> --
> 2.25.1
>
-- 
Jan Kara
SUSE Labs, CR
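Review bot: the one-line change at the vfs_cleanup_quota_inode() call is the right fix for the files[-1] index, but note that the surrounding loop keeps iterating after dquot_load_quota_sb() fails: `if (ret < 0)` / `vfs_cleanup_quota_inode(sb, cnt);` is followed directly by the closing `}` and `return ret;`, so a negative ret for one quota type is overwritten by the next iteration's result and the caller only learns about the last type tried. That is pre-existing and not something this patch needs to address, but a `break` after the cleanup, or accumulating the first error separately, would be worth a follow-up. Also, the paragraph below the `---` marker (that the code before ae45f07d47cc passed cnt from dquot_resume()) is the clearest statement of why cnt is the right argument and will be dropped on apply; consider moving it into the changelog proper.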
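To make the indexing mistake in the commit message concrete, here is a small user-space C model of the dquot_resume() loop. It is an added example, not kernel code and not part of the patch or this thread: the struct layout, the MAXQUOTAS value, the always-failing load stub and the helper names (cleanup_quota_inode, load_quota_sb, resume_model, oob_cleanups_for) are assumptions standing in for the kernel's quota_info, dquot_load_quota_sb() and vfs_cleanup_quota_inode(). The cleanup stand-in bounds-checks its index instead of dereferencing it, so the model counts how many cleanups would have touched files[-1] when the buggy argument (type) is passed versus the fixed one (cnt).

```c
/* Added example: user-space model of the dquot_resume() argument bug.
 * Not kernel code; names and the MAXQUOTAS value are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define MAXQUOTAS 3        /* assumed: usr, grp, prj quota types */
#define ALL_TYPES (-1)     /* "resume every type", the value the report hit */

struct quota_info {
    bool suspended[MAXQUOTAS];
    int  files[MAXQUOTAS];  /* stand-in for the per-type quota inodes */
};

/* Stand-in for vfs_cleanup_quota_inode(). The kernel version indexes
 * dqopt->files[idx] directly, so idx == -1 reads before the array; here
 * we bounds-check and report instead. Returns the index cleaned, or -1
 * when the index is out of range. */
static int cleanup_quota_inode(struct quota_info *dqopt, int idx)
{
    if (idx < 0 || idx >= MAXQUOTAS)
        return -1;
    dqopt->files[idx] = 0;
    return idx;
}

/* Stand-in for dquot_load_quota_sb(): always fails, so every iteration
 * takes the cleanup path, which is the condition the bug needs. */
static int load_quota_sb(int cnt)
{
    (void)cnt;
    return -1;
}

/* Model of the dquot_resume() loop. With use_cnt == false the cleanup is
 * called with `type` (the buggy call site); with true, with `cnt` (the
 * fix). Returns how many cleanups would have gone out of bounds. */
static int resume_model(struct quota_info *dqopt, int type, bool use_cnt)
{
    int oob = 0;

    for (int cnt = 0; cnt < MAXQUOTAS; cnt++) {
        if (type != ALL_TYPES && cnt != type)
            continue;
        if (!dqopt->suspended[cnt])
            continue;

        int ret = load_quota_sb(cnt);
        if (ret < 0 &&
            cleanup_quota_inode(dqopt, use_cnt ? cnt : type) < 0)
            oob++;
    }
    return oob;
}

/* Run the model on constructed sample state with every type suspended. */
static int oob_cleanups_for(int type, bool fixed)
{
    struct quota_info q = {
        .suspended = { true, true, true },
        .files     = { 1, 2, 3 },
    };
    return resume_model(&q, type, fixed);
}

int main(void)
{
    printf("type=-1, buggy (passes type): %d out-of-bounds cleanups\n",
           oob_cleanups_for(ALL_TYPES, false));
    printf("type=-1, fixed (passes cnt):  %d out-of-bounds cleanups\n",
           oob_cleanups_for(ALL_TYPES, true));
    printf("type=1,  buggy (passes type): %d out-of-bounds cleanups\n",
           oob_cleanups_for(1, false));
    return 0;
}
```

The third case is why the bug was easy to miss: when dquot_resume() is asked for a single type, `type` and `cnt` are equal on the only iteration that runs and the wrong argument is harmless. Only the all-types path (type == -1) with a failing load reaches files[-1], and the kernel function has no range check like the stand-in here, so the bad index goes straight to memory.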