Received: by 2002:a05:6a10:c604:0:0:0:0 with SMTP id y4csp3759406pxt;
        Tue, 10 Aug 2021 10:39:30 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwGcpL+CcP6a4D0yq7uAKqbVBlvGIholKzQl4GkdqzDTG1stXjDV7KyHbtDgMekxNkjYhlj
X-Received: by 2002:a17:906:8444:: with SMTP id e4mr10009587ejy.516.1628617170640;
        Tue, 10 Aug 2021 10:39:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628617170; cv=none;
        d=google.com; s=arc-20160816;
        b=vb3SqzjgQNp5gVWCxnIVcvw5dDkgFyeQWwPkxmg6PRScm0nNF93QCLAPGki5U782Gm
         6lrhkCED+OCXSM1xm0G5ujn4ZJ835+xUu1kTpiiAVwsHuoBafevsq2wTgzvPeS5lF6vb
         rOi4PYwORmDSYLaxnVRPgKDWGAntEyj4TxRUr6aBrhPD0cYxL17nBxNvSYVfI5oDB5iZ
         iun5JmNpmH4RbJJrD+Q7kszHE5hX6ibA6Hdj/OzF7W6XyysGEhkSczvPUMqiZ4iqV6DW
         scEyBIkjZQzW3tV+52JcIcv/Ll5vGCdQgUxOiUh3tmqH8dqEjf7Q3k0Qe0Am4IasMV7p
         G2rA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=T3zRiJVSMYdyozQYULQVo1sHh/+s/IY3+rBUiYkl2Y4=;
        b=CN0QTnt1hLk+ng26Utg5ikbjMkJr4BXWxhEVLHd9BqUvg0wssBc7k50dmKDIvp59Fg
         v7INDSHtn38UgbW5yIL2bwk+SGC1gy8Ifk6tk4p3J2OVjt60oyUdLVDdILyCxGEzGrwI
         ZepXmfSiyhsizqIPUPqciLx/+U0uFLKxXjLv9V7B+TNemV6SAYeUokQps/3QNoDQd3L5
         wi3i3bkEhHkzUphrrvRm+H1QZqWQ8F+Jq5D0IIm3e5CcS50cSCEYgkYy8p2QOVv03LP5
         zPJcZKUCkTCRSpekLfIEOhdpSFEZ3eie8xnyZJR/RLfkMb9UxmIrVh4B87VjZM9lIHip
         Ac+w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WjgOt0R6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u9si10117146ejr.641.2021.08.10.10.39.06;
        Tue, 10 Aug 2021 10:39:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WjgOt0R6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232230AbhHJRez (ORCPT <rfc822;list.andrew.ls@gmail.com>
        + 99 others); Tue, 10 Aug 2021 13:34:55 -0400
Received: from mail.kernel.org ([198.145.29.99]:38896 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S232376AbhHJReD (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Aug 2021 13:34:03 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 8E5F161051;
        Tue, 10 Aug 2021 17:33:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1628616821;
        bh=tPzkEkvjSFr0zA/73+SPlLNE/7l1MF7egMhoqkolLD4=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=WjgOt0R6ugqB0FhKejTbGXgZQKceEW/CrpLgFy7fhUtVlKZ0eW1ss7tzyY/0SE4XZ
         MxMVggUc0i4SM8MzHoRddSOVRaRQRIhsmGT3Ir3kzy9tvI3Ru3Xj0O7eAzn+giSmoM
         Stdrxeb6BqOJ4gZYQEvijj/PBivqVRC5YMUuYwUI=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Yu Kuai <yukuai3@huawei.com>,
        Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 50/54] reiserfs: add check for root_inode in reiserfs_fill_super
Date:   Tue, 10 Aug 2021 19:30:44 +0200
Message-Id: <20210810172945.853706935@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210810172944.179901509@linuxfoundation.org>
References: <20210810172944.179901509@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Yu Kuai <yukuai3@huawei.com>

[ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ]

Our syzcaller report a NULL pointer dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0
Oops: 0010 [#1] SMP KASAN
CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff888114e779b8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa
RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0
RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001
R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00
R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0
FS:  00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __lookup_slow+0x116/0x2d0
 ? page_put_link+0x120/0x120
 ? __d_lookup+0xfc/0x320
 ? d_lookup+0x49/0x90
 lookup_one_len+0x13c/0x170
 ? __lookup_slow+0x2d0/0x2d0
 ? reiserfs_schedule_old_flush+0x31/0x130
 reiserfs_lookup_privroot+0x64/0x150
 reiserfs_fill_super+0x158c/0x1b90
 ? finish_unfinished+0xb10/0xb10
 ? bprintf+0xe0/0xe0
 ? __mutex_lock_slowpath+0x30/0x30
 ? __kasan_check_write+0x20/0x30
 ? up_write+0x51/0xb0
 ? set_blocksize+0x9f/0x1f0
 mount_bdev+0x27c/0x2d0
 ? finish_unfinished+0xb10/0xb10
 ? reiserfs_kill_sb+0x120/0x120
 get_super_block+0x19/0x30
 legacy_get_tree+0x76/0xf0
 vfs_get_tree+0x49/0x160
 ? capable+0x1d/0x30
 path_mount+0xacc/0x1380
 ? putname+0x97/0xd0
 ? finish_automount+0x450/0x450
 ? kmem_cache_free+0xf8/0x5a0
 ? putname+0x97/0xd0
 do_mount+0xe2/0x110
 ? path_mount+0x1380/0x1380
 ? copy_mount_options+0x69/0x140
 __x64_sys_mount+0xf0/0x190
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

This is because 'root_inode' is initialized with wrong mode, and
it's i_op is set to 'reiserfs_special_inode_operations'. Thus add
check for 'root_inode' to fix the problem.

Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/reiserfs/super.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
index ec5716dd58c2..831a542c22c6 100644
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -2085,6 +2085,14 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
 		unlock_new_inode(root_inode);
 	}
 
+	if (!S_ISDIR(root_inode->i_mode) || !inode_get_bytes(root_inode) ||
+	    !root_inode->i_size) {
+		SWARN(silent, s, "", "corrupt root inode, run fsck");
+		iput(root_inode);
+		errval = -EUCLEAN;
+		goto error;
+	}
+
 	s->s_root = d_make_root(root_inode);
 	if (!s->s_root)
 		goto error;
-- 
2.30.2