Message ID | 20240820094512.2228159-2-lizhi.xu@windriver.com (mailing list archive) |
---|---|
State | New |
Series | [V3,1/2] ocfs2: remove unreasonable unlock |
On 8/20/24 17:45, Lizhi Xu wrote:
> In the for-loop after the 'read_failure' label, the condition
> '(bh == NULL) && flags includes OCFS2_BH_READAHEAD' is missing.
> When this condition is true, this for-loop will call ocfs2_set_buffer
> _uptodate(ci, bh), which then triggers a NULL pointer access error.
>
> Changes from V2:
> * Make the code more concise
>
> Reported-and-suggested-by: Heming Zhao <heming.zhao@suse.com>
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> Reviewed-by: Heming Zhao <heming.zhao@suse.com>

I didn't give you my "Reviewed-by" tag for this patch, and you can add my tag only after I send it to you.
(Take it easy, you can get my "Reviewed-by" tag now.)
Please remember this rule for next time.

Another issue with this mail is that the change log should be placed before the file list, not in the commit message section.
ref: Documentation/process/submitting-patches.rst

Thanks,
Heming

> ---
> fs/ocfs2/buffer_head_io.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c > index e62c7e1de4eb..8f714406528d 100644 > --- a/fs/ocfs2/buffer_head_io.c > +++ b/fs/ocfs2/buffer_head_io.c > @@ -388,7 +388,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, > /* Always set the buffer in the cache, even if it was > * a forced read, or read-ahead which hasn't yet > * completed. */ > - ocfs2_set_buffer_uptodate(ci, bh); > + if (bh) > + ocfs2_set_buffer_uptodate(ci, bh); > } > ocfs2_metadata_cache_io_unlock(ci); >
On Tue, 20 Aug 2024 19:32:03 +0800, Heming wrote:
> > In the for-loop after the 'read_failure' label, the condition
> > '(bh == NULL) && flags includes OCFS2_BH_READAHEAD' is missing.
> > When this condition is true, this for-loop will call ocfs2_set_buffer
> > _uptodate(ci, bh), which then triggers a NULL pointer access error.
> >
> > Changes from V2:
> > * Make the code more concise
> >
> > Reported-and-suggested-by: Heming Zhao <heming.zhao@suse.com>
> > Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> > Reviewed-by: Heming Zhao <heming.zhao@suse.com>
>
> I didn't give you my "Reviewed-by" tag for this patch, and you
> can add my tag only after I send it to you.
> (Take it easy, you can get my "Reviewed-by" tag now.)
> Please remember this rule for next time.

Got it.

>
> Another issue with this mail is that the change log should be
> placed before the file list, not in the commit message section.

Thanks. It's like the following:

Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
V2 -> V3: Make the code more concise

fs/ocfs2/buffer_head_io.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

BR,
Lizhi
On 8/20/24 5:45 PM, Lizhi Xu wrote:
> In the for-loop after the 'read_failure' label, the condition
> '(bh == NULL) && flags includes OCFS2_BH_READAHEAD' is missing.
> When this condition is true, this for-loop will call ocfs2_set_buffer
> _uptodate(ci, bh), which then triggers a NULL pointer access error.
>

Or it may be simplified as the following:

When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if bh is NULL.

> Changes from V2:
> * Make the code more concise
>

This is not the right place for changelog.

Thanks,
Joseph

> Reported-and-suggested-by: Heming Zhao <heming.zhao@suse.com>
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> Reviewed-by: Heming Zhao <heming.zhao@suse.com>
> ---
> fs/ocfs2/buffer_head_io.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c > index e62c7e1de4eb..8f714406528d 100644 > --- a/fs/ocfs2/buffer_head_io.c > +++ b/fs/ocfs2/buffer_head_io.c > @@ -388,7 +388,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, > /* Always set the buffer in the cache, even if it was > * a forced read, or read-ahead which hasn't yet > * completed. */ > - ocfs2_set_buffer_uptodate(ci, bh); > + if (bh) > + ocfs2_set_buffer_uptodate(ci, bh); > } > ocfs2_metadata_cache_io_unlock(ci); >
And this is not a UAF case, but NULL pointer dereference.
So I suggest changing the subject to:
ocfs2: fix possible NULL pointer dereference in ocfs2_set_buffer_uptodate

On 8/21/24 8:08 AM, Joseph Qi wrote:
>
>
> On 8/20/24 5:45 PM, Lizhi Xu wrote:
>> In the for-loop after the 'read_failure' label, the condition
>> '(bh == NULL) && flags includes OCFS2_BH_READAHEAD' is missing.
>> When this condition is true, this for-loop will call ocfs2_set_buffer
>> _uptodate(ci, bh), which then triggers a NULL pointer access error.
>>
>
> Or it may be simplified as the following:
>
> When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger
> NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if
> bh is NULL.
>
>> Changes from V2:
>> * Make the code more concise
>>
>
> This is not the right place for changelog.
>
> Thanks,
> Joseph
>
>> Reported-and-suggested-by: Heming Zhao <heming.zhao@suse.com>
>> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
>> Reviewed-by: Heming Zhao <heming.zhao@suse.com>
>> ---
>> fs/ocfs2/buffer_head_io.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c >> index e62c7e1de4eb..8f714406528d 100644 >> --- a/fs/ocfs2/buffer_head_io.c >> +++ b/fs/ocfs2/buffer_head_io.c >> @@ -388,7 +388,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, >> /* Always set the buffer in the cache, even if it was >> * a forced read, or read-ahead which hasn't yet >> * completed. */ >> - ocfs2_set_buffer_uptodate(ci, bh); >> + if (bh) >> + ocfs2_set_buffer_uptodate(ci, bh); >> } >> ocfs2_metadata_cache_io_unlock(ci); >>
On 8/21/24 10:34, Joseph Qi wrote:
> And this is not a UAF case, but NULL pointer dereference.
> So I suggest changing the subject to:
> ocfs2: fix possible NULL pointer dereference in ocfs2_set_buffer_uptodate

I agree with above too.
I didn't care about the patch subject in previous review jobs, 'UAF' is not suitable.

-Heming

>
> On 8/21/24 8:08 AM, Joseph Qi wrote:
>>
>>
>> On 8/20/24 5:45 PM, Lizhi Xu wrote:
>>> In the for-loop after the 'read_failure' label, the condition
>>> '(bh == NULL) && flags includes OCFS2_BH_READAHEAD' is missing.
>>> When this condition is true, this for-loop will call ocfs2_set_buffer
>>> _uptodate(ci, bh), which then triggers a NULL pointer access error.
>>>
>>
>> Or it may be simplified as the following:
>>
>> When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger
>> NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if
>> bh is NULL.
>>
>>> Changes from V2:
>>> * Make the code more concise
>>>
>>
>> This is not the right place for changelog.
>>
>> Thanks,
>> Joseph
>>
>>> Reported-and-suggested-by: Heming Zhao <heming.zhao@suse.com>
>>> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
>>> Reviewed-by: Heming Zhao <heming.zhao@suse.com>
>>> ---
>>> fs/ocfs2/buffer_head_io.c | 3 ++-
>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c >>> index e62c7e1de4eb..8f714406528d 100644 >>> --- a/fs/ocfs2/buffer_head_io.c >>> +++ b/fs/ocfs2/buffer_head_io.c >>> @@ -388,7 +388,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, >>> /* Always set the buffer in the cache, even if it was >>> * a forced read, or read-ahead which hasn't yet >>> * completed. */ >>> - ocfs2_set_buffer_uptodate(ci, bh); >>> + if (bh) >>> + ocfs2_set_buffer_uptodate(ci, bh); >>> } >>> ocfs2_metadata_cache_io_unlock(ci); >>>
On Wed, 21 Aug 2024 10:39:39 +0800, Heming Zhao wrote:
> > And this is not a UAF case, but NULL pointer dereference.
> > So I suggest changing the subject to:
> > ocfs2: fix possible NULL pointer dereference in ocfs2_set_buffer_uptodate
>
> I agree with above too.
> I didn't care about the patch subject in previous review jobs, 'UAF' is not suitable.
>
> -Heming

OK, I will update and send this patch V4 separately.

Lizhi
diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c index e62c7e1de4eb..8f714406528d 100644 --- a/fs/ocfs2/buffer_head_io.c +++ b/fs/ocfs2/buffer_head_io.c @@ -388,7 +388,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, /* Always set the buffer in the cache, even if it was * a forced read, or read-ahead which hasn't yet * completed. */ - ocfs2_set_buffer_uptodate(ci, bh); + if (bh) + ocfs2_set_buffer_uptodate(ci, bh); } ocfs2_metadata_cache_io_unlock(ci);
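Review bot: The comment directly above the guarded call ("Always set the buffer in the cache, even if it was a forced read, or read-ahead which hasn't yet completed") is no longer accurate once `if (bh)` is added, because a NULL bh on the read-ahead path is now skipped rather than always set; update the comment in this hunk to say that bh may be NULL for a read-ahead entry and is skipped, which is also the reasoning the commit message should carry instead of the "Changes from V2" changelog. The series subject still says UAF while the description and this guard address a NULL pointer dereference in ocfs2_set_buffer_uptodate(), so the subject should name the NULL dereference, as the thread concluded.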