Message ID | 20241213161757.1928209-1-dmantipov@yandex.ru (mailing list archive)
---|---
State | New
Series | exfat: bail out on -EIO in exfat_find_empty_entry()
On Sat, Dec 14, 2024 at 1:18 AM Dmitry Antipov <dmantipov@yandex.ru> wrote:
>
> Syzbot has reported the following KASAN splat:
>
> KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
> ...
> Call Trace:
> <TASK>
> ...
> ? exfat_get_dentry_cached+0xb6/0x1b0
> ? exfat_get_dentry_cached+0x11a/0x1b0
> ? exfat_get_dentry_cached+0xb6/0x1b0
> exfat_init_ext_entry+0x1b6/0x3b0
> exfat_add_entry+0x321/0x7a0
> ? __pfx_exfat_add_entry+0x10/0x10
> ? __lock_acquire+0x15a9/0x3c40
> ? __pfx___lock_acquire+0x10/0x10
> ? _raw_spin_unlock_irqrestore+0x52/0x80
> ? do_raw_spin_unlock+0x53/0x230
> ? _raw_spin_unlock+0x28/0x50
> ? exfat_set_vol_flags+0x23f/0x2f0
> exfat_create+0x1cf/0x5c0
> ...
> path_openat+0x904/0x2d60
> ? __pfx_path_openat+0x10/0x10
> ? __pfx___lock_acquire+0x10/0x10
> ? lock_acquire.part.0+0x11b/0x380
> ? find_held_lock+0x2d/0x110
> do_filp_open+0x20c/0x470
> ? __pfx_do_filp_open+0x10/0x10
> ? find_held_lock+0x2d/0x110
> ? _raw_spin_unlock+0x28/0x50
> ? alloc_fd+0x41f/0x760
> do_sys_openat2+0x17a/0x1e0
> ? __pfx_do_sys_openat2+0x10/0x10
> ? __pfx_sigprocmask+0x10/0x10
> __x64_sys_creat+0xcd/0x120
> ...
> </TASK>
>
> On exFAT with damaged directory structure, 'exfat_search_empty_slot()'
> may issue an attempt to access beyond end of device and return -EIO.
> So catch this error in 'exfat_find_empty_entry()', do not create an
> invalid in-memory directory structure and do not confuse the rest
> of the filesystem code further.
>
> Reported-by: syzbot+8f8fe64a30c50b289a18@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=8f8fe64a30c50b289a18
> Fixes: 5f2aa075070c ("exfat: add inode operations")
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
> fs/exfat/namei.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
> index 97d2774760fe..73dbc5cdf388 100644
> --- a/fs/exfat/namei.c
> +++ b/fs/exfat/namei.c
> @@ -331,7 +331,7 @@ static int exfat_find_empty_entry(struct inode *inode, > while ((dentry = exfat_search_empty_slot(sb, &hint_femp, p_dir, > num_entries, es)) < 0) { > if (dentry == -EIO) > - break; > + return -EIO; Sorry, I have already applied Yuezhang's patch that fixed this issue. https://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat.git/commit/?h=dev&id=744e50c7e25a0e743f30003137f8413dcd107bb0 Thanks. > > if (exfat_check_max_dentries(inode)) > return -ENOSPC; > -- > 2.47.1 >
diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c index 97d2774760fe..73dbc5cdf388 100644 --- a/fs/exfat/namei.c +++ b/fs/exfat/namei.c @@ -331,7 +331,7 @@ static int exfat_find_empty_entry(struct inode *inode, while ((dentry = exfat_search_empty_slot(sb, &hint_femp, p_dir, num_entries, es)) < 0) { if (dentry == -EIO) - break; + return -EIO; if (exfat_check_max_dentries(inode)) return -ENOSPC;
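Review bot: the new `return -EIO;` leaves exfat_find_empty_entry() before whatever follows the loop, and the hunk shows only the loop head, so confirm that nothing acquired earlier in the function (the `es` entry set handed to exfat_search_empty_slot(), or state in hint_femp) still needs releasing on that path; otherwise the null dereference is traded for a leak. The neighbouring `if (exfat_check_max_dentries(inode)) return -ENOSPC;` already returns straight out of the same loop, so the early return is consistent with the existing error path provided that one is known to be leak-free; a sentence in the commit message saying the -EIO path has the same cleanup requirements as the -ENOSPC one would make that explicit. Separately, the reply above says Yuezhang's fix for this syzbot report is already applied in the exfat dev tree (commit 744e50c7e25a), so this patch needs rebasing against it or dropping.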
Syzbot has reported the following KASAN splat:

KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
...
Call Trace:
<TASK>
...
? exfat_get_dentry_cached+0xb6/0x1b0
? exfat_get_dentry_cached+0x11a/0x1b0
? exfat_get_dentry_cached+0xb6/0x1b0
exfat_init_ext_entry+0x1b6/0x3b0
exfat_add_entry+0x321/0x7a0
? __pfx_exfat_add_entry+0x10/0x10
? __lock_acquire+0x15a9/0x3c40
? __pfx___lock_acquire+0x10/0x10
? _raw_spin_unlock_irqrestore+0x52/0x80
? do_raw_spin_unlock+0x53/0x230
? _raw_spin_unlock+0x28/0x50
? exfat_set_vol_flags+0x23f/0x2f0
exfat_create+0x1cf/0x5c0
...
path_openat+0x904/0x2d60
? __pfx_path_openat+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
? lock_acquire.part.0+0x11b/0x380
? find_held_lock+0x2d/0x110
do_filp_open+0x20c/0x470
? __pfx_do_filp_open+0x10/0x10
? find_held_lock+0x2d/0x110
? _raw_spin_unlock+0x28/0x50
? alloc_fd+0x41f/0x760
do_sys_openat2+0x17a/0x1e0
? __pfx_do_sys_openat2+0x10/0x10
? __pfx_sigprocmask+0x10/0x10
__x64_sys_creat+0xcd/0x120
...
</TASK>

On exFAT with damaged directory structure, 'exfat_search_empty_slot()'
may issue an attempt to access beyond end of device and return -EIO.
So catch this error in 'exfat_find_empty_entry()', do not create an
invalid in-memory directory structure and do not confuse the rest
of the filesystem code further.

Reported-by: syzbot+8f8fe64a30c50b289a18@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8f8fe64a30c50b289a18
Fixes: 5f2aa075070c ("exfat: add inode operations")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
fs/exfat/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
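The failure mode the commit message describes, as an added C model that is not code from fs/exfat or from the patch author: a stand-alone imitation of the exfat_find_empty_entry() search loop, once with the original `break` on -EIO and once with the patched `return -EIO`, run over a constructed directory whose cluster chain points past the end of the device. The cluster numbers, entries-per-cluster, the retry/extend step and what the code after the loop does with `dentry` are all assumptions made for the demo; the real post-loop code is not shown on this page.

```c
/* Added illustration, not code from fs/exfat: an in-memory model of the
 * exfat_find_empty_entry() search loop before and after the patch. Cluster
 * numbers, ENTRIES_PER_CLU and the post-loop use of `dentry` are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define DEV_CLUSTERS    8   /* constructed: clusters on the simulated device */
#define ENTRIES_PER_CLU 4   /* constructed: directory entries per cluster */
#define MAX_CHAIN       4   /* constructed: longest directory chain allowed */
#define MAX_DENTRIES    (MAX_CHAIN * ENTRIES_PER_CLU)  /* exfat_check_max_dentries() stand-in */

struct dir {
    int clusters[MAX_CHAIN];           /* chain; a link >= DEV_CLUSTERS is damage */
    int nclu;                          /* clusters currently in the chain */
    unsigned char used[MAX_DENTRIES];  /* 1 = slot occupied */
};

/* Model of exfat_search_empty_slot(): first of num_entries consecutive free
 * slots, -ENOSPC when the chain is full, -EIO when a link points past the device. */
static int search_empty_slot(const struct dir *d, int num_entries)
{
    int run = 0;
    for (int c = 0; c < d->nclu; c++) {
        if (d->clusters[c] >= DEV_CLUSTERS)
            return -EIO;               /* read would go beyond end of device */
        for (int i = 0; i < ENTRIES_PER_CLU; i++) {
            int idx = c * ENTRIES_PER_CLU + i;
            run = d->used[idx] ? 0 : run + 1;
            if (run == num_entries)
                return idx - num_entries + 1;
        }
    }
    return -ENOSPC;
}

/* Model of growing the directory by one cluster between retries. */
static int extend_dir(struct dir *d)
{
    int next = d->nclu ? d->clusters[d->nclu - 1] + 1 : 0;
    if (d->nclu >= MAX_CHAIN || next >= DEV_CLUSTERS)
        return -ENOSPC;
    d->clusters[d->nclu++] = next;
    return 0;
}

/* Before the patch: `break` on -EIO leaves dentry == -EIO, and the modelled
 * post-loop code records it as if it were a slot and reports success. */
static int find_empty_entry_before(struct dir *d, int num_entries, int *slot)
{
    int dentry;
    while ((dentry = search_empty_slot(d, num_entries)) < 0) {
        if (dentry == -EIO)
            break;                     /* falls through with a negative dentry */
        if (d->nclu * ENTRIES_PER_CLU >= MAX_DENTRIES || extend_dir(d) < 0)
            return -ENOSPC;
    }
    *slot = dentry;                    /* -EIO handed on as a "valid" slot */
    return 0;
}

/* After the patch: the I/O error is propagated and nothing is recorded. */
static int find_empty_entry_after(struct dir *d, int num_entries, int *slot)
{
    int dentry;
    while ((dentry = search_empty_slot(d, num_entries)) < 0) {
        if (dentry == -EIO)
            return -EIO;
        if (d->nclu * ENTRIES_PER_CLU >= MAX_DENTRIES || extend_dir(d) < 0)
            return -ENOSPC;
    }
    *slot = dentry;
    return 0;
}

/* Constructed directories: first cluster (2) is full in both; the damaged one
 * has a second chain link (9) that lies past the 8-cluster device. */
static void make_dir(struct dir *d, int damaged)
{
    memset(d, 0, sizeof(*d));
    d->clusters[d->nclu++] = 2;
    if (damaged)
        d->clusters[d->nclu++] = 9;
    memset(d->used, 1, ENTRIES_PER_CLU);
}

int main(void)
{
    struct dir d;
    int slot = 0, r;

    make_dir(&d, 1);
    r = find_empty_entry_before(&d, 2, &slot);
    printf("damaged, before: ret=%d slot=%d\n", r, slot);   /* 0 and -EIO */
    make_dir(&d, 1);
    r = find_empty_entry_after(&d, 2, &slot);
    printf("damaged, after:  ret=%d\n", r);                  /* -EIO */
    make_dir(&d, 0);
    r = find_empty_entry_after(&d, 2, &slot);
    printf("healthy, after:  ret=%d slot=%d\n", r, slot);   /* 0 and 4 */
    return 0;
}
```

The point the model makes is that `break` and `return` differ only when the loop exits on -EIO: the healthy directory is extended by one cluster and slot 4 is found either way, but with the damaged chain the pre-patch loop reports success while carrying a negative entry number into whatever builds the in-memory entry set next, which matches the report's crash further down in exfat_init_ext_entry().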