fs/ntfs: fix BUG_ON of ntfs_read_block()

Message ID 20220623035131.974098-1-xu.xin16@zte.com.cn (mailing list archive)
State New, archived

Commit Message

CGEL June 23, 2022, 3:51 a.m. UTC
From: xu xin <xu.xin16@zte.com.cn>

As the bug description states, attackers can use this bug to crash the system
when CONFIG_NTFS_FS is set.

So remove the BUG_ON, and use WARN and return instead until someone
really solves the bug.

Reported-by: Zeal Robot <zealci@zte.com.cn>
Reported-by: syzbot+6a5a7672f663cce8b156@syzkaller.appspotmail.com
Reviewed-by: Songyi Zhang <zhang.songyi@zte.com.cn>
Reviewed-by: Yang Yang <yang.yang29@zte.com.cn>
Reviewed-by: Jiang Xuexin<jiang.xuexin@zte.com.cn>
Reviewed-by: Zhang wenya<zhang.wenya1@zte.com.cn>
Signed-off-by: xu xin <xu.xin16@zte.com.cn>
---
 fs/ntfs/aops.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Greg Kroah-Hartman June 23, 2022, 7:57 a.m. UTC | #1
On Thu, Jun 23, 2022 at 03:51:31AM +0000, cgel.zte@gmail.com wrote:
> From: xu xin <xu.xin16@zte.com.cn>
> 
> As the bug description states, attackers can use this bug to crash the system
> when CONFIG_NTFS_FS is set.
> 
> So remove the BUG_ON, and use WARN and return instead until someone
> really solves the bug.
> 
> Reported-by: Zeal Robot <zealci@zte.com.cn>
> Reported-by: syzbot+6a5a7672f663cce8b156@syzkaller.appspotmail.com
> Reviewed-by: Songyi Zhang <zhang.songyi@zte.com.cn>
> Reviewed-by: Yang Yang <yang.yang29@zte.com.cn>
> Reviewed-by: Jiang Xuexin<jiang.xuexin@zte.com.cn>
> Reviewed-by: Zhang wenya<zhang.wenya1@zte.com.cn>
> Signed-off-by: xu xin <xu.xin16@zte.com.cn>
> ---
>  fs/ntfs/aops.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
> index 5f4fb6ca6f2e..b6fd7e711420 100644
> --- a/fs/ntfs/aops.c
> +++ b/fs/ntfs/aops.c
> @@ -183,7 +183,11 @@ static int ntfs_read_block(struct page *page)
>  	vol = ni->vol;
>  
>  	/* $MFT/$DATA must have its complete runlist in memory at all times. */
> -	BUG_ON(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni));
> +	if (unlikely(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni))) {
> +		WARN(1, "NTFS: ni->runlist.rl, ni->mft_no, and NInoAttr(ni) is null!\n");
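
Review bot: The format string on the added WARN() line says three things "is null", but only ni->runlist.rl is a pointer; !ni->mft_no tests for inode number 0 and !NInoAttr(ni) tests that this is not an attribute inode. Going by the comment above the check, the state being reported is that $MFT/$DATA has no runlist in memory, so the message should say that, and it should identify the volume (vol is already in scope) so the log line can be tied to a device.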

So for systems with panic-on-warn, you are still crashing?  Why is this
WARN() line still needed here?

thanks,

greg k-h
Greg Kroah-Hartman June 23, 2022, 7:57 a.m. UTC | #2
On Thu, Jun 23, 2022 at 03:51:31AM +0000, cgel.zte@gmail.com wrote:
> From: xu xin <xu.xin16@zte.com.cn>
> 
> As the bug description states, attackers can use this bug to crash the system
> when CONFIG_NTFS_FS is set.
> 
> So remove the BUG_ON, and use WARN and return instead until someone
> really solves the bug.
> 
> Reported-by: Zeal Robot <zealci@zte.com.cn>
> Reported-by: syzbot+6a5a7672f663cce8b156@syzkaller.appspotmail.com
> Reviewed-by: Songyi Zhang <zhang.songyi@zte.com.cn>
> Reviewed-by: Yang Yang <yang.yang29@zte.com.cn>
> Reviewed-by: Jiang Xuexin<jiang.xuexin@zte.com.cn>
> Reviewed-by: Zhang wenya<zhang.wenya1@zte.com.cn>
> Signed-off-by: xu xin <xu.xin16@zte.com.cn>
> ---
>  fs/ntfs/aops.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
> index 5f4fb6ca6f2e..b6fd7e711420 100644
> --- a/fs/ntfs/aops.c
> +++ b/fs/ntfs/aops.c
> @@ -183,7 +183,11 @@ static int ntfs_read_block(struct page *page)
>  	vol = ni->vol;
>  
>  	/* $MFT/$DATA must have its complete runlist in memory at all times. */
> -	BUG_ON(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni));
> +	if (unlikely(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni))) {
> +		WARN(1, "NTFS: ni->runlist.rl, ni->mft_no, and NInoAttr(ni) is null!\n");
> +		unlock_page(page);
> +		return -EINVAL;
> +	}
>  
>  	blocksize = vol->sb->s_blocksize;
>  	blocksize_bits = vol->sb->s_blocksize_bits;
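
Review bot: The new error path (unlock_page(page); return -EINVAL;) reports -EINVAL, which normally signals a bad argument from the caller, while the condition here is inconsistent filesystem state that the changelog says an attacker can provoke; -EIO would describe it better to whoever is reading the page. Please also confirm that unlocking the page without flagging the failed read matches what the other early exits of ntfs_read_block() do, since those are outside this hunk.
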
> -- 
> 2.25.1
> 

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>
CGEL June 23, 2022, 8:57 a.m. UTC | #3
On Thu, Jun 23, 2022 at 09:57:21AM +0200, Greg KH wrote:
> On Thu, Jun 23, 2022 at 03:51:31AM +0000, cgel.zte@gmail.com wrote:
> > From: xu xin <xu.xin16@zte.com.cn>
> > 
> > As the bug description states, attackers can use this bug to crash the system
> > when CONFIG_NTFS_FS is set.
> > 
> > So remove the BUG_ON, and use WARN and return instead until someone
> > really solves the bug.
> > 
> > Reported-by: Zeal Robot <zealci@zte.com.cn>
> > Reported-by: syzbot+6a5a7672f663cce8b156@syzkaller.appspotmail.com
> > Reviewed-by: Songyi Zhang <zhang.songyi@zte.com.cn>
> > Reviewed-by: Yang Yang <yang.yang29@zte.com.cn>
> > Reviewed-by: Jiang Xuexin<jiang.xuexin@zte.com.cn>
> > Reviewed-by: Zhang wenya<zhang.wenya1@zte.com.cn>
> > Signed-off-by: xu xin <xu.xin16@zte.com.cn>
> > ---
> >  fs/ntfs/aops.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
> > index 5f4fb6ca6f2e..b6fd7e711420 100644
> > --- a/fs/ntfs/aops.c
> > +++ b/fs/ntfs/aops.c
> > @@ -183,7 +183,11 @@ static int ntfs_read_block(struct page *page)
> >  	vol = ni->vol;
> >  
> >  	/* $MFT/$DATA must have its complete runlist in memory at all times. */
> > -	BUG_ON(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni));
> > +	if (unlikely(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni))) {
> > +		WARN(1, "NTFS: ni->runlist.rl, ni->mft_no, and NInoAttr(ni) is null!\n");
> 
> So for systems with panic-on-warn, you are still crashing?  Why is this
> WARN() line still needed here?
>

Sorry, I forgot about panic-on-warn. Using pr_warn() may be better.
I'll send a patch-v2.

> thanks,
> 
> greg k-h
CGEL June 23, 2022, 8:59 a.m. UTC | #4
On Thu, Jun 23, 2022 at 09:57:39AM +0200, Greg KH wrote:
> On Thu, Jun 23, 2022 at 03:51:31AM +0000, cgel.zte@gmail.com wrote:
> > From: xu xin <xu.xin16@zte.com.cn>
> > 
> > As the bug description states, attackers can use this bug to crash the system
> > when CONFIG_NTFS_FS is set.
> > 
> > So remove the BUG_ON, and use WARN and return instead until someone
> > really solves the bug.
> > 
> > Reported-by: Zeal Robot <zealci@zte.com.cn>
> > Reported-by: syzbot+6a5a7672f663cce8b156@syzkaller.appspotmail.com
> > Reviewed-by: Songyi Zhang <zhang.songyi@zte.com.cn>
> > Reviewed-by: Yang Yang <yang.yang29@zte.com.cn>
> > Reviewed-by: Jiang Xuexin<jiang.xuexin@zte.com.cn>
> > Reviewed-by: Zhang wenya<zhang.wenya1@zte.com.cn>
> > Signed-off-by: xu xin <xu.xin16@zte.com.cn>
> > ---
> >  fs/ntfs/aops.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > --- a/fs/ntfs/aops.c
> > +++ b/fs/ntfs/aops.c
> > @@ -183,7 +183,11 @@ static int ntfs_read_block(struct page *page)
> >  	vol = ni->vol;
> >  
> >  	/* $MFT/$DATA must have its complete runlist in memory at all times. */
> > -	BUG_ON(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni));
> > +	if (unlikely(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni))) {
> > +		WARN(1, "NTFS: ni->runlist.rl, ni->mft_no, and NInoAttr(ni) is null!\n");
> > +		unlock_page(page);
> > +		return -EINVAL;
> > +	}
> >  
> >  	blocksize = vol->sb->s_blocksize;
> >  	blocksize_bits = vol->sb->s_blocksize_bits;
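
Review bot: The context comment still asserts that $MFT/$DATA "must have its complete runlist in memory at all times", yet the added branch now treats a missing runlist as a recoverable runtime case, and the changelog says the real bug is left unsolved. Please either identify where the runlist should have been loaded and reject the volume there, or update the comment and changelog to say which input reaches this state (the syzbot report is the place to start), so that this check is not mistaken for the fix.
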
> > -- 
> > 2.25.1
> > 
> 
> <formletter>
> 
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree.  Please read:
>     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.
>

Sorry. I'll rewrite a patch to fix it. 

Thanks.

> </formletter>
Patch

diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
index 5f4fb6ca6f2e..b6fd7e711420 100644
--- a/fs/ntfs/aops.c
+++ b/fs/ntfs/aops.c
@@ -183,7 +183,11 @@  static int ntfs_read_block(struct page *page)
 	vol = ni->vol;
 
 	/* $MFT/$DATA must have its complete runlist in memory at all times. */
-	BUG_ON(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni));
+	if (unlikely(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni))) {
+		WARN(1, "NTFS: ni->runlist.rl, ni->mft_no, and NInoAttr(ni) is null!\n");
+		unlock_page(page);
+		return -EINVAL;
+	}
 
 	blocksize = vol->sb->s_blocksize;
 	blocksize_bits = vol->sb->s_blocksize_bits;
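
Review bot: WARN(1, ...) in the added branch keeps the denial of service on any system booted with panic_on_warn, as raised in comment #1, and on other systems it prints a full backtrace every time the condition is hit. Since the changelog treats this as attacker-reachable, use a rate-limited message without a backtrace (pr_warn_ratelimited() or the filesystem's own error helper) before the unlock_page()/return, and reserve WARN for states that only a kernel bug can produce.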