Commit da27e0a0 authored by Eric Biggers's avatar Eric Biggers Committed by Linus Torvalds
Browse files

fs/minix: check return value of sb_getblk() 



Patch series "fs/minix: fix syzbot bugs and set s_maxbytes".

This series fixes all syzbot bugs in the minix filesystem:

	KASAN: null-ptr-deref Write in get_block
	KASAN: use-after-free Write in get_block
	KASAN: use-after-free Read in get_block
	WARNING in inc_nlink
	KMSAN: uninit-value in get_block
	WARNING in drop_nlink

It also fixes the minix filesystem to set s_maxbytes correctly, so that
userspace sees the correct behavior when exceeding the max file size.

This patch (of 6):

sb_getblk() can fail, so check its return value.

This fixes a NULL pointer dereference.

Originally from Qiujun Huang.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Reported-by: default avatar <syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com>
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Cc: Qiujun Huang <anenbupt@gmail.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/20200628060846.682158-1-ebiggers@kernel.org
Link: http://lkml.kernel.org/r/20200628060846.682158-2-ebiggers@kernel.org


Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 2fb3244f

fs/minix/itree_common.c

+7 −1
Original line number Diff line number Diff line
@@ -75,6 +75,7 @@ static int alloc_branch(struct inode *inode, 
	int n = 0;

	int i;

	int parent = minix_new_block(inode);

	int err = -ENOSPC;



	branch[0].key = cpu_to_block(parent);

	if (parent) for (n = 1; n < num; n++) {
@@ -85,6 +86,11 @@ static int alloc_branch(struct inode *inode, 
			break;

		branch[n].key = cpu_to_block(nr);

		bh = sb_getblk(inode->i_sb, parent);

		if (!bh) {

			minix_free_block(inode, nr);

			err = -ENOMEM;

			break;

		}

		lock_buffer(bh);

		memset(bh->b_data, 0, bh->b_size);

		branch[n].bh = bh;
@@ -103,7 +109,7 @@ static int alloc_branch(struct inode *inode, 
		bforget(branch[i].bh);

	for (i = 0; i < n; i++)

		minix_free_block(inode, block_to_cpu(branch[i].key));

	return -ENOSPC;

	return err;

}



static inline int splice_branch(struct inode *inode,

CRA Git | Maintained and supported by SUSTech CRA and CCSE