lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 6 May 2024 22:37:11 +0200
From: Jan Kara <jack@...e.cz>
To: libaokun@...weicloud.com
Cc: linux-ext4@...r.kernel.org, tytso@....edu, adilger.kernel@...ger.ca,
	jack@...e.cz, ritesh.list@...il.com, linux-kernel@...r.kernel.org,
	yi.zhang@...wei.com, yangerkun@...wei.com,
	Baokun Li <libaokun1@...wei.com>,
	syzbot+dd43bd0f7474512edc47@...kaller.appspotmail.com,
	stable@...nel.org
Subject: Re: [PATCH 1/2] ext4: fix mb_cache_entry's e_refcnt leak in
 ext4_xattr_block_cache_find()

On Sat 04-05-24 15:55:25, libaokun@...weicloud.com wrote:
> From: Baokun Li <libaokun1@...wei.com>
> 
> Syzbot reports a warning as follows:
> 
> ============================================
> WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290
> Modules linked in:
> CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7
> RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419
> Call Trace:
>  <TASK>
>  ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375
>  generic_shutdown_super+0x136/0x2d0 fs/super.c:641
>  kill_block_super+0x44/0x90 fs/super.c:1675
>  ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327
> [...]
> ============================================
> 
> This is because when finding an entry in ext4_xattr_block_cache_find(), if
> ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown
> in the __entry_find(), won't be put away, and eventually trigger the above
> issue in mb_cache_destroy() due to reference count leakage.
> 
> So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.
> 
> Reported-by: syzbot+dd43bd0f7474512edc47@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=dd43bd0f7474512edc47
> Fixes: fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases")
> Cc: stable@...nel.org
> Signed-off-by: Baokun Li <libaokun1@...wei.com>

Looks good. Feel free to add:

Reviewed-by: Jan Kara <jack@...e.cz>

								Honza

> ---
>  fs/ext4/xattr.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
> index b67a176bfcf9..9fdd13422073 100644
> --- a/fs/ext4/xattr.c
> +++ b/fs/ext4/xattr.c
> @@ -3113,8 +3113,10 @@ ext4_xattr_block_cache_find(struct inode *inode,
>  
>  		bh = ext4_sb_bread(inode->i_sb, ce->e_value, REQ_PRIO);
>  		if (IS_ERR(bh)) {
> -			if (PTR_ERR(bh) == -ENOMEM)
> +			if (PTR_ERR(bh) == -ENOMEM) {
> +				mb_cache_entry_put(ea_block_cache, ce);
>  				return NULL;
> +			}
>  			bh = NULL;
>  			EXT4_ERROR_INODE(inode, "block %lu read error",
>  					 (unsigned long)ce->e_value);
> -- 
> 2.39.2
> 
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ