From bcdd0c1600903e9222abfcde28947406020ccb5d Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 22 Nov 2011 11:00:20 +0300 Subject: ext3: NULL dereference in ext3_evict_inode() This is an fsfuzzer bug. ->s_journal is set at the end of ext3_load_journal() but we try to use it in the error handling from ext3_get_journal() while it's still NULL. [ 337.039041] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024 [ 337.040380] IP: [] _raw_spin_lock+0x9/0x30 [ 337.041687] PGD 0 [ 337.043118] Oops: 0002 [#1] SMP [ 337.044483] CPU 3 [ 337.044495] Modules linked in: ecb md4 cifs fuse kvm_intel kvm brcmsmac brcmutil crc8 cordic r8169 [last unloaded: scsi_wait_scan] [ 337.047633] [ 337.049259] Pid: 8308, comm: mount Not tainted 3.2.0-rc2-next-20111121+ #24 SAMSUNG ELECTRONICS CO., LTD. RV411/RV511/E3511/S3511 /RV411/RV511/E3511/S3511 [ 337.051064] RIP: 0010:[] [] _raw_spin_lock+0x9/0x30 [ 337.052879] RSP: 0018:ffff8800b1d11ae8 EFLAGS: 00010282 [ 337.054668] RAX: 0000000000000100 RBX: 0000000000000000 RCX: ffff8800b77c2000 [ 337.056400] RDX: ffff8800a97b5c00 RSI: 0000000000000000 RDI: 0000000000000024 [ 337.058099] RBP: ffff8800b1d11ae8 R08: 6000000000000000 R09: e018000000000000 [ 337.059841] R10: ff67366cc2607c03 R11: 00000000110688e6 R12: 0000000000000000 [ 337.061607] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8800a78f06e8 [ 337.063385] FS: 00007f9d95652800(0000) GS:ffff8800b7180000(0000) knlGS:0000000000000000 [ 337.065110] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 337.066801] CR2: 0000000000000024 CR3: 00000000aef2c000 CR4: 00000000000006e0 [ 337.068581] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 337.070321] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 337.072105] Process mount (pid: 8308, threadinfo ffff8800b1d10000, task ffff8800b1d02be0) [ 337.073800] Stack: [ 337.075487] ffff8800b1d11b08 ffffffff811f48cf ffff88007ac9b158 0000000000000000 [ 337.077255] ffff8800b1d11b38 ffffffff8119405d ffff88007ac9b158 ffff88007ac9b250 [ 337.078851] ffffffff8181bda0 ffffffff8181bda0 ffff8800b1d11b68 ffffffff81131e31 [ 337.080284] Call Trace: [ 337.081706] [] log_start_commit+0x1f/0x40 [ 337.083107] [] ext3_evict_inode+0x1fd/0x2a0 [ 337.084490] [] evict+0xa1/0x1a0 [ 337.085857] [] iput+0x101/0x210 [ 337.087220] [] iget_failed+0x21/0x30 [ 337.088581] [] ext3_iget+0x15c/0x450 [ 337.089936] [] ? ext3_rsv_window_add+0x81/0x100 [ 337.091284] [] ext3_get_journal+0x15/0xde [ 337.092641] [] ext3_fill_super+0xf2b/0x1c30 [ 337.093991] [] ? register_shrinker+0x4d/0x60 [ 337.095332] [] mount_bdev+0x1a2/0x1e0 [ 337.096680] [] ? ext3_setup_super+0x210/0x210 [ 337.098026] [] ext3_mount+0x10/0x20 [ 337.099362] [] mount_fs+0x3e/0x1b0 [ 337.100759] [] ? __alloc_percpu+0xb/0x10 [ 337.102330] [] vfs_kern_mount+0x65/0xc0 [ 337.103889] [] do_kern_mount+0x4f/0x100 [ 337.105442] [] do_mount+0x19c/0x890 [ 337.106989] [] ? memdup_user+0x46/0x90 [ 337.108572] [] ? strndup_user+0x53/0x70 [ 337.110114] [] sys_mount+0x8b/0xe0 [ 337.111617] [] system_call_fastpath+0x16/0x1b [ 337.113133] Code: 38 c2 74 0f 66 0f 1f 44 00 00 f3 90 0f b6 03 38 c2 75 f7 48 83 c4 08 5b 5d c3 0f 1f 84 00 00 00 00 00 55 b8 00 01 00 00 48 89 e5 66 0f c1 07 0f b6 d4 38 c2 74 0c 0f 1f 00 f3 90 0f b6 07 38 [ 337.116588] RIP [] _raw_spin_lock+0x9/0x30 [ 337.118260] RSP [ 337.119998] CR2: 0000000000000024 [ 337.188701] ---[ end trace c36d790becac1615 ]--- Signed-off-by: Dan Carpenter Signed-off-by: Jan Kara --- fs/ext3/inode.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/ext3/inode.c b/fs/ext3/inode.c index 85fe655fe3e..9da9125ba3e 100644 --- a/fs/ext3/inode.c +++ b/fs/ext3/inode.c @@ -223,8 +223,12 @@ void ext3_evict_inode (struct inode *inode) * * Note that directories do not have this problem because they don't * use page cache. + * + * The s_journal check handles the case when ext3_get_journal() fails + * and puts the journal inode. */ if (inode->i_nlink && ext3_should_journal_data(inode) && + EXT3_SB(inode->i_sb)->s_journal && (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) { tid_t commit_tid = atomic_read(&ei->i_datasync_tid); journal_t *journal = EXT3_SB(inode->i_sb)->s_journal; -- cgit v1.2.3-18-g5258