Message ID | tencent_69E996EDCACDBC79A66CB02F956C3494D80A@qq.com (mailing list archive)
---|---
State | New, archived
Series | jfs: fix uaf in jfs_evict_inode
On 10/31/23 12:39AM, Edward Adam Davis wrote: > When the execution of diMount(ipimap) fails, the object ipimap that has been > released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs > when rcu_core() calls jfs_free_node(). > > Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as > ipimap. > > Reported-and-tested-by: syzbot+01cf2dbcbe2022454388@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@qq.com> Looks good. Thanks, Shaggy > --- > fs/jfs/jfs_mount.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c > index 415eb65a36ff..9b5c6a20b30c 100644 > --- a/fs/jfs/jfs_mount.c > +++ b/fs/jfs/jfs_mount.c > @@ -172,15 +172,15 @@ int jfs_mount(struct super_block *sb) > } > jfs_info("jfs_mount: ipimap:0x%p", ipimap); > > - /* map further access of per fileset inodes by the fileset inode */ > - sbi->ipimap = ipimap; > - > /* initialize fileset inode allocation map */ > if ((rc = diMount(ipimap))) { > jfs_err("jfs_mount: diMount failed w/rc = %d", rc); > goto err_ipimap; > } > > + /* map further access of per fileset inodes by the fileset inode */ > + sbi->ipimap = ipimap; > + > return rc; > > /*
diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c index 415eb65a36ff..9b5c6a20b30c 100644 --- a/fs/jfs/jfs_mount.c +++ b/fs/jfs/jfs_mount.c @@ -172,15 +172,15 @@ int jfs_mount(struct super_block *sb) } jfs_info("jfs_mount: ipimap:0x%p", ipimap); - /* map further access of per fileset inodes by the fileset inode */ - sbi->ipimap = ipimap; - /* initialize fileset inode allocation map */ if ((rc = diMount(ipimap))) { jfs_err("jfs_mount: diMount failed w/rc = %d", rc); goto err_ipimap; } + /* map further access of per fileset inodes by the fileset inode */ + sbi->ipimap = ipimap; + return rc; /*
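Review bot: moving `sbi->ipimap = ipimap;` below the `diMount()` check means that on the `goto err_ipimap` path `sbi->ipimap` keeps whatever value it held when `jfs_mount()` was entered, so the fix is only complete if that field is already NULL at this point and every later reader of `sbi->ipimap` (the teardown that, per the commit message, reaches the object after `rcu_core()` has run `jfs_free_node()`) tolerates NULL. Neither the zeroed initial state nor the NULL handling is visible in this hunk; the commit message should name the path that dereferenced the stale pointer and state that the field starts NULL, so the reasoning can be checked without reading the rest of the file. The patch also carries no `Fixes:` tag although it corrects an ordering bug in an existing error path; adding one would let the change be picked up by stable trees.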
When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node().

Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.

Reported-and-tested-by: syzbot+01cf2dbcbe2022454388@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/jfs/jfs_mount.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
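The ordering bug the commit message describes, modelled in user-space C as an added example that is not code from the JFS tree, the patch, or its author. The struct layouts, the `fail` argument on the stand-in `diMount()`, the queue-and-poison stand-ins for `diFreeSpecial()` / `rcu_core()` and the `INODE_MAGIC` liveness marker are all assumptions made for this model; the real kernel frees the inode through RCU and a use after free there would show up under KASAN or slab poisoning rather than as a magic-number mismatch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the JFS structures; the layouts are assumptions
 * for this model, not the kernel's struct inode / struct jfs_sb_info. */
#define INODE_MAGIC 0x4a465349u   /* constructed "live object" marker */

struct inode {
	unsigned int magic;   /* INODE_MAGIC while the object is live */
	int mounted;          /* set by the simulated diMount() */
};

struct jfs_sb_info {
	struct inode *ipimap; /* fileset inode allocation map; NULL until published */
};

/* Simulated RCU-deferred release: diFreeSpecial() only queues the object and
 * the stand-in rcu_core() poisons it later, the way slab poisoning would. */
static struct inode *deferred[4];
static int ndeferred;

static void diFreeSpecial(struct inode *ip)
{
	deferred[ndeferred++] = ip;
}

static void rcu_core(void)
{
	for (int i = 0; i < ndeferred; i++)
		memset(deferred[i], 0x6b, sizeof(*deferred[i])); /* object is now dead */
	ndeferred = 0;
}

/* Simulated diMount(): 'fail' forces the error path the syzbot report hit. */
static int diMount(struct inode *ip, int fail)
{
	if (fail)
		return -EIO;
	ip->mounted = 1;
	return 0;
}

/* Ordering before the patch: the pointer is published before diMount() runs. */
static int jfs_mount_before(struct jfs_sb_info *sbi, struct inode *ipimap, int fail)
{
	int rc;

	sbi->ipimap = ipimap;
	if ((rc = diMount(ipimap, fail))) {
		diFreeSpecial(ipimap);   /* err_ipimap: sbi->ipimap now dangles */
		return rc;
	}
	return rc;
}

/* Ordering after the patch: publish only once diMount() has succeeded. */
static int jfs_mount_after(struct jfs_sb_info *sbi, struct inode *ipimap, int fail)
{
	int rc;

	if ((rc = diMount(ipimap, fail))) {
		diFreeSpecial(ipimap);   /* err_ipimap: sbi->ipimap is still NULL */
		return rc;
	}
	sbi->ipimap = ipimap;
	return rc;
}

/* Teardown that follows sbi->ipimap, as an unmount path would.
 * Returns 1 if it reached an object the deferred release already killed. */
static int jfs_umount(struct jfs_sb_info *sbi)
{
	struct inode *ip = sbi->ipimap;

	if (!ip)
		return 0;                /* nothing was published, nothing to touch */
	if (ip->magic != INODE_MAGIC)
		return 1;                /* use after free: poisoned object */
	diFreeSpecial(ip);
	sbi->ipimap = NULL;
	return 0;
}

/* One mount attempt with the given ordering, then the deferred release, then
 * unmount. Returns 1 when unmount touched a released ipimap. */
static int scenario(int (*do_mount)(struct jfs_sb_info *, struct inode *, int),
		    int fail)
{
	struct jfs_sb_info sbi = { .ipimap = NULL };   /* zeroed, as kzalloc would */
	struct inode ipimap = { .magic = INODE_MAGIC, .mounted = 0 };
	int uaf;

	do_mount(&sbi, &ipimap, fail);
	rcu_core();               /* the asynchronous release runs before teardown */
	uaf = jfs_umount(&sbi);
	rcu_core();               /* drain whatever umount queued */
	return uaf;
}

int main(void)
{
	printf("before patch, diMount fails: uaf=%d\n", scenario(jfs_mount_before, 1));
	printf("after patch,  diMount fails: uaf=%d\n", scenario(jfs_mount_after, 1));
	printf("after patch,  diMount ok:    uaf=%d\n", scenario(jfs_mount_after, 0));
	return 0;
}
```

The model keeps the two orderings side by side so the difference is the single line that moved: with the pre-patch ordering the failed mount leaves `sbi->ipimap` pointing at memory the deferred release has already poisoned, and teardown walks straight into it; with the post-patch ordering the field is never published, so teardown has nothing to touch. The same shape (publish a pointer into a long-lived structure only after the object it refers to has fully initialised, and never before a failure path that frees it) is the general rule the patch applies.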