Message ID | 20240820073739.1289567-1-lizhi.xu@windriver.com (mailing list archive)
---|---
State | New
Series | [V3] ocfs2: Fix uaf in ocfs2_set_buffer_uptodate
Could you resend v3 with both patches? And add my "Reviewed-by" tag to another patch.
btw, you missed the change log area from v2.

-Heming

On 8/20/24 15:37, Lizhi Xu wrote:
> In the for-loop after the 'read_failure' label, the condition
> '(bh == NULL) && flags includes OCFS2_BH_READAHEAD' is missing.
> When this condition is true, this for-loop will call ocfs2_set_buffer
> _uptodate(ci, bh), which then triggers a NULL pointer access error.
>
> Reported-and-suggested-by: Heming Zhao <heming.zhao@suse.com>
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
>  fs/ocfs2/buffer_head_io.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
> index e62c7e1de4eb..8f714406528d 100644
> --- a/fs/ocfs2/buffer_head_io.c
> +++ b/fs/ocfs2/buffer_head_io.c
> @@ -388,7 +388,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
>  		/* Always set the buffer in the cache, even if it was
>  		 * a forced read, or read-ahead which hasn't yet
>  		 * completed. */
> -		ocfs2_set_buffer_uptodate(ci, bh);
> +		if (bh)
> +			ocfs2_set_buffer_uptodate(ci, bh);
>  	}
>  	ocfs2_metadata_cache_io_unlock(ci);
>
diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
index e62c7e1de4eb..8f714406528d 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -388,7 +388,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
 		/* Always set the buffer in the cache, even if it was
 		 * a forced read, or read-ahead which hasn't yet
 		 * completed. */
-		ocfs2_set_buffer_uptodate(ci, bh);
+		if (bh)
+			ocfs2_set_buffer_uptodate(ci, bh);
 	}
 	ocfs2_metadata_cache_io_unlock(ci);
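Review bot: the comment block directly above the new `if (bh)` still says "Always set the buffer in the cache, even if it was a forced read, or read-ahead which hasn't yet completed", which the guard now contradicts for the NULL read-ahead slots; update it to say that a NULL bh (a read-ahead entry dropped on the error path) is skipped, so the next reader does not reintroduce the unconditional call. The series subject also says "uaf" while the description above describes a NULL pointer dereference in this loop, so one of the two should be corrected to match the other.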
In the for-loop after the 'read_failure' label, the condition
'(bh == NULL) && flags includes OCFS2_BH_READAHEAD' is missing.
When this condition is true, this for-loop will call ocfs2_set_buffer
_uptodate(ci, bh), which then triggers a NULL pointer access error.

Reported-and-suggested-by: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 fs/ocfs2/buffer_head_io.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)