Date:   Thu, 6 Jan 2022 16:01:36 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Goldwyn Rodrigues <rgoldwyn@...e.com>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org
Subject: [goldwynr:iomap 27/33] fs/btrfs/file.c:1517
 btrfs_buffered_iomap_begin() error: dereferencing freed memory 'bi'

tree:   https://github.com/goldwynr/linux iomap
head:   30c74a8c201365178cae26d0d7aefa120c3245ab
commit: f3623890897fee87c24f37ae01a2f1a5c35a39d9 [27/33] btrfs: use srcmap for read-before-write cases
config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20211230/202112302317.OJzUYuIb-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

smatch warnings:
fs/btrfs/file.c:1517 btrfs_buffered_iomap_begin() error: dereferencing freed memory 'bi'

vim +/bi +1517 fs/btrfs/file.c

b192ee8d4db510 Goldwyn Rodrigues 2021-04-21  1490  static int btrfs_buffered_iomap_begin(struct inode *inode, loff_t pos,
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21  1491  		loff_t length, unsigned flags, struct iomap *iomap,
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21  1492  		struct iomap *srcmap)
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21  1493  {
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21  1494  	int ret;
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21  1495  	size_t write_bytes = length;
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21  1496  	struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21  1497  	size_t sector_offset = pos & (fs_info->sectorsize - 1);
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21  1498  	struct btrfs_iomap *bi;
f3623890897fee Goldwyn Rodrigues 2021-04-21  1499  	loff_t end = pos + length;
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21  1500  
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21  1501  	bi = kzalloc(sizeof(struct btrfs_iomap), GFP_NOFS);
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21  1502  	if (!bi)
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21  1503  		return -ENOMEM;
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21  1504  
f3623890897fee Goldwyn Rodrigues 2021-04-21  1505  	if ((pos & (PAGE_SIZE - 1) || end & (PAGE_SIZE - 1))) {
f3623890897fee Goldwyn Rodrigues 2021-04-21  1506  		loff_t isize = i_size_read(inode);
f3623890897fee Goldwyn Rodrigues 2021-04-21  1507  		if (pos >= isize) {
f3623890897fee Goldwyn Rodrigues 2021-04-21  1508  			srcmap->addr = IOMAP_NULL_ADDR;
f3623890897fee Goldwyn Rodrigues 2021-04-21  1509  			srcmap->type = IOMAP_HOLE;
f3623890897fee Goldwyn Rodrigues 2021-04-21  1510  			srcmap->offset = isize;
f3623890897fee Goldwyn Rodrigues 2021-04-21  1511  			srcmap->length = end - isize;
f3623890897fee Goldwyn Rodrigues 2021-04-21  1512  		} else {
f3623890897fee Goldwyn Rodrigues 2021-04-21  1513  			bi->em = btrfs_get_extent(BTRFS_I(inode), NULL, 0,
f3623890897fee Goldwyn Rodrigues 2021-04-21  1514  					pos - sector_offset, length);
f3623890897fee Goldwyn Rodrigues 2021-04-21  1515  			if (IS_ERR(bi->em)) {
f3623890897fee Goldwyn Rodrigues 2021-04-21  1516  				kfree(bi);
                                                                                ^^^^^^^^^

f3623890897fee Goldwyn Rodrigues 2021-04-21 @1517  				return PTR_ERR(bi->em);
                                                                                               ^^^^^^

f3623890897fee Goldwyn Rodrigues 2021-04-21  1518  			}
f3623890897fee Goldwyn Rodrigues 2021-04-21  1519  			btrfs_em_to_iomap(inode, bi->em, srcmap,
f3623890897fee Goldwyn Rodrigues 2021-04-21  1520  					pos - sector_offset);
f3623890897fee Goldwyn Rodrigues 2021-04-21  1521  		}
f3623890897fee Goldwyn Rodrigues 2021-04-21  1522  	}
f3623890897fee Goldwyn Rodrigues 2021-04-21  1523  
f3623890897fee Goldwyn Rodrigues 2021-04-21  1524  	if ((srcmap->type != IOMAP_HOLE) &&
f3623890897fee Goldwyn Rodrigues 2021-04-21  1525  			(end > srcmap->offset + srcmap->length))
f3623890897fee Goldwyn Rodrigues 2021-04-21  1526  			write_bytes = srcmap->offset + srcmap->length - pos;

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
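
The pattern smatch flags at line 1517, modeled in user space as an added example (not code from the btrfs tree or from this report): the error pointer stored in `bi->em` is read after `bi` has been freed. `model_kzalloc()`, `model_kfree()` and `get_extent_stub()` are hypothetical stand-ins, the poisoning free is an assumption made so the stale read is well-defined and visible, and saving the error code before the free is one possible fix, not necessarily the one applied upstream.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space stand-ins for the kernel's ERR_PTR helpers. */
static void *ERR_PTR(long e) { return (void *)(intptr_t)e; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }

struct btrfs_iomap { void *em; };

/* Model allocator (assumption): one static slot. model_kfree() fills it with
 * 0x6b, the slab POISON_FREE byte, instead of releasing it. */
static struct btrfs_iomap slot;
static struct btrfs_iomap *model_kzalloc(void) { memset(&slot, 0, sizeof(slot)); return &slot; }
static void model_kfree(struct btrfs_iomap *bi) { memset(bi, 0x6b, sizeof(*bi)); }

/* Hypothetical stub for btrfs_get_extent() that always fails with -EIO. */
static void *get_extent_stub(void) { return ERR_PTR(-EIO); }

/* Flagged pattern: bi->em is read after bi has been freed. */
long begin_buggy(void)
{
	struct btrfs_iomap *bi = model_kzalloc();
	bi->em = get_extent_stub();
	if (IS_ERR(bi->em)) {
		model_kfree(bi);
		return PTR_ERR(bi->em);	/* stale read: poison, not -EIO */
	}
	return 0;
}

/* One possible fix: capture the error code before releasing the object. */
long begin_fixed(void)
{
	struct btrfs_iomap *bi = model_kzalloc();
	bi->em = get_extent_stub();
	if (IS_ERR(bi->em)) {
		long ret = PTR_ERR(bi->em);
		model_kfree(bi);
		return ret;
	}
	return 0;
}

int main(void)
{
	printf("buggy=%#lx fixed=%ld\n", (unsigned long)begin_buggy(), begin_fixed());
	return 0;
}
```

In a real kernel the freed slab object may be reused or poisoned, so the caller of the flagged code can receive an arbitrary value instead of the error code.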
