Message-ID: <e6f16317-6d11-4f14-ba88-6c7b33276285@suse.com>
Date: Tue, 20 Aug 2024 19:32:03 +0800
From: Heming Zhao <heming.zhao@...e.com>
To: Lizhi Xu <lizhi.xu@...driver.com>, joseph.qi@...ux.alibaba.com
Cc: jlbec@...lplan.org, linux-kernel@...r.kernel.org, mark@...heh.com,
ocfs2-devel@...ts.linux.dev,
syzbot+ab134185af9ef88dfed5@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH V3 2/2] ocfs2: Fix uaf in ocfs2_set_buffer_uptodate
On 8/20/24 17:45, Lizhi Xu wrote:
> In the for-loop after the 'read_failure' label, the condition
> '(bh == NULL) && flags includes OCFS2_BH_READAHEAD' is missing.
> When this condition is true, this for-loop will call
> ocfs2_set_buffer_uptodate(ci, bh), which then triggers a NULL pointer access error.
>
> Changes from V2:
> * Make the code more concise
>
> Reported-and-suggested-by: Heming Zhao <heming.zhao@...e.com>
> Signed-off-by: Lizhi Xu <lizhi.xu@...driver.com>
> Reviewed-by: Heming Zhao <heming.zhao@...e.com>
I didn't give you my "Reviewed-by" tag for this patch, and you
can add my tag only after I send it to you.
(Take it easy, you can get my "Reviewed-by" tag now.)
Please remember this rule for next time.
Another issue with this mail is that the change log should be
placed before the file list, not in the commit message section.
ref: Documentation/process/submitting-patches.rst
Thanks,
Heming
> ---
> fs/ocfs2/buffer_head_io.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
> index e62c7e1de4eb..8f714406528d 100644
> --- a/fs/ocfs2/buffer_head_io.c
> +++ b/fs/ocfs2/buffer_head_io.c
> @@ -388,7 +388,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
> /* Always set the buffer in the cache, even if it was
> * a forced read, or read-ahead which hasn't yet
> * completed. */
> - ocfs2_set_buffer_uptodate(ci, bh);
> + if (bh)
> + ocfs2_set_buffer_uptodate(ci, bh);
> }
> ocfs2_metadata_cache_io_unlock(ci);
>
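Review bot: the comment directly above the new `if (bh)` guard still reads "Always set the buffer in the cache", which no longer matches the code now that the call to ocfs2_set_buffer_uptodate(ci, bh) is skipped for a NULL bh. Extend that comment to say when bh can be NULL at this point (the commit message names the case of bh == NULL with OCFS2_BH_READAHEAD set) so the guard is not later removed as redundant. Separately, the subject line says "uaf" while the commit message describes a NULL pointer access; the two should agree on the bug class being fixed.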