Message-Id: <20241102.090820.1442069226259701918.konishi.ryusuke@gmail.com>
Date: Sat, 02 Nov 2024 09:08:20 +0900 (JST)
From: Ryusuke Konishi <konishi.ryusuke@...il.com>
To: syzbot+9982fb8d18eba905abe2@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [nilfs?] general protection fault in touch_buffer

The cause of this problem seems to be that bh->b_bdev is not set when
touch_buffer() is called (it is set later by the calling functions).

This causes a general protection fault when the trace point
trace_block_touch_buffer() in touch_buffer() references
bh->b_bdev->bd_dev.

touch_buffer() marks the folio owned by the buffer as accessed by
calling folio_mark_accessed(), but nilfs_grab_buffer(), the only
caller of __nilfs_get_folio_block(), acquires the folio through
filemap_grab_folio(), which sets the folio as accessed by specifying
the FGP_ACCESSED flag, so there is no need to call touch_buffer() in
the first place.

Once I have confirmed that there is no problem, including the past
history, I will turn this into a formal bug fix patch.

Ryusuke Konishi


#syz test

diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c
index 10def4b55995..296dbf9cca22 100644
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -39,7 +39,6 @@ static struct buffer_head *__nilfs_get_folio_block(struct folio *folio,
 	first_block = (unsigned long)index << (PAGE_SHIFT - blkbits);
 	bh = get_nth_bh(bh, block - first_block);
 
-	touch_buffer(bh);
 	wait_on_buffer(bh);
 	return bh;
 }
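
Review bot: Dropping touch_buffer(bh) ahead of wait_on_buffer(bh) in __nilfs_get_folio_block() also stops trace_block_touch_buffer() from firing on this path, and the explanation only covers the folio_mark_accessed() side. The formal patch's changelog should say that the trace event is no longer emitted here and that the accessed marking now relies on nilfs_grab_buffer() obtaining the folio through filemap_grab_folio() with FGP_ACCESSED. A one-line comment at this spot noting that bh->b_bdev may not be set yet would help keep a later change from reintroducing the call.
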
-- 
2.43.0
