Message-Id: <20251012083957.532330-1-liubaolin12138@163.com>
Date: Sun, 12 Oct 2025 16:39:57 +0800
From: Baolin Liu <liubaolin12138@....com>
To: trondmy@...nel.org,
	anna@...nel.org
Cc: linux-nfs@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Baolin Liu <liubaolin@...inos.cn>
Subject: [PATCH v1] NFS: Fix possible NULL pointer dereference in nfs_inode_remove_request()

From: Baolin Liu <liubaolin@...inos.cn>

nfs_page_to_folio(req->wb_head) may return NULL in certain conditions,
but the function dereferences folio->mapping and calls
folio_end_dropbehind(folio) unconditionally. This may cause a NULL
pointer dereference crash.

Fix this by checking folio before using it or calling
folio_end_dropbehind().

Signed-off-by: Baolin Liu <liubaolin@...inos.cn>
---
 fs/nfs/write.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index 0fb6905736d5..e148308c1923 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -739,17 +739,18 @@ static void nfs_inode_remove_request(struct nfs_page *req)
 	nfs_page_group_lock(req);
 	if (nfs_page_group_sync_on_bit_locked(req, PG_REMOVE)) {
 		struct folio *folio = nfs_page_to_folio(req->wb_head);
-		struct address_space *mapping = folio->mapping;
 
-		spin_lock(&mapping->i_private_lock);
 		if (likely(folio)) {
+			struct address_space *mapping = folio->mapping;
+
+			spin_lock(&mapping->i_private_lock);
 			folio->private = NULL;
 			folio_clear_private(folio);
 			clear_bit(PG_MAPPED, &req->wb_head->wb_flags);
-		}
-		spin_unlock(&mapping->i_private_lock);
+			spin_unlock(&mapping->i_private_lock);
 
-		folio_end_dropbehind(folio);
+			folio_end_dropbehind(folio);
+		}
 	}
 	nfs_page_group_unlock(req);
 
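Review bot: the commit message should state under which conditions nfs_page_to_folio(req->wb_head) returns NULL and carry a Fixes: tag naming the commit that introduced the unconditional `struct address_space *mapping = folio->mapping;` and `spin_lock(&mapping->i_private_lock);` ahead of the existing `if (likely(folio))` check; as written, "in certain conditions" gives a stable-tree reviewer nothing to verify. The restructuring itself is consistent: the mapping lookup, the lock/unlock pair and folio_end_dropbehind() all now sit inside the NULL check, so no path dereferences folio before it is tested, and clear_bit(PG_MAPPED, ...) stays under the lock as before. Also worth confirming in the message that skipping folio_end_dropbehind() when folio is NULL is intended, since the old code called it unconditionally.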
-- 
2.39.2

