Message-ID: <20251208193024.GA89444@frogsfrogsfrogs>
Date: Mon, 8 Dec 2025 11:30:24 -0800
From: "Darrick J. Wong" <djwong@...nel.org>
To: Deepakkumar Karn <dkarn@...hat.com>
Cc: Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+e07658f51ca22ab65b4e@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH v2] fs: add NULL check in drop_buffers() to prevent null-ptr-deref
On Tue, Dec 09, 2025 at 12:33:07AM +0530, Deepakkumar Karn wrote:
> drop_buffers() dereferences the buffer_head pointer returned by
> folio_buffers() without checking for NULL. This leads to a null pointer
> dereference when called from try_to_free_buffers() on a folio with no
> buffers attached. This happens when filemap_release_folio() is called on
> a folio belonging to a mapping with AS_RELEASE_ALWAYS set but without
> release_folio address_space operation defined. In such a case,
What user is that? All the users of AS_RELEASE_ALWAYS in 6.18 appear to
supply a ->release_folio. Is this some new thing in 6.19?
--D
> folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag,
> but the folio has no private buffer data, so try_to_free_buffers() is
> called with a folio that has no buffers.
>
> Add a NULL check for the buffer_head pointer and return false early if
> no buffers are attached to the folio.
>
> Reported-by: syzbot+e07658f51ca22ab65b4e@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=e07658f51ca22ab65b4e
> Fixes: 6439476311a6 ("fs: Convert drop_buffers() to use a folio")
> Signed-off-by: Deepakkumar Karn <dkarn@...hat.com>
> ---
> fs/buffer.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/buffer.c b/fs/buffer.c
> index 838c0c571022..fa5de0cdf540 100644
> --- a/fs/buffer.c
> +++ b/fs/buffer.c
> @@ -2893,6 +2893,10 @@ drop_buffers(struct folio *folio, struct buffer_head **buffers_to_free)
> struct buffer_head *head = folio_buffers(folio);
> struct buffer_head *bh;
>
> + /* In cases of folio without buffer_head*/
> + if (!head)
> + return false;
> +
> bh = head;
> do {
> if (buffer_busy(bh))
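Review bot: the early `return false` at the new check makes drop_buffers() report failure for a folio that simply has no buffers attached, and since the commit message says this path is reached from try_to_free_buffers() via filemap_release_folio(), that failure propagates up and marks the folio as not releasable even though there is no private data holding it; the commit message should justify why `false` rather than `true` is the intended result for "nothing to drop", or the check should move to the caller that knows about AS_RELEASE_ALWAYS. The comment `/* In cases of folio without buffer_head*/` is also missing the space before `*/` and would be more useful if it stated the condition being handled, e.g. `/* No buffers attached: AS_RELEASE_ALWAYS mapping without ->release_folio */`, which would also answer the open question above about which user reaches this path.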
> --
> 2.52.0
>
>