From patchwork Tue Jan 18 09:57:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kara X-Patchwork-Id: 533535 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E4C7DC433EF for ; Tue, 18 Jan 2022 09:57:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235393AbiARJ56 (ORCPT ); Tue, 18 Jan 2022 04:57:58 -0500 Received: from smtp-out2.suse.de ([195.135.220.29]:36306 "EHLO smtp-out2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234464AbiARJ55 (ORCPT ); Tue, 18 Jan 2022 04:57:57 -0500 Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out2.suse.de (Postfix) with ESMTP id 506141F3B5; Tue, 18 Jan 2022 09:57:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1642499876; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=+3XHy9X4nT4n/AOl8C5jRxanVGoZKrHcxVdhA2eEHek=; b=20G7MBWNASyhjzIRqO/wD3Omch4/okChGRHAV/Ho3cjNCv5eqgBvExjngNEVnkMBKyZmwO bRR6hi/RFQO55mgHh35pKCjVTYROKxDv9QffcgqDaHOq5NgT7GJYLqwEkE9HCVGovFJ2I3 WPqrMiiFWmy2aQZe/JjIqCQ/QaSnwp8= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1642499876; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=+3XHy9X4nT4n/AOl8C5jRxanVGoZKrHcxVdhA2eEHek=; b=2cy+F4YyWFsf2cOPtbUZi1yV8hkde0hTPF52ohSwMtf0yXTRLX7kv9p1f17X54v5T7hxld BdCVbRO1o0j5qdBg== Received: from quack3.suse.cz (unknown [10.163.43.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay2.suse.de (Postfix) with ESMTPS id 424C0A3B84; Tue, 18 Jan 2022 09:57:56 +0000 (UTC) Received: by quack3.suse.cz (Postfix, from userid 1000) id 0E273A05E2; Tue, 18 Jan 2022 10:57:56 +0100 (CET) From: Jan Kara To: Cc: butt3rflyh4ck , Jan Kara , stable@vger.kernel.org Subject: [PATCH 1/2] udf: Fix NULL ptr deref when converting from inline format Date: Tue, 18 Jan 2022 10:57:47 +0100 Message-Id: <20220118095753.627-1-jack@suse.cz> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20220118095449.2937-1-jack@suse.cz> References: <20220118095449.2937-1-jack@suse.cz> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2065; h=from:subject; bh=FGffWwKHxuxdIhhc030juu+3b62d1QHrgbzzRo6D37M=; b=owEBbQGS/pANAwAIAZydqgc/ZEDZAcsmYgBh5o8bFuYJbn9NJOogzMDzDzPAL/JbmS3e2a6Ic1LL Thbto/uJATMEAAEIAB0WIQSrWdEr1p4yirVVKBycnaoHP2RA2QUCYeaPGwAKCRCcnaoHP2RA2assB/ 46PhShSLxTJQt7WycODga3L1jqcwIJaJxxwNQr8us4gqu4/pcRStlz8jawMoesNKTK9vBe7YwQOHIe /d164ew7fz3aT2XDhUoaezfRpbmmnROExRo0RH0tVigLmJIWCZ6NrJThdt5b2qWmeUyIqEoMDqHS0q ZYOLSQh3XMH6FwLTstUjxCu8YZ4hcVPuZvPkEyNnt0p86LOI2Q7L+UpM0+COYPbldAk6PtwlM0U26w nPjxDd4ZeNbVpf+Nq1OyhOt+CeAhd5R3e3Q6/FXbH0treLPEs39Q9g0d7JPIYRmUU9qKy6/3VqMxWB SxYrfk/yQcm3w4PSC39nLO35mzCnyJ X-Developer-Key: i=jack@suse.cz; a=openpgp; fpr=93C6099A142276A28BBE35D815BC833443038D8C Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org udf_expand_file_adinicb() calls directly ->writepage to write data expanded into a page. This however misses to setup inode for writeback properly and so we can crash on inode->i_wb dereference when submitting page for IO like: BUG: kernel NULL pointer dereference, address: 0000000000000158 #PF: supervisor read access in kernel mode ... __folio_start_writeback+0x2ac/0x350 __block_write_full_page+0x37d/0x490 udf_expand_file_adinicb+0x255/0x400 [udf] udf_file_write_iter+0xbe/0x1b0 [udf] new_sync_write+0x125/0x1c0 vfs_write+0x28e/0x400 Fix the problem by marking the page dirty and going through the standard writeback path to write the page. Strictly speaking we would not even have to write the page but we want to catch e.g. ENOSPC errors early. Reported-by: butt3rflyh4ck CC: stable@vger.kernel.org Fixes: 52ebea749aae ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks") Signed-off-by: Jan Kara Reviewed-by: Christoph Hellwig --- fs/udf/inode.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 1d6b7a50736b..d6aa506b6b58 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -258,10 +258,6 @@ int udf_expand_file_adinicb(struct inode *inode) char *kaddr; struct udf_inode_info *iinfo = UDF_I(inode); int err; - struct writeback_control udf_wbc = { - .sync_mode = WB_SYNC_NONE, - .nr_to_write = 1, - }; WARN_ON_ONCE(!inode_is_locked(inode)); if (!iinfo->i_lenAlloc) { @@ -305,8 +301,10 @@ int udf_expand_file_adinicb(struct inode *inode) iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; /* from now on we have normal address_space methods */ inode->i_data.a_ops = &udf_aops; + set_page_dirty(page); + unlock_page(page); up_write(&iinfo->i_data_sem); - err = inode->i_data.a_ops->writepage(page, &udf_wbc); + err = filemap_fdatawrite(inode->i_mapping); if (err) { /* Restore everything back so that we don't lose data... */ lock_page(page); From patchwork Tue Jan 18 09:57:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kara X-Patchwork-Id: 533265 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8152CC433FE for ; Tue, 18 Jan 2022 09:57:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234563AbiARJ56 (ORCPT ); Tue, 18 Jan 2022 04:57:58 -0500 Received: from smtp-out2.suse.de ([195.135.220.29]:36308 "EHLO smtp-out2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234406AbiARJ55 (ORCPT ); Tue, 18 Jan 2022 04:57:57 -0500 Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out2.suse.de (Postfix) with ESMTP id 58D5E1F3C0; Tue, 18 Jan 2022 09:57:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1642499876; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rSHOPK7zYi3j7vq/yLcdOnOdEZ24LfmyZEXUCcoD0Jw=; b=eSvWZ+/4LNDWzjE5pqTe6MtcZDWGsdtFGxWafIfMSd3wf2nyNbCdvN8LIjwwSksW4olS1H Au2Px91/OKwIE9wd80R1BRULziEr696RLXaomoHnLqkSrz8vd7YiCMAEaGDjH6rgR7ntrw 6qOqpdXb2tnQtoED2JuGcnmz3ApJrIs= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1642499876; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rSHOPK7zYi3j7vq/yLcdOnOdEZ24LfmyZEXUCcoD0Jw=; b=9fiOC4YZZptMD4zettNfBcy+tt0lm08GzdWGjgm5vnqeuHWUavl+CHS6nzIfB5j//NtIgL 942BwZoWhCSKGsDg== Received: from quack3.suse.cz (unknown [10.163.43.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay2.suse.de (Postfix) with ESMTPS id 4D29AA3B85; Tue, 18 Jan 2022 09:57:56 +0000 (UTC) Received: by quack3.suse.cz (Postfix, from userid 1000) id 12D42A05E5; Tue, 18 Jan 2022 10:57:56 +0100 (CET) From: Jan Kara To: Cc: butt3rflyh4ck , Jan Kara , stable@vger.kernel.org Subject: [PATCH 2/2] udf: Restore i_lenAlloc when inode expansion fails Date: Tue, 18 Jan 2022 10:57:48 +0100 Message-Id: <20220118095753.627-2-jack@suse.cz> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20220118095449.2937-1-jack@suse.cz> References: <20220118095449.2937-1-jack@suse.cz> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=985; h=from:subject; bh=9b9vN2SU722zTqf8/Q5HNRvRGqESjFPUxds0LOSprRo=; b=owEBbQGS/pANAwAIAZydqgc/ZEDZAcsmYgBh5o8cWdAYPLgqHofPVfMk2ZkcoazBcz8l901c5NdL 4o6ztwyJATMEAAEIAB0WIQSrWdEr1p4yirVVKBycnaoHP2RA2QUCYeaPHAAKCRCcnaoHP2RA2ZBCCA CLAJ/L+dFi36l1RSdqp2ZwqsQ9pYD5v2zaK/BBysFrvjL6+RTk0iSbnuKHNAdt3lkFbflAc+5bR7Sv MnUu6T1u2JkpiFPWhlHyI/qnELpN9QOIojei2vQLvekuE2vNkm6ZS6M0wFPswpv9EvREf+C5cB+DxB VPW/fNWaumesZfAwY8JtqafwLt/+Rb2GxPL9piHncorvqTzkRhKmPek1CE1PManQGTsyNZWQkWnjm6 Uj0zEw2+4RLY6lE20uGxYW3TVYDaqZnENFLcoqKFW+tzMyPCaAFSVdyM+HvbYRtfS7kOMCdQbrR7y9 Y6iIAUyJY8krueRasMQ2/e7YvlAMni X-Developer-Key: i=jack@suse.cz; a=openpgp; fpr=93C6099A142276A28BBE35D815BC833443038D8C Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org When we fail to expand inode from inline format to a normal format, we restore inode to contain the original inline formatting but we forgot to set i_lenAlloc back. The mismatch between i_lenAlloc and i_size was then causing further problems such as warnings and lost data down the line. Reported-by: butt3rflyh4ck CC: stable@vger.kernel.org Fixes: 7e49b6f2480c ("udf: Convert UDF to new truncate calling sequence") Signed-off-by: Jan Kara Reviewed-by: Christoph Hellwig --- fs/udf/inode.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index d6aa506b6b58..ea8f6cd01f50 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -315,6 +315,7 @@ int udf_expand_file_adinicb(struct inode *inode) unlock_page(page); iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; inode->i_data.a_ops = &udf_adinicb_aops; + iinfo->i_lenAlloc = inode->i_size; up_write(&iinfo->i_data_sem); } put_page(page);