| From f2d32429b917a646b870c296f791ce3eb3098467 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 22 Mar 2022 21:59:17 +0800 |
| Subject: jfs: prevent NULL deref in diFree |
| |
| From: Haimin Zhang <tcs_kernel@tencent.com> |
| |
| [ Upstream commit a53046291020ec41e09181396c1e829287b48d47 ] |
| |
| Add validation check for JFS_IP(ipimap)->i_imap to prevent a NULL deref |
| in diFree since diFree uses it without doing any validation. |
| When function jfs_mount calls diMount to initialize fileset inode |
| allocation map, it can fail and JFS_IP(ipimap)->i_imap won't be |
| initialized. Then it calls diFreeSpecial to close fileset inode allocation |
| map inode and it will flow into jfs_evict_inode. Function jfs_evict_inode |
| just validates JFS_SBI(inode->i_sb)->ipimap, then calls diFree. diFree use |
| JFS_IP(ipimap)->i_imap directly, then it will cause a NULL deref. |
| |
| Reported-by: TCS Robot <tcs_robot@tencent.com> |
| Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com> |
| Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| fs/jfs/inode.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c |
| index 57ab424c05ff..072821b50ab9 100644 |
| --- a/fs/jfs/inode.c |
| +++ b/fs/jfs/inode.c |
| @@ -146,12 +146,13 @@ void jfs_evict_inode(struct inode *inode) |
| dquot_initialize(inode); |
| |
| if (JFS_IP(inode)->fileset == FILESYSTEM_I) { |
| + struct inode *ipimap = JFS_SBI(inode->i_sb)->ipimap; |
| truncate_inode_pages_final(&inode->i_data); |
| |
| if (test_cflag(COMMIT_Freewmap, inode)) |
| jfs_free_zero_link(inode); |
| |
| - if (JFS_SBI(inode->i_sb)->ipimap) |
| + if (ipimap && JFS_IP(ipimap)->i_imap) |
| diFree(inode); |
| |
| /* |
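Review bot: The new condition `if (ipimap && JFS_IP(ipimap)->i_imap)` quietly skips diFree without saying why i_imap can be NULL at eviction time, so the next reader will take it for a generic defensive check; a one-line comment above it would carry the reason from the commit message into the code, e.g. `/* i_imap is NULL when diMount() failed during jfs_mount(); nothing to free */`. It is also worth stating in that comment that skipping diFree leaves the disk inode unreleased, which is only acceptable here because the path is reached while the mount itself is failing — that reasoning comes from the description rather than from lines visible in the hunk. jfs_evict_inode starts before this hunk and its body continues after it.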
| -- |
| 2.35.1 |
| |