[PATCH] jffs2: fix null-ptr-deref during jffs2_unregister_compressor()
From: Kefeng Wang
Date: Fri May 24 2019 - 10:38:36 EST
It is possible that jffs2_register_compressor() could not be called
(eg, alloc_workspace() return fails) in jffs2_compressors_init(), so
unconditionally delete list if unregister compressors will trigger
this issue when rmmod jffs2.
BUG: KASAN: null-ptr-deref in __list_del_entry_valid+0x45/0xd0 lib/list_debug.c:51
Read of size 8 at addr 0000000000000000 by task syz-executor.0/8049
CPU: 1 PID: 8049 Comm: syz-executor.0 Tainted: G C 5.1.0+ #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xa9/0x10e lib/dump_stack.c:113
__kasan_report+0x171/0x18d mm/kasan/report.c:321
kasan_report+0xe/0x20 mm/kasan/common.c:614
__list_del_entry_valid+0x45/0xd0 lib/list_debug.c:51
jffs2_unregister_compressor+0x41/0xf0 [jffs2]
jffs2_lzo_exit+0x11/0x20 [jffs2]
jffs2_compressors_exit+0xa/0x30 [jffs2]
exit_jffs2_fs+0x1b/0xf4b [jffs2]
__do_sys_delete_module kernel/module.c:1027 [inline]
__se_sys_delete_module kernel/module.c:970 [inline]
__x64_sys_delete_module+0x244/0x330 kernel/module.c:970
do_syscall_64+0x72/0x2a0 arch/x86/entry/common.c:298
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Add 'bool initialized' into struct jffs2_compressor, return error
if initialized is not set in jffs2_unregister_compressor().
Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
---
fs/jffs2/compr.c | 7 +++++++
fs/jffs2/compr.h | 1 +
2 files changed, 8 insertions(+)
diff --git a/fs/jffs2/compr.c b/fs/jffs2/compr.c
index 4849a4c9a0e2..efbc166f8dca 100644
--- a/fs/jffs2/compr.c
+++ b/fs/jffs2/compr.c
@@ -302,6 +302,8 @@ int jffs2_register_compressor(struct jffs2_compressor *comp)
{
struct jffs2_compressor *this;
+ comp->initialized = false;
+
if (!comp->name) {
pr_warn("NULL compressor name at registering JFFS2 compressor. Failed.\n");
return -1;
@@ -331,6 +333,8 @@ int jffs2_register_compressor(struct jffs2_compressor *comp)
spin_unlock(&jffs2_compressor_list_lock);
+ comp->initialized = true
+
return 0;
}
@@ -338,6 +342,9 @@ int jffs2_unregister_compressor(struct jffs2_compressor *comp)
{
D2(struct jffs2_compressor *this);
+ if (!comp->initialized)
+ return -1;
+
jffs2_dbg(1, "Unregistering JFFS2 compressor \"%s\"\n", comp->name);
spin_lock(&jffs2_compressor_list_lock);
diff --git a/fs/jffs2/compr.h b/fs/jffs2/compr.h
index 5e91d578f4ed..c90b86fbddfe 100644
--- a/fs/jffs2/compr.h
+++ b/fs/jffs2/compr.h
@@ -56,6 +56,7 @@ struct jffs2_compressor {
uint32_t cdatalen, uint32_t datalen);
int usecount;
int disabled; /* if set the compressor won't compress */
+ int initialized;
unsigned char *compr_buf; /* used by size compr. mode */
uint32_t compr_buf_size; /* used by size compr. mode */
uint32_t stat_compr_orig_size;
--
2.20.1