diff options
| author | Andrew Price <anprice@redhat.com> | 2020-10-07 12:30:58 +0100 |
|---|---|---|
| committer | Andreas Gruenbacher <agruenba@redhat.com> | 2020-10-14 23:54:43 +0200 |
| commit | 0e539ca1bbbe85a86549c97a30a765ada4a09df9 (patch) | |
| tree | 939ab3e225c1051b9a3a23a2ffda1428739cf758 /fs/gfs2/util.c | |
| parent | 2164f9b9186962ffb7c687e18ec6f5255525f09d (diff) | |
| download | linux-0e539ca1bbbe85a86549c97a30a765ada4a09df9.tar.gz linux-0e539ca1bbbe85a86549c97a30a765ada4a09df9.tar.bz2 linux-0e539ca1bbbe85a86549c97a30a765ada4a09df9.zip | |
gfs2: Fix NULL pointer dereference in gfs2_rgrp_dump
When an rindex entry is found to be corrupt, compute_bitstructs() calls
gfs2_consist_rgrpd() which calls gfs2_rgrp_dump() like this:
gfs2_rgrp_dump(NULL, rgd->rd_gl, fs_id_buf);
gfs2_rgrp_dump then dereferences the gl without checking it and we get
BUG: KASAN: null-ptr-deref in gfs2_rgrp_dump+0x28/0x280
because there's no rgrp glock involved while reading the rindex on mount.
Fix this by changing gfs2_rgrp_dump to take an rgrp argument.
Reported-by: syzbot+43fa87986bdd31df9de6@syzkaller.appspotmail.com
Signed-off-by: Andrew Price <anprice@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Diffstat (limited to 'fs/gfs2/util.c')
| -rw-r--r-- | fs/gfs2/util.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/gfs2/util.c b/fs/gfs2/util.c index 1cd0328cae20..0fba3bf64189 100644 --- a/fs/gfs2/util.c +++ b/fs/gfs2/util.c @@ -419,7 +419,7 @@ void gfs2_consist_rgrpd_i(struct gfs2_rgrpd *rgd, char fs_id_buf[sizeof(sdp->sd_fsname) + 7]; sprintf(fs_id_buf, "fsid=%s: ", sdp->sd_fsname); - gfs2_rgrp_dump(NULL, rgd->rd_gl, fs_id_buf); + gfs2_rgrp_dump(NULL, rgd, fs_id_buf); gfs2_lm(sdp, "fatal: filesystem consistency error\n" " RG = %llu\n" |