jffs2: fix null-ptr-deref during jffs2_unregister_compressor()
diff mbox series

Message ID 20190524144357.43560-1-wangkefeng.wang@huawei.com
State New
Delegated to: Richard Weinberger
Headers show
Series
  • jffs2: fix null-ptr-deref during jffs2_unregister_compressor()
Related show

Commit Message

Kefeng Wang May 24, 2019, 2:43 p.m. UTC
It is possible that jffs2_register_compressor() could not be called
(eg, alloc_workspace() return fails) in jffs2_compressors_init(), so
unconditionally delete list if unregister compressors will trigger
this issue when rmmod jffs2.

  BUG: KASAN: null-ptr-deref in __list_del_entry_valid+0x45/0xd0 lib/list_debug.c:51
  Read of size 8 at addr 0000000000000000 by task syz-executor.0/8049

  CPU: 1 PID: 8049 Comm: syz-executor.0 Tainted: G         C 5.1.0+ #28
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
  Call Trace:
   __dump_stack lib/dump_stack.c:77 [inline]
   dump_stack+0xa9/0x10e lib/dump_stack.c:113
   __kasan_report+0x171/0x18d mm/kasan/report.c:321
   kasan_report+0xe/0x20 mm/kasan/common.c:614
   __list_del_entry_valid+0x45/0xd0 lib/list_debug.c:51
   jffs2_unregister_compressor+0x41/0xf0 [jffs2]
   jffs2_lzo_exit+0x11/0x20 [jffs2]
   jffs2_compressors_exit+0xa/0x30 [jffs2]
   exit_jffs2_fs+0x1b/0xf4b [jffs2]
   __do_sys_delete_module kernel/module.c:1027 [inline]
   __se_sys_delete_module kernel/module.c:970 [inline]
   __x64_sys_delete_module+0x244/0x330 kernel/module.c:970
   do_syscall_64+0x72/0x2a0 arch/x86/entry/common.c:298
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

Add 'bool initialized' into struct jffs2_compressor, return error
if initialized is not set in jffs2_unregister_compressor().

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
---
 fs/jffs2/compr.c | 7 +++++++
 fs/jffs2/compr.h | 1 +
 2 files changed, 8 insertions(+)

Patch
diff mbox series

diff --git a/fs/jffs2/compr.c b/fs/jffs2/compr.c
index 4849a4c9a0e2..efbc166f8dca 100644
--- a/fs/jffs2/compr.c
+++ b/fs/jffs2/compr.c
@@ -302,6 +302,8 @@  int jffs2_register_compressor(struct jffs2_compressor *comp)
 {
 	struct jffs2_compressor *this;
 
+	comp->initialized = false;
+
 	if (!comp->name) {
 		pr_warn("NULL compressor name at registering JFFS2 compressor. Failed.\n");
 		return -1;
@@ -331,6 +333,8 @@  int jffs2_register_compressor(struct jffs2_compressor *comp)
 
 	spin_unlock(&jffs2_compressor_list_lock);
 
+	comp->initialized = true
+
 	return 0;
 }
 
@@ -338,6 +342,9 @@  int jffs2_unregister_compressor(struct jffs2_compressor *comp)
 {
 	D2(struct jffs2_compressor *this);
 
+	if (!comp->initialized)
+		return -1;
+
 	jffs2_dbg(1, "Unregistering JFFS2 compressor \"%s\"\n", comp->name);
 
 	spin_lock(&jffs2_compressor_list_lock);
diff --git a/fs/jffs2/compr.h b/fs/jffs2/compr.h
index 5e91d578f4ed..c90b86fbddfe 100644
--- a/fs/jffs2/compr.h
+++ b/fs/jffs2/compr.h
@@ -56,6 +56,7 @@  struct jffs2_compressor {
 			  uint32_t cdatalen, uint32_t datalen);
 	int usecount;
 	int disabled;		/* if set the compressor won't compress */
+	int initialized;
 	unsigned char *compr_buf;	/* used by size compr. mode */
 	uint32_t compr_buf_size;	/* used by size compr. mode */
 	uint32_t stat_compr_orig_size;