Re: [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system


 



Hi Theodore,

url:    https://github.com/0day-ci/linux/commits/Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
base:   https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
config: i386-randconfig-m021-20210702 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

smatch warnings:
fs/ext4/mmp.c:252 kmmpd() error: uninitialized symbol 'retval'.

vim +/retval +252 fs/ext4/mmp.c

c5e06d101aaf72 Johann Lombardi   2011-05-24  128  static int kmmpd(void *data)
c5e06d101aaf72 Johann Lombardi   2011-05-24  129  {
618f003199c618 Pavel Skripkin    2021-04-30  130  	struct super_block *sb = (struct super_block *) data;
c5e06d101aaf72 Johann Lombardi   2011-05-24  131  	struct ext4_super_block *es = EXT4_SB(sb)->s_es;
618f003199c618 Pavel Skripkin    2021-04-30  132  	struct buffer_head *bh = EXT4_SB(sb)->s_mmp_bh;
c5e06d101aaf72 Johann Lombardi   2011-05-24  133  	struct mmp_struct *mmp;
c5e06d101aaf72 Johann Lombardi   2011-05-24  134  	ext4_fsblk_t mmp_block;
c5e06d101aaf72 Johann Lombardi   2011-05-24  135  	u32 seq = 0;
c5e06d101aaf72 Johann Lombardi   2011-05-24  136  	unsigned long failed_writes = 0;
c5e06d101aaf72 Johann Lombardi   2011-05-24  137  	int mmp_update_interval = le16_to_cpu(es->s_mmp_update_interval);
c5e06d101aaf72 Johann Lombardi   2011-05-24  138  	unsigned mmp_check_interval;
c5e06d101aaf72 Johann Lombardi   2011-05-24  139  	unsigned long last_update_time;
c5e06d101aaf72 Johann Lombardi   2011-05-24  140  	unsigned long diff;
c5e06d101aaf72 Johann Lombardi   2011-05-24  141  	int retval;
c5e06d101aaf72 Johann Lombardi   2011-05-24  142  
c5e06d101aaf72 Johann Lombardi   2011-05-24  143  	mmp_block = le64_to_cpu(es->s_mmp_block);
c5e06d101aaf72 Johann Lombardi   2011-05-24  144  	mmp = (struct mmp_struct *)(bh->b_data);
af123b3718592a Arnd Bergmann     2018-07-29  145  	mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi   2011-05-24  146  	/*
c5e06d101aaf72 Johann Lombardi   2011-05-24  147  	 * Start with the higher mmp_check_interval and reduce it if
c5e06d101aaf72 Johann Lombardi   2011-05-24  148  	 * the MMP block is being updated on time.
c5e06d101aaf72 Johann Lombardi   2011-05-24  149  	 */
c5e06d101aaf72 Johann Lombardi   2011-05-24  150  	mmp_check_interval = max(EXT4_MMP_CHECK_MULT * mmp_update_interval,
c5e06d101aaf72 Johann Lombardi   2011-05-24  151  				 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi   2011-05-24  152  	mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
14c9ca0583eee8 Andreas Dilger    2020-01-26  153  	BUILD_BUG_ON(sizeof(mmp->mmp_bdevname) < BDEVNAME_SIZE);
c5e06d101aaf72 Johann Lombardi   2011-05-24  154  	bdevname(bh->b_bdev, mmp->mmp_bdevname);
c5e06d101aaf72 Johann Lombardi   2011-05-24  155  
215fc6af739d2d Nikitas Angelinas 2011-10-18  156  	memcpy(mmp->mmp_nodename, init_utsname()->nodename,
c5e06d101aaf72 Johann Lombardi   2011-05-24  157  	       sizeof(mmp->mmp_nodename));
c5e06d101aaf72 Johann Lombardi   2011-05-24  158  
c5e06d101aaf72 Johann Lombardi   2011-05-24  159  	while (!kthread_should_stop()) {
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  160  		if (!(le32_to_cpu(es->s_feature_incompat) &
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  161  		    EXT4_FEATURE_INCOMPAT_MMP)) {
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  162  			ext4_warning(sb, "kmmpd being stopped since MMP feature"
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  163  				     " has been disabled.");
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  164  			goto wait_to_exit;

Smatch complains about this goto.

37b4aa9eef5b3f Theodore Ts'o     2021-07-02  165  		}
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  166  		if (sb_rdonly(sb)) {
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  167  			schedule_timeout_interruptible(HZ);
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  168  			continue;
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  169  		}
c5e06d101aaf72 Johann Lombardi   2011-05-24  170  		if (++seq > EXT4_MMP_SEQ_MAX)
c5e06d101aaf72 Johann Lombardi   2011-05-24  171  			seq = 1;
c5e06d101aaf72 Johann Lombardi   2011-05-24  172  
c5e06d101aaf72 Johann Lombardi   2011-05-24  173  		mmp->mmp_seq = cpu_to_le32(seq);
af123b3718592a Arnd Bergmann     2018-07-29  174  		mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi   2011-05-24  175  		last_update_time = jiffies;
c5e06d101aaf72 Johann Lombardi   2011-05-24  176  
5c359a47e7d999 Darrick J. Wong   2012-04-29  177  		retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi   2011-05-24  178  		/*
c5e06d101aaf72 Johann Lombardi   2011-05-24  179  		 * Don't spew too many error messages. Print one every
c5e06d101aaf72 Johann Lombardi   2011-05-24  180  		 * (s_mmp_update_interval * 60) seconds.
c5e06d101aaf72 Johann Lombardi   2011-05-24  181  		 */
bdfc230f33a9da Nikitas Angelinas 2011-10-18  182  		if (retval) {
878520ac45f9f6 Theodore Ts'o     2019-11-19  183  			if ((failed_writes % 60) == 0) {
54d3adbc29f0c7 Theodore Ts'o     2020-03-28  184  				ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o     2020-03-28  185  					       "Error writing to MMP block");
878520ac45f9f6 Theodore Ts'o     2019-11-19  186  			}
c5e06d101aaf72 Johann Lombardi   2011-05-24  187  			failed_writes++;
c5e06d101aaf72 Johann Lombardi   2011-05-24  188  		}
c5e06d101aaf72 Johann Lombardi   2011-05-24  189  
c5e06d101aaf72 Johann Lombardi   2011-05-24  190  		diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi   2011-05-24  191  		if (diff < mmp_update_interval * HZ)
c5e06d101aaf72 Johann Lombardi   2011-05-24  192  			schedule_timeout_interruptible(mmp_update_interval *
c5e06d101aaf72 Johann Lombardi   2011-05-24  193  						       HZ - diff);
c5e06d101aaf72 Johann Lombardi   2011-05-24  194  
c5e06d101aaf72 Johann Lombardi   2011-05-24  195  		/*
c5e06d101aaf72 Johann Lombardi   2011-05-24  196  		 * We need to make sure that more than mmp_check_interval
c5e06d101aaf72 Johann Lombardi   2011-05-24  197  		 * seconds have not passed since writing. If that has happened
c5e06d101aaf72 Johann Lombardi   2011-05-24  198  		 * we need to check if the MMP block is as we left it.
c5e06d101aaf72 Johann Lombardi   2011-05-24  199  		 */
c5e06d101aaf72 Johann Lombardi   2011-05-24  200  		diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi   2011-05-24  201  		if (diff > mmp_check_interval * HZ) {
c5e06d101aaf72 Johann Lombardi   2011-05-24  202  			struct buffer_head *bh_check = NULL;
c5e06d101aaf72 Johann Lombardi   2011-05-24  203  			struct mmp_struct *mmp_check;
c5e06d101aaf72 Johann Lombardi   2011-05-24  204  
c5e06d101aaf72 Johann Lombardi   2011-05-24  205  			retval = read_mmp_block(sb, &bh_check, mmp_block);
c5e06d101aaf72 Johann Lombardi   2011-05-24  206  			if (retval) {
54d3adbc29f0c7 Theodore Ts'o     2020-03-28  207  				ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o     2020-03-28  208  					       "error reading MMP data: %d",
c5e06d101aaf72 Johann Lombardi   2011-05-24  209  					       retval);
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  210  				goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi   2011-05-24  211  			}
c5e06d101aaf72 Johann Lombardi   2011-05-24  212  
c5e06d101aaf72 Johann Lombardi   2011-05-24  213  			mmp_check = (struct mmp_struct *)(bh_check->b_data);
c5e06d101aaf72 Johann Lombardi   2011-05-24  214  			if (mmp->mmp_seq != mmp_check->mmp_seq ||
c5e06d101aaf72 Johann Lombardi   2011-05-24  215  			    memcmp(mmp->mmp_nodename, mmp_check->mmp_nodename,
c5e06d101aaf72 Johann Lombardi   2011-05-24  216  				   sizeof(mmp->mmp_nodename))) {
c5e06d101aaf72 Johann Lombardi   2011-05-24  217  				dump_mmp_msg(sb, mmp_check,
c5e06d101aaf72 Johann Lombardi   2011-05-24  218  					     "Error while updating MMP info. "
c5e06d101aaf72 Johann Lombardi   2011-05-24  219  					     "The filesystem seems to have been"
c5e06d101aaf72 Johann Lombardi   2011-05-24  220  					     " multiply mounted.");
54d3adbc29f0c7 Theodore Ts'o     2020-03-28  221  				ext4_error_err(sb, EBUSY, "abort");
0304688676bdfc vikram.jadhav07   2016-03-13  222  				put_bh(bh_check);
0304688676bdfc vikram.jadhav07   2016-03-13  223  				retval = -EBUSY;
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  224  				goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi   2011-05-24  225  			}
c5e06d101aaf72 Johann Lombardi   2011-05-24  226  			put_bh(bh_check);
c5e06d101aaf72 Johann Lombardi   2011-05-24  227  		}
c5e06d101aaf72 Johann Lombardi   2011-05-24  228  
c5e06d101aaf72 Johann Lombardi   2011-05-24  229  		 /*
c5e06d101aaf72 Johann Lombardi   2011-05-24  230  		 * Adjust the mmp_check_interval depending on how much time
c5e06d101aaf72 Johann Lombardi   2011-05-24  231  		 * it took for the MMP block to be written.
c5e06d101aaf72 Johann Lombardi   2011-05-24  232  		 */
c5e06d101aaf72 Johann Lombardi   2011-05-24  233  		mmp_check_interval = max(min(EXT4_MMP_CHECK_MULT * diff / HZ,
c5e06d101aaf72 Johann Lombardi   2011-05-24  234  					     EXT4_MMP_MAX_CHECK_INTERVAL),
c5e06d101aaf72 Johann Lombardi   2011-05-24  235  					 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi   2011-05-24  236  		mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
c5e06d101aaf72 Johann Lombardi   2011-05-24  237  	}
c5e06d101aaf72 Johann Lombardi   2011-05-24  238  
c5e06d101aaf72 Johann Lombardi   2011-05-24  239  	/*
c5e06d101aaf72 Johann Lombardi   2011-05-24  240  	 * Unmount seems to be clean.
c5e06d101aaf72 Johann Lombardi   2011-05-24  241  	 */
c5e06d101aaf72 Johann Lombardi   2011-05-24  242  	mmp->mmp_seq = cpu_to_le32(EXT4_MMP_SEQ_CLEAN);
af123b3718592a Arnd Bergmann     2018-07-29  243  	mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi   2011-05-24  244  
5c359a47e7d999 Darrick J. Wong   2012-04-29  245  	retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi   2011-05-24  246  
0304688676bdfc vikram.jadhav07   2016-03-13  247  exit_thread:
c5e06d101aaf72 Johann Lombardi   2011-05-24  248  	return retval;
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  249  wait_to_exit:
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  250  	while (!kthread_should_stop())
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  251  		schedule();
37b4aa9eef5b3f Theodore Ts'o     2021-07-02 @252  	return retval;
37b4aa9eef5b3f Theodore Ts'o     2021-07-02  253  
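Review bot: The smatch warning is genuine: the `goto wait_to_exit` at line 164, taken when the MMP incompat feature has been cleared, reaches `return retval;` at line 252 without `retval` ever having been assigned, so the thread's exit status is an uninitialized read; the two other jumps to that label (lines 210 and 224) do set it first. Initializing at the declaration, `int retval = 0;` at line 141, closes the gap and makes the feature-disabled stop report success the same way the clean-unmount path does. Separately, no `goto exit_thread` remains in the listed body, so the `exit_thread:` label at line 247 appears unused now and will likely draw an unused-label warning; dropping it, or merging its `return retval;` with the one under `wait_to_exit:`, would tidy the exit paths. kmmpd's closing brace lies past the end of the listing.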

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx




