On Thu, Apr 18, 2024 at 11:03:30AM -0700, Marius Fleischer wrote:
> Hi,
>
>
> We would like to report the following bug which has been found by our
> modified version of syzkaller.
>
> ======================================================
>
> description: KASAN: null-ptr-deref Write in xlog_cil_commit
>
> affected file: fs/xfs/xfs_log_cil.c
>
> kernel version: 5.15.156
Really old kernel.
> We took a very brief look at the code. Is it possible that there is a check
> missing for the return value of kvmalloc at fs/xfs/xfs_log_cil.c:224?
>
> lv = kvmalloc(buf_size, GFP_KERNEL);
> memset(lv, 0, xlog_cil_iovec_space(niovecs));
I've never seen that memory allocation fail there, and that code has
been using an unchecked, open coded kvmalloc() for well over a
decade. We replaced it with a direct call to kvmalloc() in 5.15,
but the failure semantics here never changed.
But I guess it could fail if error injection is enabled,
and because we used to call __vmalloc() directly it may never have
had errors injected?
But, regardless, that's completely irrelevant.
We replaced the kvmalloc() call there with a guaranteed "no fail"
open coded loop in 5.17 for performance reasons, so this open coded
kvmalloc() call only existed in 5.15 and 5.16. See commit
8dc9384b7d75 ("xfs: reduce kvmalloc overhead for CIL shadow
buffers").
-Dave.
--
Dave Chinner
david@xxxxxxxxxxxxx
