[PATCH 5.15 00/20] Fix NULL pointer dereference for corrupted UDF filesystems

UDF filesystems which have relocated blocks past the end of the device may
lead to a dcache without an inode that would lead to a NULL pointer
dereference, like this:

[   20.554242] attempt to access beyond end of device
[   20.554242] loop0: rw=2049, want=2054, limit=2048
[   20.557322] Buffer I/O error on dev loop0, logical block 1026, lost async page write
[   20.562948] ==================================================================
[   20.565002] BUG: KASAN: null-ptr-deref in path_openat+0x6ae/0x9f9
[   20.566460] Read of size 2 at addr 0000000000000000 by task repro/415
[   20.567768]
[   20.568112] CPU: 0 PID: 415 Comm: repro Not tainted 5.15.168-rc1-00692-g63cec7aeaef7 #5
[   20.569739] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[   20.571549] Call Trace:
[   20.571965]  <TASK>
[   20.572338]  dump_stack_lvl+0x45/0x5d
[   20.572991]  ? path_openat+0x6ae/0x9f9
[   20.573742]  kasan_report+0x1b7/0x1d8
[   20.574559]  ? path_openat+0x6ae/0x9f9
[   20.575241]  path_openat+0x6ae/0x9f9
[   20.575915]  ? may_open+0x135/0x135
[   20.576839]  ? lockdep_hardirqs_on_prepare+0x1f1/0x1f1
[   20.577953]  ? kvm_sched_clock_read+0x5/0x11
[   20.579140]  ? sched_clock_cpu+0x1a/0x106
[   20.580687]  do_filp_open+0xab/0x12e
[   20.582278]  ? path_openat+0x9f9/0x9f9
[   20.583503]  ? kvm_sched_clock_read+0x5/0x11
[   20.584925]  ? lock_downgrade+0x324/0x324
[   20.586144]  ? lock_acquired+0x2d1/0x333
[   20.587385]  ? __check_heap_object+0x5d/0xe0
[   20.588436]  ? do_raw_spin_unlock+0xca/0xd6
[   20.589853]  ? _raw_spin_unlock+0x1a/0x2e
[   20.590697]  ? alloc_fd+0x218/0x22e
[   20.591460]  do_sys_openat2+0xbd/0x15c
[   20.592241]  ? file_open_root+0xee/0xee
[   20.593034]  ? lock_downgrade+0x324/0x324
[   20.593839]  do_sys_open+0x7b/0xac
[   20.594532]  ? filp_open+0x43/0x43
[   20.595138]  ? lockdep_hardirqs_on_prepare+0x1ce/0x1f1
[   20.596062]  ? __x64_sys_creat+0x1b/0x33
[   20.596796]  do_syscall_64+0x6d/0x84
[   20.597485]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[   20.598359] RIP: 0033:0x79f47fd46c7d
[   20.599067] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 81 0d 00 f7 d8 64 89 01 48
[   20.603403] RSP: 002b:00007fffca44e7f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000055
[   20.605712] RAX: ffffffffffffffda RBX: 00007fffca44e928 RCX: 000079f47fd46c7d
[   20.607476] RDX: 000079f47fd46c7d RSI: 0000000000000000 RDI: 0000000020000d00
[   20.609956] RBP: 00007fffca44e810 R08: 0000000000000000 R09: 0000000000000000
[   20.612074] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[   20.613364] R13: 00007fffca44e938 R14: 00005c3ad8078d10 R15: 000079f47fe87000
[   20.615618]  </TASK>
[   20.616752] ==================================================================
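The log above shows the root of the problem: a relocated block whose target (want=2054) lies past the end of the 2048-block device, after which the directory code proceeds with a dentry that has no inode. The following is an added example that is not part of this patch series or the kernel's UDF implementation; it sketches the defensive check in a hypothetical, self-contained block remap routine (struct and function names are invented here, and the device size and sparing entry are constructed to mirror the numbers in the log) so that a remap target beyond the device is rejected before any I/O or dentry creation happens.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sparing-table entry: a defective block and the block it was
 * relocated to.  Not the kernel's struct; names are constructed for this
 * example. */
struct spare_entry {
    uint32_t orig;   /* original (defective) block */
    uint32_t mapped; /* relocated block in the sparing area */
};

/* Hypothetical device view: total block count plus the relocation table. */
struct udf_dev {
    uint32_t nr_blocks;              /* blocks on the device (the "limit") */
    const struct spare_entry *table; /* relocation entries */
    size_t nr_entries;
};

enum remap_status {
    REMAP_OK = 0,
    REMAP_CORRUPT = -1, /* relocation target lies beyond the device */
};

/* Translate a logical block through the relocation table.  Returns REMAP_OK
 * and stores the physical block in *out, or REMAP_CORRUPT when the target
 * would fall past the end of the device, i.e. the situation that produced
 * "attempt to access beyond end of device" in the log.  A caller that gets
 * REMAP_CORRUPT must fail the lookup instead of continuing with a dentry
 * that has no inode behind it. */
int udf_remap_block(const struct udf_dev *dev, uint32_t block, uint32_t *out)
{
    uint32_t target = block;

    for (size_t i = 0; i < dev->nr_entries; i++) {
        if (dev->table[i].orig == block) {
            target = dev->table[i].mapped;
            break;
        }
    }

    /* Bounds check against the device size: a table taken from a corrupted
     * image may point anywhere, so the check cannot be skipped. */
    if (target >= dev->nr_blocks)
        return REMAP_CORRUPT;

    *out = target;
    return REMAP_OK;
}

/* Constructed scenario mirroring the log: a 2048-block device whose table
 * relocates logical block 1026 to block 2054, past the end of the device. */
static const struct spare_entry corrupt_table[] = { { 1026, 2054 } };
static const struct udf_dev corrupt_dev = { 2048, corrupt_table, 1 };

/* Remap the block from the log; expected to be rejected as corrupt. */
int check_corrupt_remap(void)
{
    uint32_t out = 0;
    return udf_remap_block(&corrupt_dev, 1026, &out);
}

/* Remap a block with no relocation entry; returns 1 when it maps to itself. */
int check_identity_remap(uint32_t block)
{
    uint32_t out = 0;
    return udf_remap_block(&corrupt_dev, block, &out) == REMAP_OK && out == block;
}

int main(void)
{
    uint32_t out = 0;
    int rc = udf_remap_block(&corrupt_dev, 1026, &out);

    if (rc == REMAP_CORRUPT)
        printf("block 1026 -> relocated past device end (limit=%u), rejected\n",
               corrupt_dev.nr_blocks);
    else
        printf("block 1026 -> %u\n", out);
    return 0;
}
```

The point of the example is where the check sits: the relocation target is validated when it is resolved, so the error surfaces as a clean lookup failure rather than as an I/O error followed by a NULL pointer dereference in path_openat().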

Jan Kara (19):
  udf: New directory iteration code
  udf: Convert udf_expand_dir_adinicb() to new directory iteration
  udf: Move udf_expand_dir_adinicb() to its callsite
  udf: Implement searching for directory entry using new iteration code
  udf: Provide function to mark entry as deleted using new directory
    iteration code
  udf: Convert udf_rename() to new directory iteration code
  udf: Convert udf_readdir() to new directory iteration
  udf: Convert udf_lookup() to use new directory iteration code
  udf: Convert udf_get_parent() to new directory iteration code
  udf: Convert empty_dir() to new directory iteration code
  udf: Convert udf_rmdir() to new directory iteration code
  udf: Convert udf_unlink() to new directory iteration code
  udf: Implement adding of dir entries using new iteration code
  udf: Convert udf_add_nondir() to new directory iteration
  udf: Convert udf_mkdir() to new directory iteration code
  udf: Convert udf_link() to new directory iteration code
  udf: Remove old directory iteration code
  udf: Handle error when expanding directory
  udf: Don't return bh from udf_expand_dir_adinicb()

 fs/udf/dir.c       |  148 ++-----
 fs/udf/directory.c |  564 ++++++++++++++++++------
 fs/udf/inode.c     |   90 ----
 fs/udf/namei.c     | 1052 +++++++++++++++-----------------------------
 fs/udf/udfdecl.h   |   45 +-
 5 files changed, 825 insertions(+), 1074 deletions(-)

-- 
2.34.1