<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/jffs2, branch linux-4.9.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>jffs2: fix memory leak in jffs2_do_fill_super</title>
<updated>2022-06-14T14:52:38+00:00</updated>
<author>
<name>Baokun Li</name>
<email>libaokun1@huawei.com</email>
</author>
<published>2022-04-12T09:38:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4ba7bbeab8009faf3a726e565d98816593ddd5b0'/>
<id>4ba7bbeab8009faf3a726e565d98816593ddd5b0</id>
<content type='text'>
[ Upstream commit c14adb1cf70a984ed081c67e9d27bc3caad9537c ]

If jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns
an error, we can observe the following kmemleak report:

--------------------------------------------
unreferenced object 0xffff888105a65340 (size 64):
  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;ffffffff859c45e5&gt;] kmem_cache_alloc_trace+0x475/0x8a0
    [&lt;ffffffff86160146&gt;] jffs2_sum_init+0x96/0x1a0
    [&lt;ffffffff86140e25&gt;] jffs2_do_mount_fs+0x745/0x2120
    [&lt;ffffffff86149fec&gt;] jffs2_do_fill_super+0x35c/0x810
    [&lt;ffffffff8614aae9&gt;] jffs2_fill_super+0x2b9/0x3b0
    [...]
unreferenced object 0xffff8881bd7f0000 (size 65536):
  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
  hex dump (first 32 bytes):
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  backtrace:
    [&lt;ffffffff858579ba&gt;] kmalloc_order+0xda/0x110
    [&lt;ffffffff85857a11&gt;] kmalloc_order_trace+0x21/0x130
    [&lt;ffffffff859c2ed1&gt;] __kmalloc+0x711/0x8a0
    [&lt;ffffffff86160189&gt;] jffs2_sum_init+0xd9/0x1a0
    [&lt;ffffffff86140e25&gt;] jffs2_do_mount_fs+0x745/0x2120
    [&lt;ffffffff86149fec&gt;] jffs2_do_fill_super+0x35c/0x810
    [&lt;ffffffff8614aae9&gt;] jffs2_fill_super+0x2b9/0x3b0
    [...]
--------------------------------------------

This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.

Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Signed-off-by: Baokun Li &lt;libaokun1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c14adb1cf70a984ed081c67e9d27bc3caad9537c ]

If jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns
an error, we can observe the following kmemleak report:

--------------------------------------------
unreferenced object 0xffff888105a65340 (size 64):
  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;ffffffff859c45e5&gt;] kmem_cache_alloc_trace+0x475/0x8a0
    [&lt;ffffffff86160146&gt;] jffs2_sum_init+0x96/0x1a0
    [&lt;ffffffff86140e25&gt;] jffs2_do_mount_fs+0x745/0x2120
    [&lt;ffffffff86149fec&gt;] jffs2_do_fill_super+0x35c/0x810
    [&lt;ffffffff8614aae9&gt;] jffs2_fill_super+0x2b9/0x3b0
    [...]
unreferenced object 0xffff8881bd7f0000 (size 65536):
  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
  hex dump (first 32 bytes):
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  backtrace:
    [&lt;ffffffff858579ba&gt;] kmalloc_order+0xda/0x110
    [&lt;ffffffff85857a11&gt;] kmalloc_order_trace+0x21/0x130
    [&lt;ffffffff859c2ed1&gt;] __kmalloc+0x711/0x8a0
    [&lt;ffffffff86160189&gt;] jffs2_sum_init+0xd9/0x1a0
    [&lt;ffffffff86140e25&gt;] jffs2_do_mount_fs+0x745/0x2120
    [&lt;ffffffff86149fec&gt;] jffs2_do_fill_super+0x35c/0x810
    [&lt;ffffffff8614aae9&gt;] jffs2_fill_super+0x2b9/0x3b0
    [...]
--------------------------------------------

This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.

Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Signed-off-by: Baokun Li &lt;libaokun1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: fix memory leak in jffs2_scan_medium</title>
<updated>2022-04-20T07:06:29+00:00</updated>
<author>
<name>Baokun Li</name>
<email>libaokun1@huawei.com</email>
</author>
<published>2022-01-14T10:28:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9b0c69182f09b70779817af4dcf89780955d5c4c'/>
<id>9b0c69182f09b70779817af4dcf89780955d5c4c</id>
<content type='text'>
commit 9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df upstream.

If an error is returned in jffs2_scan_eraseblock() and some memory
has been added to the jffs2_summary *s, we can observe the following
kmemleak report:

--------------------------------------------
unreferenced object 0xffff88812b889c40 (size 64):
  comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
  hex dump (first 32 bytes):
    40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00  @H........1...P.
    00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08  ................
  backtrace:
    [&lt;ffffffffae93a3a3&gt;] __kmalloc+0x613/0x910
    [&lt;ffffffffaf423b9c&gt;] jffs2_sum_add_dirent_mem+0x5c/0xa0
    [&lt;ffffffffb0f3afa8&gt;] jffs2_scan_medium.cold+0x36e5/0x4794
    [&lt;ffffffffb0f3dbe1&gt;] jffs2_do_mount_fs.cold+0xa7/0x2267
    [&lt;ffffffffaf40acf3&gt;] jffs2_do_fill_super+0x383/0xc30
    [&lt;ffffffffaf40c00a&gt;] jffs2_fill_super+0x2ea/0x4c0
    [&lt;ffffffffb0315d64&gt;] mtd_get_sb+0x254/0x400
    [&lt;ffffffffb0315f5f&gt;] mtd_get_sb_by_nr+0x4f/0xd0
    [&lt;ffffffffb0316478&gt;] get_tree_mtd+0x498/0x840
    [&lt;ffffffffaf40bd15&gt;] jffs2_get_tree+0x25/0x30
    [&lt;ffffffffae9f358d&gt;] vfs_get_tree+0x8d/0x2e0
    [&lt;ffffffffaea7a98f&gt;] path_mount+0x50f/0x1e50
    [&lt;ffffffffaea7c3d7&gt;] do_mount+0x107/0x130
    [&lt;ffffffffaea7c5c5&gt;] __se_sys_mount+0x1c5/0x2f0
    [&lt;ffffffffaea7c917&gt;] __x64_sys_mount+0xc7/0x160
    [&lt;ffffffffb10142f5&gt;] do_syscall_64+0x45/0x70
unreferenced object 0xffff888114b54840 (size 32):
  comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
  hex dump (first 32 bytes):
    c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00  .u..............
    00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5  ......D...kkkkk.
  backtrace:
    [&lt;ffffffffae93be24&gt;] kmem_cache_alloc_trace+0x584/0x880
    [&lt;ffffffffaf423b04&gt;] jffs2_sum_add_inode_mem+0x54/0x90
    [&lt;ffffffffb0f3bd44&gt;] jffs2_scan_medium.cold+0x4481/0x4794
    [...]
unreferenced object 0xffff888114b57280 (size 32):
  comm "mount", pid 692, jiffies 4294838393 (age 34.357s)
  hex dump (first 32 bytes):
    10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00  ..l.............
    00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5  ..8...(...kkkkk.
  backtrace:
    [&lt;ffffffffae93be24&gt;] kmem_cache_alloc_trace+0x584/0x880
    [&lt;ffffffffaf423c34&gt;] jffs2_sum_add_xattr_mem+0x54/0x90
    [&lt;ffffffffb0f3a24f&gt;] jffs2_scan_medium.cold+0x298c/0x4794
    [...]
unreferenced object 0xffff8881116cd510 (size 16):
  comm "mount", pid 692, jiffies 4294838395 (age 34.355s)
  hex dump (first 16 bytes):
    00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5  ..........`...k.
  backtrace:
    [&lt;ffffffffae93be24&gt;] kmem_cache_alloc_trace+0x584/0x880
    [&lt;ffffffffaf423cc4&gt;] jffs2_sum_add_xref_mem+0x54/0x90
    [&lt;ffffffffb0f3b2e3&gt;] jffs2_scan_medium.cold+0x3a20/0x4794
    [...]
--------------------------------------------

Therefore, we should call jffs2_sum_reset_collected(s) on exit to
release the memory added in s. In addition, a new tag "out_buf" is
added to prevent the NULL pointer reference caused by s being NULL.
(thanks to Zhang Yi for this analysis)

Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: stable@vger.kernel.org
Co-developed-with: Zhihao Cheng &lt;chengzhihao1@huawei.com&gt;
Signed-off-by: Baokun Li &lt;libaokun1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df upstream.

If an error is returned in jffs2_scan_eraseblock() and some memory
has been added to the jffs2_summary *s, we can observe the following
kmemleak report:

--------------------------------------------
unreferenced object 0xffff88812b889c40 (size 64):
  comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
  hex dump (first 32 bytes):
    40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00  @H........1...P.
    00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08  ................
  backtrace:
    [&lt;ffffffffae93a3a3&gt;] __kmalloc+0x613/0x910
    [&lt;ffffffffaf423b9c&gt;] jffs2_sum_add_dirent_mem+0x5c/0xa0
    [&lt;ffffffffb0f3afa8&gt;] jffs2_scan_medium.cold+0x36e5/0x4794
    [&lt;ffffffffb0f3dbe1&gt;] jffs2_do_mount_fs.cold+0xa7/0x2267
    [&lt;ffffffffaf40acf3&gt;] jffs2_do_fill_super+0x383/0xc30
    [&lt;ffffffffaf40c00a&gt;] jffs2_fill_super+0x2ea/0x4c0
    [&lt;ffffffffb0315d64&gt;] mtd_get_sb+0x254/0x400
    [&lt;ffffffffb0315f5f&gt;] mtd_get_sb_by_nr+0x4f/0xd0
    [&lt;ffffffffb0316478&gt;] get_tree_mtd+0x498/0x840
    [&lt;ffffffffaf40bd15&gt;] jffs2_get_tree+0x25/0x30
    [&lt;ffffffffae9f358d&gt;] vfs_get_tree+0x8d/0x2e0
    [&lt;ffffffffaea7a98f&gt;] path_mount+0x50f/0x1e50
    [&lt;ffffffffaea7c3d7&gt;] do_mount+0x107/0x130
    [&lt;ffffffffaea7c5c5&gt;] __se_sys_mount+0x1c5/0x2f0
    [&lt;ffffffffaea7c917&gt;] __x64_sys_mount+0xc7/0x160
    [&lt;ffffffffb10142f5&gt;] do_syscall_64+0x45/0x70
unreferenced object 0xffff888114b54840 (size 32):
  comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
  hex dump (first 32 bytes):
    c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00  .u..............
    00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5  ......D...kkkkk.
  backtrace:
    [&lt;ffffffffae93be24&gt;] kmem_cache_alloc_trace+0x584/0x880
    [&lt;ffffffffaf423b04&gt;] jffs2_sum_add_inode_mem+0x54/0x90
    [&lt;ffffffffb0f3bd44&gt;] jffs2_scan_medium.cold+0x4481/0x4794
    [...]
unreferenced object 0xffff888114b57280 (size 32):
  comm "mount", pid 692, jiffies 4294838393 (age 34.357s)
  hex dump (first 32 bytes):
    10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00  ..l.............
    00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5  ..8...(...kkkkk.
  backtrace:
    [&lt;ffffffffae93be24&gt;] kmem_cache_alloc_trace+0x584/0x880
    [&lt;ffffffffaf423c34&gt;] jffs2_sum_add_xattr_mem+0x54/0x90
    [&lt;ffffffffb0f3a24f&gt;] jffs2_scan_medium.cold+0x298c/0x4794
    [...]
unreferenced object 0xffff8881116cd510 (size 16):
  comm "mount", pid 692, jiffies 4294838395 (age 34.355s)
  hex dump (first 16 bytes):
    00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5  ..........`...k.
  backtrace:
    [&lt;ffffffffae93be24&gt;] kmem_cache_alloc_trace+0x584/0x880
    [&lt;ffffffffaf423cc4&gt;] jffs2_sum_add_xref_mem+0x54/0x90
    [&lt;ffffffffb0f3b2e3&gt;] jffs2_scan_medium.cold+0x3a20/0x4794
    [...]
--------------------------------------------

Therefore, we should call jffs2_sum_reset_collected(s) on exit to
release the memory added in s. In addition, a new tag "out_buf" is
added to prevent the NULL pointer reference caused by s being NULL.
(thanks to Zhang Yi for this analysis)

Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: stable@vger.kernel.org
Co-developed-with: Zhihao Cheng &lt;chengzhihao1@huawei.com&gt;
Signed-off-by: Baokun Li &lt;libaokun1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: fix memory leak in jffs2_do_mount_fs</title>
<updated>2022-04-20T07:06:29+00:00</updated>
<author>
<name>Baokun Li</name>
<email>libaokun1@huawei.com</email>
</author>
<published>2022-01-14T10:28:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2a9d8184458562e6bf2f40d0e677fc85e2dd3834'/>
<id>2a9d8184458562e6bf2f40d0e677fc85e2dd3834</id>
<content type='text'>
commit d051cef784de4d54835f6b6836d98a8f6935772c upstream.

If jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,
we can observe the following kmemleak report:

--------------------------------------------
unreferenced object 0xffff88811b25a640 (size 64):
  comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;ffffffffa493be24&gt;] kmem_cache_alloc_trace+0x584/0x880
    [&lt;ffffffffa5423a06&gt;] jffs2_sum_init+0x86/0x130
    [&lt;ffffffffa5400e58&gt;] jffs2_do_mount_fs+0x798/0xac0
    [&lt;ffffffffa540acf3&gt;] jffs2_do_fill_super+0x383/0xc30
    [&lt;ffffffffa540c00a&gt;] jffs2_fill_super+0x2ea/0x4c0
    [...]
unreferenced object 0xffff88812c760000 (size 65536):
  comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
  hex dump (first 32 bytes):
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  backtrace:
    [&lt;ffffffffa493a449&gt;] __kmalloc+0x6b9/0x910
    [&lt;ffffffffa5423a57&gt;] jffs2_sum_init+0xd7/0x130
    [&lt;ffffffffa5400e58&gt;] jffs2_do_mount_fs+0x798/0xac0
    [&lt;ffffffffa540acf3&gt;] jffs2_do_fill_super+0x383/0xc30
    [&lt;ffffffffa540c00a&gt;] jffs2_fill_super+0x2ea/0x4c0
    [...]
--------------------------------------------

This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.

Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: stable@vger.kernel.org
Signed-off-by: Baokun Li &lt;libaokun1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d051cef784de4d54835f6b6836d98a8f6935772c upstream.

If jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,
we can observe the following kmemleak report:

--------------------------------------------
unreferenced object 0xffff88811b25a640 (size 64):
  comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;ffffffffa493be24&gt;] kmem_cache_alloc_trace+0x584/0x880
    [&lt;ffffffffa5423a06&gt;] jffs2_sum_init+0x86/0x130
    [&lt;ffffffffa5400e58&gt;] jffs2_do_mount_fs+0x798/0xac0
    [&lt;ffffffffa540acf3&gt;] jffs2_do_fill_super+0x383/0xc30
    [&lt;ffffffffa540c00a&gt;] jffs2_fill_super+0x2ea/0x4c0
    [...]
unreferenced object 0xffff88812c760000 (size 65536):
  comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
  hex dump (first 32 bytes):
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
  backtrace:
    [&lt;ffffffffa493a449&gt;] __kmalloc+0x6b9/0x910
    [&lt;ffffffffa5423a57&gt;] jffs2_sum_init+0xd7/0x130
    [&lt;ffffffffa5400e58&gt;] jffs2_do_mount_fs+0x798/0xac0
    [&lt;ffffffffa540acf3&gt;] jffs2_do_fill_super+0x383/0xc30
    [&lt;ffffffffa540c00a&gt;] jffs2_fill_super+0x2ea/0x4c0
    [...]
--------------------------------------------

This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.

Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: stable@vger.kernel.org
Signed-off-by: Baokun Li &lt;libaokun1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: fix use-after-free in jffs2_clear_xattr_subsystem</title>
<updated>2022-04-20T07:06:29+00:00</updated>
<author>
<name>Baokun Li</name>
<email>libaokun1@huawei.com</email>
</author>
<published>2021-12-28T12:54:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9150cb625b46f68d524f4cfd491f1aafc23e10a9'/>
<id>9150cb625b46f68d524f4cfd491f1aafc23e10a9</id>
<content type='text'>
commit 4c7c44ee1650677fbe89d86edbad9497b7679b5c upstream.

When we mount a jffs2 image, assume that the first few blocks of
the image are normal and contain at least one xattr-related inode,
but the next block is abnormal. As a result, an error is returned
in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then
called in jffs2_build_filesystem() and then again in
jffs2_do_fill_super().

Finally we can observe the following report:
 ==================================================================
 BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
 Read of size 8 at addr ffff8881243384e0 by task mount/719

 Call Trace:
  dump_stack+0x115/0x16b
  jffs2_clear_xattr_subsystem+0x95/0x6ac
  jffs2_do_fill_super+0x84f/0xc30
  jffs2_fill_super+0x2ea/0x4c0
  mtd_get_sb+0x254/0x400
  mtd_get_sb_by_nr+0x4f/0xd0
  get_tree_mtd+0x498/0x840
  jffs2_get_tree+0x25/0x30
  vfs_get_tree+0x8d/0x2e0
  path_mount+0x50f/0x1e50
  do_mount+0x107/0x130
  __se_sys_mount+0x1c5/0x2f0
  __x64_sys_mount+0xc7/0x160
  do_syscall_64+0x45/0x70
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

 Allocated by task 719:
  kasan_save_stack+0x23/0x60
  __kasan_kmalloc.constprop.0+0x10b/0x120
  kasan_slab_alloc+0x12/0x20
  kmem_cache_alloc+0x1c0/0x870
  jffs2_alloc_xattr_ref+0x2f/0xa0
  jffs2_scan_medium.cold+0x3713/0x4794
  jffs2_do_mount_fs.cold+0xa7/0x2253
  jffs2_do_fill_super+0x383/0xc30
  jffs2_fill_super+0x2ea/0x4c0
 [...]

 Freed by task 719:
  kmem_cache_free+0xcc/0x7b0
  jffs2_free_xattr_ref+0x78/0x98
  jffs2_clear_xattr_subsystem+0xa1/0x6ac
  jffs2_do_mount_fs.cold+0x5e6/0x2253
  jffs2_do_fill_super+0x383/0xc30
  jffs2_fill_super+0x2ea/0x4c0
 [...]

 The buggy address belongs to the object at ffff8881243384b8
  which belongs to the cache jffs2_xattr_ref of size 48
 The buggy address is located 40 bytes inside of
  48-byte region [ffff8881243384b8, ffff8881243384e8)
 [...]
 ==================================================================

The triggering of the BUG is shown in the following stack:
-----------------------------------------------------------
jffs2_fill_super
  jffs2_do_fill_super
    jffs2_do_mount_fs
      jffs2_build_filesystem
        jffs2_scan_medium
          jffs2_scan_eraseblock        &lt;--- ERROR
        jffs2_clear_xattr_subsystem    &lt;--- free
    jffs2_clear_xattr_subsystem        &lt;--- free again
-----------------------------------------------------------

An error is returned in jffs2_do_mount_fs(). If the error is returned
by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to
be executed. If the error is returned by jffs2_build_filesystem(), the
jffs2_clear_xattr_subsystem() also does not need to be executed again.
So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'
to fix this UAF problem.

Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot &lt;hulkci@huawei.com&gt;
Signed-off-by: Baokun Li &lt;libaokun1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4c7c44ee1650677fbe89d86edbad9497b7679b5c upstream.

When we mount a jffs2 image, assume that the first few blocks of
the image are normal and contain at least one xattr-related inode,
but the next block is abnormal. As a result, an error is returned
in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then
called in jffs2_build_filesystem() and then again in
jffs2_do_fill_super().

Finally we can observe the following report:
 ==================================================================
 BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
 Read of size 8 at addr ffff8881243384e0 by task mount/719

 Call Trace:
  dump_stack+0x115/0x16b
  jffs2_clear_xattr_subsystem+0x95/0x6ac
  jffs2_do_fill_super+0x84f/0xc30
  jffs2_fill_super+0x2ea/0x4c0
  mtd_get_sb+0x254/0x400
  mtd_get_sb_by_nr+0x4f/0xd0
  get_tree_mtd+0x498/0x840
  jffs2_get_tree+0x25/0x30
  vfs_get_tree+0x8d/0x2e0
  path_mount+0x50f/0x1e50
  do_mount+0x107/0x130
  __se_sys_mount+0x1c5/0x2f0
  __x64_sys_mount+0xc7/0x160
  do_syscall_64+0x45/0x70
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

 Allocated by task 719:
  kasan_save_stack+0x23/0x60
  __kasan_kmalloc.constprop.0+0x10b/0x120
  kasan_slab_alloc+0x12/0x20
  kmem_cache_alloc+0x1c0/0x870
  jffs2_alloc_xattr_ref+0x2f/0xa0
  jffs2_scan_medium.cold+0x3713/0x4794
  jffs2_do_mount_fs.cold+0xa7/0x2253
  jffs2_do_fill_super+0x383/0xc30
  jffs2_fill_super+0x2ea/0x4c0
 [...]

 Freed by task 719:
  kmem_cache_free+0xcc/0x7b0
  jffs2_free_xattr_ref+0x78/0x98
  jffs2_clear_xattr_subsystem+0xa1/0x6ac
  jffs2_do_mount_fs.cold+0x5e6/0x2253
  jffs2_do_fill_super+0x383/0xc30
  jffs2_fill_super+0x2ea/0x4c0
 [...]

 The buggy address belongs to the object at ffff8881243384b8
  which belongs to the cache jffs2_xattr_ref of size 48
 The buggy address is located 40 bytes inside of
  48-byte region [ffff8881243384b8, ffff8881243384e8)
 [...]
 ==================================================================

The triggering of the BUG is shown in the following stack:
-----------------------------------------------------------
jffs2_fill_super
  jffs2_do_fill_super
    jffs2_do_mount_fs
      jffs2_build_filesystem
        jffs2_scan_medium
          jffs2_scan_eraseblock        &lt;--- ERROR
        jffs2_clear_xattr_subsystem    &lt;--- free
    jffs2_clear_xattr_subsystem        &lt;--- free again
-----------------------------------------------------------

An error is returned in jffs2_do_mount_fs(). If the error is returned
by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to
be executed. If the error is returned by jffs2_build_filesystem(), the
jffs2_clear_xattr_subsystem() also does not need to be executed again.
So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'
to fix this UAF problem.

Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot &lt;hulkci@huawei.com&gt;
Signed-off-by: Baokun Li &lt;libaokun1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: GC deadlock reading a page that is used in jffs2_write_begin()</title>
<updated>2022-01-27T07:47:38+00:00</updated>
<author>
<name>Kyeong Yoo</name>
<email>kyeong.yoo@alliedtelesis.co.nz</email>
</author>
<published>2017-07-04T04:22:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=02c04d12834a8bca1e54cdce3abc0bd93e0bd70a'/>
<id>02c04d12834a8bca1e54cdce3abc0bd93e0bd70a</id>
<content type='text'>
[ Upstream commit aa39cc675799bc92da153af9a13d6f969c348e82 ]

GC task can deadlock in read_cache_page() because it may attempt
to release a page that is actually allocated by another task in
jffs2_write_begin().
The reason is that in jffs2_write_begin() there is a small window
a cache page is allocated for use but not set Uptodate yet.

This ends up with a deadlock between two tasks:
1) A task (e.g. file copy)
   - jffs2_write_begin() locks a cache page
   - jffs2_write_end() tries to lock "alloc_sem" from
	 jffs2_reserve_space() &lt;-- STUCK
2) GC task (jffs2_gcd_mtd3)
   - jffs2_garbage_collect_pass() locks "alloc_sem"
   - try to lock the same cache page in read_cache_page() &lt;-- STUCK

So to avoid this deadlock, hold "alloc_sem" in jffs2_write_begin()
while reading data in a cache page.

Signed-off-by: Kyeong Yoo &lt;kyeong.yoo@alliedtelesis.co.nz&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit aa39cc675799bc92da153af9a13d6f969c348e82 ]

GC task can deadlock in read_cache_page() because it may attempt
to release a page that is actually allocated by another task in
jffs2_write_begin().
The reason is that in jffs2_write_begin() there is a small window
a cache page is allocated for use but not set Uptodate yet.

This ends up with a deadlock between two tasks:
1) A task (e.g. file copy)
   - jffs2_write_begin() locks a cache page
   - jffs2_write_end() tries to lock "alloc_sem" from
	 jffs2_reserve_space() &lt;-- STUCK
2) GC task (jffs2_gcd_mtd3)
   - jffs2_garbage_collect_pass() locks "alloc_sem"
   - try to lock the same cache page in read_cache_page() &lt;-- STUCK

So to avoid this deadlock, hold "alloc_sem" in jffs2_write_begin()
while reading data in a cache page.

Signed-off-by: Kyeong Yoo &lt;kyeong.yoo@alliedtelesis.co.nz&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: check the validity of dstlen in jffs2_zlib_compress()</title>
<updated>2021-05-22T08:40:19+00:00</updated>
<author>
<name>Yang Yang</name>
<email>yang.yang29@zte.com.cn</email>
</author>
<published>2021-01-28T10:55:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6fa27e51e4d32a55f0d83e8c4bc1799528ac674b'/>
<id>6fa27e51e4d32a55f0d83e8c4bc1799528ac674b</id>
<content type='text'>
commit 90ada91f4610c5ef11bc52576516d96c496fc3f1 upstream.

KASAN reports a BUG when download file in jffs2 filesystem.It is
because when dstlen == 1, cpage_out will write array out of bounds.
Actually, data will not be compressed in jffs2_zlib_compress() if
data's length less than 4.

[  393.799778] BUG: KASAN: slab-out-of-bounds in jffs2_rtime_compress+0x214/0x2f0 at addr ffff800062e3b281
[  393.809166] Write of size 1 by task tftp/2918
[  393.813526] CPU: 3 PID: 2918 Comm: tftp Tainted: G    B           4.9.115-rt93-EMBSYS-CGEL-6.1.R6-dirty #1
[  393.823173] Hardware name: LS1043A RDB Board (DT)
[  393.827870] Call trace:
[  393.830322] [&lt;ffff20000808c700&gt;] dump_backtrace+0x0/0x2f0
[  393.835721] [&lt;ffff20000808ca04&gt;] show_stack+0x14/0x20
[  393.840774] [&lt;ffff2000086ef700&gt;] dump_stack+0x90/0xb0
[  393.845829] [&lt;ffff20000827b19c&gt;] kasan_object_err+0x24/0x80
[  393.851402] [&lt;ffff20000827b404&gt;] kasan_report_error+0x1b4/0x4d8
[  393.857323] [&lt;ffff20000827bae8&gt;] kasan_report+0x38/0x40
[  393.862548] [&lt;ffff200008279d44&gt;] __asan_store1+0x4c/0x58
[  393.867859] [&lt;ffff2000084ce2ec&gt;] jffs2_rtime_compress+0x214/0x2f0
[  393.873955] [&lt;ffff2000084bb3b0&gt;] jffs2_selected_compress+0x178/0x2a0
[  393.880308] [&lt;ffff2000084bb530&gt;] jffs2_compress+0x58/0x478
[  393.885796] [&lt;ffff2000084c5b34&gt;] jffs2_write_inode_range+0x13c/0x450
[  393.892150] [&lt;ffff2000084be0b8&gt;] jffs2_write_end+0x2a8/0x4a0
[  393.897811] [&lt;ffff2000081f3008&gt;] generic_perform_write+0x1c0/0x280
[  393.903990] [&lt;ffff2000081f5074&gt;] __generic_file_write_iter+0x1c4/0x228
[  393.910517] [&lt;ffff2000081f5210&gt;] generic_file_write_iter+0x138/0x288
[  393.916870] [&lt;ffff20000829ec1c&gt;] __vfs_write+0x1b4/0x238
[  393.922181] [&lt;ffff20000829ff00&gt;] vfs_write+0xd0/0x238
[  393.927232] [&lt;ffff2000082a1ba8&gt;] SyS_write+0xa0/0x110
[  393.932283] [&lt;ffff20000808429c&gt;] __sys_trace_return+0x0/0x4
[  393.937851] Object at ffff800062e3b280, in cache kmalloc-64 size: 64
[  393.944197] Allocated:
[  393.946552] PID = 2918
[  393.948913]  save_stack_trace_tsk+0x0/0x220
[  393.953096]  save_stack_trace+0x18/0x20
[  393.956932]  kasan_kmalloc+0xd8/0x188
[  393.960594]  __kmalloc+0x144/0x238
[  393.963994]  jffs2_selected_compress+0x48/0x2a0
[  393.968524]  jffs2_compress+0x58/0x478
[  393.972273]  jffs2_write_inode_range+0x13c/0x450
[  393.976889]  jffs2_write_end+0x2a8/0x4a0
[  393.980810]  generic_perform_write+0x1c0/0x280
[  393.985251]  __generic_file_write_iter+0x1c4/0x228
[  393.990040]  generic_file_write_iter+0x138/0x288
[  393.994655]  __vfs_write+0x1b4/0x238
[  393.998228]  vfs_write+0xd0/0x238
[  394.001543]  SyS_write+0xa0/0x110
[  394.004856]  __sys_trace_return+0x0/0x4
[  394.008684] Freed:
[  394.010691] PID = 2918
[  394.013051]  save_stack_trace_tsk+0x0/0x220
[  394.017233]  save_stack_trace+0x18/0x20
[  394.021069]  kasan_slab_free+0x88/0x188
[  394.024902]  kfree+0x6c/0x1d8
[  394.027868]  jffs2_sum_write_sumnode+0x2c4/0x880
[  394.032486]  jffs2_do_reserve_space+0x198/0x598
[  394.037016]  jffs2_reserve_space+0x3f8/0x4d8
[  394.041286]  jffs2_write_inode_range+0xf0/0x450
[  394.045816]  jffs2_write_end+0x2a8/0x4a0
[  394.049737]  generic_perform_write+0x1c0/0x280
[  394.054179]  __generic_file_write_iter+0x1c4/0x228
[  394.058968]  generic_file_write_iter+0x138/0x288
[  394.063583]  __vfs_write+0x1b4/0x238
[  394.067157]  vfs_write+0xd0/0x238
[  394.070470]  SyS_write+0xa0/0x110
[  394.073783]  __sys_trace_return+0x0/0x4
[  394.077612] Memory state around the buggy address:
[  394.082404]  ffff800062e3b180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  394.089623]  ffff800062e3b200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  394.096842] &gt;ffff800062e3b280: 01 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  394.104056]                    ^
[  394.107283]  ffff800062e3b300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  394.114502]  ffff800062e3b380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  394.121718] ==================================================================

Signed-off-by: Yang Yang &lt;yang.yang29@zte.com.cn&gt;
Cc: Joel Stanley &lt;joel@jms.id.au&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 90ada91f4610c5ef11bc52576516d96c496fc3f1 upstream.

KASAN reports a BUG when download file in jffs2 filesystem.It is
because when dstlen == 1, cpage_out will write array out of bounds.
Actually, data will not be compressed in jffs2_zlib_compress() if
data's length less than 4.

[  393.799778] BUG: KASAN: slab-out-of-bounds in jffs2_rtime_compress+0x214/0x2f0 at addr ffff800062e3b281
[  393.809166] Write of size 1 by task tftp/2918
[  393.813526] CPU: 3 PID: 2918 Comm: tftp Tainted: G    B           4.9.115-rt93-EMBSYS-CGEL-6.1.R6-dirty #1
[  393.823173] Hardware name: LS1043A RDB Board (DT)
[  393.827870] Call trace:
[  393.830322] [&lt;ffff20000808c700&gt;] dump_backtrace+0x0/0x2f0
[  393.835721] [&lt;ffff20000808ca04&gt;] show_stack+0x14/0x20
[  393.840774] [&lt;ffff2000086ef700&gt;] dump_stack+0x90/0xb0
[  393.845829] [&lt;ffff20000827b19c&gt;] kasan_object_err+0x24/0x80
[  393.851402] [&lt;ffff20000827b404&gt;] kasan_report_error+0x1b4/0x4d8
[  393.857323] [&lt;ffff20000827bae8&gt;] kasan_report+0x38/0x40
[  393.862548] [&lt;ffff200008279d44&gt;] __asan_store1+0x4c/0x58
[  393.867859] [&lt;ffff2000084ce2ec&gt;] jffs2_rtime_compress+0x214/0x2f0
[  393.873955] [&lt;ffff2000084bb3b0&gt;] jffs2_selected_compress+0x178/0x2a0
[  393.880308] [&lt;ffff2000084bb530&gt;] jffs2_compress+0x58/0x478
[  393.885796] [&lt;ffff2000084c5b34&gt;] jffs2_write_inode_range+0x13c/0x450
[  393.892150] [&lt;ffff2000084be0b8&gt;] jffs2_write_end+0x2a8/0x4a0
[  393.897811] [&lt;ffff2000081f3008&gt;] generic_perform_write+0x1c0/0x280
[  393.903990] [&lt;ffff2000081f5074&gt;] __generic_file_write_iter+0x1c4/0x228
[  393.910517] [&lt;ffff2000081f5210&gt;] generic_file_write_iter+0x138/0x288
[  393.916870] [&lt;ffff20000829ec1c&gt;] __vfs_write+0x1b4/0x238
[  393.922181] [&lt;ffff20000829ff00&gt;] vfs_write+0xd0/0x238
[  393.927232] [&lt;ffff2000082a1ba8&gt;] SyS_write+0xa0/0x110
[  393.932283] [&lt;ffff20000808429c&gt;] __sys_trace_return+0x0/0x4
[  393.937851] Object at ffff800062e3b280, in cache kmalloc-64 size: 64
[  393.944197] Allocated:
[  393.946552] PID = 2918
[  393.948913]  save_stack_trace_tsk+0x0/0x220
[  393.953096]  save_stack_trace+0x18/0x20
[  393.956932]  kasan_kmalloc+0xd8/0x188
[  393.960594]  __kmalloc+0x144/0x238
[  393.963994]  jffs2_selected_compress+0x48/0x2a0
[  393.968524]  jffs2_compress+0x58/0x478
[  393.972273]  jffs2_write_inode_range+0x13c/0x450
[  393.976889]  jffs2_write_end+0x2a8/0x4a0
[  393.980810]  generic_perform_write+0x1c0/0x280
[  393.985251]  __generic_file_write_iter+0x1c4/0x228
[  393.990040]  generic_file_write_iter+0x138/0x288
[  393.994655]  __vfs_write+0x1b4/0x238
[  393.998228]  vfs_write+0xd0/0x238
[  394.001543]  SyS_write+0xa0/0x110
[  394.004856]  __sys_trace_return+0x0/0x4
[  394.008684] Freed:
[  394.010691] PID = 2918
[  394.013051]  save_stack_trace_tsk+0x0/0x220
[  394.017233]  save_stack_trace+0x18/0x20
[  394.021069]  kasan_slab_free+0x88/0x188
[  394.024902]  kfree+0x6c/0x1d8
[  394.027868]  jffs2_sum_write_sumnode+0x2c4/0x880
[  394.032486]  jffs2_do_reserve_space+0x198/0x598
[  394.037016]  jffs2_reserve_space+0x3f8/0x4d8
[  394.041286]  jffs2_write_inode_range+0xf0/0x450
[  394.045816]  jffs2_write_end+0x2a8/0x4a0
[  394.049737]  generic_perform_write+0x1c0/0x280
[  394.054179]  __generic_file_write_iter+0x1c4/0x228
[  394.058968]  generic_file_write_iter+0x138/0x288
[  394.063583]  __vfs_write+0x1b4/0x238
[  394.067157]  vfs_write+0xd0/0x238
[  394.070470]  SyS_write+0xa0/0x110
[  394.073783]  __sys_trace_return+0x0/0x4
[  394.077612] Memory state around the buggy address:
[  394.082404]  ffff800062e3b180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  394.089623]  ffff800062e3b200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  394.096842] &gt;ffff800062e3b280: 01 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  394.104056]                    ^
[  394.107283]  ffff800062e3b300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  394.114502]  ffff800062e3b380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  394.121718] ==================================================================

Signed-off-by: Yang Yang &lt;yang.yang29@zte.com.cn&gt;
Cc: Joel Stanley &lt;joel@jms.id.au&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: Fix kasan slab-out-of-bounds problem</title>
<updated>2021-05-22T08:40:19+00:00</updated>
<author>
<name>lizhe</name>
<email>lizhe67@huawei.com</email>
</author>
<published>2021-03-18T03:06:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=20e988dddd95020355599b2e34e49ecdf956caad'/>
<id>20e988dddd95020355599b2e34e49ecdf956caad</id>
<content type='text'>
commit 960b9a8a7676b9054d8b46a2c7db52a0c8766b56 upstream.

KASAN report a slab-out-of-bounds problem. The logs are listed below.
It is because in function jffs2_scan_dirent_node, we alloc "checkedlen+1"
bytes for fd-&gt;name and we check crc with length rd-&gt;nsize. If checkedlen
is less than rd-&gt;nsize, it will cause the slab-out-of-bounds problem.

jffs2: Dirent at *** has zeroes in name. Truncating to %d char
==================================================================
BUG: KASAN: slab-out-of-bounds in crc32_le+0x1ce/0x260 at addr ffff8800842cf2d1
Read of size 1 by task test_JFFS2/915
=============================================================================
BUG kmalloc-64 (Tainted: G    B      O   ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in jffs2_alloc_full_dirent+0x2a/0x40 age=0 cpu=1 pid=915
	___slab_alloc+0x580/0x5f0
	__slab_alloc.isra.24+0x4e/0x64
	__kmalloc+0x170/0x300
	jffs2_alloc_full_dirent+0x2a/0x40
	jffs2_scan_eraseblock+0x1ca4/0x3b64
	jffs2_scan_medium+0x285/0xfe0
	jffs2_do_mount_fs+0x5fb/0x1bbc
	jffs2_do_fill_super+0x245/0x6f0
	jffs2_fill_super+0x287/0x2e0
	mount_mtd_aux.isra.0+0x9a/0x144
	mount_mtd+0x222/0x2f0
	jffs2_mount+0x41/0x60
	mount_fs+0x63/0x230
	vfs_kern_mount.part.6+0x6c/0x1f4
	do_mount+0xae8/0x1940
	SyS_mount+0x105/0x1d0
INFO: Freed in jffs2_free_full_dirent+0x22/0x40 age=27 cpu=1 pid=915
	__slab_free+0x372/0x4e4
	kfree+0x1d4/0x20c
	jffs2_free_full_dirent+0x22/0x40
	jffs2_build_remove_unlinked_inode+0x17a/0x1e4
	jffs2_do_mount_fs+0x1646/0x1bbc
	jffs2_do_fill_super+0x245/0x6f0
	jffs2_fill_super+0x287/0x2e0
	mount_mtd_aux.isra.0+0x9a/0x144
	mount_mtd+0x222/0x2f0
	jffs2_mount+0x41/0x60
	mount_fs+0x63/0x230
	vfs_kern_mount.part.6+0x6c/0x1f4
	do_mount+0xae8/0x1940
	SyS_mount+0x105/0x1d0
	entry_SYSCALL_64_fastpath+0x1e/0x97
Call Trace:
 [&lt;ffffffff815befef&gt;] dump_stack+0x59/0x7e
 [&lt;ffffffff812d1d65&gt;] print_trailer+0x125/0x1b0
 [&lt;ffffffff812d82c8&gt;] object_err+0x34/0x40
 [&lt;ffffffff812dadef&gt;] kasan_report.part.1+0x21f/0x534
 [&lt;ffffffff81132401&gt;] ? vprintk+0x2d/0x40
 [&lt;ffffffff815f1ee2&gt;] ? crc32_le+0x1ce/0x260
 [&lt;ffffffff812db41a&gt;] kasan_report+0x26/0x30
 [&lt;ffffffff812d9fc1&gt;] __asan_load1+0x3d/0x50
 [&lt;ffffffff815f1ee2&gt;] crc32_le+0x1ce/0x260
 [&lt;ffffffff814764ae&gt;] ? jffs2_alloc_full_dirent+0x2a/0x40
 [&lt;ffffffff81485cec&gt;] jffs2_scan_eraseblock+0x1d0c/0x3b64
 [&lt;ffffffff81488813&gt;] ? jffs2_scan_medium+0xccf/0xfe0
 [&lt;ffffffff81483fe0&gt;] ? jffs2_scan_make_ino_cache+0x14c/0x14c
 [&lt;ffffffff812da3e9&gt;] ? kasan_unpoison_shadow+0x35/0x50
 [&lt;ffffffff812da3e9&gt;] ? kasan_unpoison_shadow+0x35/0x50
 [&lt;ffffffff812da462&gt;] ? kasan_kmalloc+0x5e/0x70
 [&lt;ffffffff812d5d90&gt;] ? kmem_cache_alloc_trace+0x10c/0x2cc
 [&lt;ffffffff818169fb&gt;] ? mtd_point+0xf7/0x130
 [&lt;ffffffff81487dc9&gt;] jffs2_scan_medium+0x285/0xfe0
 [&lt;ffffffff81487b44&gt;] ? jffs2_scan_eraseblock+0x3b64/0x3b64
 [&lt;ffffffff812da3e9&gt;] ? kasan_unpoison_shadow+0x35/0x50
 [&lt;ffffffff812da3e9&gt;] ? kasan_unpoison_shadow+0x35/0x50
 [&lt;ffffffff812da462&gt;] ? kasan_kmalloc+0x5e/0x70
 [&lt;ffffffff812d57df&gt;] ? __kmalloc+0x12b/0x300
 [&lt;ffffffff812da462&gt;] ? kasan_kmalloc+0x5e/0x70
 [&lt;ffffffff814a2753&gt;] ? jffs2_sum_init+0x9f/0x240
 [&lt;ffffffff8148b2ff&gt;] jffs2_do_mount_fs+0x5fb/0x1bbc
 [&lt;ffffffff8148ad04&gt;] ? jffs2_del_noinode_dirent+0x640/0x640
 [&lt;ffffffff812da462&gt;] ? kasan_kmalloc+0x5e/0x70
 [&lt;ffffffff81127c5b&gt;] ? __init_rwsem+0x97/0xac
 [&lt;ffffffff81492349&gt;] jffs2_do_fill_super+0x245/0x6f0
 [&lt;ffffffff81493c5b&gt;] jffs2_fill_super+0x287/0x2e0
 [&lt;ffffffff814939d4&gt;] ? jffs2_parse_options+0x594/0x594
 [&lt;ffffffff81819bea&gt;] mount_mtd_aux.isra.0+0x9a/0x144
 [&lt;ffffffff81819eb6&gt;] mount_mtd+0x222/0x2f0
 [&lt;ffffffff814939d4&gt;] ? jffs2_parse_options+0x594/0x594
 [&lt;ffffffff81819c94&gt;] ? mount_mtd_aux.isra.0+0x144/0x144
 [&lt;ffffffff81258757&gt;] ? free_pages+0x13/0x1c
 [&lt;ffffffff814fa0ac&gt;] ? selinux_sb_copy_data+0x278/0x2e0
 [&lt;ffffffff81492b35&gt;] jffs2_mount+0x41/0x60
 [&lt;ffffffff81302fb7&gt;] mount_fs+0x63/0x230
 [&lt;ffffffff8133755f&gt;] ? alloc_vfsmnt+0x32f/0x3b0
 [&lt;ffffffff81337f2c&gt;] vfs_kern_mount.part.6+0x6c/0x1f4
 [&lt;ffffffff8133ceec&gt;] do_mount+0xae8/0x1940
 [&lt;ffffffff811b94e0&gt;] ? audit_filter_rules.constprop.6+0x1d10/0x1d10
 [&lt;ffffffff8133c404&gt;] ? copy_mount_string+0x40/0x40
 [&lt;ffffffff812cbf78&gt;] ? alloc_pages_current+0xa4/0x1bc
 [&lt;ffffffff81253a89&gt;] ? __get_free_pages+0x25/0x50
 [&lt;ffffffff81338993&gt;] ? copy_mount_options.part.17+0x183/0x264
 [&lt;ffffffff8133e3a9&gt;] SyS_mount+0x105/0x1d0
 [&lt;ffffffff8133e2a4&gt;] ? copy_mnt_ns+0x560/0x560
 [&lt;ffffffff810e8391&gt;] ? msa_space_switch_handler+0x13d/0x190
 [&lt;ffffffff81be184a&gt;] entry_SYSCALL_64_fastpath+0x1e/0x97
 [&lt;ffffffff810e9274&gt;] ? msa_space_switch+0xb0/0xe0
Memory state around the buggy address:
 ffff8800842cf180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800842cf200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
&gt;ffff8800842cf280: fc fc fc fc fc fc 00 00 00 00 01 fc fc fc fc fc
                                                 ^
 ffff8800842cf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800842cf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Cc: stable@vger.kernel.org
Reported-by: Kunkun Xu &lt;xukunkun1@huawei.com&gt;
Signed-off-by: lizhe &lt;lizhe67@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 960b9a8a7676b9054d8b46a2c7db52a0c8766b56 upstream.

KASAN report a slab-out-of-bounds problem. The logs are listed below.
It is because in function jffs2_scan_dirent_node, we alloc "checkedlen+1"
bytes for fd-&gt;name and we check crc with length rd-&gt;nsize. If checkedlen
is less than rd-&gt;nsize, it will cause the slab-out-of-bounds problem.

jffs2: Dirent at *** has zeroes in name. Truncating to %d char
==================================================================
BUG: KASAN: slab-out-of-bounds in crc32_le+0x1ce/0x260 at addr ffff8800842cf2d1
Read of size 1 by task test_JFFS2/915
=============================================================================
BUG kmalloc-64 (Tainted: G    B      O   ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in jffs2_alloc_full_dirent+0x2a/0x40 age=0 cpu=1 pid=915
	___slab_alloc+0x580/0x5f0
	__slab_alloc.isra.24+0x4e/0x64
	__kmalloc+0x170/0x300
	jffs2_alloc_full_dirent+0x2a/0x40
	jffs2_scan_eraseblock+0x1ca4/0x3b64
	jffs2_scan_medium+0x285/0xfe0
	jffs2_do_mount_fs+0x5fb/0x1bbc
	jffs2_do_fill_super+0x245/0x6f0
	jffs2_fill_super+0x287/0x2e0
	mount_mtd_aux.isra.0+0x9a/0x144
	mount_mtd+0x222/0x2f0
	jffs2_mount+0x41/0x60
	mount_fs+0x63/0x230
	vfs_kern_mount.part.6+0x6c/0x1f4
	do_mount+0xae8/0x1940
	SyS_mount+0x105/0x1d0
INFO: Freed in jffs2_free_full_dirent+0x22/0x40 age=27 cpu=1 pid=915
	__slab_free+0x372/0x4e4
	kfree+0x1d4/0x20c
	jffs2_free_full_dirent+0x22/0x40
	jffs2_build_remove_unlinked_inode+0x17a/0x1e4
	jffs2_do_mount_fs+0x1646/0x1bbc
	jffs2_do_fill_super+0x245/0x6f0
	jffs2_fill_super+0x287/0x2e0
	mount_mtd_aux.isra.0+0x9a/0x144
	mount_mtd+0x222/0x2f0
	jffs2_mount+0x41/0x60
	mount_fs+0x63/0x230
	vfs_kern_mount.part.6+0x6c/0x1f4
	do_mount+0xae8/0x1940
	SyS_mount+0x105/0x1d0
	entry_SYSCALL_64_fastpath+0x1e/0x97
Call Trace:
 [&lt;ffffffff815befef&gt;] dump_stack+0x59/0x7e
 [&lt;ffffffff812d1d65&gt;] print_trailer+0x125/0x1b0
 [&lt;ffffffff812d82c8&gt;] object_err+0x34/0x40
 [&lt;ffffffff812dadef&gt;] kasan_report.part.1+0x21f/0x534
 [&lt;ffffffff81132401&gt;] ? vprintk+0x2d/0x40
 [&lt;ffffffff815f1ee2&gt;] ? crc32_le+0x1ce/0x260
 [&lt;ffffffff812db41a&gt;] kasan_report+0x26/0x30
 [&lt;ffffffff812d9fc1&gt;] __asan_load1+0x3d/0x50
 [&lt;ffffffff815f1ee2&gt;] crc32_le+0x1ce/0x260
 [&lt;ffffffff814764ae&gt;] ? jffs2_alloc_full_dirent+0x2a/0x40
 [&lt;ffffffff81485cec&gt;] jffs2_scan_eraseblock+0x1d0c/0x3b64
 [&lt;ffffffff81488813&gt;] ? jffs2_scan_medium+0xccf/0xfe0
 [&lt;ffffffff81483fe0&gt;] ? jffs2_scan_make_ino_cache+0x14c/0x14c
 [&lt;ffffffff812da3e9&gt;] ? kasan_unpoison_shadow+0x35/0x50
 [&lt;ffffffff812da3e9&gt;] ? kasan_unpoison_shadow+0x35/0x50
 [&lt;ffffffff812da462&gt;] ? kasan_kmalloc+0x5e/0x70
 [&lt;ffffffff812d5d90&gt;] ? kmem_cache_alloc_trace+0x10c/0x2cc
 [&lt;ffffffff818169fb&gt;] ? mtd_point+0xf7/0x130
 [&lt;ffffffff81487dc9&gt;] jffs2_scan_medium+0x285/0xfe0
 [&lt;ffffffff81487b44&gt;] ? jffs2_scan_eraseblock+0x3b64/0x3b64
 [&lt;ffffffff812da3e9&gt;] ? kasan_unpoison_shadow+0x35/0x50
 [&lt;ffffffff812da3e9&gt;] ? kasan_unpoison_shadow+0x35/0x50
 [&lt;ffffffff812da462&gt;] ? kasan_kmalloc+0x5e/0x70
 [&lt;ffffffff812d57df&gt;] ? __kmalloc+0x12b/0x300
 [&lt;ffffffff812da462&gt;] ? kasan_kmalloc+0x5e/0x70
 [&lt;ffffffff814a2753&gt;] ? jffs2_sum_init+0x9f/0x240
 [&lt;ffffffff8148b2ff&gt;] jffs2_do_mount_fs+0x5fb/0x1bbc
 [&lt;ffffffff8148ad04&gt;] ? jffs2_del_noinode_dirent+0x640/0x640
 [&lt;ffffffff812da462&gt;] ? kasan_kmalloc+0x5e/0x70
 [&lt;ffffffff81127c5b&gt;] ? __init_rwsem+0x97/0xac
 [&lt;ffffffff81492349&gt;] jffs2_do_fill_super+0x245/0x6f0
 [&lt;ffffffff81493c5b&gt;] jffs2_fill_super+0x287/0x2e0
 [&lt;ffffffff814939d4&gt;] ? jffs2_parse_options+0x594/0x594
 [&lt;ffffffff81819bea&gt;] mount_mtd_aux.isra.0+0x9a/0x144
 [&lt;ffffffff81819eb6&gt;] mount_mtd+0x222/0x2f0
 [&lt;ffffffff814939d4&gt;] ? jffs2_parse_options+0x594/0x594
 [&lt;ffffffff81819c94&gt;] ? mount_mtd_aux.isra.0+0x144/0x144
 [&lt;ffffffff81258757&gt;] ? free_pages+0x13/0x1c
 [&lt;ffffffff814fa0ac&gt;] ? selinux_sb_copy_data+0x278/0x2e0
 [&lt;ffffffff81492b35&gt;] jffs2_mount+0x41/0x60
 [&lt;ffffffff81302fb7&gt;] mount_fs+0x63/0x230
 [&lt;ffffffff8133755f&gt;] ? alloc_vfsmnt+0x32f/0x3b0
 [&lt;ffffffff81337f2c&gt;] vfs_kern_mount.part.6+0x6c/0x1f4
 [&lt;ffffffff8133ceec&gt;] do_mount+0xae8/0x1940
 [&lt;ffffffff811b94e0&gt;] ? audit_filter_rules.constprop.6+0x1d10/0x1d10
 [&lt;ffffffff8133c404&gt;] ? copy_mount_string+0x40/0x40
 [&lt;ffffffff812cbf78&gt;] ? alloc_pages_current+0xa4/0x1bc
 [&lt;ffffffff81253a89&gt;] ? __get_free_pages+0x25/0x50
 [&lt;ffffffff81338993&gt;] ? copy_mount_options.part.17+0x183/0x264
 [&lt;ffffffff8133e3a9&gt;] SyS_mount+0x105/0x1d0
 [&lt;ffffffff8133e2a4&gt;] ? copy_mnt_ns+0x560/0x560
 [&lt;ffffffff810e8391&gt;] ? msa_space_switch_handler+0x13d/0x190
 [&lt;ffffffff81be184a&gt;] entry_SYSCALL_64_fastpath+0x1e/0x97
 [&lt;ffffffff810e9274&gt;] ? msa_space_switch+0xb0/0xe0
Memory state around the buggy address:
 ffff8800842cf180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800842cf200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
&gt;ffff8800842cf280: fc fc fc fc fc fc 00 00 00 00 01 fc fc fc fc fc
                                                 ^
 ffff8800842cf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800842cf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Cc: stable@vger.kernel.org
Reported-by: Kunkun Xu &lt;xukunkun1@huawei.com&gt;
Signed-off-by: lizhe &lt;lizhe67@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: fix use after free in jffs2_sum_write_data()</title>
<updated>2021-03-03T16:44:36+00:00</updated>
<author>
<name>Tom Rix</name>
<email>trix@redhat.com</email>
</author>
<published>2020-12-30T14:56:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0f37fffb9494bd15f09355d02fd24b9a01865be7'/>
<id>0f37fffb9494bd15f09355d02fd24b9a01865be7</id>
<content type='text'>
[ Upstream commit 19646447ad3a680d2ab08c097585b7d96a66126b ]

clang static analysis reports this problem

fs/jffs2/summary.c:794:31: warning: Use of memory after it is freed
                c-&gt;summary-&gt;sum_list_head = temp-&gt;u.next;
                                            ^~~~~~~~~~~~

In jffs2_sum_write_data(), in a loop summary data is handles a node at
a time.  When it has written out the node it is removed the summary list,
and the node is deleted.  In the corner case when a
JFFS2_FEATURE_RWCOMPAT_COPY is seen, a call is made to
jffs2_sum_disable_collecting().  jffs2_sum_disable_collecting() deletes
the whole list which conflicts with the loop's deleting the list by parts.

To preserve the old behavior of stopping the write midway, bail out of
the loop after disabling summary collection.

Fixes: 6171586a7ae5 ("[JFFS2] Correct handling of JFFS2_FEATURE_RWCOMPAT_COPY nodes.")
Signed-off-by: Tom Rix &lt;trix@redhat.com&gt;
Reviewed-by: Nathan Chancellor &lt;natechancellor@gmail.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 19646447ad3a680d2ab08c097585b7d96a66126b ]

clang static analysis reports this problem

fs/jffs2/summary.c:794:31: warning: Use of memory after it is freed
                c-&gt;summary-&gt;sum_list_head = temp-&gt;u.next;
                                            ^~~~~~~~~~~~

In jffs2_sum_write_data(), in a loop summary data is handles a node at
a time.  When it has written out the node it is removed the summary list,
and the node is deleted.  In the corner case when a
JFFS2_FEATURE_RWCOMPAT_COPY is seen, a call is made to
jffs2_sum_disable_collecting().  jffs2_sum_disable_collecting() deletes
the whole list which conflicts with the loop's deleting the list by parts.

To preserve the old behavior of stopping the write midway, bail out of
the loop after disabling summary collection.

Fixes: 6171586a7ae5 ("[JFFS2] Correct handling of JFFS2_FEATURE_RWCOMPAT_COPY nodes.")
Signed-off-by: Tom Rix &lt;trix@redhat.com&gt;
Reviewed-by: Nathan Chancellor &lt;natechancellor@gmail.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: Fix GC exit abnormally</title>
<updated>2020-12-29T12:45:05+00:00</updated>
<author>
<name>Zhe Li</name>
<email>lizhe67@huawei.com</email>
</author>
<published>2020-05-29T03:37:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=494c2c5ef3d4224d7b193a2f4a9fc92f9a8cd454'/>
<id>494c2c5ef3d4224d7b193a2f4a9fc92f9a8cd454</id>
<content type='text'>
commit 9afc9a8a4909fece0e911e72b1060614ba2f7969 upstream.

The log of this problem is:
jffs2: Error garbage collecting node at 0x***!
jffs2: No space for garbage collection. Aborting GC thread

This is because GC believe that it do nothing, so it abort.

After going over the image of jffs2, I find a scene that
can trigger this problem stably.
The scene is: there is a normal dirent node at summary-area,
but abnormal at corresponding not-summary-area with error
name_crc.

The reason that GC exit abnormally is because it find that
abnormal dirent node to GC, but when it goes to function
jffs2_add_fd_to_list, it cannot meet the condition listed
below:

if ((*prev)-&gt;nhash == new-&gt;nhash &amp;&amp; !strcmp((*prev)-&gt;name, new-&gt;name))

So no node is marked obsolete, statistical information of
erase_block do not change, which cause GC exit abnormally.

The root cause of this problem is: we do not check the
name_crc of the abnormal dirent node with summary is enabled.

Noticed that in function jffs2_scan_dirent_node, we use
function jffs2_scan_dirty_space to deal with the dirent
node with error name_crc. So this patch add a checking
code in function read_direntry to ensure the correctness
of dirent node. If checked failed, the dirent node will
be marked obsolete so GC will pass this node and this
problem will be fixed.

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Zhe Li &lt;lizhe67@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9afc9a8a4909fece0e911e72b1060614ba2f7969 upstream.

The log of this problem is:
jffs2: Error garbage collecting node at 0x***!
jffs2: No space for garbage collection. Aborting GC thread

This is because GC believe that it do nothing, so it abort.

After going over the image of jffs2, I find a scene that
can trigger this problem stably.
The scene is: there is a normal dirent node at summary-area,
but abnormal at corresponding not-summary-area with error
name_crc.

The reason that GC exit abnormally is because it find that
abnormal dirent node to GC, but when it goes to function
jffs2_add_fd_to_list, it cannot meet the condition listed
below:

if ((*prev)-&gt;nhash == new-&gt;nhash &amp;&amp; !strcmp((*prev)-&gt;name, new-&gt;name))

So no node is marked obsolete, statistical information of
erase_block do not change, which cause GC exit abnormally.

The root cause of this problem is: we do not check the
name_crc of the abnormal dirent node with summary is enabled.

Noticed that in function jffs2_scan_dirent_node, we use
function jffs2_scan_dirty_space to deal with the dirent
node with error name_crc. So this patch add a checking
code in function read_direntry to ensure the correctness
of dirent node. If checked failed, the dirent node will
be marked obsolete so GC will pass this node and this
problem will be fixed.

Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Zhe Li &lt;lizhe67@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: fix UAF problem</title>
<updated>2020-08-26T08:29:05+00:00</updated>
<author>
<name>Zhe Li</name>
<email>lizhe67@huawei.com</email>
</author>
<published>2020-06-19T09:06:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4afde5c2320a3277caadda6326d340f6b30e360e'/>
<id>4afde5c2320a3277caadda6326d340f6b30e360e</id>
<content type='text'>
[ Upstream commit 798b7347e4f29553db4b996393caf12f5b233daf ]

The log of UAF problem is listed below.
BUG: KASAN: use-after-free in jffs2_rmdir+0xa4/0x1cc [jffs2] at addr c1f165fc
Read of size 4 by task rm/8283
=============================================================================
BUG kmalloc-32 (Tainted: P    B      O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in 0xbbbbbbbb age=3054364 cpu=0 pid=0
        0xb0bba6ef
        jffs2_write_dirent+0x11c/0x9c8 [jffs2]
        __slab_alloc.isra.21.constprop.25+0x2c/0x44
        __kmalloc+0x1dc/0x370
        jffs2_write_dirent+0x11c/0x9c8 [jffs2]
        jffs2_do_unlink+0x328/0x5fc [jffs2]
        jffs2_rmdir+0x110/0x1cc [jffs2]
        vfs_rmdir+0x180/0x268
        do_rmdir+0x2cc/0x300
        ret_from_syscall+0x0/0x3c
INFO: Freed in 0x205b age=3054364 cpu=0 pid=0
        0x2e9173
        jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
        jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
        jffs2_garbage_collect_dirent.isra.3+0x21c/0x288 [jffs2]
        jffs2_garbage_collect_live+0x16bc/0x1800 [jffs2]
        jffs2_garbage_collect_pass+0x678/0x11d4 [jffs2]
        jffs2_garbage_collect_thread+0x1e8/0x3b0 [jffs2]
        kthread+0x1a8/0x1b0
        ret_from_kernel_thread+0x5c/0x64
Call Trace:
[c17ddd20] [c02452d4] kasan_report.part.0+0x298/0x72c (unreliable)
[c17ddda0] [d2509680] jffs2_rmdir+0xa4/0x1cc [jffs2]
[c17dddd0] [c026da04] vfs_rmdir+0x180/0x268
[c17dde00] [c026f4e4] do_rmdir+0x2cc/0x300
[c17ddf40] [c001a658] ret_from_syscall+0x0/0x3c

The root cause is that we don't get "jffs2_inode_info.sem" before
we scan list "jffs2_inode_info.dents" in function jffs2_rmdir.
This patch add codes to get "jffs2_inode_info.sem" before we scan
"jffs2_inode_info.dents" to slove the UAF problem.

Signed-off-by: Zhe Li &lt;lizhe67@huawei.com&gt;
Reviewed-by: Hou Tao &lt;houtao1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 798b7347e4f29553db4b996393caf12f5b233daf ]

The log of UAF problem is listed below.
BUG: KASAN: use-after-free in jffs2_rmdir+0xa4/0x1cc [jffs2] at addr c1f165fc
Read of size 4 by task rm/8283
=============================================================================
BUG kmalloc-32 (Tainted: P    B      O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in 0xbbbbbbbb age=3054364 cpu=0 pid=0
        0xb0bba6ef
        jffs2_write_dirent+0x11c/0x9c8 [jffs2]
        __slab_alloc.isra.21.constprop.25+0x2c/0x44
        __kmalloc+0x1dc/0x370
        jffs2_write_dirent+0x11c/0x9c8 [jffs2]
        jffs2_do_unlink+0x328/0x5fc [jffs2]
        jffs2_rmdir+0x110/0x1cc [jffs2]
        vfs_rmdir+0x180/0x268
        do_rmdir+0x2cc/0x300
        ret_from_syscall+0x0/0x3c
INFO: Freed in 0x205b age=3054364 cpu=0 pid=0
        0x2e9173
        jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
        jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
        jffs2_garbage_collect_dirent.isra.3+0x21c/0x288 [jffs2]
        jffs2_garbage_collect_live+0x16bc/0x1800 [jffs2]
        jffs2_garbage_collect_pass+0x678/0x11d4 [jffs2]
        jffs2_garbage_collect_thread+0x1e8/0x3b0 [jffs2]
        kthread+0x1a8/0x1b0
        ret_from_kernel_thread+0x5c/0x64
Call Trace:
[c17ddd20] [c02452d4] kasan_report.part.0+0x298/0x72c (unreliable)
[c17ddda0] [d2509680] jffs2_rmdir+0xa4/0x1cc [jffs2]
[c17dddd0] [c026da04] vfs_rmdir+0x180/0x268
[c17dde00] [c026f4e4] do_rmdir+0x2cc/0x300
[c17ddf40] [c001a658] ret_from_syscall+0x0/0x3c

The root cause is that we don't get "jffs2_inode_info.sem" before
we scan list "jffs2_inode_info.dents" in function jffs2_rmdir.
This patch add codes to get "jffs2_inode_info.sem" before we scan
"jffs2_inode_info.dents" to slove the UAF problem.

Signed-off-by: Zhe Li &lt;lizhe67@huawei.com&gt;
Reviewed-by: Hou Tao &lt;houtao1@huawei.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
