UDF filesystems which have relocated blocks past the end of the device can produce a dcache entry without an inode, which leads to a NULL pointer dereference like this:
[ 20.554242] attempt to access beyond end of device
[ 20.554242] loop0: rw=2049, want=2054, limit=2048
[ 20.557322] Buffer I/O error on dev loop0, logical block 1026, lost async page write
[ 20.562948] ==================================================================
[ 20.565002] BUG: KASAN: null-ptr-deref in path_openat+0x6ae/0x9f9
[ 20.566460] Read of size 2 at addr 0000000000000000 by task repro/415
[ 20.567768]
[ 20.568112] CPU: 0 PID: 415 Comm: repro Not tainted 5.15.168-rc1-00692-g63cec7aeaef7 #5
[ 20.569739] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 20.571549] Call Trace:
[ 20.571965] <TASK>
[ 20.572338] dump_stack_lvl+0x45/0x5d
[ 20.572991] ? path_openat+0x6ae/0x9f9
[ 20.573742] kasan_report+0x1b7/0x1d8
[ 20.574559] ? path_openat+0x6ae/0x9f9
[ 20.575241] path_openat+0x6ae/0x9f9
[ 20.575915] ? may_open+0x135/0x135
[ 20.576839] ? lockdep_hardirqs_on_prepare+0x1f1/0x1f1
[ 20.577953] ? kvm_sched_clock_read+0x5/0x11
[ 20.579140] ? sched_clock_cpu+0x1a/0x106
[ 20.580687] do_filp_open+0xab/0x12e
[ 20.582278] ? path_openat+0x9f9/0x9f9
[ 20.583503] ? kvm_sched_clock_read+0x5/0x11
[ 20.584925] ? lock_downgrade+0x324/0x324
[ 20.586144] ? lock_acquired+0x2d1/0x333
[ 20.587385] ? __check_heap_object+0x5d/0xe0
[ 20.588436] ? do_raw_spin_unlock+0xca/0xd6
[ 20.589853] ? _raw_spin_unlock+0x1a/0x2e
[ 20.590697] ? alloc_fd+0x218/0x22e
[ 20.591460] do_sys_openat2+0xbd/0x15c
[ 20.592241] ? file_open_root+0xee/0xee
[ 20.593034] ? lock_downgrade+0x324/0x324
[ 20.593839] do_sys_open+0x7b/0xac
[ 20.594532] ? filp_open+0x43/0x43
[ 20.595138] ? lockdep_hardirqs_on_prepare+0x1ce/0x1f1
[ 20.596062] ? __x64_sys_creat+0x1b/0x33
[ 20.596796] do_syscall_64+0x6d/0x84
[ 20.597485] entry_SYSCALL_64_after_hwframe+0x6c/0xd6
[ 20.598359] RIP: 0033:0x79f47fd46c7d
[ 20.599067] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 81 0d 00 f7 d8 64 89 01 48
[ 20.603403] RSP: 002b:00007fffca44e7f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000055
[ 20.605712] RAX: ffffffffffffffda RBX: 00007fffca44e928 RCX: 000079f47fd46c7d
[ 20.607476] RDX: 000079f47fd46c7d RSI: 0000000000000000 RDI: 0000000020000d00
[ 20.609956] RBP: 00007fffca44e810 R08: 0000000000000000 R09: 0000000000000000
[ 20.612074] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 20.613364] R13: 00007fffca44e938 R14: 00005c3ad8078d10 R15: 000079f47fe87000
[ 20.615618] </TASK>
[ 20.616752] ==================================================================
Jan Kara (19):
  udf: New directory iteration code
  udf: Convert udf_expand_dir_adinicb() to new directory iteration
  udf: Move udf_expand_dir_adinicb() to its callsite
  udf: Implement searching for directory entry using new iteration code
  udf: Provide function to mark entry as deleted using new directory iteration code
  udf: Convert udf_rename() to new directory iteration code
  udf: Convert udf_readdir() to new directory iteration
  udf: Convert udf_lookup() to use new directory iteration code
  udf: Convert udf_get_parent() to new directory iteration code
  udf: Convert empty_dir() to new directory iteration code
  udf: Convert udf_rmdir() to new directory iteration code
  udf: Convert udf_unlink() to new directory iteration code
  udf: Implement adding of dir entries using new iteration code
  udf: Convert udf_add_nondir() to new directory iteration
  udf: Convert udf_mkdir() to new directory iteration code
  udf: Convert udf_link() to new directory iteration code
  udf: Remove old directory iteration code
  udf: Handle error when expanding directory
  udf: Don't return bh from udf_expand_dir_adinicb()
 fs/udf/dir.c       |  148 ++-----
 fs/udf/directory.c |  564 ++++++++++++++++++------
 fs/udf/inode.c     |   90 ----
 fs/udf/namei.c     | 1052 +++++++++++++++----------------------------
 fs/udf/udfdecl.h   |   45 +-
 5 files changed, 825 insertions(+), 1074 deletions(-)