[lvc-project] [PATCH] exfat: bail out on -EIO in exfat_find_empty_entry()
Dmitry Antipov
dmantipov at yandex.ru
Fri Dec 13 19:17:57 MSK 2024
Syzbot has reported the following KASAN splat:
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
...
Call Trace:
<TASK>
...
? exfat_get_dentry_cached+0xb6/0x1b0
? exfat_get_dentry_cached+0x11a/0x1b0
? exfat_get_dentry_cached+0xb6/0x1b0
exfat_init_ext_entry+0x1b6/0x3b0
exfat_add_entry+0x321/0x7a0
? __pfx_exfat_add_entry+0x10/0x10
? __lock_acquire+0x15a9/0x3c40
? __pfx___lock_acquire+0x10/0x10
? _raw_spin_unlock_irqrestore+0x52/0x80
? do_raw_spin_unlock+0x53/0x230
? _raw_spin_unlock+0x28/0x50
? exfat_set_vol_flags+0x23f/0x2f0
exfat_create+0x1cf/0x5c0
...
path_openat+0x904/0x2d60
? __pfx_path_openat+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
? lock_acquire.part.0+0x11b/0x380
? find_held_lock+0x2d/0x110
do_filp_open+0x20c/0x470
? __pfx_do_filp_open+0x10/0x10
? find_held_lock+0x2d/0x110
? _raw_spin_unlock+0x28/0x50
? alloc_fd+0x41f/0x760
do_sys_openat2+0x17a/0x1e0
? __pfx_do_sys_openat2+0x10/0x10
? __pfx_sigprocmask+0x10/0x10
__x64_sys_creat+0xcd/0x120
...
</TASK>
On exFAT with damaged directory structure, 'exfat_search_empty_slot()'
may issue an attempt to access beyond end of device and return -EIO.
So catch this error in 'exfat_find_empty_entry()', do not create an
invalid in-memory directory structure and do not confuse the rest
of the filesystem code further.
Reported-by: syzbot+8f8fe64a30c50b289a18 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8f8fe64a30c50b289a18
Fixes: 5f2aa075070c ("exfat: add inode operations")
Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
---
fs/exfat/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
index 97d2774760fe..73dbc5cdf388 100644
--- a/fs/exfat/namei.c
+++ b/fs/exfat/namei.c
@@ -331,7 +331,7 @@ static int exfat_find_empty_entry(struct inode *inode,
while ((dentry = exfat_search_empty_slot(sb, &hint_femp, p_dir,
num_entries, es)) < 0) {
if (dentry == -EIO)
- break;
+ return -EIO;
if (exfat_check_max_dentries(inode))
return -ENOSPC;
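Review bot: the `if (dentry == -EIO)` test at the top of the loop body still singles out one error code, so any other negative value from exfat_search_empty_slot() continues to exfat_check_max_dentries() and is treated as "no free slot yet". If that helper can return other hard errors, they should be returned here as well; otherwise a short comment above the check should state that -EIO is its only non-retryable result. The early `return -EIO;` is consistent with the `return -ENOSPC;` two lines below, but the code after the loop is not shown in this hunk, so it is worth confirming that nothing set up earlier in exfat_find_empty_entry() needs to be undone on this path.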
--
2.47.1