    gfs2: Fix NULL pointer dereference in gfs2_rgrp_dump · 0e539ca1
    Andrew Price authored
    When an rindex entry is found to be corrupt, compute_bitstructs() calls
    gfs2_consist_rgrpd() which calls gfs2_rgrp_dump() like this:
    
        gfs2_rgrp_dump(NULL, rgd->rd_gl, fs_id_buf);
    
    gfs2_rgrp_dump then dereferences the gl without checking it and we get
    
        BUG: KASAN: null-ptr-deref in gfs2_rgrp_dump+0x28/0x280
    
    because there's no rgrp glock involved while reading the rindex on mount.
    
    Fix this by changing gfs2_rgrp_dump to take an rgrp argument.
    
    Reported-by: syzbot+43fa87986bdd31df9de6@syzkaller.appspotmail.com
    Signed-off-by: Andrew Price <anprice@redhat.com>
    Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
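As an added illustration of the bug and the fix described in the commit message above (a simplified stand-alone C model written for this page, not the kernel's gfs2 code; the struct shapes, function names and the dump format are assumptions):

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-alone model of the two gfs2 structures involved. Field names
 * follow the kernel's, but the shapes are simplified assumptions. */
struct gfs2_rgrpd;
struct gfs2_glock {
    struct gfs2_rgrpd *gl_object;   /* back-pointer to the rgrp owning the glock */
};
struct gfs2_rgrpd {
    unsigned long long rd_addr;     /* rgrp header block address (from the rindex) */
    unsigned int rd_length;         /* number of bitmap blocks */
    struct gfs2_glock *rd_gl;       /* NULL while the rindex is read on mount */
};

/* Pre-fix shape: the dump helper receives only the glock and reaches
 * through gl->gl_object to find the rgrp. When compute_bitstructs() finds
 * a corrupt rindex entry there is no rgrp glock yet, so it passes NULL and
 * the dereference is the null-ptr-deref KASAN reported. Modelled here as
 * a check returning -1 so the example does not crash. */
static int rgrp_dump_by_glock(char *out, size_t len,
                              const struct gfs2_glock *gl, const char *fs_id_buf)
{
    if (gl == NULL)
        return -1;      /* the real pre-fix code dereferenced gl unconditionally */
    const struct gfs2_rgrpd *rgd = gl->gl_object;
    return snprintf(out, len, "%s R: n:%llu length:%u", fs_id_buf,
                    rgd->rd_addr, rgd->rd_length) > 0 ? 0 : -1;
}

/* Post-fix shape: the helper takes the rgrp itself, so the rindex error
 * path can dump the entry it is complaining about while rd_gl is still NULL. */
static int rgrp_dump(char *out, size_t len,
                     const struct gfs2_rgrpd *rgd, const char *fs_id_buf)
{
    if (rgd == NULL)
        return -1;
    return snprintf(out, len, "%s R: n:%llu length:%u", fs_id_buf,
                    rgd->rd_addr, rgd->rd_length) > 0 ? 0 : -1;
}

/* The glock dump callback survives the fix: it resolves the rgrp from the
 * glock it is given and forwards it. */
static int rgrp_go_dump(char *out, size_t len,
                        const struct gfs2_glock *gl, const char *fs_id_buf)
{
    return rgrp_dump(out, len, gl->gl_object, fs_id_buf);
}

/* Models the consistency-error path taken while reading the rindex on
 * mount: the rgrp exists but no glock is attached to it yet. */
static int consist_rgrpd_on_mount(char *out, size_t len, struct gfs2_rgrpd *rgd)
{
    rgd->rd_gl = NULL;  /* no rgrp glock is involved during the rindex read */
    return rgrp_dump(out, len, rgd, "fsid=example:0");
}
```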
rgrp.c 70.2 KB