In "fs/udf/namei.c" there is a possible NULL pointer dereference bug in the udf_symlink function (udf_symlink:882). This is the relevant piece of code:

> 936 epos.bh = udf_tgetblk(sb, block);
> 937 lock_buffer(epos.bh);
> 938 memset(epos.bh->b_data, 0x00, bsize);
> 939 set_buffer_uptodate(epos.bh);
> 940 unlock_buffer(epos.bh);

At line 936 epos.bh is assigned the value returned by udf_tgetblk. Then epos.bh is used without any check; however, it could be NULL. The function udf_tgetblk is defined in udf/misc.c and returns the value of the sb_getblk function without any check.

> 31 struct buffer_head *udf_tgetblk(struct super_block *sb, udf_pblk_t block)
> 32 {
> 33 	if (UDF_QUERY_FLAG(sb, UDF_FLAG_VARCONV))
> 34 		return sb_getblk(sb, udf_fixed_to_variable(block));
> 35 	else
> 36 		return sb_getblk(sb, block);
> 37 }

Considering the older patches related to sb_getblk, a possible fix is the following:

> 936 epos.bh = udf_tgetblk(sb, block);
> +++ if (unlikely(!epos.bh)) {
> +++ 	err = -ENOMEM;
> +++ 	goto out_no_entry;
> +++ }
> 937 lock_buffer(epos.bh);
> 938 memset(epos.bh->b_data, 0x00, bsize);
> 939 set_buffer_uptodate(epos.bh);
> 940 unlock_buffer(epos.bh);
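Review bot: the check is placed immediately after the assignment on line 936 and before lock_buffer() on line 937, which is the first dereference, so nothing touches epos.bh unguarded; two things to tidy before sending it: the sketch mixes original line numbers with `+++` markers, so it has to be regenerated as a unified diff against the current tree, and `err` and `out_no_entry` should be confirmed to be the error variable and cleanup label that udf_symlink's existing error paths already use, since the sketch relies on both without showing where they are defined.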
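To make the failure mode concrete, here is an added userspace model of the lines quoted above (it is not code from the bug report, the patch, or the kernel tree). It replaces udf_tgetblk() with a fault-injectable stand-in, puts the unguarded sequence from lines 936-940 beside the guarded form the proposed fix introduces, and shows that the guarded form returns -ENOMEM instead of dereferencing NULL when the buffer lookup fails. All names other than the kernel ones quoted in the report (model_tgetblk, init_symlink_block_unguarded, init_symlink_block_guarded, run_scenario, block_is_clean, BSIZE) are constructed for this model.

```c
/* Added example: userspace model of the udf_symlink block-initialisation
 * sequence with a fault-injectable stand-in for udf_tgetblk(). Not kernel
 * code; names other than those quoted in the report are constructed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BSIZE 2048 /* constructed block size standing in for sb->s_blocksize */

/* Minimal stand-in for the kernel's struct buffer_head. */
struct buffer_head {
    uint8_t b_data[BSIZE];
    int locked;
    int uptodate;
};

/* Fault injection switch: when set, the lookup fails like sb_getblk()
 * can under memory pressure and returns NULL. */
static bool inject_getblk_failure = false;

/* Stand-in for udf_tgetblk()/sb_getblk(): returns a fresh buffer or NULL. */
static struct buffer_head *model_tgetblk(void)
{
    if (inject_getblk_failure)
        return NULL;
    return calloc(1, sizeof(struct buffer_head));
}

/* Pre-fix shape of lines 936-940: the result of the lookup is used with
 * no check, so a NULL return is dereferenced at the first access. */
static struct buffer_head *init_symlink_block_unguarded(void)
{
    struct buffer_head *bh = model_tgetblk();
    bh->locked = 1;                 /* lock_buffer(epos.bh): NULL deref here */
    memset(bh->b_data, 0x00, BSIZE);
    bh->uptodate = 1;               /* set_buffer_uptodate(epos.bh) */
    bh->locked = 0;                 /* unlock_buffer(epos.bh) */
    return bh;
}

/* Shape of the proposed fix: the NULL check sits before the first
 * dereference and the caller gets -ENOMEM (goto out_no_entry in the
 * kernel) instead of a crash. On success *out receives the buffer. */
static int init_symlink_block_guarded(struct buffer_head **out)
{
    struct buffer_head *bh = model_tgetblk();
    if (!bh)
        return -ENOMEM;             /* the added check */
    bh->locked = 1;
    memset(bh->b_data, 0x00, BSIZE);
    bh->uptodate = 1;
    bh->locked = 0;
    *out = bh;
    return 0;
}

/* Runs the guarded sequence with the lookup forced to fail or succeed. */
static int run_scenario(bool fail_getblk, struct buffer_head **out)
{
    inject_getblk_failure = fail_getblk;
    int err = init_symlink_block_guarded(out);
    inject_getblk_failure = false;
    return err;
}

/* True when the block is zero-filled, marked up to date and unlocked. */
static bool block_is_clean(const struct buffer_head *bh)
{
    if (!bh || !bh->uptodate || bh->locked)
        return false;
    for (size_t i = 0; i < BSIZE; i++)
        if (bh->b_data[i] != 0)
            return false;
    return true;
}

int main(void)
{
    struct buffer_head *bh = NULL;
    /* Failure path: guarded code reports -ENOMEM and leaves bh untouched. */
    if (run_scenario(true, &bh) != -ENOMEM || bh != NULL)
        return 1;
    /* Success path: identical result to the unguarded sequence. */
    if (run_scenario(false, &bh) != 0 || !block_is_clean(bh))
        return 1;
    free(bh);
    bh = init_symlink_block_unguarded(); /* only safe while no fault is injected */
    int ok = block_is_clean(bh);
    free(bh);
    return ok ? 0 : 1;
}
```

The unguarded function is kept for comparison only; calling it while inject_getblk_failure is set reproduces the crash the report describes, which is why the test below exercises it only on the success path.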
Thanks for the report. You are correct. Will you send a proper fix for this (with a changelog, signed-off-by, etc.)?
Yes, however give me a few days to understand how this process works; this is my first patch to the kernel. I will let you know soon.
Sure, if you have any questions, feel free to email me :).
Not sure if you've already found it but a (somewhat long) description of the process is here: https://www.kernel.org/doc/html/v5.12/process/submitting-patches.html
Created attachment 296829: Proposed patch to fix NULL pointer dereference in udf_symlink function
Thanks! I've added the patch to my tree.
Thank you for your responsiveness and support :)