{"id":"CVE-2022-49007","summary":"nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()\n\nSyzbot reported a null-ptr-deref bug:\n\n NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP\n frequency \u003c 30 seconds\n general protection fault, probably for non-canonical address\n 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n CPU: 1 PID: 3603 Comm: segctord Not tainted\n 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google\n 10/11/2022\n RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0\n fs/nilfs2/alloc.c:608\n Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00\n 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02\n 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7\n RSP: 0018:ffffc90003dff830 EFLAGS: 00010212\n RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d\n RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010\n RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f\n R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158\n R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004\n FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000)\n knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0\n Call Trace:\n  \u003cTASK\u003e\n  nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]\n  nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193\n  nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236\n  nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940\n  nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]\n  nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]\n  nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088\n  nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337\n  nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568\n  nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018\n  nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067\n  nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]\n  nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]\n  nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045\n  nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379\n  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]\n  nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570\n  kthread+0x2e4/0x3a0 kernel/kthread.c:376\n  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n  \u003c/TASK\u003e\n ...\n\nIf DAT metadata file is corrupted on disk, there is a case where\nreq-\u003epr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during\na b-tree operation that cascadingly updates ancestor nodes of the b-tree,\nbecause nilfs_dat_commit_alloc() for a lower level block can initialize\nthe blocknr on the same DAT entry between nilfs_dat_prepare_end() and\nnilfs_dat_commit_end().\n\nIf this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()\nwithout valid buffer heads in req-\u003epr_desc_bh and req-\u003epr_bitmap_bh, and\ncauses the NULL pointer dereference above in\nnilfs_palloc_commit_free_entry() function, which leads to a crash.\n\nFix this by adding a NULL check on req-\u003epr_desc_bh and req-\u003epr_bitmap_bh\nbefore nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().\n\nThis also calls nilfs_error() in that case to notify that there is a fatal\nflaw in the filesystem metadata and prevent further operations.","modified":"2026-04-02T08:27:13.667752Z","published":"2024-10-21T20:06:19.506Z","related":["SUSE-SU-2024:3983-1","SUSE-SU-2024:3985-1","SUSE-SU-2024:4082-1","SUSE-SU-2024:4131-1","SUSE-SU-2024:4364-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49007.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/165c7a3b27a3857ebf57f626b9f38b48b6792e68"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2f2c59506ae39496588ceb8b88bdbdbaed895d63"},{"type":"WEB","url":"https://git.kernel.org/stable/c/33021419fd81efd3d729a7f19341ba4b98fe66ce"},{"type":"WEB","url":"https://git.kernel.org/stable/c/381b84f60e549ea98cec4666c6c728b1b3318756"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a130b72e6bd1fb07fc3cde839dc6fb53da76f07"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc3fd3293887b4cf84a9109700faeb82de533c89"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e858917ab785afe83c14f5ac141301216ccda847"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49007.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49007"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a17564f58b11476c011d623fa1f268602a81c27c"},{"fixed":"2f2c59506ae39496588ceb8b88bdbdbaed895d63"},{"fixed":"165c7a3b27a3857ebf57f626b9f38b48b6792e68"},{"fixed":"bc3fd3293887b4cf84a9109700faeb82de533c89"},{"fixed":"9a130b72e6bd1fb07fc3cde839dc6fb53da76f07"},{"fixed":"e858917ab785afe83c14f5ac141301216ccda847"},{"fixed":"33021419fd81efd3d729a7f19341ba4b98fe66ce"},{"fixed":"381b84f60e549ea98cec4666c6c728b1b3318756"},{"fixed":"f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49007.json"}}],"schema_version":"1.7.5"}