From: syzbot <syzbot+604424eb051c2f696163@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org
Subject: Re: [syzbot] [PATCH] Test oob in squashfs readahead
Date: Mon, 13 Nov 2023 23:53:47 -0800 [thread overview]
Message-ID: <00000000000028efe8060a181604@google.com> (raw)
In-Reply-To: <000000000000b1fda20609ede0d1@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test oob in squashfs readahead
Author: eadavis@qq.com
please test squashfs readahead oob
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 13d88ac54ddd
diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
index 581ce9519339..1c7c5500206b 100644
--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -314,9 +314,11 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
bio_uninit(bio);
kfree(bio);
+ printk("datal: %d \n", length);
compressed = SQUASHFS_COMPRESSED(length);
length = SQUASHFS_COMPRESSED_SIZE(length);
index += 2;
+ printk("datal2: %d, c:%d, i:%d \n", length, compressed, index);
TRACE("Block @ 0x%llx, %scompressed size %d\n", index - 2,
compressed ? "" : "un", length);
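Review bot: The added `datal2:` printk passes `index`, which the hunk header shows is a `u64`, to a `%d` conversion, so the offset is misprinted in exactly the large or corrupted cases this trace is meant to expose. It should be `printk("datal2: %d, c:%d, i:%llu\n", length, compressed, index);`. The same mismatch appears to apply to `msblk->bytes_used` in the `srd:` line of the next hunk (it is compared against `index + length`, so it is presumably 64-bit), and to `i_size_read(inode)` and `inode->i_size` printed with `%d` in the file.c and inode.c hunks, where `%lld` would be expected. The body of squashfs_read_data starts and ends outside this hunk.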
@@ -324,6 +326,7 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
if (length < 0 || length > output->length ||
(index + length) > msblk->bytes_used) {
res = -EIO;
+ printk("srd: l:%d, ol: %d, bu: %d \n", length, output->length, msblk->bytes_used);
goto out;
}
@@ -340,6 +343,7 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
goto out_free_bio;
}
res = msblk->thread_ops->decompress(msblk, bio, offset, length, output);
+ printk("srd6: r: %d \n", res);
} else {
res = copy_bio_to_actor(bio, output, offset, length);
}
diff --git a/fs/squashfs/cache.c b/fs/squashfs/cache.c
index 5062326d0efb..dac9eedea868 100644
--- a/fs/squashfs/cache.c
+++ b/fs/squashfs/cache.c
@@ -340,6 +340,7 @@ int squashfs_read_metadata(struct super_block *sb, void *buffer,
if (unlikely(length < 0))
return -EIO;
+ printk("srm: %d\n", length);
while (length) {
entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
if (entry->error) {
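Review bot: The `srm:` printk in squashfs_read_metadata carries no log level and is not rate limited, so it fires on every metadata read; against a fuzzed image that can flood the log and bury the KASAN report being chased. The `sgf:` and `sgd:` lines in the next two hunks, and the block.c additions, share this. The TRACE() macro already used in the block.c and file.c hunks looks like the existing mechanism for this kind of output, for example `TRACE("squashfs_read_metadata: length %d\n", length);`, or `pr_debug()` if it must stay separate. The function body continues outside the hunk.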
@@ -381,6 +382,7 @@ struct squashfs_cache_entry *squashfs_get_fragment(struct super_block *sb,
{
struct squashfs_sb_info *msblk = sb->s_fs_info;
+ printk("sgf: %d\n", length);
return squashfs_cache_get(sb, msblk->fragment_cache, start_block,
length);
}
@@ -396,6 +398,7 @@ struct squashfs_cache_entry *squashfs_get_datablock(struct super_block *sb,
{
struct squashfs_sb_info *msblk = sb->s_fs_info;
+ printk("sgd: %d\n", length);
return squashfs_cache_get(sb, msblk->read_page, start_block, length);
}
diff --git a/fs/squashfs/file.c b/fs/squashfs/file.c
index 8ba8c4c50770..b54d6b993357 100644
--- a/fs/squashfs/file.c
+++ b/fs/squashfs/file.c
@@ -461,6 +461,12 @@ static int squashfs_read_folio(struct file *file, struct folio *folio)
TRACE("Entered squashfs_readpage, page index %lx, start block %llx\n",
page->index, squashfs_i(inode)->start);
+ if (!file_end) {
+ printk("i:%p, is:%d, %s\n", inode, i_size_read(inode), __func__);
+ res = -EINVAL;
+ goto out;
+ }
+
if (page->index >= ((i_size_read(inode) + PAGE_SIZE - 1) >>
PAGE_SHIFT))
goto out;
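Review bot: The new `if (!file_end)` guard in squashfs_read_folio returns -EINVAL whenever `file_end` is zero, which probably rejects far more than the malformed image. The declaration of `file_end` is outside this hunk, but if it is computed as in squashfs_readahead (`i_size_read(inode) >> msblk->block_log`, visible in the next hunk), it is zero for every regular file shorter than one block. The `!file_end && !start` early return in the squashfs_readahead hunk has the same breadth. If this stays as a diagnostic only, say so at the guard, e.g. `/* debug only: file_end == 0 also matches valid files smaller than one block */`. A real fix should validate the bad length where it is read rather than keying on `file_end`.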
@@ -547,6 +553,11 @@ static void squashfs_readahead(struct readahead_control *ractl)
int i, file_end = i_size_read(inode) >> msblk->block_log;
unsigned int max_pages = 1UL << shift;
+ if (!file_end && !start) {
+ printk("i:%p, is:%d, %s\n", inode, i_size_read(inode), __func__);
+ return;
+ }
+
readahead_expand(ractl, start, (len | mask) + 1);
pages = kmalloc_array(max_pages, sizeof(void *), GFP_KERNEL);
diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
index aa3411354e66..f3b0111e6fbd 100644
--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -175,6 +175,7 @@ int squashfs_read_inode(struct inode *inode, long long ino)
u64 frag_blk;
struct squashfs_lreg_inode *sqsh_ino = &squashfs_ino.lreg;
+ printk("in0: %p, fs: %d, it: %d, %s\n", inode, inode->i_size, type, __func__);
err = squashfs_read_metadata(sb, sqsh_ino, &block, &offset,
sizeof(*sqsh_ino));
if (err < 0)
@@ -403,6 +404,7 @@ int squashfs_read_inode(struct inode *inode, long long ino)
} else
squashfs_i(inode)->xattr_count = 0;
+ printk("in: %p, fs: %d, it: %d, %s\n", inode, inode->i_size, type, __func__);
return 0;
failed_read:
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-12 5:32 [syzbot] [squashfs?] KASAN: slab-out-of-bounds Write in squashfs_readahead (2) syzbot
2023-11-13 11:00 ` [syzbot] [PATCH] Test oob in squashfs readahead syzbot
2023-11-13 12:10 ` syzbot
2023-11-13 15:27 ` [syzbot] [squashfs?] KASAN: slab-out-of-bounds Write in squashfs_readahead (2) Phillip Lougher
2023-11-14 0:22 ` [syzbot] [PATCH] Test oob in squashfs readahead syzbot
2023-11-14 1:04 ` syzbot
2023-11-14 1:55 ` syzbot
2023-11-14 3:33 ` syzbot
2023-11-14 4:06 ` syzbot
2023-11-14 6:35 ` syzbot
2023-11-14 7:53 ` syzbot [this message]
2023-11-14 8:58 ` syzbot
2023-11-15 2:21 ` syzbot
2023-11-15 4:05 ` [PATCH] squashfs: fix oob in squashfs_readahead Edward Adam Davis
2023-11-15 22:39 ` Andrew Morton
2023-11-16 15:14 ` Phillip Lougher
2023-11-18 2:12 ` Edward Adam Davis
2023-11-17 13:17 ` Marek Szyprowski
2023-11-17 15:48 ` Andrew Morton