* [syzbot] [nilfs?] kernel BUG in __block_write_begin_int (2)
@ 2024-05-04 10:20 syzbot
  2024-05-04 18:26 ` Ryusuke Konishi
  2024-06-28 16:51 ` [PATCH] nilfs2: fix kernel bug on rename operation of broken directory Ryusuke Konishi
  0 siblings, 2 replies; 3+ messages in thread
From: syzbot @ 2024-05-04 10:20 UTC (permalink / raw)
  To: konishi.ryusuke, linux-fsdevel, linux-kernel, linux-nilfs,
	syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    9e4bc4bcae01 Merge tag 'nfs-for-6.9-2' of git://git.linux-..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12f2ae87180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3714fc09f933e505
dashboard link: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=150c697f180000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140de537180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b98a742ff5ed/disk-9e4bc4bc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/207a8191df7c/vmlinux-9e4bc4bc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7dd86c3ad0ba/bzImage-9e4bc4bc.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d35001c4b748/mount_0.gz

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15526d37180000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=17526d37180000
console output: https://syzkaller.appspot.com/x/log.txt?x=13526d37180000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/buffer.c:2083!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 5084 Comm: syz-executor283 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__block_write_begin_int+0x19a7/0x1a70 fs/buffer.c:2083
Code: 31 ff e8 ac 35 78 ff 48 89 d8 48 25 ff 0f 00 00 74 27 e8 bc 30 78 ff e9 c6 e7 ff ff e8 b2 30 78 ff 90 0f 0b e8 aa 30 78 ff 90 <0f> 0b e8 a2 30 78 ff 90 0f 0b e8 ca 5d 62 09 48 8b 5c 24 08 48 89
RSP: 0018:ffffc90003327760 EFLAGS: 00010293
RAX: ffffffff821ddf06 RBX: 0000000000007b54 RCX: ffff88802eff3c00
RDX: 0000000000000000 RSI: 0000000000001000 RDI: 0000000000007b54
RBP: ffffc900033278c8 R08: ffffffff821dc733 R09: 1ffffd400006f810
R10: dffffc0000000000 R11: fffff9400006f811 R12: 00fff0000000920d
R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000007b54
FS:  000055556494d480(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055838a10d7f0 CR3: 0000000078508000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 nilfs_prepare_chunk fs/nilfs2/dir.c:86 [inline]
 nilfs_set_link+0xc5/0x2a0 fs/nilfs2/dir.c:411
 nilfs_rename+0x5b2/0xaf0 fs/nilfs2/namei.c:416
 vfs_rename+0xbdd/0xf00 fs/namei.c:4880
 do_renameat2+0xd94/0x13f0 fs/namei.c:5037
 __do_sys_rename fs/namei.c:5084 [inline]
 __se_sys_rename fs/namei.c:5082 [inline]
 __x64_sys_rename+0x86/0xa0 fs/namei.c:5082
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa292c67f99
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd9d3b0198 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa292c67f99
RDX: 00007fa292c67f99 RSI: 0000000020000040 RDI: 0000000020000180
RBP: 0000000000000000 R08: 00007ffd9d3b01d0 R09: 00007ffd9d3b01d0
R10: 0000000000000f69 R11: 0000000000000246 R12: 00007ffd9d3b01d0
R13: 00007ffd9d3b0458 R14: 431bde82d7b634db R15: 00007fa292cb103b
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__block_write_begin_int+0x19a7/0x1a70 fs/buffer.c:2083
Code: 31 ff e8 ac 35 78 ff 48 89 d8 48 25 ff 0f 00 00 74 27 e8 bc 30 78 ff e9 c6 e7 ff ff e8 b2 30 78 ff 90 0f 0b e8 aa 30 78 ff 90 <0f> 0b e8 a2 30 78 ff 90 0f 0b e8 ca 5d 62 09 48 8b 5c 24 08 48 89
RSP: 0018:ffffc90003327760 EFLAGS: 00010293
RAX: ffffffff821ddf06 RBX: 0000000000007b54 RCX: ffff88802eff3c00
RDX: 0000000000000000 RSI: 0000000000001000 RDI: 0000000000007b54
RBP: ffffc900033278c8 R08: ffffffff821dc733 R09: 1ffffd400006f810
R10: dffffc0000000000 R11: fffff9400006f811 R12: 00fff0000000920d
R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000007b54
FS:  000055556494d480(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055838a039e38 CR3: 0000000078508000 CR4: 0000000000350ef0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [nilfs?] kernel BUG in __block_write_begin_int (2)
  2024-05-04 10:20 [syzbot] [nilfs?] kernel BUG in __block_write_begin_int (2) syzbot
@ 2024-05-04 18:26 ` Ryusuke Konishi
  2024-06-28 16:51 ` [PATCH] nilfs2: fix kernel bug on rename operation of broken directory Ryusuke Konishi
  1 sibling, 0 replies; 3+ messages in thread
From: Ryusuke Konishi @ 2024-05-04 18:26 UTC (permalink / raw)
  To: syzbot; +Cc: linux-fsdevel, linux-kernel, linux-nilfs, syzkaller-bugs

On Sat, May 4, 2024 at 7:20 PM syzbot wrote:
> [full syzbot report quoted here; identical to the report in the first message of this thread]

This appears to be an issue with the same cause as the automatically
obsoleted issue below:

https://syzkaller.appspot.com/bug?extid=4936b06b07f365af31cc

I would like to take a closer look.

Ryusuke Konishi


* [PATCH] nilfs2: fix kernel bug on rename operation of broken directory
  2024-05-04 10:20 [syzbot] [nilfs?] kernel BUG in __block_write_begin_int (2) syzbot
  2024-05-04 18:26 ` Ryusuke Konishi
@ 2024-06-28 16:51 ` Ryusuke Konishi
  1 sibling, 0 replies; 3+ messages in thread
From: Ryusuke Konishi @ 2024-06-28 16:51 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-nilfs, syzbot, syzkaller-bugs, LKML

Syzbot reported that, in a rename operation on a broken directory on
nilfs2, __block_write_begin_int(), which is called to prepare a block
write, may fail its BUG_ON check for an access exceeding the folio/page
size.

This is because nilfs_dotdot(), which gets the parent directory reference
entry ("..") of the directory to be moved or renamed, does not check
consistency sufficiently, and may return a location exceeding the
folio/page size for broken directories.

Fix this issue by checking required directory entries ("." and "..")
in the first chunk of the directory in nilfs_dotdot().

Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org
---
Hi Andrew, please apply this as a bug fix.

This fixes a potential kernel bug reported by syzbot regarding broken
directory rename operations.

Thanks,
Ryusuke Konishi

 fs/nilfs2/dir.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
index dddfa604491a..4a29b0138d75 100644
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -383,11 +383,39 @@ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir,
 
 struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct folio **foliop)
 {
-	struct nilfs_dir_entry *de = nilfs_get_folio(dir, 0, foliop);
+	struct folio *folio;
+	struct nilfs_dir_entry *de, *next_de;
+	size_t limit;
+	char *msg;
 
+	de = nilfs_get_folio(dir, 0, &folio);
 	if (IS_ERR(de))
 		return NULL;
-	return nilfs_next_entry(de);
+
+	limit = nilfs_last_byte(dir, 0);  /* is a multiple of chunk size */
+	if (unlikely(!limit || le64_to_cpu(de->inode) != dir->i_ino ||
+		     !nilfs_match(1, ".", de))) {
+		msg = "missing '.'";
+		goto fail;
+	}
+
+	next_de = nilfs_next_entry(de);
+	/*
+	 * If "next_de" has not reached the end of the chunk, there is
+	 * at least one more record.  Check whether it matches "..".
+	 */
+	if (unlikely((char *)next_de == (char *)de + nilfs_chunk_size(dir) ||
+		     !nilfs_match(2, "..", next_de))) {
+		msg = "missing '..'";
+		goto fail;
+	}
+	*foliop = folio;
+	return next_de;
+
+fail:
+	nilfs_error(dir->i_sb, "directory #%lu %s", dir->i_ino, msg);
+	folio_release_kmap(folio, de);
+	return NULL;
 }
 
 ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr)
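Review bot: the boundary test `(char *)next_de == (char *)de + nilfs_chunk_size(dir)` only catches a "." record that ends exactly at the chunk boundary, so it relies on the folio having been checked beforehand such that rec_len can never carry next_de past the chunk; a `>=` comparison would fail safe at no cost if that assumption is ever relaxed, and would also cover a rec_len that is a multiple of the chunk size. Separately, `limit` is computed only to test `!limit`, so the comment `/* is a multiple of chunk size */` says nothing about why the check is there; a comment stating that an empty first chunk (no "." at all) is rejected would document the intent better.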
-- 
2.34.1
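As an added example that is not nilfs2 code and not from the patch author, the userspace C program below models the check this patch puts into nilfs_dotdot(): the first record of the first chunk must be "." owned by the directory's own inode, and the record after it must be ".." and still lie inside the chunk. The record layout (8-byte inode, 2-byte rec_len, 1-byte name_len, 1-byte file_type, name padded to 8 bytes), the chunk size, and the inode numbers are assumptions made for the example, not the on-disk format as documented by the project. It also shows what the unchecked path computes on a corrupted chunk: an offset beyond the chunk, which is the kind of value that later reaches the page-size BUG_ON in __block_write_begin_int().

```c
/* Added example (not nilfs2 kernel code): model of the "."/".." validation
 * added to nilfs_dotdot(). Record layout, CHUNK_SIZE and inode numbers are
 * assumptions constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 1024U
#define HDR_LEN    12U
#define REC_LEN(n) (((n) + HDR_LEN + 7U) & ~7U)

struct rec { uint64_t inode; uint16_t rec_len; uint8_t name_len; };

/* Read a record header at 'off'; fails when the header itself lies outside the chunk. */
static int read_rec(const uint8_t *chunk, size_t off, struct rec *r)
{
	if (off + HDR_LEN > CHUNK_SIZE)
		return -1;
	memcpy(&r->inode, chunk + off, 8);
	memcpy(&r->rec_len, chunk + off + 8, 2);
	r->name_len = chunk[off + 10];
	return 0;
}

/* Counterpart of nilfs_match(): length and bytes must agree and the name must fit the chunk. */
static int name_is(const uint8_t *chunk, size_t off, const struct rec *r, const char *name)
{
	size_t n = strlen(name);
	return r->name_len == n && off + HDR_LEN + n <= CHUNK_SIZE &&
	       memcmp(chunk + off + HDR_LEN, name, n) == 0;
}

/* Old behaviour: assume ".." is whatever follows the first record, without validation. */
size_t dotdot_offset_unchecked(const uint8_t *chunk)
{
	struct rec r;
	return read_rec(chunk, 0, &r) ? SIZE_MAX : r.rec_len; /* may exceed CHUNK_SIZE if corrupted */
}

/* New behaviour: "." owned by dir_ino must come first, ".." must follow inside the chunk.
 * Returns the offset of ".." or -1; *why (if non-NULL) receives the rejection reason. */
long dotdot_offset_checked(const uint8_t *chunk, size_t dir_size, uint64_t dir_ino, const char **why)
{
	struct rec r;
	size_t next = 0;
	const char *reason = NULL;

	if (dir_size == 0 || read_rec(chunk, 0, &r) || r.inode != dir_ino || !name_is(chunk, 0, &r, ".")) {
		reason = "missing '.'";
	} else {
		next = r.rec_len;
		/* a "." record that fills or overruns the chunk leaves no room for ".." */
		if (next >= CHUNK_SIZE || read_rec(chunk, next, &r) || !name_is(chunk, next, &r, ".."))
			reason = "missing '..'";
	}
	if (why)
		*why = reason;
	return reason ? -1 : (long)next;
}

/* Write one record and return the offset where the next one would start. */
static size_t put_rec(uint8_t *chunk, size_t off, uint64_t ino, uint16_t rec_len, const char *name)
{
	size_t n = strlen(name);
	memcpy(chunk + off, &ino, 8);
	memcpy(chunk + off + 8, &rec_len, 2);
	chunk[off + 10] = (uint8_t)n;
	chunk[off + 11] = 2;		/* file_type: directory */
	memcpy(chunk + off + HDR_LEN, name, n);
	return off + rec_len;
}

/* Constructed first chunks of a directory with inode 12 whose parent is inode 2:
 * GOOD has "." then ".."; DOT_OVERRUNS gives "." a rec_len far past the chunk;
 * DOT_FILLS_CHUNK makes "." consume the whole chunk so ".." is absent. */
enum sample { SAMPLE_GOOD, SAMPLE_DOT_OVERRUNS, SAMPLE_DOT_FILLS_CHUNK };

const uint8_t *sample_chunk(enum sample kind)
{
	static uint8_t chunk[CHUNK_SIZE];
	uint16_t dot_len = kind == SAMPLE_GOOD ? REC_LEN(1) :
			   kind == SAMPLE_DOT_OVERRUNS ? 0x1f00 : CHUNK_SIZE;
	size_t off;

	memset(chunk, 0, sizeof(chunk));
	off = put_rec(chunk, 0, 12, dot_len, ".");
	if (kind == SAMPLE_GOOD)
		put_rec(chunk, off, 2, (uint16_t)(CHUNK_SIZE - off), "..");
	return chunk;
}

/* Rejection reason for a sample, or "ok" when ".." was located. */
const char *reason_for(enum sample kind, size_t dir_size, uint64_t dir_ino)
{
	const char *why;
	dotdot_offset_checked(sample_chunk(kind), dir_size, dir_ino, &why);
	return why ? why : "ok";
}

int main(void)
{
	printf("unchecked: \"..\" assumed at offset %zu of a %u-byte chunk\n",
	       dotdot_offset_unchecked(sample_chunk(SAMPLE_DOT_OVERRUNS)), CHUNK_SIZE);
	printf("checked:   %s\n", reason_for(SAMPLE_DOT_OVERRUNS, CHUNK_SIZE, 12));
	return 0;
}
```

The `dir_size == 0` test plays the role of the patch's `!limit` check: an empty first chunk is never validated record by record, so stepping past its first record would otherwise use whatever bytes happen to be there as a rec_len.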


