From: Al Viro <viro@zeniv.linux.org.uk>
To: Lizhi Xu <lizhi.xu@windriver.com>
Cc: brauner@kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, phillip@squashfs.org.uk,
squashfs-devel@lists.sourceforge.net,
syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] filemap: Init the newly allocated folio memory to 0 for the filemap
Date: Thu, 1 Aug 2024 13:42:20 +0100 [thread overview]
Message-ID: <20240801124220.GP5334@ZenIV> (raw)
In-Reply-To: <20240801081224.1252836-1-lizhi.xu@windriver.com>
On Thu, Aug 01, 2024 at 04:12:24PM +0800, Lizhi Xu wrote:
> > * ->read_folio() had been called, claimed to have succeeded and
> > yet it had left something in range 0..inode->i_size-1 uninitialized.
> > Again, a bug, this time in ->read_folio() instance.
> read_folio, have you noticed that the file value was passed to read_folio is NULL?
> fs/namei.c
> const char *page_get_link(struct dentry *dentry, struct inode *inode
> ...
> 5272 read_mapping_page(mapping, 0, NULL);
>
> So, Therefore, no matter what, the value of folio will not be initialized by file
> in read_folio.
What does struct file have to do with anything? What it asks is the
first page of the address space of inode in question.
file argument of ->read_folio() is not how an instance determines which
filesystem object it's dealing with. _That_ is determined by the
address space (mapping) the folio had been attached to. For some
filesystems that is not enough - they need an information established
at open() time. Those ->read_folio() instances can pick such stuff
from the file argument - and those obviously cannot be used with
page_get_link(), since for symlinks there's no opened files, etc.
Most of the instances do not use the 'file' argument. In particular,
squashfs_symlink_read_folio() doesn't even look at it.
It would probably be less confusing if the arguments of ->read_folio()
went in the opposite order, but that's a separate story. In any case,
"which filesystem object" is determined by folio->mapping, "which
offset in that filesystem object" comes from folio_pos(folio), not
that it realistically could be anything other than 0 in case of a symlink
(they can't be more than 4Kb long, so the first page will cover the
entire thing).
next prev parent reply other threads:[~2024-08-01 12:42 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-31 8:12 [syzbot] [squashfs?] KMSAN: uninit-value in pick_link syzbot
2024-08-01 1:23 ` [syzbot] " syzbot
2024-08-01 2:27 ` [PATCH] filemap: Init the newly allocated folio memory to 0 for the filemap Lizhi Xu
2024-08-01 2:58 ` Al Viro
2024-08-01 5:28 ` Lizhi Xu
2024-08-01 7:10 ` Al Viro
2024-08-01 7:24 ` Al Viro
2024-08-01 8:12 ` Lizhi Xu
2024-08-01 9:13 ` Lizhi Xu
2024-08-01 12:42 ` Al Viro [this message]
2024-08-01 15:17 ` [PATCH V2] squashfs: Add length check in squashfs_symlink_read_folio Lizhi Xu
2024-08-01 15:30 ` Jan Kara
2024-08-02 1:39 ` Lizhi Xu
2024-08-02 1:50 ` [PATCH V3] squashfs: Add i_size check in squash_read_inode Lizhi Xu
2024-08-02 3:01 ` [PATCH V4] " Lizhi Xu
2024-08-02 9:33 ` Jan Kara
2024-08-02 11:16 ` [PATCH V5] " Lizhi Xu
2024-08-02 13:52 ` Al Viro
2024-08-02 14:44 ` [PATCH] filemap: Init the newly allocated folio memory to 0 for the filemap Lizhi Xu
2024-08-02 15:03 ` Al Viro
2024-08-03 4:07 ` [PATCH V6] squashfs: Add symlink size check in squash_read_inode Lizhi Xu
2024-08-03 7:43 ` [PATCH V7] " Lizhi Xu
2024-08-04 21:16 ` Phillip Lougher
2024-08-04 21:20 ` Al Viro
2024-08-04 22:31 ` Phillip Lougher
2024-08-05 7:03 ` Christian Brauner
2024-08-05 1:02 ` Lizhi Xu
2024-08-05 1:40 ` Al Viro
2024-08-06 2:56 ` Lizhi Xu
2024-08-06 4:59 ` Al Viro
2024-08-06 6:19 ` Lizhi Xu
2024-08-06 6:58 ` Al Viro
2024-08-01 9:07 ` [syzbot] Re: [syzbot] [squashfs?] KMSAN: uninit-value in pick_link syzbot
2024-08-01 9:27 ` syzbot
2024-08-01 12:08 ` syzbot
2024-08-01 13:06 ` syzbot
2024-08-01 14:08 ` syzbot
2024-08-01 14:39 ` syzbot
2024-08-02 1:02 ` syzbot
2024-08-02 2:00 ` syzbot
2024-08-03 3:04 ` syzbot
2024-08-03 3:13 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240801124220.GP5334@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lizhi.xu@windriver.com \
--cc=phillip@squashfs.org.uk \
--cc=squashfs-devel@lists.sourceforge.net \
--cc=syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.