From: syzbot <syzbot+b0a0670332b6b3230a0a@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ext4: check folio uptodate state in ext4_page_mkwrite()
Date: Thu, 20 Nov 2025 17:34:52 -0800
Message-ID: <691fc1bc.a70a0220.2ea503.003f.GAE@google.com>
In-Reply-To: <691f44bb.a70a0220.2ea503.0032.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ext4: check folio uptodate state in ext4_page_mkwrite()
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When a write fault occurs on a memory-mapped ext4 file, ext4_page_mkwrite()
is called to prepare the folio for writing. However, if the folio could
not be read successfully due to filesystem corruption or I/O errors, it
will not be marked uptodate.
Attempting to write to a non-uptodate folio is problematic because:
1. We don't have valid data from the backing store to preserve
2. A subsequent writeback could write uninitialized data to disk
3. It triggers a warning in __folio_mark_dirty():
WARN_ON_ONCE(warn && !folio_test_uptodate(folio))
This issue can be reproduced by:
1. Creating a corrupted ext4 filesystem with invalid extent entries
2. Memory-mapping a file on that filesystem
3. Attempting to write to the mapped region
The sequence of events is:
- User reads/writes to mmap region -> page fault
- ext4_filemap_fault() -> ext4_map_blocks() detects corruption
- Returns error, folio allocated but NOT marked uptodate
- User writes to same region -> ext4_page_mkwrite() called
- No uptodate check -> folio marked dirty -> WARNING
Fix this by checking folio_test_uptodate() after locking the folio in
ext4_page_mkwrite(). If the folio is not uptodate, unlock it and return
VM_FAULT_SIGBUS to signal the error to userspace. This is consistent
with how we handle other error conditions like truncated folios.
Reported-by: syzbot+b0a0670332b6b3230a0a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b0a0670332b6b3230a0a
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/buffer.c | 5 +++--
fs/ext4/inode.c | 11 ++++++++++-
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/fs/buffer.c b/fs/buffer.c
index 6a8752f7bbed..805cc0a2ecab 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -2621,7 +2621,8 @@ int block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf,
unsigned long end;
loff_t size;
int ret;
-
+ pr_info("BUFFER_DEBUG: block_page_mkwrite called for inode %lu, folio index %lu, uptodate=%d\n",
+ inode->i_ino, folio->index, folio_test_uptodate(folio));
folio_lock(folio);
size = i_size_read(inode);
if ((folio->mapping != inode->i_mapping) ||
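Review bot: the pr_info() added ahead of folio_lock(folio) in block_page_mkwrite() looks like leftover debugging and should be dropped from the version meant for merging. The commit message describes only an uptodate check in ext4_page_mkwrite() and says nothing about a fs/buffer.c change. The print is unconditional and unthrottled in a mkwrite handler, and it samples folio_test_uptodate(folio) before the folio is locked, so the logged value may not match the state later code sees under the lock. It also replaces the blank line that separated the declarations from the first statement. If tracing is wanted here, pr_debug() or a tracepoint placed after folio_lock() would be the usual form.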
@@ -2630,7 +2631,7 @@ int block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf,
ret = -EFAULT;
goto out_unlock;
}
-
+ pr_info("BUFFER_DEBUG: Folio checks passed, calling __block_write_begin\n");
end = folio_size(folio);
/* folio is wholly or partially inside EOF */
if (folio_pos(folio) + end > size)
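Review bot: the second pr_info() in block_page_mkwrite(), placed right after the out_unlock error branch, has text that does not match the code around it: it announces a call to __block_write_begin, but the statements that follow only compute end from folio_size(folio) and compare it against size. It is also printed at info level with the folio lock held, on every fault that gets past the mapping check. Suggest removing it and restoring the blank line after the closing brace.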
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index e99306a8f47c..535da8fa9233 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -6675,7 +6675,8 @@ vm_fault_t ext4_page_mkwrite(struct vm_fault *vmf)
struct address_space *mapping = inode->i_mapping;
get_block_t *get_block = ext4_get_block;
int retries = 0;
-
+ pr_info("EXT4_DEBUG: ext4_page_mkwrite called for inode %lu, folio index %lu, uptodate=%d\n",
+ inode->i_ino, folio->index, folio_test_uptodate(folio));
if (unlikely(IS_IMMUTABLE(inode)))
return VM_FAULT_SIGBUS;
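Review bot: the pr_info() at the top of ext4_page_mkwrite() runs before the IS_IMMUTABLE(inode) check and before any folio_lock(), so it logs inode->i_ino, folio->index and the uptodate bit for every write fault, including ones that immediately return VM_FAULT_SIGBUS, and the uptodate value is read unlocked. Nothing in the commit message covers this instrumentation. It should be removed, or at most turned into pr_debug(), and the blank line after "int retries = 0;" kept.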
@@ -6700,19 +6701,27 @@ vm_fault_t ext4_page_mkwrite(struct vm_fault *vmf)
/* Delalloc case is easy... */
if (test_opt(inode->i_sb, DELALLOC) &&
!ext4_nonda_switch(inode->i_sb)) {
+ pr_info("EXT4_DEBUG: Taking delalloc path, calling block_page_mkwrite\n");
do {
err = block_page_mkwrite(vma, vmf,
ext4_da_get_block_prep);
+ pr_info("EXT4_DEBUG: block_page_mkwrite returned err=%d\n", err);
} while (err == -ENOSPC &&
ext4_should_retry_alloc(inode->i_sb, &retries));
goto out_ret;
}
folio_lock(folio);
+ if (!folio_test_uptodate(folio)) {
+ folio_unlock(folio);
+ ret = VM_FAULT_SIGBUS;
+ goto out;
+ }
size = i_size_read(inode);
/* Page got truncated from under us? */
if (folio->mapping != mapping || folio_pos(folio) > size) {
folio_unlock(folio);
+ pr_info("EXT4_DEBUG: Folio truncated, returning VM_FAULT_NOPAGE\n");
ret = VM_FAULT_NOPAGE;
goto out;
}
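Review bot: the new folio_test_uptodate() check sits after the delalloc branch, which calls block_page_mkwrite() and then does "goto out_ret", so when DELALLOC is set and ext4_nonda_switch() returns false the check is never reached. The fs/buffer.c part of this patch adds only pr_info() calls and no uptodate test, so nothing visible here guards that path against the non-uptodate folio the commit message sets out to handle. Either test the folio before the delalloc branch (lock, test, unlock) or add the test in block_page_mkwrite() after its folio_lock(), and state in the commit message which paths are covered. The three pr_info() calls in this hunk, one of them inside the -ENOSPC retry loop, are debug output and should not be in the final patch.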
--
2.43.0