* Re: [syzbot] [nilfs?] kernel BUG in __block_write_begin_int (2)
2024-05-04 10:20 [syzbot] [nilfs?] kernel BUG in __block_write_begin_int (2) syzbot
@ 2024-05-04 18:26 ` Ryusuke Konishi
2024-06-28 16:51 ` [PATCH] nilfs2: fix kernel bug on rename operation of broken directory Ryusuke Konishi
1 sibling, 0 replies; 3+ messages in thread
From: Ryusuke Konishi @ 2024-05-04 18:26 UTC (permalink / raw)
To: syzbot; +Cc: linux-fsdevel, linux-kernel, linux-nilfs, syzkaller-bugs
On Sat, May 4, 2024 at 7:20 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9e4bc4bcae01 Merge tag 'nfs-for-6.9-2' of git://git.linux-..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=12f2ae87180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=3714fc09f933e505
> dashboard link: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=150c697f180000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140de537180000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/b98a742ff5ed/disk-9e4bc4bc.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/207a8191df7c/vmlinux-9e4bc4bc.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/7dd86c3ad0ba/bzImage-9e4bc4bc.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/d35001c4b748/mount_0.gz
>
> Bisection is inconclusive: the issue happens on the oldest tested release.
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15526d37180000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=17526d37180000
> console output: https://syzkaller.appspot.com/x/log.txt?x=13526d37180000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> kernel BUG at fs/buffer.c:2083!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 0 PID: 5084 Comm: syz-executor283 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> RIP: 0010:__block_write_begin_int+0x19a7/0x1a70 fs/buffer.c:2083
> Code: 31 ff e8 ac 35 78 ff 48 89 d8 48 25 ff 0f 00 00 74 27 e8 bc 30 78 ff e9 c6 e7 ff ff e8 b2 30 78 ff 90 0f 0b e8 aa 30 78 ff 90 <0f> 0b e8 a2 30 78 ff 90 0f 0b e8 ca 5d 62 09 48 8b 5c 24 08 48 89
> RSP: 0018:ffffc90003327760 EFLAGS: 00010293
> RAX: ffffffff821ddf06 RBX: 0000000000007b54 RCX: ffff88802eff3c00
> RDX: 0000000000000000 RSI: 0000000000001000 RDI: 0000000000007b54
> RBP: ffffc900033278c8 R08: ffffffff821dc733 R09: 1ffffd400006f810
> R10: dffffc0000000000 R11: fffff9400006f811 R12: 00fff0000000920d
> R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000007b54
> FS: 000055556494d480(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055838a10d7f0 CR3: 0000000078508000 CR4: 0000000000350ef0
> Call Trace:
> <TASK>
> nilfs_prepare_chunk fs/nilfs2/dir.c:86 [inline]
> nilfs_set_link+0xc5/0x2a0 fs/nilfs2/dir.c:411
> nilfs_rename+0x5b2/0xaf0 fs/nilfs2/namei.c:416
> vfs_rename+0xbdd/0xf00 fs/namei.c:4880
> do_renameat2+0xd94/0x13f0 fs/namei.c:5037
> __do_sys_rename fs/namei.c:5084 [inline]
> __se_sys_rename fs/namei.c:5082 [inline]
> __x64_sys_rename+0x86/0xa0 fs/namei.c:5082
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fa292c67f99
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffd9d3b0198 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa292c67f99
> RDX: 00007fa292c67f99 RSI: 0000000020000040 RDI: 0000000020000180
> RBP: 0000000000000000 R08: 00007ffd9d3b01d0 R09: 00007ffd9d3b01d0
> R10: 0000000000000f69 R11: 0000000000000246 R12: 00007ffd9d3b01d0
> R13: 00007ffd9d3b0458 R14: 431bde82d7b634db R15: 00007fa292cb103b
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:__block_write_begin_int+0x19a7/0x1a70 fs/buffer.c:2083
> Code: 31 ff e8 ac 35 78 ff 48 89 d8 48 25 ff 0f 00 00 74 27 e8 bc 30 78 ff e9 c6 e7 ff ff e8 b2 30 78 ff 90 0f 0b e8 aa 30 78 ff 90 <0f> 0b e8 a2 30 78 ff 90 0f 0b e8 ca 5d 62 09 48 8b 5c 24 08 48 89
> RSP: 0018:ffffc90003327760 EFLAGS: 00010293
> RAX: ffffffff821ddf06 RBX: 0000000000007b54 RCX: ffff88802eff3c00
> RDX: 0000000000000000 RSI: 0000000000001000 RDI: 0000000000007b54
> RBP: ffffc900033278c8 R08: ffffffff821dc733 R09: 1ffffd400006f810
> R10: dffffc0000000000 R11: fffff9400006f811 R12: 00fff0000000920d
> R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000007b54
> FS: 000055556494d480(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055838a039e38 CR3: 0000000078508000 CR4: 0000000000350ef0
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
This appears to be an issue with the same cause as the automatically
obsoleted issue below:
https://syzkaller.appspot.com/bug?extid=4936b06b07f365af31cc
I would like to take a closer look.
Ryusuke Konishi
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] nilfs2: fix kernel bug on rename operation of broken directory
2024-05-04 10:20 [syzbot] [nilfs?] kernel BUG in __block_write_begin_int (2) syzbot
2024-05-04 18:26 ` Ryusuke Konishi
@ 2024-06-28 16:51 ` Ryusuke Konishi
1 sibling, 0 replies; 3+ messages in thread
From: Ryusuke Konishi @ 2024-06-28 16:51 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-nilfs, syzbot, syzkaller-bugs, LKML
Syzbot reported that in rename directory operation on broken directory
on nilfs2, __block_write_begin_int() called to prepare block write may
fail BUG_ON check for access exceeding the folio/page size.
This is because nilfs_dotdot(), which gets parent directory reference
entry ("..") of the directory to be moved or renamed, does not check
consistency enough, and may return location exceeding folio/page size
for broken directories.
Fix this issue by checking required directory entries ("." and "..")
in the first chunk of the directory in nilfs_dotdot().
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org
---
Hi Andrew, please apply this as a bug fix.
This fixes a potential kernel bug reported by syzbot regarding broken
directory rename operations.
Thanks,
Ryusuke Konishi
fs/nilfs2/dir.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
index dddfa604491a..4a29b0138d75 100644
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -383,11 +383,39 @@ struct nilfs_dir_entry *nilfs_find_entry(struct inode *dir,
struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct folio **foliop)
{
- struct nilfs_dir_entry *de = nilfs_get_folio(dir, 0, foliop);
+ struct folio *folio;
+ struct nilfs_dir_entry *de, *next_de;
+ size_t limit;
+ char *msg;
+ de = nilfs_get_folio(dir, 0, &folio);
if (IS_ERR(de))
return NULL;
- return nilfs_next_entry(de);
+
+ limit = nilfs_last_byte(dir, 0); /* is a multiple of chunk size */
+ if (unlikely(!limit || le64_to_cpu(de->inode) != dir->i_ino ||
+ !nilfs_match(1, ".", de))) {
+ msg = "missing '.'";
+ goto fail;
+ }
+
+ next_de = nilfs_next_entry(de);
+ /*
+ * If "next_de" has not reached the end of the chunk, there is
+ * at least one more record. Check whether it matches "..".
+ */
+ if (unlikely((char *)next_de == (char *)de + nilfs_chunk_size(dir) ||
+ !nilfs_match(2, "..", next_de))) {
+ msg = "missing '..'";
+ goto fail;
+ }
+ *foliop = folio;
+ return next_de;
+
+fail:
+ nilfs_error(dir->i_sb, "directory #%lu %s", dir->i_ino, msg);
+ folio_release_kmap(folio, de);
+ return NULL;
}
ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr)
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread