* [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
From: syzbot @ 2023-09-09 8:36 UTC (permalink / raw)
To: dmitry.kasatkin, jmorris, linux-integrity, linux-kernel,
linux-security-module, paul, serge, syzkaller-bugs, zohar
Hello,
syzbot found the following issue on:
HEAD commit: 7ba2090ca64e Merge tag 'ceph-for-6.6-rc1' of https://githu..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14074c94680000
kernel config: https://syzkaller.appspot.com/x/.config?x=ed626705db308b2d
dashboard link: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7abbf7618c3a/disk-7ba2090c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/694adc723518/vmlinux-7ba2090c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3c5d9addc4e4/bzImage-7ba2090c.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com
INFO: task syz-executor.0:8008 blocked for more than 143 seconds.
Not tainted 6.5.0-syzkaller-12107-g7ba2090ca64e #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:27472 pid:8008 ppid:5056 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5382 [inline]
__schedule+0x1873/0x48f0 kernel/sched/core.c:6695
schedule+0xc3/0x180 kernel/sched/core.c:6771
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6830
rwsem_down_write_slowpath+0xedd/0x13a0 kernel/locking/rwsem.c:1178
__down_write_common+0x1aa/0x200 kernel/locking/rwsem.c:1306
inode_lock include/linux/fs.h:802 [inline]
process_measurement+0x43b/0x1cf0 security/integrity/ima/ima_main.c:247
ima_file_check+0xf1/0x170 security/integrity/ima/ima_main.c:543
do_open fs/namei.c:3641 [inline]
path_openat+0x2812/0x3180 fs/namei.c:3796
do_filp_open+0x234/0x490 fs/namei.c:3823
do_sys_openat2+0x13e/0x1d0 fs/open.c:1422
do_sys_open fs/open.c:1437 [inline]
__do_sys_creat fs/open.c:1513 [inline]
__se_sys_creat fs/open.c:1507 [inline]
__x64_sys_creat+0x123/0x160 fs/open.c:1507
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb7faa7cae9
RSP: 002b:00007fb7fb88a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fb7fab9c050 RCX: 00007fb7faa7cae9
RDX: 0000000000000000 RSI: 00000000000001f2 RDI: 0000000020000280
RBP: 00007fb7faac847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fb7fab9c050 R15: 00007ffebde5d0b8
</TASK>
INFO: lockdep is turned off.
NMI backtrace for cpu 1
CPU: 1 PID: 29 Comm: khungtaskd Not tainted 6.5.0-syzkaller-12107-g7ba2090ca64e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x498/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x310 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xdf5/0xe40 kernel/hung_task.c:379
kthread+0x2b8/0x350 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 8771 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-12107-g7ba2090ca64e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:__asan_memset+0x31/0x40 mm/kasan/shadow.c:87
Code: 53 48 89 d3 41 89 f6 48 89 fd 48 8b 4c 24 18 48 89 d6 ba 01 00 00 00 e8 6d ea ff ff 84 c0 74 12 48 89 ef 44 89 f6 48 89 da 5b <41> 5e 5d e9 87 02 e2 08 31 c0 5b 41 5e 5d c3 f3 0f 1e fa 41 57 41
RSP: 0018:ffffc90016796d50 EFLAGS: 00000202
RAX: ffffc90016797501 RBX: ffffc90016796e78 RCX: ffffffff813d953c
RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffffc90016796e90
RBP: ffffc90016796e90 R08: ffffc90016796e9f R09: 1ffff92002cf2dd3
R10: dffffc0000000000 R11: fffff52002cf2dd4 R12: ffffc90016797530
R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff92002cf2dc8
FS: 00007f87258b56c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f306edfe000 CR3: 0000000063639000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
unwind_next_frame+0x13ac/0x29e0 arch/x86/kernel/unwind_orc.c:592
arch_stack_walk+0x146/0x1a0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x117/0x1c0 kernel/stacktrace.c:122
save_stack+0xfa/0x1e0 mm/page_owner.c:128
__set_page_owner+0x29/0x380 mm/page_owner.c:192
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
__folio_alloc+0x13/0x30 mm/page_alloc.c:4458
vma_alloc_folio+0x48a/0x9a0 mm/mempolicy.c:2259
shmem_alloc_folio mm/shmem.c:1658 [inline]
shmem_alloc_and_acct_folio+0x438/0x9b0 mm/shmem.c:1683
shmem_get_folio_gfp+0xca4/0x2b60 mm/shmem.c:2020
shmem_get_folio mm/shmem.c:2143 [inline]
shmem_write_begin+0x170/0x300 mm/shmem.c:2688
generic_perform_write+0x31b/0x630 mm/filemap.c:3942
shmem_file_write_iter+0xfc/0x120 mm/shmem.c:2865
call_write_iter include/linux/fs.h:1985 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x782/0xaf0 fs/read_write.c:584
ksys_write+0x1a0/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8724a7b82f
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 b9 80 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 0c 81 02 00 48
RSP: 002b:00007f87258b4e70 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000001000000 RCX: 00007f8724a7b82f
RDX: 0000000001000000 RSI: 00007f871b1ff000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000012605
R10: 0000000020024d42 R11: 0000000000000293 R12: 0000000000000003
R13: 00007f87258b4f3c R14: 00007f87258b4f40 R15: 00007f871b1ff000
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite the bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
From: syzbot @ 2024-12-07 19:18 UTC (permalink / raw)
To: dmitry.kasatkin, eric.snowberg, jmorris, linux-integrity,
linux-kernel, linux-security-module, paul, roberto.sassu, serge,
syzkaller-bugs, zohar
syzbot has found a reproducer for the following issue on:
HEAD commit: b5f217084ab3 Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17307330580000
kernel config: https://syzkaller.appspot.com/x/.config?x=335e39020523e2ed
dashboard link: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126a8820580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153e70f8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3b2c9b99ecf6/disk-b5f21708.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3458db92b2a8/vmlinux-b5f21708.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e14f0c677748/bzImage-b5f21708.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/928495b63af4/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com
INFO: task syz-executor240:5823 blocked for more than 143 seconds.
Not tainted 6.13.0-rc1-syzkaller-00316-gb5f217084ab3 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor240 state:D stack:25592 pid:5823 tgid:5820 ppid:5819 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5369 [inline]
__schedule+0x17fb/0x4be0 kernel/sched/core.c:6756
__schedule_loop kernel/sched/core.c:6833 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6848
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6905
rwsem_down_write_slowpath+0xeee/0x13b0 kernel/locking/rwsem.c:1176
__down_write_common kernel/locking/rwsem.c:1304 [inline]
__down_write kernel/locking/rwsem.c:1313 [inline]
down_write+0x1d7/0x220 kernel/locking/rwsem.c:1578
inode_lock include/linux/fs.h:818 [inline]
process_measurement+0x439/0x1fb0 security/integrity/ima/ima_main.c:250
ima_file_check+0xd9/0x120 security/integrity/ima/ima_main.c:572
security_file_post_open+0xb9/0x280 security/security.c:3121
do_open fs/namei.c:3830 [inline]
path_openat+0x2ccd/0x3590 fs/namei.c:3987
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_open fs/open.c:1425 [inline]
__se_sys_open fs/open.c:1421 [inline]
__x64_sys_open+0x225/0x270 fs/open.c:1421
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7788ca3409
RSP: 002b:00007f7788c39218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f7788d2b5f8 RCX: 00007f7788ca3409
RDX: 0000000000000008 RSI: 0000000000002000 RDI: 0000000020001b80
RBP: 00007f7788d2b5f0 R08: 00007ffddcf3bf57 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7788d2b5fc
R13: 0032656c69662f2e R14: 00007f7788cf70c0 R15: 00000000200002c0
</TASK>
Showing all locks held in the system:
1 lock held by khungtaskd/30:
#0: ffffffff8e937aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e937aa0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e937aa0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6744
2 locks held by getty/5579:
#0: ffff888035afa0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211
5 locks held by syz-executor240/5822:
1 lock held by syz-executor240/5823:
#0: ffff8880744782a0 (&sb->s_type->i_mutex_key#14){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#0: ffff8880744782a0 (&sb->s_type->i_mutex_key#14){++++}-{4:4}, at: process_measurement+0x439/0x1fb0 security/integrity/ima/ima_main.c:250
=============================================
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.13.0-rc1-syzkaller-00316-gb5f217084ab3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:234 [inline]
watchdog+0xff6/0x1040 kernel/hung_task.c:397
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 5822 Comm: syz-executor240 Not tainted 6.13.0-rc1-syzkaller-00316-gb5f217084ab3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:EXFAT_SB fs/exfat/exfat_fs.h:336 [inline]
RIP: 0010:exfat_ent_get+0x3d/0x400 fs/exfat/fatent.c:88
Code: 89 d7 41 89 f5 49 89 fe 49 bc 00 00 00 00 00 fc ff df e8 46 a5 20 ff 49 8d 9e 38 06 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 <74> 08 48 89 df e8 69 66 88 ff 48 8b 1b bf 01 00 00 00 44 89 ee e8
RSP: 0018:ffffc90003ad7348 EFLAGS: 00000246
RAX: 1ffff11006b350c7 RBX: ffff8880359a8638 RCX: ffff8880343c1e00
RDX: 0000000000000000 RSI: 0000000000000010 RDI: ffff8880359a8000
RBP: ffffc90003ad74b8 R08: ffffffff827ed915 R09: 1ffff1100eef7874
R10: dffffc0000000000 R11: ffffed100eef7875 R12: dffffc0000000000
R13: 0000000000000010 R14: ffff8880359a8000 R15: ffffc90003ad7440
FS: 00007f7788c5a6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c822941600 CR3: 00000000783fc000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
__exfat_free_cluster+0x56f/0x990 fs/exfat/fatent.c:200
exfat_free_cluster+0x77/0xd0 fs/exfat/fatent.c:232
__exfat_truncate+0x745/0xa60 fs/exfat/file.c:235
exfat_truncate fs/exfat/file.c:257 [inline]
exfat_setattr+0x10fa/0x1a90 fs/exfat/file.c:353
notify_change+0xbca/0xe90 fs/attr.c:552
do_truncate+0x220/0x310 fs/open.c:65
handle_truncate fs/namei.c:3449 [inline]
do_open fs/namei.c:3832 [inline]
path_openat+0x2e1e/0x3590 fs/namei.c:3987
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1489
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7788ca3409
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7788c5a218 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007f7788d2b5e8 RCX: 00007f7788ca3409
RDX: 00007f7788ca3409 RSI: 0000000000000100 RDI: 0000000020000000
RBP: 00007f7788d2b5e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7788d2b5ec
R13: 0032656c69662f2e R14: 00007f7788cf70c0 R15: 00000000200002c0
</TASK>
INFO: NMI handler (nmi_cpu_backtrace_handler) took too long to run: 1.409 msecs
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
From: syzbot @ 2024-12-09 15:02 UTC (permalink / raw)
To: Yuezhang.Mo, andy.wu, bp, dave.hansen, dmitry.kasatkin,
eric.snowberg, hpa, jmorris, linkinjeon, linux-integrity,
linux-kernel, linux-security-module, mingo, paul, roberto.sassu,
serge, sj1557.seo, syzkaller-bugs, tglx, wataru.aoyama, x86,
yuezhang.mo, zohar
syzbot has bisected this issue to:
commit f55c096f62f100aa9f5f48d86e1b6846ecbd67e7
Author: Yuezhang Mo <Yuezhang.Mo@sony.com>
Date: Tue May 30 09:35:00 2023 +0000
exfat: do not zero the extended part
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15275944580000
start commit: b5f217084ab3 Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=17275944580000
console output: https://syzkaller.appspot.com/x/log.txt?x=13275944580000
kernel config: https://syzkaller.appspot.com/x/.config?x=335e39020523e2ed
dashboard link: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126a8820580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153e70f8580000
Reported-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com
Fixes: f55c096f62f1 ("exfat: do not zero the extended part")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
From: Yuezhang.Mo @ 2024-12-10 10:06 UTC (permalink / raw)
To: syzbot, Andy.Wu@sony.com, bp@alien8.de,
dave.hansen@linux.intel.com, dmitry.kasatkin@gmail.com,
eric.snowberg@oracle.com, hpa@zytor.com, jmorris@namei.org,
linkinjeon@kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, mingo@redhat.com,
paul@paul-moore.com, roberto.sassu@huawei.com, serge@hallyn.com,
sj1557.seo@samsung.com, syzkaller-bugs@googlegroups.com,
tglx@linutronix.de, Wataru.Aoyama@sony.com, x86@kernel.org,
zohar@linux.ibm.com
#syz test
[-- Attachment #2: 0001-exfat-test.patch --]
From 1ead2f7e0cfc68dcedef57de9e72365b7e129e44 Mon Sep 17 00:00:00 2001
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
Date: Tue, 10 Dec 2024 18:02:07 +0800
Subject: [PATCH] exfat: test
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
---
fs/exfat/fatent.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
index 56b870d9cc0d..5073c6e7514e 100644
--- a/fs/exfat/fatent.c
+++ b/fs/exfat/fatent.c
@@ -210,6 +210,8 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
cur_cmap_i = next_cmap_i;
}
+ pr_err("free cluster %u\n", clu);
+
exfat_clear_bitmap(inode, clu, (sync && IS_DIRSYNC(inode)));
clu = n_clu;
num_clusters++;
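Review bot: the pr_err() added before exfat_clear_bitmap() fires once per freed cluster, so on the looping chain this report is about it never stops printing; the follow-up syzbot run in this thread shows the task inside serial8250_console_write() called from _printk() at fatent.c:213, i.e. the debug print turned the infinite loop into a console flood without narrowing down where the chain loops. For a diagnostic patch, a counter that prints once when the number of freed clusters exceeds what the chain could legitimately hold would confirm the loop hypothesis without drowning the log; if a per-cluster line is really wanted, pr_err_ratelimited() is the safer choice.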
--
2.43.0
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
From: syzbot @ 2024-12-10 10:35 UTC (permalink / raw)
To: andy.wu, bp, dave.hansen, dmitry.kasatkin, eric.snowberg, hpa,
jmorris, linkinjeon, linux-integrity, linux-kernel,
linux-security-module, mingo, paul, roberto.sassu, serge,
sj1557.seo, syzkaller-bugs, tglx, wataru.aoyama, x86, yuezhang.mo,
zohar
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in process_measurement
INFO: task syz.0.15:6594 blocked for more than 143 seconds.
Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.15 state:D stack:25784 pid:6594 tgid:6585 ppid:6461 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5369 [inline]
__schedule+0x17fb/0x4be0 kernel/sched/core.c:6756
__schedule_loop kernel/sched/core.c:6833 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6848
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6905
rwsem_down_write_slowpath+0xeee/0x13b0 kernel/locking/rwsem.c:1176
__down_write_common kernel/locking/rwsem.c:1304 [inline]
__down_write kernel/locking/rwsem.c:1313 [inline]
down_write+0x1d7/0x220 kernel/locking/rwsem.c:1578
inode_lock include/linux/fs.h:818 [inline]
process_measurement+0x439/0x1fb0 security/integrity/ima/ima_main.c:250
ima_file_check+0xd9/0x120 security/integrity/ima/ima_main.c:572
security_file_post_open+0xb9/0x280 security/security.c:3121
do_open fs/namei.c:3830 [inline]
path_openat+0x2ccd/0x3590 fs/namei.c:3987
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_open fs/open.c:1425 [inline]
__se_sys_open fs/open.c:1421 [inline]
__x64_sys_open+0x225/0x270 fs/open.c:1421
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f928277fed9
RSP: 002b:00007f92834c6058 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f9282946080 RCX: 00007f928277fed9
RDX: 0000000000000008 RSI: 0000000000002000 RDI: 0000000020001b80
RBP: 00007f92827f3cc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f9282946080 R15: 00007ffee74328d8
</TASK>
Showing all locks held in the system:
3 locks held by kworker/u8:0/11:
#0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3310
#1: ffffc90000107d00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90000107d00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3310
#2: ffffffff8fc9f048 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:281
1 lock held by khungtaskd/30:
#0: ffffffff8e937ae0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e937ae0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e937ae0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6744
5 locks held by kworker/u8:4/67:
#0: ffff88801baeb148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88801baeb148 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3310
#1: ffffc9000216fd00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc9000216fd00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3310
#2: ffffffff8fc92bd0 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0x16a/0xcc0 net/core/net_namespace.c:586
#3: ffffffff8fc9f048 (rtnl_mutex){+.+.}-{4:4}, at: default_device_exit_batch+0xe9/0xaa0 net/core/dev.c:12059
#4: ffffffff8e93cff8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:297 [inline]
#4: ffffffff8e93cff8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x381/0x830 kernel/rcu/tree_exp.h:976
3 locks held by kworker/u8:6/2960:
#0: ffff888031920948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff888031920948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3310
#1: ffffc9000cb6fd00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc9000cb6fd00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3310
#2: ffffffff8fc9f048 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4755
1 lock held by dhcpcd/5489:
#0: ffffffff8fc9f048 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fc9f048 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:326 [inline]
#0: ffffffff8fc9f048 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0xbb0/0x20e0 net/core/rtnetlink.c:4008
2 locks held by getty/5573:
#0: ffff888031f740a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc9000330b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211
5 locks held by syz.0.15/6586:
1 lock held by syz.0.15/6594:
#0: ffff888060c982a0 (&sb->s_type->i_mutex_key#21){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#0: ffff888060c982a0 (&sb->s_type->i_mutex_key#21){++++}-{4:4}, at: process_measurement+0x439/0x1fb0 security/integrity/ima/ima_main.c:250
5 locks held by syz.1.16/6692:
1 lock held by syz.1.16/6693:
#0: ffff888060c98f80 (&sb->s_type->i_mutex_key#21){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#0: ffff888060c98f80 (&sb->s_type->i_mutex_key#21){++++}-{4:4}, at: process_measurement+0x439/0x1fb0 security/integrity/ima/ima_main.c:250
10 locks held by syz.2.17/6709:
1 lock held by syz.2.17/6710:
#0: ffff888075bb0f80 (&sb->s_type->i_mutex_key#21){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#0: ffff888075bb0f80 (&sb->s_type->i_mutex_key#21){++++}-{4:4}, at: process_measurement+0x439/0x1fb0 security/integrity/ima/ima_main.c:250
2 locks held by syz-executor/6737:
#0: ffffffff90187a68 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff90187a68 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff90187a68 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x22/0x250 net/core/rtnetlink.c:555
#1: ffffffff8fc9f048 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#1: ffffffff8fc9f048 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:326 [inline]
#1: ffffffff8fc9f048 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0xbb0/0x20e0 net/core/rtnetlink.c:4008
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:234 [inline]
watchdog+0xff6/0x1040 kernel/hung_task.c:397
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6709 Comm: syz.2.17 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:io_serial_in+0x76/0xb0 drivers/tty/serial/8250/8250_port.c:409
Code: 90 35 57 fc 89 e9 41 d3 e6 48 83 c3 40 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 d1 09 bb fc 44 03 33 44 89 f2 ec <0f> b6 c0 5b 41 5e 41 5f 5d c3 cc cc cc cc 89 e9 80 e1 07 38 c1 7c
RSP: 0018:ffffc900032c6cd8 EFLAGS: 00000002
RAX: 1ffffffff34d7400 RBX: ffffffff9a6ba5e0 RCX: 0000000000000000
RDX: 00000000000003fd RSI: 0000000000000000 RDI: 0000000000000020
RBP: 0000000000000000 R08: ffffffff85482856 R09: 1ffff11004bed046
R10: dffffc0000000000 R11: ffffffff85482810 R12: dffffc0000000000
R13: ffffffff9a3b4f70 R14: 00000000000003fd R15: dffffc0000000000
FS: 00007ff0221986c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005576d5d24d98 CR3: 0000000034c90000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
serial_in drivers/tty/serial/8250/8250.h:137 [inline]
serial_lsr_in drivers/tty/serial/8250/8250.h:159 [inline]
wait_for_lsr drivers/tty/serial/8250/8250_port.c:2087 [inline]
serial8250_console_fifo_write drivers/tty/serial/8250/8250_port.c:3334 [inline]
serial8250_console_write+0x1373/0x1ed0 drivers/tty/serial/8250/8250_port.c:3412
console_emit_next_record kernel/printk/printk.c:3122 [inline]
console_flush_all+0x869/0xeb0 kernel/printk/printk.c:3210
__console_flush_and_unlock kernel/printk/printk.c:3269 [inline]
console_unlock+0x14f/0x3b0 kernel/printk/printk.c:3309
vprintk_emit+0x730/0xa10 kernel/printk/printk.c:2432
_printk+0xd5/0x120 kernel/printk/printk.c:2457
__exfat_free_cluster+0x701/0xa00 fs/exfat/fatent.c:213
exfat_free_cluster+0x77/0xd0 fs/exfat/fatent.c:234
__exfat_truncate+0x745/0xa60 fs/exfat/file.c:235
exfat_truncate fs/exfat/file.c:257 [inline]
exfat_setattr+0x10fa/0x1a90 fs/exfat/file.c:353
notify_change+0xbca/0xe90 fs/attr.c:552
do_truncate+0x220/0x310 fs/open.c:65
handle_truncate fs/namei.c:3449 [inline]
do_open fs/namei.c:3832 [inline]
path_openat+0x2e1e/0x3590 fs/namei.c:3987
do_filp_open+0x27f/0x4e0 fs/namei.c:4014
do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1489
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff02137fed9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff022198058 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007ff021545fa0 RCX: 00007ff02137fed9
RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000020000000
RBP: 00007ff0213f3cc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff021545fa0 R15: 00007fffd20e6358
</TASK>
Tested on:
commit: 7cb1b466 Merge tag 'locking_urgent_for_v6.13_rc3' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=145653e8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c7c9f223bfe8924e
dashboard link: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=135868f8580000
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
From: Yuezhang.Mo @ 2024-12-11 2:15 UTC (permalink / raw)
To: syzbot, linkinjeon@kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, sj1557.seo@samsung.com,
syzkaller-bugs@googlegroups.com
#syz test
[-- Attachment #2: 0001-exfat-check-cluster-chain-loop-when-freeing-clusters.patch --]
From c459223367da6df65ea254059424a86d8d2bf4f8 Mon Sep 17 00:00:00 2001
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
Date: Tue, 10 Dec 2024 18:02:07 +0800
Subject: [PATCH] exfat: check cluster chain loop when freeing clusters
In order to avoid orphan clusters, clusters in the cluster chain
need to be freed until the EOF cluster is traversed. However, if
a cluster chain includes a loop in itself, the EOF cluster cannot
be traversed, resulting in an infinite loop.
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
---
fs/exfat/balloc.c | 13 +++++++++++++
fs/exfat/exfat_fs.h | 1 +
fs/exfat/fatent.c | 8 ++++++++
3 files changed, 22 insertions(+)
diff --git a/fs/exfat/balloc.c b/fs/exfat/balloc.c
index ce9be95c9172..398a05d2a2dd 100644
--- a/fs/exfat/balloc.c
+++ b/fs/exfat/balloc.c
@@ -173,6 +173,19 @@ void exfat_clear_bitmap(struct inode *inode, unsigned int clu, bool sync)
}
}
+bool exfat_test_bitmap(struct super_block *sb, unsigned int clu)
+{
+ unsigned int map_i, map_b, bit;
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+
+ bit = CLUSTER_TO_BITMAP_ENT(clu);
+ map_i = BITMAP_OFFSET_SECTOR_INDEX(sb, bit);
+ map_b = BITMAP_OFFSET_BYTE_IN_SECTOR(sb, bit);
+ bit &= (BITS_PER_BYTE - 1);
+
+ return *(sbi->vol_amap[map_i]->b_data + map_b) & BIT(bit);
+}
+
/*
* If the value of "clu" is 0, it means cluster 2 which is the first cluster of
* the cluster heap.
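Review bot: exfat_test_bitmap() takes clu without checking that it lies inside the cluster heap, so a caller that passes a cluster number at or beyond sbi->num_clusters makes map_i index past the end of sbi->vol_amap; either validate clu here (against sbi->num_clusters, as the rest of the code does for FAT entries) or state in a comment that callers must. The manual `bit &= (BITS_PER_BYTE - 1)` plus `*(b_data + map_b) & BIT(bit)` also re-derives a bit-in-sector offset by hand; if balloc.c already has a bit-in-sector helper next to BITMAP_OFFSET_BYTE_IN_SECTOR, `test_bit_le(b, sbi->vol_amap[map_i]->b_data)` would be shorter and consistent with how the bitmap is set and cleared.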
diff --git a/fs/exfat/exfat_fs.h b/fs/exfat/exfat_fs.h
index 78be6964a8a0..90d907609e47 100644
--- a/fs/exfat/exfat_fs.h
+++ b/fs/exfat/exfat_fs.h
@@ -457,6 +457,7 @@ int exfat_load_bitmap(struct super_block *sb);
void exfat_free_bitmap(struct exfat_sb_info *sbi);
int exfat_set_bitmap(struct inode *inode, unsigned int clu, bool sync);
void exfat_clear_bitmap(struct inode *inode, unsigned int clu, bool sync);
+bool exfat_test_bitmap(struct super_block *sb, unsigned int clu);
unsigned int exfat_find_free_bitmap(struct super_block *sb, unsigned int clu);
int exfat_count_used_clusters(struct super_block *sb, unsigned int *ret_count);
int exfat_trim_fs(struct inode *inode, struct fstrim_range *range);
diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
index 56b870d9cc0d..5d8b7413d80d 100644
--- a/fs/exfat/fatent.c
+++ b/fs/exfat/fatent.c
@@ -199,6 +199,14 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
unsigned int n_clu = clu;
int err = exfat_get_next_cluster(sb, &n_clu);
+ /*
+ * To avoid the cluster chain itself including a loop
+ * causing an infinite loop.
+ */
+ if (num_clusters >= p_chain->size &&
+ !exfat_test_bitmap(sb, clu))
+ break;
+
if (err || n_clu == EXFAT_EOF_CLUSTER)
sync = true;
else
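Review bot: the break is gated on `num_clusters >= p_chain->size`, so when the loop in the chain is shorter than p_chain->size the walk goes round it again, clearing already-clear clusters and bumping num_clusters on every pass until the gate opens; whatever the function does with num_clusters after the loop then sees p_chain->size rather than the number of distinct clusters actually freed. A cluster in a chain that is being freed should never already be clear, so testing the bitmap on every iteration, `if (!exfat_test_bitmap(sb, clu)) break;` without the size condition, stops on the first revisit and keeps num_clusters honest. It would also help to say in the comment that this relies on exfat_clear_bitmap() having run for clu on the previous pass, since that is the only reason the test detects a loop.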
--
2.43.0
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
2024-12-11 2:15 ` Yuezhang.Mo
@ 2024-12-11 3:14 ` syzbot
2024-12-16 6:04 ` Yuezhang.Mo
0 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2024-12-11 3:14 UTC (permalink / raw)
To: linkinjeon, linux-integrity, linux-kernel, linux-security-module,
sj1557.seo, syzkaller-bugs, yuezhang.mo
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com
Tested-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com
Tested on:
commit: f92f4749 Merge tag 'clk-fixes-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12034cdf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c7c9f223bfe8924e
dashboard link: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=179da544580000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
2024-12-11 3:14 ` syzbot
@ 2024-12-16 6:04 ` Yuezhang.Mo
2024-12-16 6:31 ` syzbot
0 siblings, 1 reply; 11+ messages in thread
From: Yuezhang.Mo @ 2024-12-16 6:04 UTC (permalink / raw)
To: syzbot, linkinjeon@kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, sj1557.seo@samsung.com,
syzkaller-bugs@googlegroups.com
#syz test
[-- Attachment #2: 0001-exfat-fix-the-infinite-loop-in-__exfat_free_cluster.patch --]
From 75a7f8778e929104684d975e637eae01336d082d Mon Sep 17 00:00:00 2001
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
Date: Mon, 16 Dec 2024 13:39:42 +0800
Subject: [PATCH] exfat: fix the infinite loop in __exfat_free_cluster()
In __exfat_free_cluster(), the cluster chain is traversed until the
EOF cluster. If the cluster chain includes a loop due to file system
corruption, the EOF cluster cannot be traversed, resulting in an
infinite loop.
To avoid this infinite loop, this commit changes to only traverse and
free the number of clusters indicated by the file size.
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Suggested-by: Namjae Jeon <linkinjeon@kernel.org>
---
fs/exfat/fatent.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
index 773c320d68f3..ab29c30ebaab 100644
--- a/fs/exfat/fatent.c
+++ b/fs/exfat/fatent.c
@@ -201,6 +201,8 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
if (err || n_clu == EXFAT_EOF_CLUSTER)
sync = true;
+ else if (num_clusters >= p_chain->size)
+ break;
else
next_cmap_i =
BITMAP_OFFSET_SECTOR_INDEX(sb, CLUSTER_TO_BITMAP_ENT(n_clu));
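Review bot: breaking at `num_clusters >= p_chain->size` gives up the behaviour the previous version's message set out to keep (free until EOF so that no clusters are orphaned): on an intact chain whose p_chain->size understates its length, the tail clusters stay marked allocated with nothing referencing them. On a looped chain the walk still terminates only because num_clusters reaches size through revisited clusters, so whatever is done with num_clusters after the loop subtracts size rather than the number of distinct clusters cleared. The new branch also sits between the `sync = true` arm and the else, so a walk ended by this break never sets sync on its final iteration the way an EOF-terminated walk does; worth confirming that the bitmap sector cleared on the previous pass does not need that synchronous write when the chain ends here.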
--
2.43.0
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
2024-12-16 6:04 ` Yuezhang.Mo
@ 2024-12-16 6:31 ` syzbot
2024-12-30 5:14 ` Yuezhang.Mo
0 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2024-12-16 6:31 UTC (permalink / raw)
To: linkinjeon, linux-integrity, linux-kernel, linux-security-module,
sj1557.seo, syzkaller-bugs, yuezhang.mo
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com
Tested-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com
Tested on:
commit: 78d4f34e Linux 6.13-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11259ed7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=6fe704d2356374ad
dashboard link: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=105d1730580000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
2024-12-16 6:31 ` syzbot
@ 2024-12-30 5:14 ` Yuezhang.Mo
2024-12-30 5:48 ` syzbot
0 siblings, 1 reply; 11+ messages in thread
From: Yuezhang.Mo @ 2024-12-30 5:14 UTC (permalink / raw)
To: syzbot, linkinjeon@kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, sj1557.seo@samsung.com,
syzkaller-bugs@googlegroups.com
#syz test
[-- Attachment #2: v2-0001-exfat-fix-the-infinite-loop-in-__exfat_free_clust.patch --]
From 51280720535aba38b63447c37229db102f276190 Mon Sep 17 00:00:00 2001
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
Date: Mon, 16 Dec 2024 13:39:42 +0800
Subject: [PATCH v2] exfat: fix the infinite loop in __exfat_free_cluster()
In __exfat_free_cluster(), the cluster chain is traversed until the
EOF cluster. If the cluster chain includes a loop due to file system
corruption, the EOF cluster cannot be traversed, resulting in an
infinite loop.
This commit uses the total number of clusters to prevent this infinite
loop.
Fixes: 31023864e67a ("exfat: add fat entry operations")
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
---
fs/exfat/fatent.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
index 773c320d68f3..203c4dc2dce9 100644
--- a/fs/exfat/fatent.c
+++ b/fs/exfat/fatent.c
@@ -216,6 +216,16 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
if (err)
goto dec_used_clus;
+
+ if (num_clusters >= sbi->num_clusters - EXFAT_FIRST_CLUSTER) {
+ /*
+ * The cluster chain inlcudes a loop, scan the
+ * bitmap to get the number of used clusters.
+ */
+ exfat_count_used_clusters(sb, &sbi->used_clusters);
+
+ return 0;
+ }
} while (clu != EXFAT_EOF_CLUSTER);
}
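Review bot: the return value of exfat_count_used_clusters() is discarded and the function then returns 0, so a chain that has just been shown to be circular, which means a corrupt FAT, is reported to the caller as a clean free, and if the recount itself fails sbi->used_clusters is left at whatever the recount did or did not write. Propagate the recount's error, and consider returning -EIO (or flagging the corruption the way the rest of fs/exfat does, e.g. via exfat_fs_error() if that is the convention here) rather than 0 even when the recount succeeds, so the caller learns the chain was broken. The bound `sbi->num_clusters - EXFAT_FIRST_CLUSTER` is correct (no intact chain can be longer than the heap) but it means a looped chain is walked, with a FAT read and a bitmap clear per step, for up to that many iterations before detection; on a large volume that is a long, if finite, stall, and a per-iteration bitmap test as in the first version would catch the revisit immediately. Typo in the new comment: "inlcudes".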
--
2.43.0
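The three termination rules proposed in this thread, modelled side by side in user space. This is an added example, not code from the thread or from fs/exfat: a 32-cluster volume with a constructed FAT and allocation bitmap stands in for the on-disk structures, exfat_get_next_cluster(), exfat_clear_bitmap(), exfat_count_used_clusters() and the dec_used_clus accounting are reduced to array operations, and the names RULE_V1_BITMAP (first patch), RULE_V2_SIZE (second patch), RULE_V3_HEAP (the v2 patch), WALK_CAP and the sample chains are this example's own.

```c
/* Added example (not from the thread or fs/exfat): user-space model of the chain
 * walk in __exfat_free_cluster() with the thread's three termination rules side
 * by side. FAT, bitmap, cluster numbers and rule names are constructed here. */
#include <stdint.h>
#include <stdio.h>

#define EOF_CLUSTER   0xFFFFFFFFu
#define FIRST_CLUSTER 2u      /* EXFAT_FIRST_CLUSTER: the heap starts at cluster 2 */
#define NUM_CLUSTERS  32u     /* stands in for sbi->num_clusters (heap is 2..31) */
#define WALK_CAP      1000u   /* keeps the unbounded rule from hanging this demo */

struct vol {
	uint32_t fat[NUM_CLUSTERS];    /* fat[c]: next cluster after c, or EOF_CLUSTER */
	uint8_t  bitmap[NUM_CLUSTERS]; /* 1 = allocated; stands in for vol_amap */
	unsigned used_clusters;        /* sbi->used_clusters */
};
enum rule { RULE_NONE, RULE_V1_BITMAP, RULE_V2_SIZE, RULE_V3_HEAP };
struct walk { int ret; unsigned cleared; }; /* ret: 0, -5 (-EIO), -1 (WALK_CAP hit) */

/* exfat_get_next_cluster(): a FAT entry pointing outside the heap is -EIO */
static int get_next(const struct vol *v, uint32_t *clu)
{
	uint32_t n = v->fat[*clu];
	if (n != EOF_CLUSTER && (n < FIRST_CLUSTER || n >= NUM_CLUSTERS))
		return -5;
	*clu = n;
	return 0;
}

/* exfat_count_used_clusters(): the bitmap is the ground truth */
static unsigned count_used(const struct vol *v)
{
	unsigned c, n = 0;
	for (c = FIRST_CLUSTER; c < NUM_CLUSTERS; c++)
		n += v->bitmap[c];
	return n;
}

/* The __exfat_free_cluster() loop: `size` is p_chain->size, `num` num_clusters */
static struct walk free_chain(struct vol *v, uint32_t start, uint32_t size, enum rule r)
{
	struct walk w = { 0, 0 };
	uint32_t clu = start;
	unsigned num = 0;
	do {
		uint32_t n = clu;
		int err = get_next(v, &n);
		/* patch 1: before the clear, and only once `size` clusters are behind us */
		if (r == RULE_V1_BITMAP && num >= size && !v->bitmap[clu])
			break;
		/* patch 2: sits on the "no error, not EOF" branch, so EOF still wins */
		if (r == RULE_V2_SIZE && !err && n != EOF_CLUSTER && num >= size)
			break;
		v->bitmap[clu] = 0;              /* exfat_clear_bitmap() */
		w.cleared++;
		clu = n;
		num++;
		if (err) {
			w.ret = err;             /* goto dec_used_clus */
			break;
		}
		/* patch v2: no intact chain outruns the heap; recount from the bitmap */
		if (r == RULE_V3_HEAP && num >= NUM_CLUSTERS - FIRST_CLUSTER) {
			v->used_clusters = count_used(v);
			return w;                /* the patch returns 0 here */
		}
		if (r == RULE_NONE && w.cleared >= WALK_CAP) {
			w.ret = -1;              /* in the kernel this is the hung task */
			return w;
		}
	} while (clu != EOF_CLUSTER);
	v->used_clusters -= num;                 /* dec_used_clus */
	return w;
}

/* Constructed volume: 2->3->4->5->3 loops back on itself (4 distinct clusters),
 * 10->11->12->13->EOF is intact; 8 clusters are marked allocated. */
static void make_vol(struct vol *v)
{
	uint32_t c;
	for (c = 0; c < NUM_CLUSTERS; c++) {
		v->fat[c] = EOF_CLUSTER;
		v->bitmap[c] = (c >= 2 && c <= 5) || (c >= 10 && c <= 13);
	}
	v->fat[2] = 3; v->fat[3] = 4; v->fat[4] = 5; v->fat[5] = 3;
	v->fat[10] = 11; v->fat[11] = 12; v->fat[12] = 13;
	v->used_clusters = count_used(v);
}

int main(void)
{
	static const char *const name[] = { "none", "v1-bitmap", "v2-size", "v2'-heap" };
	struct vol v;
	unsigned r;
	for (r = RULE_NONE; r <= RULE_V3_HEAP; r++) {   /* looped chain, claimed 6 long */
		struct walk w;
		make_vol(&v);
		w = free_chain(&v, 2, 6, r);
		printf("%-9s ret=%2d cleared=%4u used_clusters=%u bitmap=%u\n",
		       name[r], w.ret, w.cleared, v.used_clusters, count_used(&v));
	}
	return 0;
}
```

Build with cc -std=c99 and run. On the looped chain the unbounded walk never sees EOF and is stopped only by WALK_CAP (in the kernel that is the hung task in the report); the first two rules stop after six steps but subtract six from used_clusters although only four distinct clusters were freed; the heap-bound rule walks all 30 steps before recounting from the bitmap to the correct four. Calling free_chain(&v, 10, 2, ...) on the intact chain with its size understated shows the other edge: RULE_V2_SIZE leaves clusters 12 and 13 allocated with nothing referencing them, while the other rules free all four.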
* Re: [syzbot] [integrity?] [lsm?] INFO: task hung in process_measurement (2)
2024-12-30 5:14 ` Yuezhang.Mo
@ 2024-12-30 5:48 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-12-30 5:48 UTC (permalink / raw)
To: linkinjeon, linux-integrity, linux-kernel, linux-security-module,
sj1557.seo, syzkaller-bugs, yuezhang.mo
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com
Tested-by: syzbot+1de5a37cb85a2d536330@syzkaller.appspotmail.com
Tested on:
commit: fc033cf2 Linux 6.13-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=155a6818580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ba7cde9482d6bb6
dashboard link: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=162126df980000
Note: testing is done by a robot and is best-effort only.