[syzbot] [ocfs2?] kernel BUG in ocfs2_read_virt_blocks

[syzbot] [ocfs2?] kernel BUG in ocfs2_read_virt_blocks

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    87d6aab2389e Merge tag 'for_linus' of git://git.kernel.org..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17fbbb80580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a3fccdd0bb995
dashboard link: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13c117d0580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1007bb80580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/47c26a185f6d/disk-87d6aab2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fe82dfdaaac4/vmlinux-87d6aab2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ecaba119a5f0/bzImage-87d6aab2.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/197dcbc41fea/mount_0.gz

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=114db707980000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=134db707980000
console output: https://syzkaller.appspot.com/x/log.txt?x=154db707980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com

JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
------------[ cut here ]------------
kernel BUG at fs/ocfs2/extent_map.c:971!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5221 Comm: syz-executor117 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:ocfs2_read_virt_blocks+0xaa3/0xb20 fs/ocfs2/extent_map.c:971
Code: 8b 54 24 30 8b 4c 24 1c 4c 8b 44 24 38 45 89 e1 ff 74 24 48 e8 7e 0a 0c 00 48 83 c4 08 eb 25 e8 43 d2 34 08 e8 ee d1 0c fe 90 <0f> 0b e8 e6 d1 0c fe 4c 89 e8 45 89 e5 49 89 c4 e9 01 f7 ff ff e8
RSP: 0018:ffffc90002e2e820 EFLAGS: 00010293
RAX: ffffffff83881432 RBX: 0000000000000000 RCX: ffff88802d3e9e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002e2e9f0 R08: ffffffff83880eae R09: 1ffffffff203781d
R10: dffffc0000000000 R11: fffffbfff203781e R12: ffff8880764d8878
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff920005c5d18
FS:  000055557cd55380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005628fd41e058 CR3: 000000002d2e6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ocfs2_read_dir_block+0x106/0x5c0 fs/ocfs2/dir.c:508
 ocfs2_find_dir_space_el fs/ocfs2/dir.c:3427 [inline]
 ocfs2_prepare_dir_for_insert+0x3f2/0x5c60 fs/ocfs2/dir.c:4274
 ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292
 ocfs2_create+0x1ab/0x480 fs/ocfs2/namei.c:672
 lookup_open fs/namei.c:3595 [inline]
 open_last_lookups fs/namei.c:3694 [inline]
 path_openat+0x1c03/0x3590 fs/namei.c:3930
 do_filp_open+0x235/0x490 fs/namei.c:3960
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa356467d59
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe912bab08 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa356467d59
RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
RBP: 00007fa3564e05f0 R08: 0000000000004472 R09: 000055557cd564c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe912bab30
R13: 00007ffe912bad58 R14: 431bde82d7b634db R15: 00007fa3564b103b
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_read_virt_blocks+0xaa3/0xb20 fs/ocfs2/extent_map.c:971
Code: 8b 54 24 30 8b 4c 24 1c 4c 8b 44 24 38 45 89 e1 ff 74 24 48 e8 7e 0a 0c 00 48 83 c4 08 eb 25 e8 43 d2 34 08 e8 ee d1 0c fe 90 <0f> 0b e8 e6 d1 0c fe 4c 89 e8 45 89 e5 49 89 c4 e9 01 f7 ff ff e8
RSP: 0018:ffffc90002e2e820 EFLAGS: 00010293
RAX: ffffffff83881432 RBX: 0000000000000000 RCX: ffff88802d3e9e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002e2e9f0 R08: ffffffff83880eae R09: 1ffffffff203781d
R10: dffffc0000000000 R11: fffffbfff203781e R12: ffff8880764d8878
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff920005c5d18
FS:  000055557cd55380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005628fd41e058 CR3: 000000002d2e6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [ocfs2?] kernel BUG in ocfs2_read_virt_blocks

[Edward Adam Davis]

if the value of flags is 0, it is meaningless to check it contains OCFS2_BH_READAHEAD

#syz test

diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
index f7672472fa82..0043c2428ef2 100644
--- a/fs/ocfs2/extent_map.c
+++ b/fs/ocfs2/extent_map.c
@@ -968,7 +968,8 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
 
 	if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
 	    i_size_read(inode)) {
-		BUG_ON(!(flags & OCFS2_BH_READAHEAD));
+		BUG_ON(flags && !(flags & OCFS2_BH_READAHEAD));
+		rc = flags ?: -EIO;
 		goto out;
 	}
 

Re: [syzbot] [ocfs2?] kernel BUG in ocfs2_read_virt_blocks

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
Tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com

Tested on:

commit:         36c25451 Merge tag 'powerpc-6.12-4' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12860727980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a3fccdd0bb995
dashboard link: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17c3f05f980000

Note: testing is done by a robot and is best-effort only.

[PATCH] ocfs2: BUG is meaningless when the flags is 0

[Edward Adam Davis]

Syzbot reported a BUG in ocfs2_read_virt_blocks.
------------[ cut here ]------------
kernel BUG at fs/ocfs2/extent_map.c:971!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5221 Comm: syz-executor117 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:ocfs2_read_virt_blocks+0xaa3/0xb20 fs/ocfs2/extent_map.c:971
Code: 8b 54 24 30 8b 4c 24 1c 4c 8b 44 24 38 45 89 e1 ff 74 24 48 e8 7e 0a 0c 00 48 83 c4 08 eb 25 e8 43 d2 34 08 e8 ee d1 0c fe 90 <0f> 0b e8 e6 d1 0c fe 4c 89 e8 45 89 e5 49 89 c4 e9 01 f7 ff ff e8
RSP: 0018:ffffc90002e2e820 EFLAGS: 00010293
RAX: ffffffff83881432 RBX: 0000000000000000 RCX: ffff88802d3e9e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002e2e9f0 R08: ffffffff83880eae R09: 1ffffffff203781d
R10: dffffc0000000000 R11: fffffbfff203781e R12: ffff8880764d8878
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff920005c5d18
FS:  000055557cd55380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005628fd41e058 CR3: 000000002d2e6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ocfs2_read_dir_block+0x106/0x5c0 fs/ocfs2/dir.c:508
 ocfs2_find_dir_space_el fs/ocfs2/dir.c:3427 [inline]           // status = ocfs2_read_dir_block(dir, 0, &bh, 0);
 ocfs2_prepare_dir_for_insert+0x3f2/0x5c60 fs/ocfs2/dir.c:4274
 ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292
 ocfs2_create+0x1ab/0x480 fs/ocfs2/namei.c:672
 lookup_open fs/namei.c:3595 [inline]
 open_last_lookups fs/namei.c:3694 [inline]
 path_openat+0x1c03/0x3590 fs/namei.c:3930
 do_filp_open+0x235/0x490 fs/namei.c:3960
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

It is because the parameter v_block passed to ocfs2_read_virt_blocks() is 0,
nr is 1, and inode->i_size is 0, and flags are also 0.
In this path, v_block, flags, and nr are fixed values that are hard coded,
so if i_size is 0, the bug will be triggered.
Therefore, it is more meaningful to check if the flags contain the READHEAD
bit when their value is non-zero.

Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/ocfs2/extent_map.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
index f7672472fa82..0043c2428ef2 100644
--- a/fs/ocfs2/extent_map.c
+++ b/fs/ocfs2/extent_map.c
@@ -968,7 +968,8 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
 
 	if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
 	    i_size_read(inode)) {
-		BUG_ON(!(flags & OCFS2_BH_READAHEAD));
+		BUG_ON(flags && !(flags & OCFS2_BH_READAHEAD));
+		rc = flags ?: -EIO;
 		goto out;
 	}
 
-- 
2.43.0

[PATCH V2] ocfs2: BUG is meaningless when the flags is 0

[Edward Adam Davis]

Syzbot reported a BUG in ocfs2_read_virt_blocks.
------------[ cut here ]------------
kernel BUG at fs/ocfs2/extent_map.c:971!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5221 Comm: syz-executor117 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:ocfs2_read_virt_blocks+0xaa3/0xb20 fs/ocfs2/extent_map.c:971
Code: 8b 54 24 30 8b 4c 24 1c 4c 8b 44 24 38 45 89 e1 ff 74 24 48 e8 7e 0a 0c 00 48 83 c4 08 eb 25 e8 43 d2 34 08 e8 ee d1 0c fe 90 <0f> 0b e8 e6 d1 0c fe 4c 89 e8 45 89 e5 49 89 c4 e9 01 f7 ff ff e8
RSP: 0018:ffffc90002e2e820 EFLAGS: 00010293
RAX: ffffffff83881432 RBX: 0000000000000000 RCX: ffff88802d3e9e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002e2e9f0 R08: ffffffff83880eae R09: 1ffffffff203781d
R10: dffffc0000000000 R11: fffffbfff203781e R12: ffff8880764d8878
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff920005c5d18
FS:  000055557cd55380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005628fd41e058 CR3: 000000002d2e6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ocfs2_read_dir_block+0x106/0x5c0 fs/ocfs2/dir.c:508
 ocfs2_find_dir_space_el fs/ocfs2/dir.c:3427 [inline]           // status = ocfs2_read_dir_block(dir, 0, &bh, 0);
 ocfs2_prepare_dir_for_insert+0x3f2/0x5c60 fs/ocfs2/dir.c:4274
 ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292
 ocfs2_create+0x1ab/0x480 fs/ocfs2/namei.c:672
 lookup_open fs/namei.c:3595 [inline]
 open_last_lookups fs/namei.c:3694 [inline]
 path_openat+0x1c03/0x3590 fs/namei.c:3930
 do_filp_open+0x235/0x490 fs/namei.c:3960
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

It is because the parameter v_block passed to ocfs2_read_virt_blocks() is 0,
nr is 1, and inode->i_size is 0, and flags are also 0.
In this path, v_block, flags, and nr are fixed values that are hard coded,
so if i_size is 0, the bug will be triggered.
Therefore, it is more meaningful to check if the flags contain the READHEAD
bit when their value is non-zero.

Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: keep rc to 0 when falgs contains READHEAD

 fs/ocfs2/extent_map.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
index f7672472fa82..0043c2428ef2 100644
--- a/fs/ocfs2/extent_map.c
+++ b/fs/ocfs2/extent_map.c
@@ -968,7 +968,8 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
 
 	if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
 	    i_size_read(inode)) {
-		BUG_ON(!(flags & OCFS2_BH_READAHEAD));
+		BUG_ON(flags && !(flags & OCFS2_BH_READAHEAD));
+		rc = flags ? 0 : -EIO;
 		goto out;
 	}
 
-- 
2.43.0

[PATCH V2] ocfs2: BUG is meaningless when the flags is 0

[heming.zhao]

Let syzbot test this patch first.
(Hope I used the right command to trigger the test.)

----
Syzbot reported a BUG in ocfs2_read_virt_blocks.
------------[ cut here ]------------
kernel BUG at fs/ocfs2/extent_map.c:971!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5221 Comm: syz-executor117 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:ocfs2_read_virt_blocks+0xaa3/0xb20 fs/ocfs2/extent_map.c:971
Code: 8b 54 24 30 8b 4c 24 1c 4c 8b 44 24 38 45 89 e1 ff 74 24 48 e8 7e 0a 0c 00 48 83 c4 08 eb 25 e8 43 d2 34 08 e8 ee d1 0c fe 90 <0f> 0b e8 e6 d1 0c fe 4c 89 e8 45 89 e5 49 89 c4 e9 01 f7 ff ff e8
RSP: 0018:ffffc90002e2e820 EFLAGS: 00010293
RAX: ffffffff83881432 RBX: 0000000000000000 RCX: ffff88802d3e9e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002e2e9f0 R08: ffffffff83880eae R09: 1ffffffff203781d
R10: dffffc0000000000 R11: fffffbfff203781e R12: ffff8880764d8878
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff920005c5d18
FS:  000055557cd55380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005628fd41e058 CR3: 000000002d2e6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  <TASK>
  ocfs2_read_dir_block+0x106/0x5c0 fs/ocfs2/dir.c:508
  ocfs2_find_dir_space_el fs/ocfs2/dir.c:3427 [inline]           // status = ocfs2_read_dir_block(dir, 0, &bh, 0);
  ocfs2_prepare_dir_for_insert+0x3f2/0x5c60 fs/ocfs2/dir.c:4274
  ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292
  ocfs2_create+0x1ab/0x480 fs/ocfs2/namei.c:672
  lookup_open fs/namei.c:3595 [inline]
  open_last_lookups fs/namei.c:3694 [inline]
  path_openat+0x1c03/0x3590 fs/namei.c:3930
  do_filp_open+0x235/0x490 fs/namei.c:3960
  do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
  do_sys_open fs/open.c:1430 [inline]
  __do_sys_openat fs/open.c:1446 [inline]
  __se_sys_openat fs/open.c:1441 [inline]
  __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

It is because the parameter v_block passed to ocfs2_read_virt_blocks() is 0,
nr is 1, and inode->i_size is 0, and flags are also 0.
In this path, v_block, flags, and nr are fixed values that are hard coded,
so if i_size is 0, the bug will be triggered.
Therefore, it is more meaningful to check if the flags contain the READHEAD
bit when their value is non-zero.

Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: keep rc to 0 when falgs contains READHEAD

  fs/ocfs2/extent_map.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

#syz test

diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
index f7672472fa82..0043c2428ef2 100644
--- a/fs/ocfs2/extent_map.c
+++ b/fs/ocfs2/extent_map.c
@@ -968,7 +968,8 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
  
  	if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
  	    i_size_read(inode)) {
-		BUG_ON(!(flags & OCFS2_BH_READAHEAD));
+		BUG_ON(flags && !(flags & OCFS2_BH_READAHEAD));
+		rc = flags ? 0 : -EIO;
  		goto out;
  	}
  
-- 
2.43.0

Re: [PATCH V2] ocfs2: BUG is meaningless when the flags is 0

[Joseph Qi]

On 10/14/24 7:31 AM, Edward Adam Davis wrote:
> Syzbot reported a BUG in ocfs2_read_virt_blocks.
> ------------[ cut here ]------------
> kernel BUG at fs/ocfs2/extent_map.c:971!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 1 UID: 0 PID: 5221 Comm: syz-executor117 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> RIP: 0010:ocfs2_read_virt_blocks+0xaa3/0xb20 fs/ocfs2/extent_map.c:971
> Code: 8b 54 24 30 8b 4c 24 1c 4c 8b 44 24 38 45 89 e1 ff 74 24 48 e8 7e 0a 0c 00 48 83 c4 08 eb 25 e8 43 d2 34 08 e8 ee d1 0c fe 90 <0f> 0b e8 e6 d1 0c fe 4c 89 e8 45 89 e5 49 89 c4 e9 01 f7 ff ff e8
> RSP: 0018:ffffc90002e2e820 EFLAGS: 00010293
> RAX: ffffffff83881432 RBX: 0000000000000000 RCX: ffff88802d3e9e00
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffffc90002e2e9f0 R08: ffffffff83880eae R09: 1ffffffff203781d
> R10: dffffc0000000000 R11: fffffbfff203781e R12: ffff8880764d8878
> R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff920005c5d18
> FS:  000055557cd55380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005628fd41e058 CR3: 000000002d2e6000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  ocfs2_read_dir_block+0x106/0x5c0 fs/ocfs2/dir.c:508
>  ocfs2_find_dir_space_el fs/ocfs2/dir.c:3427 [inline]           // status = ocfs2_read_dir_block(dir, 0, &bh, 0);

Keep the original stacks is enough.

>  ocfs2_prepare_dir_for_insert+0x3f2/0x5c60 fs/ocfs2/dir.c:4274
>  ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292
>  ocfs2_create+0x1ab/0x480 fs/ocfs2/namei.c:672
>  lookup_open fs/namei.c:3595 [inline]
>  open_last_lookups fs/namei.c:3694 [inline]
>  path_openat+0x1c03/0x3590 fs/namei.c:3930
>  do_filp_open+0x235/0x490 fs/namei.c:3960
>  do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
>  do_sys_open fs/open.c:1430 [inline]
>  __do_sys_openat fs/open.c:1446 [inline]
>  __se_sys_openat fs/open.c:1441 [inline]
>  __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> It is because the parameter v_block passed to ocfs2_read_virt_blocks() is 0,
> nr is 1, and inode->i_size is 0, and flags are also 0.
> In this path, v_block, flags, and nr are fixed values that are hard coded,
> so if i_size is 0, the bug will be triggered.
> Therefore, it is more meaningful to check if the flags contain the READHEAD
> bit when their value is non-zero.
> 
> Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> V1 -> V2: keep rc to 0 when falgs contains READHEAD
> 
>  fs/ocfs2/extent_map.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
> index f7672472fa82..0043c2428ef2 100644
> --- a/fs/ocfs2/extent_map.c
> +++ b/fs/ocfs2/extent_map.c
> @@ -968,7 +968,8 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
>  
>  	if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
>  	    i_size_read(inode)) {
> -		BUG_ON(!(flags & OCFS2_BH_READAHEAD));
> +		BUG_ON(flags && !(flags & OCFS2_BH_READAHEAD));

I don't think this is a right fix.
As you described in commit log, I think the root cause is the inode size
is 0, which mean no blocks actually.
So it seems we have to add a sanity check for this case.

Thanks,
Joseph

> +		rc = flags ? 0 : -EIO;
>  		goto out;
>  	}
>  

Re: [syzbot] [ocfs2?] kernel BUG in ocfs2_read_virt_blocks

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
Tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com

Tested on:

commit:         6485cf5e Merge tag 'hid-for-linus-2024101301' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17169440580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=164d2822debd8b0d
dashboard link: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12e20030580000

Note: testing is done by a robot and is best-effort only.

[PATCH V3] ocfs2: add a sanity check for i_size

[Edward Adam Davis]

Syzbot reported a BUG in ocfs2_read_virt_blocks.
------------[ cut here ]------------
kernel BUG at fs/ocfs2/extent_map.c:971!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5221 Comm: syz-executor117 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:ocfs2_read_virt_blocks+0xaa3/0xb20 fs/ocfs2/extent_map.c:971
Code: 8b 54 24 30 8b 4c 24 1c 4c 8b 44 24 38 45 89 e1 ff 74 24 48 e8 7e 0a 0c 00 48 83 c4 08 eb 25 e8 43 d2 34 08 e8 ee d1 0c fe 90 <0f> 0b e8 e6 d1 0c fe 4c 89 e8 45 89 e5 49 89 c4 e9 01 f7 ff ff e8
RSP: 0018:ffffc90002e2e820 EFLAGS: 00010293
RAX: ffffffff83881432 RBX: 0000000000000000 RCX: ffff88802d3e9e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002e2e9f0 R08: ffffffff83880eae R09: 1ffffffff203781d
R10: dffffc0000000000 R11: fffffbfff203781e R12: ffff8880764d8878
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff920005c5d18
FS:  000055557cd55380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005628fd41e058 CR3: 000000002d2e6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ocfs2_read_dir_block+0x106/0x5c0 fs/ocfs2/dir.c:508
 ocfs2_find_dir_space_el fs/ocfs2/dir.c:3427 [inline]           // status = ocfs2_read_dir_block(dir, 0, &bh, 0);
 ocfs2_prepare_dir_for_insert+0x3f2/0x5c60 fs/ocfs2/dir.c:4274
 ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292
 ocfs2_create+0x1ab/0x480 fs/ocfs2/namei.c:672
 lookup_open fs/namei.c:3595 [inline]
 open_last_lookups fs/namei.c:3694 [inline]
 path_openat+0x1c03/0x3590 fs/namei.c:3930
 do_filp_open+0x235/0x490 fs/namei.c:3960
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

In this path, v_block(0), flags(0), and nr(1) are fixed values that are
hard coded, so if i_size is 0, the bug will be triggered.

Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: keep rc to 0 when falgs contains READHEAD
V2 -> V3: check i_size only and alert subject and comments

 fs/ocfs2/extent_map.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

#syz test

diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
index f7672472fa82..29d27a70dbdd 100644
--- a/fs/ocfs2/extent_map.c
+++ b/fs/ocfs2/extent_map.c
@@ -961,13 +961,17 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
 	int rc = 0;
 	u64 p_block, p_count;
 	int i, count, done = 0;
+	loff_t i_size = i_size_read(inode);
 
 	trace_ocfs2_read_virt_blocks(
 	     inode, (unsigned long long)v_block, nr, bhs, flags,
 	     validate);
 
+	if (!i_size)
+		return -EINVAL;
+
 	if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
-	    i_size_read(inode)) {
+	    i_size) {
 		BUG_ON(!(flags & OCFS2_BH_READAHEAD));
 		goto out;
 	}
-- 
2.43.0

Re: [syzbot] [ocfs2?] kernel BUG in ocfs2_read_virt_blocks

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
Tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com

Tested on:

commit:         6485cf5e Merge tag 'hid-for-linus-2024101301' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17186887980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=164d2822debd8b0d
dashboard link: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14cb0030580000

Note: testing is done by a robot and is best-effort only.

Re: [PATCH V3] ocfs2: add a sanity check for i_size

[Joseph Qi]

On 10/14/24 7:47 PM, Edward Adam Davis wrote:
> Syzbot reported a BUG in ocfs2_read_virt_blocks.
> ------------[ cut here ]------------
> kernel BUG at fs/ocfs2/extent_map.c:971!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 1 UID: 0 PID: 5221 Comm: syz-executor117 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> RIP: 0010:ocfs2_read_virt_blocks+0xaa3/0xb20 fs/ocfs2/extent_map.c:971
> Code: 8b 54 24 30 8b 4c 24 1c 4c 8b 44 24 38 45 89 e1 ff 74 24 48 e8 7e 0a 0c 00 48 83 c4 08 eb 25 e8 43 d2 34 08 e8 ee d1 0c fe 90 <0f> 0b e8 e6 d1 0c fe 4c 89 e8 45 89 e5 49 89 c4 e9 01 f7 ff ff e8
> RSP: 0018:ffffc90002e2e820 EFLAGS: 00010293
> RAX: ffffffff83881432 RBX: 0000000000000000 RCX: ffff88802d3e9e00
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffffc90002e2e9f0 R08: ffffffff83880eae R09: 1ffffffff203781d
> R10: dffffc0000000000 R11: fffffbfff203781e R12: ffff8880764d8878
> R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff920005c5d18
> FS:  000055557cd55380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005628fd41e058 CR3: 000000002d2e6000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  ocfs2_read_dir_block+0x106/0x5c0 fs/ocfs2/dir.c:508
>  ocfs2_find_dir_space_el fs/ocfs2/dir.c:3427 [inline]           // status = ocfs2_read_dir_block(dir, 0, &bh, 0);

As I replied before, the comment behind seems unneeded.

>  ocfs2_prepare_dir_for_insert+0x3f2/0x5c60 fs/ocfs2/dir.c:4274
>  ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292
>  ocfs2_create+0x1ab/0x480 fs/ocfs2/namei.c:672
>  lookup_open fs/namei.c:3595 [inline]
>  open_last_lookups fs/namei.c:3694 [inline]
>  path_openat+0x1c03/0x3590 fs/namei.c:3930
>  do_filp_open+0x235/0x490 fs/namei.c:3960
>  do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
>  do_sys_open fs/open.c:1430 [inline]
>  __do_sys_openat fs/open.c:1446 [inline]
>  __se_sys_openat fs/open.c:1441 [inline]
>  __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> In this path, v_block(0), flags(0), and nr(1) are fixed values that are
> hard coded, so if i_size is 0, the bug will be triggered.
> 

This is not a proper commit log.
You have to convert to the user scenario, but not simply list the
parameters value that cause the issue.

> Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> V1 -> V2: keep rc to 0 when falgs contains READHEAD
> V2 -> V3: check i_size only and alert subject and comments
> 
>  fs/ocfs2/extent_map.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> #syz test
> 
> diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
> index f7672472fa82..29d27a70dbdd 100644
> --- a/fs/ocfs2/extent_map.c
> +++ b/fs/ocfs2/extent_map.c
> @@ -961,13 +961,17 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
>  	int rc = 0;
>  	u64 p_block, p_count;
>  	int i, count, done = 0;
> +	loff_t i_size = i_size_read(inode);
>  
>  	trace_ocfs2_read_virt_blocks(
>  	     inode, (unsigned long long)v_block, nr, bhs, flags,
>  	     validate);
>  
> +	if (!i_size)
> +		return -EINVAL;
> +

Take a more consideration, inode size 0 doesn't mean it has no blocks,
since we have a case that fallocate with KEEP_SIZE.
Could you please check inode->i_blocks in above coredump?

Thanks,
Joseph

>  	if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
> -	    i_size_read(inode)) {
> +	    i_size) {
>  		BUG_ON(!(flags & OCFS2_BH_READAHEAD));
>  		goto out;
>  	}

Re: [PATCH V3] ocfs2: add a sanity check for i_size

[Joseph Qi]

On 10/16/24 10:06 AM, Joseph Qi wrote:
> 
> 
> On 10/14/24 7:47 PM, Edward Adam Davis wrote:
>> Syzbot reported a BUG in ocfs2_read_virt_blocks.
>> ------------[ cut here ]------------
>> kernel BUG at fs/ocfs2/extent_map.c:971!
>> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
>> CPU: 1 UID: 0 PID: 5221 Comm: syz-executor117 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
>> RIP: 0010:ocfs2_read_virt_blocks+0xaa3/0xb20 fs/ocfs2/extent_map.c:971
>> Code: 8b 54 24 30 8b 4c 24 1c 4c 8b 44 24 38 45 89 e1 ff 74 24 48 e8 7e 0a 0c 00 48 83 c4 08 eb 25 e8 43 d2 34 08 e8 ee d1 0c fe 90 <0f> 0b e8 e6 d1 0c fe 4c 89 e8 45 89 e5 49 89 c4 e9 01 f7 ff ff e8
>> RSP: 0018:ffffc90002e2e820 EFLAGS: 00010293
>> RAX: ffffffff83881432 RBX: 0000000000000000 RCX: ffff88802d3e9e00
>> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
>> RBP: ffffc90002e2e9f0 R08: ffffffff83880eae R09: 1ffffffff203781d
>> R10: dffffc0000000000 R11: fffffbfff203781e R12: ffff8880764d8878
>> R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff920005c5d18
>> FS:  000055557cd55380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00005628fd41e058 CR3: 000000002d2e6000 CR4: 00000000003526f0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>>  <TASK>
>>  ocfs2_read_dir_block+0x106/0x5c0 fs/ocfs2/dir.c:508
>>  ocfs2_find_dir_space_el fs/ocfs2/dir.c:3427 [inline]           // status = ocfs2_read_dir_block(dir, 0, &bh, 0);
> 
> As I replied before, the comment behind seems unneeded.
> 
>>  ocfs2_prepare_dir_for_insert+0x3f2/0x5c60 fs/ocfs2/dir.c:4274
>>  ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292
>>  ocfs2_create+0x1ab/0x480 fs/ocfs2/namei.c:672
>>  lookup_open fs/namei.c:3595 [inline]
>>  open_last_lookups fs/namei.c:3694 [inline]
>>  path_openat+0x1c03/0x3590 fs/namei.c:3930
>>  do_filp_open+0x235/0x490 fs/namei.c:3960
>>  do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
>>  do_sys_open fs/open.c:1430 [inline]
>>  __do_sys_openat fs/open.c:1446 [inline]
>>  __se_sys_openat fs/open.c:1441 [inline]
>>  __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> In this path, v_block(0), flags(0), and nr(1) are fixed values that are
>> hard coded, so if i_size is 0, the bug will be triggered.
>>
> 
> This is not a proper commit log.
> You have to convert to the user scenario, but not simply list the
> parameters value that cause the issue.
> 
>> Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>> ---
>> V1 -> V2: keep rc to 0 when falgs contains READHEAD
>> V2 -> V3: check i_size only and alert subject and comments
>>
>>  fs/ocfs2/extent_map.c | 6 +++++-
>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> #syz test
>>

BTW, please don't mix syzbot test command into the formal patch.

>> diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
>> index f7672472fa82..29d27a70dbdd 100644
>> --- a/fs/ocfs2/extent_map.c
>> +++ b/fs/ocfs2/extent_map.c
>> @@ -961,13 +961,17 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
>>  	int rc = 0;
>>  	u64 p_block, p_count;
>>  	int i, count, done = 0;
>> +	loff_t i_size = i_size_read(inode);
>>  
>>  	trace_ocfs2_read_virt_blocks(
>>  	     inode, (unsigned long long)v_block, nr, bhs, flags,
>>  	     validate);
>>  
>> +	if (!i_size)
>> +		return -EINVAL;
>> +
> 
> Take a more consideration, inode size 0 doesn't mean it has no blocks,
> since we have a case that fallocate with KEEP_SIZE.
> Could you please check inode->i_blocks in above coredump?
> 
> Thanks,
> Joseph
> 
>>  	if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
>> -	    i_size_read(inode)) {
>> +	    i_size) {
>>  		BUG_ON(!(flags & OCFS2_BH_READAHEAD));
>>  		goto out;
>>  	}
> 

Re: [PATCH V3] ocfs2: add a sanity check for i_size

[Edward Adam Davis]

On Wed, 16 Oct 2024 10:06:27 +0800, Joseph Qi wrote:
> > Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > ---
> > V1 -> V2: keep rc to 0 when falgs contains READHEAD
> > V2 -> V3: check i_size only and alert subject and comments
> > 
> >  fs/ocfs2/extent_map.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > #syz test
> > 
> > diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
> > index f7672472fa82..29d27a70dbdd 100644
> > --- a/fs/ocfs2/extent_map.c
> > +++ b/fs/ocfs2/extent_map.c
> > @@ -961,13 +961,17 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
> >  	int rc = 0;
> >  	u64 p_block, p_count;
> >  	int i, count, done = 0;
> > +	loff_t i_size = i_size_read(inode);
> >  
> >  	trace_ocfs2_read_virt_blocks(
> >  	     inode, (unsigned long long)v_block, nr, bhs, flags,
> >  	     validate);
> >  
> > +	if (!i_size)
> > +		return -EINVAL;
> > +
> 
> Take a more consideration, inode size 0 doesn't mean it has no blocks,
> since we have a case that fallocate with KEEP_SIZE.
> Could you please check inode->i_blocks in above coredump?
I have previously verified the value of inode->i_blocks in my testing environment, which is 0.

BR,
Edward

Re: [PATCH V3] ocfs2: add a sanity check for i_size

[Joseph Qi]

On 10/16/24 11:52 AM, Edward Adam Davis wrote:
> On Wed, 16 Oct 2024 10:06:27 +0800, Joseph Qi wrote:
>>> Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
>>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>>> ---
>>> V1 -> V2: keep rc to 0 when falgs contains READHEAD
>>> V2 -> V3: check i_size only and alert subject and comments
>>>
>>>  fs/ocfs2/extent_map.c | 6 +++++-
>>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>>
>>> #syz test
>>>
>>> diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
>>> index f7672472fa82..29d27a70dbdd 100644
>>> --- a/fs/ocfs2/extent_map.c
>>> +++ b/fs/ocfs2/extent_map.c
>>> @@ -961,13 +961,17 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
>>>  	int rc = 0;
>>>  	u64 p_block, p_count;
>>>  	int i, count, done = 0;
>>> +	loff_t i_size = i_size_read(inode);
>>>  
>>>  	trace_ocfs2_read_virt_blocks(
>>>  	     inode, (unsigned long long)v_block, nr, bhs, flags,
>>>  	     validate);
>>>  
>>> +	if (!i_size)
>>> +		return -EINVAL;
>>> +
>>
>> Take a more consideration, inode size 0 doesn't mean it has no blocks,
>> since we have a case that fallocate with KEEP_SIZE.
>> Could you please check inode->i_blocks in above coredump?
> I have previously verified the value of inode->i_blocks in my testing environment, which is 0.
> 
So it seems the check condition should be:

  (v_block + nr) > (inode->i_blocks >> (inode->i_sb->s_blocksize_bits - 9))

Re: [PATCH V3] ocfs2: add a sanity check for i_size

[Edward Adam Davis]

On Wed, 16 Oct 2024 19:08:26 +0800, Joseph Qi wrote:
> On 10/16/24 11:52 AM, Edward Adam Davis wrote:
> > On Wed, 16 Oct 2024 10:06:27 +0800, Joseph Qi wrote:
> >>> Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
> >>> Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
> >>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> >>> ---
> >>> V1 -> V2: keep rc to 0 when falgs contains READHEAD
> >>> V2 -> V3: check i_size only and alert subject and comments
> >>>
> >>>  fs/ocfs2/extent_map.c | 6 +++++-
> >>>  1 file changed, 5 insertions(+), 1 deletion(-)
> >>>
> >>> #syz test
> >>>
> >>> diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
> >>> index f7672472fa82..29d27a70dbdd 100644
> >>> --- a/fs/ocfs2/extent_map.c
> >>> +++ b/fs/ocfs2/extent_map.c
> >>> @@ -961,13 +961,17 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
> >>>  	int rc = 0;
> >>>  	u64 p_block, p_count;
> >>>  	int i, count, done = 0;
> >>> +	loff_t i_size = i_size_read(inode);
> >>>
> >>>  	trace_ocfs2_read_virt_blocks(
> >>>  	     inode, (unsigned long long)v_block, nr, bhs, flags,
> >>>  	     validate);
> >>>
> >>> +	if (!i_size)
> >>> +		return -EINVAL;
> >>> +
> >>
> >> Take a more consideration, inode size 0 doesn't mean it has no blocks,
> >> since we have a case that fallocate with KEEP_SIZE.
> >> Could you please check inode->i_blocks in above coredump?
> > I have previously verified the value of inode->i_blocks in my testing environment, which is 0.
> >
> So it seems the check condition should be:
> 
>   (v_block + nr) > (inode->i_blocks >> (inode->i_sb->s_blocksize_bits - 9))
Do you mean like this?

diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
index f7672472fa82..9613cd356ac5 100644
--- a/fs/ocfs2/extent_map.c
+++ b/fs/ocfs2/extent_map.c
@@ -966,6 +966,9 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
             inode, (unsigned long long)v_block, nr, bhs, flags,
             validate);

+       if ((v_block + nr) > (inode->i_blocks >> (inode->i_sb->s_blocksize_bits - 9)))
+               return -EINVAL;
+
        if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
            i_size_read(inode)) {
                BUG_ON(!(flags & OCFS2_BH_READAHEAD));

BR,
Edward

Re: [PATCH V3] ocfs2: add a sanity check for i_size

[Joseph Qi]

On 10/16/24 7:57 PM, Edward Adam Davis wrote:
> On Wed, 16 Oct 2024 19:08:26 +0800, Joseph Qi wrote:
>> On 10/16/24 11:52 AM, Edward Adam Davis wrote:
>>> On Wed, 16 Oct 2024 10:06:27 +0800, Joseph Qi wrote:
>>>>> Reported-and-tested-by: syzbot+797d4829dafe3f11dce7@syzkaller.appspotmail.com
>>>>> Closes: https://syzkaller.appspot.com/bug?extid=797d4829dafe3f11dce7
>>>>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>>>>> ---
>>>>> V1 -> V2: keep rc to 0 when falgs contains READHEAD
>>>>> V2 -> V3: check i_size only and alert subject and comments
>>>>>
>>>>>  fs/ocfs2/extent_map.c | 6 +++++-
>>>>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>>>>
>>>>> #syz test
>>>>>
>>>>> diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
>>>>> index f7672472fa82..29d27a70dbdd 100644
>>>>> --- a/fs/ocfs2/extent_map.c
>>>>> +++ b/fs/ocfs2/extent_map.c
>>>>> @@ -961,13 +961,17 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
>>>>>  	int rc = 0;
>>>>>  	u64 p_block, p_count;
>>>>>  	int i, count, done = 0;
>>>>> +	loff_t i_size = i_size_read(inode);
>>>>>
>>>>>  	trace_ocfs2_read_virt_blocks(
>>>>>  	     inode, (unsigned long long)v_block, nr, bhs, flags,
>>>>>  	     validate);
>>>>>
>>>>> +	if (!i_size)
>>>>> +		return -EINVAL;
>>>>> +
>>>>
>>>> Take a more consideration, inode size 0 doesn't mean it has no blocks,
>>>> since we have a case that fallocate with KEEP_SIZE.
>>>> Could you please check inode->i_blocks in above coredump?
>>> I have previously verified the value of inode->i_blocks in my testing environment, which is 0.
>>>
>> So it seems the check condition should be:
>>
>>   (v_block + nr) > (inode->i_blocks >> (inode->i_sb->s_blocksize_bits - 9))
> Do you mean like this?
> 
> diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
> index f7672472fa82..9613cd356ac5 100644
> --- a/fs/ocfs2/extent_map.c
> +++ b/fs/ocfs2/extent_map.c
> @@ -966,6 +966,9 @@ int ocfs2_read_virt_blocks(struct inode *inode, u64 v_block, int nr,
>              inode, (unsigned long long)v_block, nr, bhs, flags,
>              validate);
> 
> +       if ((v_block + nr) > (inode->i_blocks >> (inode->i_sb->s_blocksize_bits - 9)))
> +               return -EINVAL;
> +
>         if (((v_block + nr - 1) << inode->i_sb->s_blocksize_bits) >=
>             i_size_read(inode)) {
>                 BUG_ON(!(flags & OCFS2_BH_READAHEAD));
> 
Right, which mean the block read request is invalid.