[syzbot] [ntfs3?] WARNING in ntfs_extend_initialized_size

[syzbot] [ntfs3?] WARNING in ntfs_extend_initialized_size

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    e32cde8d2bd7 Merge tag 'sched_ext-for-6.12-rc1-fixes-1' of..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1201939f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1f009dd80b3799c2
dashboard link: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15c8e927980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13b7bdd0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/08f3ba449e03/disk-e32cde8d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/17bcace1ab90/vmlinux-e32cde8d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/da9183ac0145/bzImage-e32cde8d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0e40cc89da55/mount_0.gz

Bisection is inconclusive: the first bad commit could be any of:

220cf0498bbf fs/ntfs3: Simplify initialization of $AttrDef and $UpCase
2c2814d0dafc fs/ntfs3: Use macros NTFS_LABEL_MAX_LENGTH instead of hardcoded value

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=138b539f980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5234 at fs/ntfs3/file.c:181 ntfs_extend_initialized_size+0x907/0x950 fs/ntfs3/file.c:181
Modules linked in:
CPU: 1 UID: 0 PID: 5234 Comm: syz-executor337 Not tainted 6.12.0-rc1-syzkaller-00031-ge32cde8d2bd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:ntfs_extend_initialized_size+0x907/0x950 fs/ntfs3/file.c:181
Code: 66 89 d8 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 58 72 a7 fe 90 0f 0b 90 e9 ba f8 ff ff e8 4a 72 a7 fe 90 <0f> 0b 90 e9 cf f8 ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 5a
RSP: 0018:ffffc90002eaf580 EFLAGS: 00010293
RAX: ffffffff82ed6916 RBX: 000000000000b5b3 RCX: ffff888029a61e00
RDX: 0000000000000000 RSI: 000000000000b5b3 RDI: 0000000000050000
RBP: ffffc90002eaf6b0 R08: ffffffff82ed61e0 R09: 1ffffffff2037745
R10: dffffc0000000000 R11: fffffbfff2037746 R12: ffff88802db18000
R13: dffffc0000000000 R14: 0000000000050000 R15: 0000000000000000
FS:  00007f62c31fa6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffee48b8dd8 CR3: 0000000076342000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ntfs_file_mmap+0x5f2/0x850 fs/ntfs3/file.c:368
 call_mmap include/linux/fs.h:2172 [inline]
 mmap_region+0x1add/0x2990 mm/mmap.c:1440
 do_mmap+0x8f0/0x1000 mm/mmap.c:496
 vm_mmap_pgoff+0x1dd/0x3d0 mm/util.c:588
 ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:542
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f62c32646b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f62c31fa208 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f62c330a658 RCX: 00007f62c32646b9
RDX: 00000000017ffff7 RSI: 0000000000600000 RDI: 0000000020000000
RBP: 00007f62c330a650 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000004002011 R11: 0000000000000246 R12: 00007f62c32d78c4
R13: 00007f62c32b80c0 R14: 007570637265705f R15: 0700000000000000
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [ntfs3?] WARNING in ntfs_extend_initialized_size

[Edward Adam Davis]

The data type of in->i_valid and to is u64 in ntfs_file_mmap(). 
If their values are greater than LLONG_MAX, overflow will occur because
the data types of the parameters valid and new_valid corresponding to
the function ntfs_extend_initialized_size() are loff_t.

#syz test

diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
index 6202895a4542..c42454a62314 100644
--- a/fs/ntfs3/file.c
+++ b/fs/ntfs3/file.c
@@ -178,7 +178,6 @@ static int ntfs_extend_initialized_size(struct file *file,
 	}
 
 	WARN_ON(is_compressed(ni));
-	WARN_ON(valid >= new_valid);
 
 	for (;;) {
 		u32 zerofrom, len;
@@ -400,6 +399,7 @@ static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
 	}
 
 	if (extend_init && !is_compressed(ni)) {
+		WARN_ON(ni->i_valid >= pos);
 		err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
 		if (err)
 			goto out;

Re: [syzbot] [ntfs3?] WARNING in ntfs_extend_initialized_size

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com
Tested-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com

Tested on:

commit:         8cf0b939 Linux 6.12-rc2
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e24327980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a3fccdd0bb995
dashboard link: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13ac4327980000

Note: testing is done by a robot and is best-effort only.

[PATCH] ntfs3: Fix WARNING in ntfs_extend_initialized_size

[Edward Adam Davis]

Syzbot reported a WARNING in ntfs_extend_initialized_size.
The data type of in->i_valid and to is u64 in ntfs_file_mmap().
If their values are greater than LLONG_MAX, overflow will occur because
the data types of the parameters valid and new_valid corresponding to
the function ntfs_extend_initialized_size() are loff_t.

Before calling ntfs_extend_initialized_size() in the ntfs_file_mmap(),
the "ni->i_valid < to" has been determined, so the same WARN_ON determination
is not required in ntfs_extend_initialized_size(). 
Just execute the ntfs_extend_initialized_size() in ntfs_extend() to make
a WARN_ON check.

Reported-and-tested-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/ntfs3/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
index 6202895a4542..c42454a62314 100644
--- a/fs/ntfs3/file.c
+++ b/fs/ntfs3/file.c
@@ -178,7 +178,6 @@ static int ntfs_extend_initialized_size(struct file *file,
 	}
 
 	WARN_ON(is_compressed(ni));
-	WARN_ON(valid >= new_valid);
 
 	for (;;) {
 		u32 zerofrom, len;
@@ -400,6 +399,7 @@ static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
 	}
 
 	if (extend_init && !is_compressed(ni)) {
+		WARN_ON(ni->valid >= pos);
 		err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
 		if (err)
 			goto out;
-- 
2.43.0

Re: [PATCH] ntfs3: Fix WARNING in ntfs_extend_initialized_size

[kernel test robot]

Hi Edward,

kernel test robot noticed the following build errors:

[auto build test ERROR on brauner-vfs/vfs.all]
[also build test ERROR on linus/master v6.12-rc2 next-20241010]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Edward-Adam-Davis/ntfs3-Fix-WARNING-in-ntfs_extend_initialized_size/20241007-191224
base:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
patch link:    https://lore.kernel.org/r/tencent_EE134FDF8DFFA5E18D84121FDDE5DDB41907%40qq.com
patch subject: [PATCH] ntfs3: Fix WARNING in ntfs_extend_initialized_size
config: i386-buildonly-randconfig-001-20241010 (https://download.01.org/0day-ci/archive/20241010/202410101748.6VtnyCOG-lkp@intel.com/config)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241010/202410101748.6VtnyCOG-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410101748.6VtnyCOG-lkp@intel.com/

All errors (new ones prefixed by >>):

>> fs/ntfs3/file.c:402:15: error: no member named 'valid' in 'struct ntfs_inode'
     402 |                 WARN_ON(ni->valid >= pos);
         |                         ~~  ^
   include/asm-generic/bug.h:123:25: note: expanded from macro 'WARN_ON'
     123 |         int __ret_warn_on = !!(condition);                              \
         |                                ^~~~~~~~~
   1 error generated.


vim +402 fs/ntfs3/file.c

   379	
   380	static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
   381			       struct file *file)
   382	{
   383		struct ntfs_inode *ni = ntfs_i(inode);
   384		struct address_space *mapping = inode->i_mapping;
   385		loff_t end = pos + count;
   386		bool extend_init = file && pos > ni->i_valid;
   387		int err;
   388	
   389		if (end <= inode->i_size && !extend_init)
   390			return 0;
   391	
   392		/* Mark rw ntfs as dirty. It will be cleared at umount. */
   393		ntfs_set_state(ni->mi.sbi, NTFS_DIRTY_DIRTY);
   394	
   395		if (end > inode->i_size) {
   396			err = ntfs_set_size(inode, end);
   397			if (err)
   398				goto out;
   399		}
   400	
   401		if (extend_init && !is_compressed(ni)) {
 > 402			WARN_ON(ni->valid >= pos);
   403			err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
   404			if (err)
   405				goto out;
   406		} else {
   407			err = 0;
   408		}
   409	
   410		inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
   411		mark_inode_dirty(inode);
   412	
   413		if (IS_SYNC(inode)) {
   414			int err2;
   415	
   416			err = filemap_fdatawrite_range(mapping, pos, end - 1);
   417			err2 = sync_mapping_buffers(mapping);
   418			if (!err)
   419				err = err2;
   420			err2 = write_inode_now(inode, 1);
   421			if (!err)
   422				err = err2;
   423			if (!err)
   424				err = filemap_fdatawait_range(mapping, pos, end - 1);
   425		}
   426	
   427	out:
   428		return err;
   429	}
   430	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

[PATCH V2] ntfs3: Fix WARNING in ntfs_extend_initialized_size

[Edward Adam Davis]

Syzbot reported a WARNING in ntfs_extend_initialized_size.
The data type of in->i_valid and to is u64 in ntfs_file_mmap().
If their values are greater than LLONG_MAX, overflow will occur because
the data types of the parameters valid and new_valid corresponding to
the function ntfs_extend_initialized_size() are loff_t.

Before calling ntfs_extend_initialized_size() in the ntfs_file_mmap(),
the "ni->i_valid < to" has been determined, so the same WARN_ON determination
is not required in ntfs_extend_initialized_size(). 
Just execute the ntfs_extend_initialized_size() in ntfs_extend() to make
a WARN_ON check.

Reported-and-tested-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: typo for ni->i_valid

 fs/ntfs3/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
index 6202895a4542..c42454a62314 100644
--- a/fs/ntfs3/file.c
+++ b/fs/ntfs3/file.c
@@ -178,7 +178,6 @@ static int ntfs_extend_initialized_size(struct file *file,
 	}
 
 	WARN_ON(is_compressed(ni));
-	WARN_ON(valid >= new_valid);
 
 	for (;;) {
 		u32 zerofrom, len;
@@ -400,6 +399,7 @@ static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
 	}
 
 	if (extend_init && !is_compressed(ni)) {
+		WARN_ON(ni->i_valid >= pos);
 		err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
 		if (err)
 			goto out;
-- 
2.43.0

Re: [PATCH] ntfs3: Fix WARNING in ntfs_extend_initialized_size

[kernel test robot]

Hi Edward,

kernel test robot noticed the following build errors:

[auto build test ERROR on brauner-vfs/vfs.all]
[also build test ERROR on linus/master v6.12-rc2 next-20241010]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Edward-Adam-Davis/ntfs3-Fix-WARNING-in-ntfs_extend_initialized_size/20241007-191224
base:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
patch link:    https://lore.kernel.org/r/tencent_EE134FDF8DFFA5E18D84121FDDE5DDB41907%40qq.com
patch subject: [PATCH] ntfs3: Fix WARNING in ntfs_extend_initialized_size
config: i386-randconfig-003-20241010 (https://download.01.org/0day-ci/archive/20241010/202410102052.KIxxilgH-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241010/202410102052.KIxxilgH-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410102052.KIxxilgH-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from arch/x86/include/asm/bug.h:99,
                    from include/linux/bug.h:5,
                    from include/linux/thread_info.h:13,
                    from include/linux/spinlock.h:60,
                    from include/linux/wait.h:9,
                    from include/linux/wait_bit.h:8,
                    from include/linux/fs.h:6,
                    from include/linux/backing-dev.h:13,
                    from fs/ntfs3/file.c:10:
   fs/ntfs3/file.c: In function 'ntfs_extend':
>> fs/ntfs3/file.c:402:29: error: 'struct ntfs_inode' has no member named 'valid'; did you mean 'i_valid'?
     402 |                 WARN_ON(ni->valid >= pos);
         |                             ^~~~~
   include/asm-generic/bug.h:123:32: note: in definition of macro 'WARN_ON'
     123 |         int __ret_warn_on = !!(condition);                              \
         |                                ^~~~~~~~~


vim +402 fs/ntfs3/file.c

   379	
   380	static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
   381			       struct file *file)
   382	{
   383		struct ntfs_inode *ni = ntfs_i(inode);
   384		struct address_space *mapping = inode->i_mapping;
   385		loff_t end = pos + count;
   386		bool extend_init = file && pos > ni->i_valid;
   387		int err;
   388	
   389		if (end <= inode->i_size && !extend_init)
   390			return 0;
   391	
   392		/* Mark rw ntfs as dirty. It will be cleared at umount. */
   393		ntfs_set_state(ni->mi.sbi, NTFS_DIRTY_DIRTY);
   394	
   395		if (end > inode->i_size) {
   396			err = ntfs_set_size(inode, end);
   397			if (err)
   398				goto out;
   399		}
   400	
   401		if (extend_init && !is_compressed(ni)) {
 > 402			WARN_ON(ni->valid >= pos);
   403			err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
   404			if (err)
   405				goto out;
   406		} else {
   407			err = 0;
   408		}
   409	
   410		inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
   411		mark_inode_dirty(inode);
   412	
   413		if (IS_SYNC(inode)) {
   414			int err2;
   415	
   416			err = filemap_fdatawrite_range(mapping, pos, end - 1);
   417			err2 = sync_mapping_buffers(mapping);
   418			if (!err)
   419				err = err2;
   420			err2 = write_inode_now(inode, 1);
   421			if (!err)
   422				err = err2;
   423			if (!err)
   424				err = filemap_fdatawait_range(mapping, pos, end - 1);
   425		}
   426	
   427	out:
   428		return err;
   429	}
   430	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki