* [PATCH 4.19 5.4 5.10 5.15 6.1 6.6] nilfs2: fix kernel bug on rename operation of broken directory
@ 2024-07-15 16:27 Ryusuke Konishi
From: Ryusuke Konishi @ 2024-07-15 16:27 UTC (permalink / raw)
To: stable, gregkh; +Cc: akpm
commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream.
Syzbot reported that in a rename directory operation on a broken directory on
nilfs2, __block_write_begin_int(), called to prepare a block write, may fail
the BUG_ON check for access exceeding the folio/page size.

This is because nilfs_dotdot(), which gets the parent directory reference
entry ("..") of the directory to be moved or renamed, does not check
consistency sufficiently, and may return a location exceeding the folio/page
size for broken directories.

Fix this issue by checking the required directory entries ("." and "..") in
the first chunk of the directory in nilfs_dotdot().
Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
Please apply this patch to the stable trees indicated by the subject
prefix instead of the patch that failed.

This patch is tailored to take page/folio conversion into account and
can be applied to these stable trees.

Also, all the builds and tests I did on each stable tree passed.
Thanks,
Ryusuke Konishi
fs/nilfs2/dir.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
index 51c982ad9608..53e4e63c607e 100644
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -396,11 +396,39 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr,
struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p)
{
- struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p);
+ struct page *page;
+ struct nilfs_dir_entry *de, *next_de;
+ size_t limit;
+ char *msg;
+ de = nilfs_get_page(dir, 0, &page);
if (IS_ERR(de))
return NULL;
- return nilfs_next_entry(de);
+
+ limit = nilfs_last_byte(dir, 0); /* is a multiple of chunk size */
+ if (unlikely(!limit || le64_to_cpu(de->inode) != dir->i_ino ||
+ !nilfs_match(1, ".", de))) {
+ msg = "missing '.'";
+ goto fail;
+ }
+
+ next_de = nilfs_next_entry(de);
+ /*
+ * If "next_de" has not reached the end of the chunk, there is
+ * at least one more record. Check whether it matches "..".
+ */
+ if (unlikely((char *)next_de == (char *)de + nilfs_chunk_size(dir) ||
+ !nilfs_match(2, "..", next_de))) {
+ msg = "missing '..'";
+ goto fail;
+ }
+ *p = page;
+ return next_de;
+
+fail:
+ nilfs_error(dir->i_sb, "directory #%lu %s", dir->i_ino, msg);
+ nilfs_put_page(page);
+ return NULL;
}
ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr)
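Review bot: the ".." check `(char *)next_de == (char *)de + nilfs_chunk_size(dir)` only detects the case where "." exactly fills the first chunk; it silently assumes nilfs_next_entry(de) can never land beyond the chunk boundary, which holds only if the rec_len of "." was validated when the page was read. That guarantee is not visible in this hunk, so the comment above the check should name the validation it relies on (or use a `>=` comparison so the intent does not depend on it), otherwise a future reader may not see why nilfs_match(2, "..", next_de) cannot read past the chunk. Minor: the `!limit` and `le64_to_cpu(de->inode) != dir->i_ino` failures are both reported as "missing '.'"; a distinct message for the inode mismatch would make the nilfs_error() output more useful when triaging a corrupted image.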
--
2.43.5
* Re: [PATCH 4.19 5.4 5.10 5.15 6.1 6.6] nilfs2: fix kernel bug on rename operation of broken directory
From: Greg KH @ 2024-07-16 13:10 UTC (permalink / raw)
To: Ryusuke Konishi; +Cc: stable, akpm
On Tue, Jul 16, 2024 at 01:27:11AM +0900, Ryusuke Konishi wrote:
> commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream.
>
> Syzbot reported that in a rename directory operation on a broken directory on
> nilfs2, __block_write_begin_int(), called to prepare a block write, may fail
> the BUG_ON check for access exceeding the folio/page size.
>
> This is because nilfs_dotdot(), which gets the parent directory reference
> entry ("..") of the directory to be moved or renamed, does not check
> consistency sufficiently, and may return a location exceeding the folio/page
> size for broken directories.
>
> Fix this issue by checking the required directory entries ("." and "..") in
> the first chunk of the directory in nilfs_dotdot().
>
> Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
> Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
> Please apply this patch to the stable trees indicated by the subject
> prefix instead of the patch that failed.
>
> This patch is tailored to take page/folio conversion into account and
> can be applied to these stable trees.
>
> Also, all the builds and tests I did on each stable tree passed.
Now queued up, thanks!
greg k-h