From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Ryusuke Konishi <konishi.ryusuke@gmail.com>,
Lizhi Xu <lizhi.xu@windriver.com>,
syzbot+8a192e8d090fa9a31135@syzkaller.appspotmail.com,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 5.15 80/82] nilfs2: propagate directory read errors from nilfs_find_entry()
Date: Mon, 21 Oct 2024 12:26:01 +0200 [thread overview]
Message-ID: <20241021102250.381740724@linuxfoundation.org> (raw)
In-Reply-To: <20241021102247.209765070@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit 08cfa12adf888db98879dbd735bc741360a34168 upstream.
Syzbot reported that a task hang occurs in vcs_open() during a fuzzing
test for nilfs2.
The root cause of this problem is that in nilfs_find_entry(), which
searches for directory entries, ignores errors when loading a directory
page/folio via nilfs_get_folio() fails.
If the filesystem images is corrupted, and the i_size of the directory
inode is large, and the directory page/folio is successfully read but
fails the sanity check, for example when it is zero-filled,
nilfs_check_folio() may continue to spit out error messages in bursts.
Fix this issue by propagating the error to the callers when loading a
page/folio fails in nilfs_find_entry().
The current interface of nilfs_find_entry() and its callers is outdated
and cannot propagate error codes such as -EIO and -ENOMEM returned via
nilfs_find_entry(), so fix it together.
Link: https://lkml.kernel.org/r/20241004033640.6841-1-konishi.ryusuke@gmail.com
Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: Lizhi Xu <lizhi.xu@windriver.com>
Closes: https://lkml.kernel.org/r/20240927013806.3577931-1-lizhi.xu@windriver.com
Reported-by: syzbot+8a192e8d090fa9a31135@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8a192e8d090fa9a31135
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/dir.c | 50 +++++++++++++++++++++++++++-----------------------
fs/nilfs2/namei.c | 39 ++++++++++++++++++++++++++-------------
fs/nilfs2/nilfs.h | 2 +-
3 files changed, 54 insertions(+), 37 deletions(-)
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -331,6 +331,8 @@ static int nilfs_readdir(struct file *fi
* returns the page in which the entry was found, and the entry itself
* (as a parameter - res_dir). Page is returned mapped and unlocked.
* Entry is guaranteed to be valid.
+ *
+ * On failure, returns an error pointer and the caller should ignore res_page.
*/
struct nilfs_dir_entry *
nilfs_find_entry(struct inode *dir, const struct qstr *qstr,
@@ -358,22 +360,24 @@ nilfs_find_entry(struct inode *dir, cons
do {
char *kaddr = nilfs_get_page(dir, n, &page);
- if (!IS_ERR(kaddr)) {
- de = (struct nilfs_dir_entry *)kaddr;
- kaddr += nilfs_last_byte(dir, n) - reclen;
- while ((char *) de <= kaddr) {
- if (de->rec_len == 0) {
- nilfs_error(dir->i_sb,
- "zero-length directory entry");
- nilfs_put_page(page);
- goto out;
- }
- if (nilfs_match(namelen, name, de))
- goto found;
- de = nilfs_next_entry(de);
+ if (IS_ERR(kaddr))
+ return ERR_CAST(kaddr);
+
+ de = (struct nilfs_dir_entry *)kaddr;
+ kaddr += nilfs_last_byte(dir, n) - reclen;
+ while ((char *)de <= kaddr) {
+ if (de->rec_len == 0) {
+ nilfs_error(dir->i_sb,
+ "zero-length directory entry");
+ nilfs_put_page(page);
+ goto out;
}
- nilfs_put_page(page);
+ if (nilfs_match(namelen, name, de))
+ goto found;
+ de = nilfs_next_entry(de);
}
+ nilfs_put_page(page);
+
if (++n >= npages)
n = 0;
/* next page is past the blocks we've got */
@@ -386,7 +390,7 @@ nilfs_find_entry(struct inode *dir, cons
}
} while (n != start);
out:
- return NULL;
+ return ERR_PTR(-ENOENT);
found:
*res_page = page;
@@ -431,19 +435,19 @@ fail:
return NULL;
}
-ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr)
+int nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr, ino_t *ino)
{
- ino_t res = 0;
struct nilfs_dir_entry *de;
struct page *page;
de = nilfs_find_entry(dir, qstr, &page);
- if (de) {
- res = le64_to_cpu(de->inode);
- kunmap(page);
- put_page(page);
- }
- return res;
+ if (IS_ERR(de))
+ return PTR_ERR(de);
+
+ *ino = le64_to_cpu(de->inode);
+ kunmap(page);
+ put_page(page);
+ return 0;
}
/* Releases the page */
--- a/fs/nilfs2/namei.c
+++ b/fs/nilfs2/namei.c
@@ -55,12 +55,20 @@ nilfs_lookup(struct inode *dir, struct d
{
struct inode *inode;
ino_t ino;
+ int res;
if (dentry->d_name.len > NILFS_NAME_LEN)
return ERR_PTR(-ENAMETOOLONG);
- ino = nilfs_inode_by_name(dir, &dentry->d_name);
- inode = ino ? nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino) : NULL;
+ res = nilfs_inode_by_name(dir, &dentry->d_name, &ino);
+ if (res) {
+ if (res != -ENOENT)
+ return ERR_PTR(res);
+ inode = NULL;
+ } else {
+ inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino);
+ }
+
return d_splice_alias(inode, dentry);
}
@@ -263,10 +271,11 @@ static int nilfs_do_unlink(struct inode
struct page *page;
int err;
- err = -ENOENT;
de = nilfs_find_entry(dir, &dentry->d_name, &page);
- if (!de)
+ if (IS_ERR(de)) {
+ err = PTR_ERR(de);
goto out;
+ }
inode = d_inode(dentry);
err = -EIO;
@@ -361,10 +370,11 @@ static int nilfs_rename(struct user_name
if (unlikely(err))
return err;
- err = -ENOENT;
old_de = nilfs_find_entry(old_dir, &old_dentry->d_name, &old_page);
- if (!old_de)
+ if (IS_ERR(old_de)) {
+ err = PTR_ERR(old_de);
goto out;
+ }
if (S_ISDIR(old_inode->i_mode)) {
err = -EIO;
@@ -381,10 +391,12 @@ static int nilfs_rename(struct user_name
if (dir_de && !nilfs_empty_dir(new_inode))
goto out_dir;
- err = -ENOENT;
- new_de = nilfs_find_entry(new_dir, &new_dentry->d_name, &new_page);
- if (!new_de)
+ new_de = nilfs_find_entry(new_dir, &new_dentry->d_name,
+ &new_page);
+ if (IS_ERR(new_de)) {
+ err = PTR_ERR(new_de);
goto out_dir;
+ }
nilfs_set_link(new_dir, new_de, new_page, old_inode);
nilfs_mark_inode_dirty(new_dir);
new_inode->i_ctime = current_time(new_inode);
@@ -438,13 +450,14 @@ out:
*/
static struct dentry *nilfs_get_parent(struct dentry *child)
{
- unsigned long ino;
+ ino_t ino;
+ int res;
struct inode *inode;
struct nilfs_root *root;
- ino = nilfs_inode_by_name(d_inode(child), &dotdot_name);
- if (!ino)
- return ERR_PTR(-ENOENT);
+ res = nilfs_inode_by_name(d_inode(child), &dotdot_name, &ino);
+ if (res)
+ return ERR_PTR(res);
root = NILFS_I(d_inode(child))->i_root;
--- a/fs/nilfs2/nilfs.h
+++ b/fs/nilfs2/nilfs.h
@@ -233,7 +233,7 @@ static inline __u32 nilfs_mask_flags(umo
/* dir.c */
extern int nilfs_add_link(struct dentry *, struct inode *);
-extern ino_t nilfs_inode_by_name(struct inode *, const struct qstr *);
+int nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr, ino_t *ino);
extern int nilfs_make_empty(struct inode *, struct inode *);
extern struct nilfs_dir_entry *
nilfs_find_entry(struct inode *, const struct qstr *, struct page **);
next prev parent reply other threads:[~2024-10-21 10:49 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-21 10:24 [PATCH 5.15 00/82] 5.15.169-rc1 review Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 01/82] ALSA: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 02/82] udf: New directory iteration code Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 03/82] udf: Convert udf_expand_dir_adinicb() to new directory iteration Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 04/82] udf: Move udf_expand_dir_adinicb() to its callsite Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 05/82] udf: Implement searching for directory entry using new iteration code Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 06/82] udf: Provide function to mark entry as deleted using new directory " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 07/82] udf: Convert udf_rename() to " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 08/82] udf: Convert udf_readdir() to new directory iteration Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 09/82] udf: Convert udf_lookup() to use new directory iteration code Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 10/82] udf: Convert udf_get_parent() to " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 11/82] udf: Convert empty_dir() " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 12/82] udf: Convert udf_rmdir() " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 13/82] udf: Convert udf_unlink() " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 14/82] udf: Implement adding of dir entries using new " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 15/82] udf: Convert udf_add_nondir() to new directory iteration Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 16/82] udf: Convert udf_mkdir() to new directory iteration code Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 17/82] udf: Convert udf_link() " Greg Kroah-Hartman
2024-10-21 10:24 ` [PATCH 5.15 18/82] udf: Remove old " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 19/82] udf: Handle error when expanding directory Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 20/82] udf: Dont return bh from udf_expand_dir_adinicb() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 21/82] udf: Fix bogus checksum computation in udf_rename() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 22/82] net: enetc: remove xdp_drops statistic from enetc_xdp_drop() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 23/82] net: enetc: add missing static descriptor and inline keyword Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 24/82] posix-clock: Fix missing timespec64 check in pc_clock_settime() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 25/82] arm64: probes: Remove broken LDR (literal) uprobe support Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 26/82] arm64: probes: Fix simulate_ldr*_literal() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 27/82] net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 28/82] irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 29/82] fat: fix uninitialized variable Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 30/82] mm/swapfile: skip HugeTLB pages for unuse_vma Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 31/82] secretmem: disable memfd_secret() if arch cannot set direct map Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 32/82] wifi: mac80211: fix potential key use-after-free Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 33/82] dm-crypt, dm-verity: disable tasklets Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 34/82] KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 35/82] drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 36/82] io_uring/sqpoll: do not allow pinning outside of cpuset Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 37/82] io_uring/sqpoll: retain test for whether the CPU is valid Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 38/82] io_uring/sqpoll: do not put cpumask on stack Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 39/82] iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 40/82] s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 41/82] KVM: s390: Change virtual to physical address access in diag 0x258 handler Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 42/82] x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 43/82] x86/cpufeatures: Add a IBPB_NO_RET BUG flag Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 44/82] x86/entry: Have entry_ibpb() invalidate return predictions Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 45/82] x86/bugs: Skip RSB fill at VMEXIT Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 46/82] x86/bugs: Do not use UNTRAIN_RET with IBPB on entry Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 47/82] blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 48/82] io_uring/sqpoll: close race on waiting for sqring entries Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 49/82] drm/radeon: Fix encoder->possible_clones Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 50/82] drm/vmwgfx: Handle surface check failure correctly Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 51/82] iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 52/82] iio: dac: ltc1660: " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 53/82] iio: dac: stm32-dac-core: add missing select REGMAP_MMIO " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 54/82] iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 55/82] iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 56/82] iio: light: veml6030: fix ALS sensor resolution Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 57/82] iio: light: veml6030: fix IIO device retrieval from embedded device Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 58/82] iio: light: opt3001: add missing full-scale range value Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 59/82] iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 60/82] iio: adc: ti-ads124s08: " Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 61/82] Bluetooth: Remove debugfs directory on module init failure Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 62/82] Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 63/82] xhci: Fix incorrect stream context type macro Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 64/82] xhci: Mitigate failed set dequeue pointer commands Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 65/82] USB: serial: option: add support for Quectel EG916Q-GL Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 66/82] USB: serial: option: add Telit FN920C04 MBIM compositions Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 67/82] parport: Proper fix for array out-of-bounds access Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 68/82] x86/resctrl: Annotate get_mem_config() functions as __init Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 69/82] x86/apic: Always explicitly disarm TSC-deadline timer Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 70/82] x86/entry_32: Do not clobber user EFLAGS.ZF Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 71/82] x86/entry_32: Clear CPU buffers after register restore in NMI return Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 72/82] pinctrl: ocelot: fix system hang on level based interrupts Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 73/82] irqchip/gic-v4: Dont allow a VMOVP on a dying VPE Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 74/82] mptcp: track and update contiguous data status Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 75/82] mptcp: handle consistently DSS corruption Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 76/82] tcp: fix mptcp DSS corruption due to large pmtu xmit Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 77/82] mptcp: fallback when MPTCP opts are dropped after 1st data Greg Kroah-Hartman
2024-10-21 10:25 ` [PATCH 5.15 78/82] mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Greg Kroah-Hartman
2024-10-21 10:26 ` [PATCH 5.15 79/82] mptcp: prevent MPC handshake on port-based signal endpoints Greg Kroah-Hartman
2024-10-21 10:26 ` Greg Kroah-Hartman [this message]
2024-10-21 10:26 ` [PATCH 5.15 81/82] powerpc/mm: Always update max/min_low_pfn in mem_topology_setup() Greg Kroah-Hartman
2024-10-21 10:26 ` [PATCH 5.15 82/82] ALSA: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 Greg Kroah-Hartman
2024-10-21 18:05 ` [PATCH 5.15 00/82] 5.15.169-rc1 review Florian Fainelli
2024-10-21 18:06 ` SeongJae Park
2024-10-21 19:25 ` Naresh Kamboju
2024-10-21 20:01 ` Harshit Mogalapalli
2024-10-21 22:41 ` Shuah Khan
2024-10-22 13:00 ` Mark Brown
2024-10-22 17:56 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241021102250.381740724@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=konishi.ryusuke@gmail.com \
--cc=lizhi.xu@windriver.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+8a192e8d090fa9a31135@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox