[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Zba9zRWq6rZhWn-p@casper.infradead.org>
Date: Sun, 28 Jan 2024 20:49:17 +0000
From: Matthew Wilcox <willy@...radead.org>
To: Manas Ghandat <ghandatmanas@...il.com>
Cc: dave.kleikamp@...cle.com, shaggy@...nel.org,
Linux-kernel-mentees@...ts.linuxfoundation.org,
jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
syzbot+411debe54d318eaed386@...kaller.appspotmail.com,
Sasha Levin <sashal@...nel.org>
Subject: Re: [PATCH] jfs: fix shift-out-of-bounds in dbJoin
On Wed, Oct 11, 2023 at 08:09:37PM +0530, Manas Ghandat wrote:
> Currently while joining the leaf in a buddy system there is shift out
> of bound error in calculation of BUDSIZE. Added the required check
> to the BUDSIZE and fixed the documentation as well.
This patch causes xfstests to fail frequently. The one this trace is
from was generic/074.
Sasha, I see this one was AUTOSEL. Please stop it from going into
-stable.
00274 [failed, exit status 1]------------[ cut here ]------------
00274 kernel BUG at fs/jfs/inode.c:169!
00274 invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
00274 CPU: 7 PID: 52174 Comm: umount Kdump: loaded Tainted: G N 6.7.0-rc2-00020-gcca974daeb6c #442
00274 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
00274 RIP: 0010:jfs_evict_inode+0xfb/0x110
00274 Code: 28 fc ff ff a8 04 75 24 4d 85 e4 74 10 49 83 7c 24 80 00 74 08 48 89 df e8 e2 a5 00 00 48 89 df e8 3a 95 ee ff e9 2f ff ff ff <0f> 0b 48 89 df e8 0b 28 00 00 eb d2 66 0f 1f 84 00 00 00 00 00 90
00274 RSP: 0018:ffff8880080bbd48 EFLAGS: 00010287
00274 RAX: ffff88804b209a80 RBX: ffff88804b209df8 RCX: 0000000000000000
00274 RDX: ffff88800b813ce0 RSI: ffffffff8217a259 RDI: ffff88804b209df8
00274 RBP: ffff8880080bbd58 R08: 0000000000000001 R09: 0000000000000001
00274 R10: ffff8880551e4540 R11: 0000000000000001 R12: ffff88804b209fa8
00274 R13: ffffffff81e35fa0 R14: ffff88800eaae7d0 R15: ffff88800eaae7d0
00274 FS: 00007f4f5784a840(0000) GS:ffff88807d9c0000(0000) knlGS:0000000000000000
00274 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
00274 CR2: 00007f4f57ae2c00 CR3: 000000000a5c4005 CR4: 0000000000770eb0
00274 PKRU: 55555554
00274 Call Trace:
00274 <TASK>
00274 ? show_regs+0x60/0x70
00274 ? die+0x32/0x90
00274 ? do_trap+0xbf/0xe0
00274 ? do_error_trap+0x75/0x110
00274 ? jfs_evict_inode+0xfb/0x110
00274 ? exc_invalid_op+0x52/0x70
00274 ? jfs_evict_inode+0xfb/0x110
00274 ? asm_exc_invalid_op+0x1b/0x20
00274 ? jfs_evict_inode+0xfb/0x110
00274 ? jfs_evict_inode+0x3a/0x110
00274 evict+0xcc/0x1d0
00274 dispose_list+0x48/0x80
00274 evict_inodes+0x14c/0x190
00274 generic_shutdown_super+0x34/0x160
00274 kill_block_super+0x16/0x40
00274 deactivate_locked_super+0x2d/0xa0
00274 deactivate_super+0x3b/0x50
00274 cleanup_mnt+0xbe/0x160
00274 __cleanup_mnt+0xd/0x20
00274 task_work_run+0x59/0xa0
00274 exit_to_user_mode_prepare+0x175/0x180
00274 syscall_exit_to_user_mode+0x1d/0x50
00274 do_syscall_64+0x4e/0xf0
00274 entry_SYSCALL_64_after_hwframe+0x6e/0x76
00274 RIP: 0033:0x7f4f57a76857
00274 Code: af 95 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 79 95 0c 00 f7 d8 64 89 02 b8
00274 RSP: 002b:00007fff75aa4be8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
00274 RAX: 0000000000000000 RBX: 00005586b9c30ad8 RCX: 00007f4f57a76857
00274 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005586b9c343e0
00274 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000073
00274 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4f57bb1264
00274 R13: 00005586b9c343e0 R14: 00005586b9c30bf0 R15: 00005586b9c309c0
00274 </TASK>
00274 Modules linked in:
I haven't attempted to dig into why yet.
> Reported-by: syzbot+411debe54d318eaed386@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=411debe54d318eaed386
> Signed-off-by: Manas Ghandat <ghandatmanas@...il.com>
> ---
> fs/jfs/jfs_dmap.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index 6b838d3ae7c2..baa97bda1c7a 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -2730,7 +2730,9 @@ static int dbBackSplit(dmtree_t * tp, int leafno)
> * leafno - the number of the leaf to be updated.
> * newval - the new value for the leaf.
> *
> - * RETURN VALUES: none
> + * RETURN VALUES:
> + * 0 - success
> + * -EIO - i/o error
> */
> static int dbJoin(dmtree_t * tp, int leafno, int newval)
> {
> @@ -2757,6 +2759,10 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval)
> * get the buddy size (number of words covered) of
> * the new value.
> */
> +
> + if ((newval - tp->dmt_budmin) > BUDMIN)
> + return -EIO;
> +
> budsz = BUDSIZE(newval, tp->dmt_budmin);
>
> /* try to join.
> --
> 2.37.2
>
Powered by blists - more mailing lists