[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e068a56d-959c-43ad-aaea-839b89344693@suse.com>
Date: Thu, 19 Sep 2024 15:44:38 +0800
From: "heming.zhao@...e.com" <heming.zhao@...e.com>
To: Mohammed Anees <pvmohammedanees2003@...il.com>,
ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org
Cc: Mark Fasheh <mark@...heh.com>, Joel Becker <jlbec@...lplan.org>,
Joseph Qi <joseph.qi@...ux.alibaba.com>,
syzbot+18a87160c7d64ba2e2f6@...kaller.appspotmail.com
Subject: Re: [PATCH 2/2] osfs2: Fix kernel BUG in ocfs2_write_cluster
On 9/19/24 01:20, Mohammed Anees wrote:
> syzbot has found a kernel BUG in ocfs2_write_cluster_by_desc [1].
>
> The issue arises because ocfs2_insert_extent receives start_blk
> as 0, which incorrectly maps to a physical address of 0. This
> occurs when block is 0 after the call to ocfs2_clusters_to_blocks
> which is invoked inside the ocfs2_add_clusters_in_btree. The block
> value is then passed to ocfs2_insert_extent, leading to the problem.
>
> [1] https://syzkaller.appspot.com/bug?extid=18a87160c7d64ba2e2f6
>
> Reported-and-tested-by: syzbot+18a87160c7d64ba2e2f6@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=18a87160c7d64ba2e2f6
> Signed-off-by: Mohammed Anees <pvmohammedanees2003@...il.com>
> ---
> fs/ocfs2/alloc.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
> index 395e23920..926ffeed8 100644
> --- a/fs/ocfs2/alloc.c
> +++ b/fs/ocfs2/alloc.c
> @@ -4843,6 +4843,13 @@ int ocfs2_add_clusters_in_btree(handle_t *handle,
> }
>
> block = ocfs2_clusters_to_blocks(osb->sb, bit_off);> + if (block == 0) {
> + mlog(ML_ERROR, "Conversion resulted in zero block number");
> + status = -EIO;
> + need_free = 1;
> + goto bail;
> + }
> +
If you check this function, there is no IO operation, so -EIO is not suitable.
In the the ocfs2_clusters_to_blocks() code, there are two possible cases where
the result is zero:
bit_off is 0 or bit_off is out of range for a u64 after a bit shift.
It seems that the root cause is that __ocfs2_claim_clusters allocates an
incorrect bit_off.
-Heming
> trace_ocfs2_add_clusters_in_btree(
> (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),
> bit_off, num_bits);
Powered by blists - more mailing lists