Message-ID: <4901e9a6-f870-c30a-d910-732843d91a0f@huaweicloud.com>
Date: Mon, 21 Oct 2024 11:49:57 +0800
From: Hou Tao <houtao@...weicloud.com>
To: syzbot <syzbot+65d101735df4bb19d2a3@...kaller.appspotmail.com>,
 joannelkoong@...il.com, josef@...icpanda.com
Cc: hdanton@...a.com, linux-fsdevel@...r.kernel.org,
 linux-kernel@...r.kernel.org, miklos@...redi.hu, mszeredi@...hat.com,
 syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fuse?] kernel BUG in fuse_dev_do_write

Hi,

On 10/21/2024 9:30 AM, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 5d9e1455630d0f464f169bbd637dbb264cbd8ac8
> Author: Josef Bacik <josef@...icpanda.com>
> Date:   Mon Sep 30 13:45:18 2024 +0000
>
>     fuse: convert fuse_notify_store to use folios
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=120dc25f980000
> start commit:   15e7d45e786a Add linux-next specific files for 20241016
> git tree:       linux-next
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=110dc25f980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=160dc25f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c36416f1c54640c0
> dashboard link: https://syzkaller.appspot.com/bug?extid=65d101735df4bb19d2a3
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1623e830580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16582f27980000
>
> Reported-by: syzbot+65d101735df4bb19d2a3@...kaller.appspotmail.com
> Fixes: 5d9e1455630d ("fuse: convert fuse_notify_store to use folios")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> .

It seems fuse_notify_store invokes folio_zero_range() incorrectly. The
third argument of folio_zero_range() should be the to-copy length
instead of the total length. The following patch will fix the problem:

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 5edad55750b0..87e39c9343c4 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1668,7 +1668,7 @@ static int fuse_notify_store(struct fuse_conn *fc,
unsigned int size,
                err = fuse_copy_page(cs, &page, offset, this_num, 0);
                if (!folio_test_uptodate(folio) && !err && offset == 0 &&
                    (this_num == folio_size(folio) || file_size == end)) {
-                       folio_zero_range(folio, this_num,
folio_size(folio));
+                       folio_zero_range(folio, this_num,
folio_size(folio) - this_num);
                        folio_mark_uptodate(folio);
                }
                folio_unlock(folio);
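Review bot: the third argument of folio_zero_range() is a length, not an end offset, so the removed call asked for folio_size(folio) bytes starting at offset this_num and overran the folio whenever this_num > 0; the replacement length folio_size(folio) - this_num is the correct remaining length and collapses to a zero-length call when this_num == folio_size(folio), which the surrounding condition explicitly allows. As pasted here the two folio_zero_range() lines are wrapped (the `folio_size(folio));` and `folio_size(folio) - this_num);` continuations sit on their own lines), so the formal patch should be re-flowed to apply cleanly, and it should carry over the `Fixes: 5d9e1455630d ("fuse: convert fuse_notify_store to use folios")` and `Reported-by:` tags from the syzbot report quoted above.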

Will post a formal patch later.
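As an added illustration, not part of this email or of the kernel tree, here is a userspace C model of the tail-zeroing step with a bounds-checked stand-in for folio_zero_range(); it shows how passing the total folio size as the length argument overruns the folio, while the corrected length only clears the bytes after the copied data. FOLIO_SIZE, the 0xAA fill pattern and all function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FOLIO_SIZE 4096            /* constructed sample folio size */

/* Hypothetical stand-in for the kernel's folio_zero_range(folio, start, len):
 * zero `len` bytes of `buf` from offset `start`.  Unlike the kernel helper it
 * refuses (returns -1) rather than writing past the end of the buffer, so a
 * wrong length argument shows up as a return value instead of a crash. */
static int folio_zero_range_checked(unsigned char *buf, size_t folio_size,
                                    size_t start, size_t len)
{
    if (start > folio_size || len > folio_size - start)
        return -1;                      /* would run past the folio */
    memset(buf + start, 0, len);
    return (int)len;
}

/* Model of the tail-zeroing step in fuse_notify_store: `this_num` bytes were
 * copied into a not-yet-uptodate folio and the rest must be cleared before
 * folio_mark_uptodate().  use_fix=0 passes the original third argument
 * (folio_size), use_fix=1 the corrected one (folio_size - this_num).
 * Returns -1 if the call would overrun the folio, -2 if the copied bytes were
 * clobbered or the tail is not clean afterwards, else the bytes zeroed. */
int store_zero_tail(size_t this_num, int use_fix)
{
    unsigned char folio[FOLIO_SIZE];
    memset(folio, 0xAA, sizeof folio);          /* stale page contents */

    size_t len = use_fix ? FOLIO_SIZE - this_num : FOLIO_SIZE;
    int rc = folio_zero_range_checked(folio, FOLIO_SIZE, this_num, len);
    if (rc < 0)
        return rc;
    /* bytes before this_num must be untouched, bytes from this_num on zero */
    for (size_t i = 0; i < FOLIO_SIZE; i++)
        if ((i < this_num) != (folio[i] == 0xAA))
            return -2;
    return rc;
}

int main(void)
{
    printf("original arg, this_num=100:  %d\n", store_zero_tail(100, 0));
    printf("fixed arg,    this_num=100:  %d\n", store_zero_tail(100, 1));
    printf("fixed arg,    this_num=4096: %d\n", store_zero_tail(FOLIO_SIZE, 1));
    return 0;
}
```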
