From: Anup Sharma <anupnewsmail@gmail.com>
To: shaggy@kernel.org, r33s3n6@gmail.com, mudongliangabcd@gmail.com, liushixin2@huawei.com, wuhoipok@gmail.com
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org, shuah@kernel.org, syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
Subject: [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
Date: Fri, 7 Apr 2023 19:29:09 +0530
Message-ID: <ZDAhrYVHTVEYIGUM@yoga>

Syzkaller reported the following issue:

option from the mount to silence this warning.
=======================================================
find_entry called with index = 0
read_mapping_page failed!
ERROR: (device loop0): txCommit:
ERROR: (device loop0): remounting filesystem as read-only
================================================================================
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:381:12
shift exponent 134217736 is too large for 64-bit type 'long long'
CPU: 1 PID: 5068 Comm: syz-executor350 Not tainted 6.3.0-rc2-syzkaller-00069-g0ddc84d2dd43 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3c3/0x420 lib/ubsan.c:387
 dbFree+0x46e/0x650 fs/jfs/jfs_dmap.c:381
 txFreeMap+0x96a/0xd50 fs/jfs/jfs_txnmgr.c:2510
 xtTruncate+0xe5c/0x3260 fs/jfs/jfs_xtree.c:2467
 jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:758
 jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
 evict+0x2a4/0x620 fs/inode.c:665
 __dentry_kill+0x436/0x650 fs/dcache.c:607
 shrink_dentry_list+0x39c/0x6a0 fs/dcache.c:1201
 shrink_dcache_parent+0xcd/0x480
 do_one_tree+0x23/0xe0 fs/dcache.c:1682
 shrink_dcache_for_umount+0x7d/0x120 fs/dcache.c:1699
 generic_shutdown_super+0x67/0x340 fs/super.c:472
 kill_block_super+0x7e/0xe0 fs/super.c:1398
 deactivate_locked_super+0xa4/0x110 fs/super.c:331
 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
 task_work_run+0x24a/0x300 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x68f/0x2290 kernel/exit.c:869
 do_group_exit+0x206/0x2c0 kernel/exit.c:1019
 __do_sys_exit_group kernel/exit.c:1030 [inline]
 __se_sys_exit_group kernel/exit.c:1028 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa87e2289b9
Code: Unable to access opcode bytes at 0x7fa87e22898f.
RSP: 002b:00007fff4bfe3938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fa87e2a3330 RCX: 00007fa87e2289b9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fa87e29de40
R10: 00007fff4bfe3850 R11: 0000000000000246 R12: 00007fa87e2a3330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
================================================================================

The current size of dn_l2nbperpage was insufficient for larger values,
leading to unexpected behavior. This patch increases the size of
dn_l2nbperpage to ensure that larger values can be accommodated without
issue.

Tested via syzbot.

Reported-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
Signed-off-by: anupsharma <anupnewsmail@gmail.com>
---
 fs/jfs/jfs_dmap.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
index aa03a904d5ab..e852b3cb6b61 100644
--- a/fs/jfs/jfs_dmap.h
+++ b/fs/jfs/jfs_dmap.h
@@ -191,7 +191,7 @@ typedef union dmtree { struct dbmap_disk { __le64 dn_mapsize; /* 8: number of blocks in aggregate */ __le64 dn_nfree; /* 8: num free blks in aggregate map */ - __le32 dn_l2nbperpage; /* 4: number of blks per page */ + __le64 dn_l2nbperpage; /* 4: number of blks per page */ __le32 dn_numag; /* 4: total number of ags */ __le32 dn_maxlevel; /* 4: number of active ags */ __le32 dn_maxag; /* 4: max active alloc group number */ -- 2.34.1 _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
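Review bot: widening `dn_l2nbperpage` from `__le32` to `__le64` does not address the report and changes the on-disk format. The UBSAN line in the report says the exponent 134217736 is already too large for a shift of a 64-bit `long long`, so the defect is an unvalidated value read from disk, not the width of the field; a 64-bit field holds the same bad value and the same shift still overflows. Because `struct dbmap_disk` describes the on-disk bitmap control page (every member is a `__le*` type with its byte size in the comment), growing one member moves every following one (`dn_numag`, `dn_maxlevel`, `dn_maxag`, ...) and breaks reading filesystems that already exist; the comment `/* 4: number of blks per page */` is also left claiming 4 bytes next to an 8-byte type. Suggest dropping this change and instead rejecting an out-of-range `l2nbperpage` (it can only be log2 of the page size divided by the block size, a small number) at the point where the bitmap header is read from disk, failing the mount rather than carrying the value into `dbFree`.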
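The shift exponent in the report, 134217736, is 0x08000008 and fits comfortably in 32 bits, which is why a wider field cannot fix it: the value has to be range-checked before anything shifts by it. The following is an added example written for this page, not code from the patch or from the kernel; it parses a constructed little-endian header with the same leading layout as the hunk shows (`mapsize`, `nfree`, `l2nbperpage`) and refuses an exponent outside the only meaningful range. The struct name `dbmap_hdr`, the functions `parse_dbmap_hdr`, `nblocks_per_page`, `check_sample` and `sample_nbperpage`, the sample buffers, and the constants `L2PSIZE` = 12 and `L2MINBLOCKSIZE` = 9 (log2 of a 4 KiB page and a 512-byte block) are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: log2 of a 4 KiB page and of a 512-byte block.
 * The only sane values of l2nbperpage are 0 .. L2PSIZE - L2MINBLOCKSIZE. */
#define L2PSIZE          12
#define L2MINBLOCKSIZE   9
#define L2NBPERPAGE_MAX  (L2PSIZE - L2MINBLOCKSIZE)   /* 3 */

/* Hypothetical in-memory view of the first three on-disk fields in the hunk:
 * two little-endian 64-bit counters at offsets 0 and 8, then a 32-bit
 * log2(blocks per page) at offset 16. */
struct dbmap_hdr {
    uint64_t mapsize;
    uint64_t nfree;
    uint32_t l2nbperpage;
};
#define DBMAP_HDR_LEN 20

static uint64_t get_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header and reject a bad shift exponent before anything shifts
 * by it. Returns 0 on success, -1 for a short buffer, -2 for an
 * out-of-range l2nbperpage (the caller should fail the mount). */
int parse_dbmap_hdr(const uint8_t *buf, size_t len, struct dbmap_hdr *out)
{
    if (len < DBMAP_HDR_LEN)
        return -1;
    out->mapsize = get_le64(buf);
    out->nfree = get_le64(buf + 8);
    out->l2nbperpage = get_le32(buf + 16);
    /* Corruption check: the width of the field on disk is irrelevant here,
     * only the value matters. */
    if (out->l2nbperpage > L2NBPERPAGE_MAX)
        return -2;
    return 0;
}

/* Blocks per page, computed only from a header that passed validation,
 * so the shift count is known to be at most L2NBPERPAGE_MAX. */
uint64_t nblocks_per_page(const struct dbmap_hdr *h)
{
    return (uint64_t)1 << h->l2nbperpage;
}

/* Constructed sample headers (not real on-disk data): a sane one with
 * l2nbperpage = 3, and one carrying the report's exponent 0x08000008. */
const uint8_t good_hdr[DBMAP_HDR_LEN] = {
    0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* mapsize = 4096 */
    0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* nfree   = 2048 */
    0x03, 0x00, 0x00, 0x00,                           /* l2nbperpage = 3 */
};
const uint8_t bad_hdr[DBMAP_HDR_LEN] = {
    0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x08, 0x00, 0x00, 0x08,                           /* 134217736 */
};

/* Result code of parsing a sample buffer of the given length. */
int check_sample(const uint8_t *hdr, size_t len)
{
    struct dbmap_hdr h;
    return parse_dbmap_hdr(hdr, len, &h);
}

/* Blocks per page for a sample buffer, or 0 when the header is rejected. */
uint64_t sample_nbperpage(const uint8_t *hdr)
{
    struct dbmap_hdr h;
    if (parse_dbmap_hdr(hdr, DBMAP_HDR_LEN, &h) != 0)
        return 0;
    return nblocks_per_page(&h);
}

int main(void)
{
    printf("good header: rc=%d, %llu blocks per page\n",
           check_sample(good_hdr, DBMAP_HDR_LEN),
           (unsigned long long)sample_nbperpage(good_hdr));
    printf("bad header:  rc=%d (rejected before any shift)\n",
           check_sample(bad_hdr, DBMAP_HDR_LEN));
    return 0;
}
```

The check belongs where the header is first read, so that a rejected value never reaches the allocation and free paths; everything downstream can then shift by `l2nbperpage` without a guard of its own.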
Thread overview (9+ messages):
2023-04-07 13:59 Anup Sharma [this message]
2023-04-07 13:59 ` [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree  Anup Sharma
2023-04-07 20:47 ` kernel test robot
2023-04-07 20:47 ` kernel test robot
2023-04-14 13:53 anupsharma
2023-04-14 13:53 ` anupsharma
2023-05-07  5:28 ` Anup Sharma
2023-06-20 20:24 ` Dave Kleikamp
2023-06-20 20:24 ` Dave Kleikamp