From: Anup Sharma <anupnewsmail@gmail.com>
To: shaggy@kernel.org, r33s3n6@gmail.com, mudongliangabcd@gmail.com,
liushixin2@huawei.com, wuhoipok@gmail.com
Cc: jfs-discussion@lists.sourceforge.net,
linux-kernel-mentees@lists.linuxfoundation.org,
linux-kernel@vger.kernel.org, shuah@kernel.org,
syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
Subject: [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
Date: Fri, 7 Apr 2023 19:29:09 +0530 [thread overview]
Message-ID: <ZDAhrYVHTVEYIGUM@yoga> (raw)
Syzkaller reported the following issue:
option from the mount to silence this warning.
=======================================================
find_entry called with index = 0
read_mapping_page failed!
ERROR: (device loop0): txCommit:
ERROR: (device loop0): remounting filesystem as read-only
================================================================================
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:381:12
shift exponent 134217736 is too large for 64-bit type 'long long'
CPU: 1 PID: 5068 Comm: syz-executor350 Not tainted 6.3.0-rc2-syzkaller-00069-g0ddc84d2dd43 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_shift_out_of_bounds+0x3c3/0x420 lib/ubsan.c:387
dbFree+0x46e/0x650 fs/jfs/jfs_dmap.c:381
txFreeMap+0x96a/0xd50 fs/jfs/jfs_txnmgr.c:2510
xtTruncate+0xe5c/0x3260 fs/jfs/jfs_xtree.c:2467
jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:758
jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
evict+0x2a4/0x620 fs/inode.c:665
__dentry_kill+0x436/0x650 fs/dcache.c:607
shrink_dentry_list+0x39c/0x6a0 fs/dcache.c:1201
shrink_dcache_parent+0xcd/0x480
do_one_tree+0x23/0xe0 fs/dcache.c:1682
shrink_dcache_for_umount+0x7d/0x120 fs/dcache.c:1699
generic_shutdown_super+0x67/0x340 fs/super.c:472
kill_block_super+0x7e/0xe0 fs/super.c:1398
deactivate_locked_super+0xa4/0x110 fs/super.c:331
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
task_work_run+0x24a/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x68f/0x2290 kernel/exit.c:869
do_group_exit+0x206/0x2c0 kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa87e2289b9
Code: Unable to access opcode bytes at 0x7fa87e22898f.
RSP: 002b:00007fff4bfe3938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fa87e2a3330 RCX: 00007fa87e2289b9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fa87e29de40
R10: 00007fff4bfe3850 R11: 0000000000000246 R12: 00007fa87e2a3330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
================================================================================
The current size of dn_l2nbperpage was insufficient for larger values,
leading to unexpected behavior. This patch increases the size of dn_l2nbperpage
to ensure that larger values can be accommodated without issue.
Tested via syzbot.
Reported-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
Signed-off-by: anupsharma <anupnewsmail@gmail.com>
---
fs/jfs/jfs_dmap.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
index aa03a904d5ab..e852b3cb6b61 100644
--- a/fs/jfs/jfs_dmap.h
+++ b/fs/jfs/jfs_dmap.h
@@ -191,7 +191,7 @@ typedef union dmtree {
struct dbmap_disk {
__le64 dn_mapsize; /* 8: number of blocks in aggregate */
__le64 dn_nfree; /* 8: num free blks in aggregate map */
- __le32 dn_l2nbperpage; /* 4: number of blks per page */
+ __le64 dn_l2nbperpage; /* 4: number of blks per page */
__le32 dn_numag; /* 4: total number of ags */
__le32 dn_maxlevel; /* 4: number of active ags */
__le32 dn_maxag; /* 4: max active alloc group number */
--
2.34.1
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
WARNING: multiple messages have this Message-ID (diff)
From: Anup Sharma <anupnewsmail@gmail.com>
To: shaggy@kernel.org, r33s3n6@gmail.com, mudongliangabcd@gmail.com,
liushixin2@huawei.com, wuhoipok@gmail.com
Cc: jfs-discussion@lists.sourceforge.net,
linux-kernel@vger.kernel.org,
linux-kernel-mentees@lists.linuxfoundation.org, shuah@kernel.org,
syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com,
anupnewsmail@gmail.com
Subject: [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
Date: Fri, 7 Apr 2023 19:29:09 +0530 [thread overview]
Message-ID: <ZDAhrYVHTVEYIGUM@yoga> (raw)
Syzkaller reported the following issue:
option from the mount to silence this warning.
=======================================================
find_entry called with index = 0
read_mapping_page failed!
ERROR: (device loop0): txCommit:
ERROR: (device loop0): remounting filesystem as read-only
================================================================================
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:381:12
shift exponent 134217736 is too large for 64-bit type 'long long'
CPU: 1 PID: 5068 Comm: syz-executor350 Not tainted 6.3.0-rc2-syzkaller-00069-g0ddc84d2dd43 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_shift_out_of_bounds+0x3c3/0x420 lib/ubsan.c:387
dbFree+0x46e/0x650 fs/jfs/jfs_dmap.c:381
txFreeMap+0x96a/0xd50 fs/jfs/jfs_txnmgr.c:2510
xtTruncate+0xe5c/0x3260 fs/jfs/jfs_xtree.c:2467
jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:758
jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
evict+0x2a4/0x620 fs/inode.c:665
__dentry_kill+0x436/0x650 fs/dcache.c:607
shrink_dentry_list+0x39c/0x6a0 fs/dcache.c:1201
shrink_dcache_parent+0xcd/0x480
do_one_tree+0x23/0xe0 fs/dcache.c:1682
shrink_dcache_for_umount+0x7d/0x120 fs/dcache.c:1699
generic_shutdown_super+0x67/0x340 fs/super.c:472
kill_block_super+0x7e/0xe0 fs/super.c:1398
deactivate_locked_super+0xa4/0x110 fs/super.c:331
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
task_work_run+0x24a/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x68f/0x2290 kernel/exit.c:869
do_group_exit+0x206/0x2c0 kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa87e2289b9
Code: Unable to access opcode bytes at 0x7fa87e22898f.
RSP: 002b:00007fff4bfe3938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fa87e2a3330 RCX: 00007fa87e2289b9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fa87e29de40
R10: 00007fff4bfe3850 R11: 0000000000000246 R12: 00007fa87e2a3330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
================================================================================
The current size of dn_l2nbperpage was insufficient for larger values,
leading to unexpected behavior. This patch increases the size of dn_l2nbperpage
to ensure that larger values can be accommodated without issue.
Tested via syzbot.
Reported-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
Signed-off-by: anupsharma <anupnewsmail@gmail.com>
---
fs/jfs/jfs_dmap.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
index aa03a904d5ab..e852b3cb6b61 100644
--- a/fs/jfs/jfs_dmap.h
+++ b/fs/jfs/jfs_dmap.h
@@ -191,7 +191,7 @@ typedef union dmtree {
struct dbmap_disk {
__le64 dn_mapsize; /* 8: number of blocks in aggregate */
__le64 dn_nfree; /* 8: num free blks in aggregate map */
- __le32 dn_l2nbperpage; /* 4: number of blks per page */
+ __le64 dn_l2nbperpage; /* 4: number of blks per page */
__le32 dn_numag; /* 4: total number of ags */
__le32 dn_maxlevel; /* 4: number of active ags */
__le32 dn_maxag; /* 4: max active alloc group number */
--
2.34.1
next reply other threads:[~2023-04-07 13:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-07 13:59 Anup Sharma [this message]
2023-04-07 13:59 ` [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree Anup Sharma
2023-04-07 20:47 ` kernel test robot
2023-04-07 20:47 ` kernel test robot
2023-04-14 13:53 anupsharma
2023-04-14 13:53 ` anupsharma
2023-05-07 5:28 ` Anup Sharma
2023-06-20 20:24 ` Dave Kleikamp
2023-06-20 20:24 ` Dave Kleikamp
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZDAhrYVHTVEYIGUM@yoga \
--to=anupnewsmail@gmail.com \
--cc=jfs-discussion@lists.sourceforge.net \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liushixin2@huawei.com \
--cc=mudongliangabcd@gmail.com \
--cc=r33s3n6@gmail.com \
--cc=shaggy@kernel.org \
--cc=shuah@kernel.org \
--cc=syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com \
--cc=wuhoipok@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.