* [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
@ 2023-04-07 13:59 ` Anup Sharma
0 siblings, 0 replies; 9+ messages in thread
From: Anup Sharma @ 2023-04-07 13:59 UTC (permalink / raw)
To: shaggy, r33s3n6, mudongliangabcd, liushixin2, wuhoipok
Cc: jfs-discussion, linux-kernel-mentees, linux-kernel, shuah,
syzbot+d2cd27dcf8e04b232eb2
Syzkaller reported the following issue:
option from the mount to silence this warning.
=======================================================
find_entry called with index = 0
read_mapping_page failed!
ERROR: (device loop0): txCommit:
ERROR: (device loop0): remounting filesystem as read-only
================================================================================
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:381:12
shift exponent 134217736 is too large for 64-bit type 'long long'
CPU: 1 PID: 5068 Comm: syz-executor350 Not tainted 6.3.0-rc2-syzkaller-00069-g0ddc84d2dd43 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_shift_out_of_bounds+0x3c3/0x420 lib/ubsan.c:387
dbFree+0x46e/0x650 fs/jfs/jfs_dmap.c:381
txFreeMap+0x96a/0xd50 fs/jfs/jfs_txnmgr.c:2510
xtTruncate+0xe5c/0x3260 fs/jfs/jfs_xtree.c:2467
jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:758
jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
evict+0x2a4/0x620 fs/inode.c:665
__dentry_kill+0x436/0x650 fs/dcache.c:607
shrink_dentry_list+0x39c/0x6a0 fs/dcache.c:1201
shrink_dcache_parent+0xcd/0x480
do_one_tree+0x23/0xe0 fs/dcache.c:1682
shrink_dcache_for_umount+0x7d/0x120 fs/dcache.c:1699
generic_shutdown_super+0x67/0x340 fs/super.c:472
kill_block_super+0x7e/0xe0 fs/super.c:1398
deactivate_locked_super+0xa4/0x110 fs/super.c:331
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
task_work_run+0x24a/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x68f/0x2290 kernel/exit.c:869
do_group_exit+0x206/0x2c0 kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa87e2289b9
Code: Unable to access opcode bytes at 0x7fa87e22898f.
RSP: 002b:00007fff4bfe3938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fa87e2a3330 RCX: 00007fa87e2289b9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fa87e29de40
R10: 00007fff4bfe3850 R11: 0000000000000246 R12: 00007fa87e2a3330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
================================================================================
The current size of dn_l2nbperpage was insufficient for larger values,
leading to unexpected behavior. This patch increases the size of dn_l2nbperpage
to ensure that larger values can be accommodated without issue.
Tested via syzbot.
Reported-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
Signed-off-by: anupsharma <anupnewsmail@gmail.com>
---
fs/jfs/jfs_dmap.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.h b/fs/jfs/jfs_dmap.h
index aa03a904d5ab..e852b3cb6b61 100644
--- a/fs/jfs/jfs_dmap.h
+++ b/fs/jfs/jfs_dmap.h
@@ -191,7 +191,7 @@ typedef union dmtree {
struct dbmap_disk {
__le64 dn_mapsize; /* 8: number of blocks in aggregate */
__le64 dn_nfree; /* 8: num free blks in aggregate map */
- __le32 dn_l2nbperpage; /* 4: number of blks per page */
+ __le64 dn_l2nbperpage; /* 4: number of blks per page */
__le32 dn_numag; /* 4: total number of ags */
__le32 dn_maxlevel; /* 4: number of active ags */
__le32 dn_maxag; /* 4: max active alloc group number */
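Review bot: widening dn_l2nbperpage to __le64 changes the on-disk layout of struct dbmap_disk (every member after it moves by four bytes, so dn_numag, dn_maxlevel and dn_maxag of an existing filesystem are read from the wrong offsets), and the size comment still says "4:" for an 8-byte field. It also does not address the report: the exponent 134217736 came from the disk, and a wider field only lets a wider bogus exponent through. Keep the __le32 field and instead reject the value where dbMount reads it (bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage)), returning -EINVAL when it exceeds the shift width of the type it is applied to or disagrees with JFS_SBI(ipbmap->i_sb)->l2nbperpage, in the same way db_numag and db_agl2size are already validated a few lines later. If the width change is kept anyway, the le32_to_cpu() reader at jfs_dmap.c:181 and the cpu_to_le32() writer at jfs_dmap.c:295 must change with it, which is what the sparse warnings in the kernel test robot's reply point at.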
--
2.34.1
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
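The widened field in the patch above leaves the underlying problem, an unvalidated shift exponent read from the media, untouched. The following is an added C example, not the kernel's code: it parses the first members of the on-disk descriptor using the offsets visible in the patch context, rejects an out-of-range or superblock-inconsistent dn_l2nbperpage before it can reach a shift, and reproduces that decision for the exponent in the syzbot report. The BLKTODMAP-style consumer, the 24-byte descriptor images and the expected mount-time value (modelled on JFS_SBI(sb)->l2nbperpage, which the robot's listing uses to locate this very descriptor) are assumptions made for the example; the -22 return value stands in for -EINVAL.

```c
/*
 * Added example (not kernel code): validate an on-disk log2 field before it
 * is used as a shift exponent. Offsets follow the first four members of
 * struct dbmap_disk as shown in the patch context; the consumer shift and the
 * superblock-derived expected value are assumptions for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EINVAL_NEG (-22)   /* stands in for -EINVAL */
#define L2PSIZE    12      /* log2(4096), a JFS metadata page */

/* Offsets of the leading members of struct dbmap_disk (little-endian). */
enum {
    OFF_MAPSIZE     = 0,   /* __le64 dn_mapsize     */
    OFF_NFREE       = 8,   /* __le64 dn_nfree       */
    OFF_L2NBPERPAGE = 16,  /* __le32 dn_l2nbperpage */
    OFF_NUMAG       = 20,  /* __le32 dn_numag       */
    DESC_MIN_LEN    = 24,
};

struct bmap_desc {
    uint64_t mapsize;
    uint64_t nfree;
    int      l2nbperpage;  /* shift exponent used by the block->dmap mapping */
    uint32_t numag;
};

/* Stand-ins for le32_to_cpu()/le64_to_cpu() and their cpu_to_le* inverses. */
static uint64_t le_load(const uint8_t *p, int nbytes)
{
    uint64_t v = 0;
    for (int i = nbytes - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void le_store(uint8_t *p, uint64_t v, int nbytes)
{
    for (int i = 0; i < nbytes; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/*
 * Parse the descriptor. sb_l2nbperpage is the value the mount already holds
 * (JFS_SBI(sb)->l2nbperpage in the kernel); an on-disk copy that disagrees
 * with it is corrupt by definition, whatever its width.
 */
int bmap_parse(const uint8_t *disk, size_t len, int sb_l2nbperpage,
               struct bmap_desc *out)
{
    if (len < DESC_MIN_LEN)
        return EINVAL_NEG;

    out->mapsize = le_load(disk + OFF_MAPSIZE, 8);
    out->nfree   = le_load(disk + OFF_NFREE, 8);

    uint32_t raw = (uint32_t)le_load(disk + OFF_L2NBPERPAGE, 4);
    /* A shift exponent from untrusted media: bound it by what the format can
     * mean and tie it to the superblock. Storing it as __le64 would change
     * nothing here; 134217736 is out of range for any shift width. */
    if (raw > L2PSIZE || (int)raw != sb_l2nbperpage)
        return EINVAL_NEG;
    out->l2nbperpage = (int)raw;

    out->numag = (uint32_t)le_load(disk + OFF_NUMAG, 4);
    if (out->numag == 0)   /* the check dbMount already performs */
        return EINVAL_NEG;
    return 0;
}

/* BLKTODMAP-style consumer (assumed form): safe only after the bound above. */
uint64_t blk_to_dmap(uint64_t blkno, int l2nbperpage)
{
    return ((blkno >> 13) + (blkno >> 23) + (blkno >> 33) + 3 + 3) << l2nbperpage;
}

/* Build a constructed descriptor image with the layout above. */
size_t build_desc(uint8_t *buf, uint64_t mapsize, uint64_t nfree,
                  uint32_t l2nbperpage, uint32_t numag)
{
    memset(buf, 0, DESC_MIN_LEN);
    le_store(buf + OFF_MAPSIZE, mapsize, 8);
    le_store(buf + OFF_NFREE, nfree, 8);
    le_store(buf + OFF_L2NBPERPAGE, l2nbperpage, 4);
    le_store(buf + OFF_NUMAG, numag, 4);
    return DESC_MIN_LEN;
}

/* Image carrying the exponent from the syzbot report: must be rejected. */
int parse_reported_image(void)
{
    uint8_t buf[DESC_MIN_LEN];
    struct bmap_desc d;
    size_t n = build_desc(buf, 1 << 20, 1 << 19, 134217736u, 1);
    return bmap_parse(buf, n, 0, &d);
}

/* Small but superblock-inconsistent value: also rejected. */
int parse_mismatched_image(void)
{
    uint8_t buf[DESC_MIN_LEN];
    struct bmap_desc d;
    size_t n = build_desc(buf, 1 << 20, 1 << 19, 1, 1);
    return bmap_parse(buf, n, 0, &d);
}

/* Sane 4 KiB-block image (l2nbperpage = 0): accepted, then used in the shift. */
int parse_sane_image(void)
{
    uint8_t buf[DESC_MIN_LEN];
    struct bmap_desc d;
    size_t n = build_desc(buf, 1 << 20, 1 << 19, 0, 1);
    int rc = bmap_parse(buf, n, 0, &d);
    if (rc)
        return rc;
    return (int)blk_to_dmap(8192, d.l2nbperpage);
}

int main(void)
{
    printf("reported image: %d\n", parse_reported_image());
    printf("mismatched image: %d\n", parse_mismatched_image());
    printf("sane image -> dmap page %d\n", parse_sane_image());
    return 0;
}
```

The point of the check is that it is on the value, not the storage width: the same `raw > L2PSIZE` test rejects the reported exponent whether the field is read as 32 or 64 bits, while the equality against the mount-time value also catches small-but-wrong exponents that a pure range check would let through.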
* Re: [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
2023-04-07 13:59 ` Anup Sharma
@ 2023-04-07 20:47 ` kernel test robot
-1 siblings, 0 replies; 9+ messages in thread
From: kernel test robot @ 2023-04-07 20:47 UTC (permalink / raw)
To: Anup Sharma, shaggy, r33s3n6, mudongliangabcd, liushixin2, wuhoipok
Cc: oe-kbuild-all, jfs-discussion, linux-kernel,
linux-kernel-mentees, shuah, syzbot+d2cd27dcf8e04b232eb2,
anupnewsmail
Hi Anup,
kernel test robot noticed the following build warnings:
[auto build test WARNING on kleikamp-shaggy/jfs-next]
[also build test WARNING on linus/master v6.3-rc5 next-20230406]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Anup-Sharma/fs-jfs-fixed-UBSAN-shift-out-of-bounds-in-dbFree/20230407-220115
base: https://github.com/kleikamp/linux-shaggy jfs-next
patch link: https://lore.kernel.org/r/ZDAhrYVHTVEYIGUM%40yoga
patch subject: [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
config: alpha-randconfig-s042-20230403 (https://download.01.org/0day-ci/archive/20230408/202304080405.7pWwoha3-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 12.1.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# apt-get install sparse
# sparse version: v0.6.4-39-gce1a6720-dirty
# https://github.com/intel-lab-lkp/linux/commit/b9353aee08c4a798b40d76fd540d524ea1147dfc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Anup-Sharma/fs-jfs-fixed-UBSAN-shift-out-of-bounds-in-dbFree/20230407-220115
git checkout b9353aee08c4a798b40d76fd540d524ea1147dfc
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=alpha olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=alpha SHELL=/bin/bash fs/jfs/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202304080405.7pWwoha3-lkp@intel.com/
sparse warnings: (new ones prefixed by >>)
>> fs/jfs/jfs_dmap.c:181:31: sparse: sparse: cast to restricted __le32
>> fs/jfs/jfs_dmap.c:181:31: sparse: sparse: cast from restricted __le64
>> fs/jfs/jfs_dmap.c:295:33: sparse: sparse: incorrect type in assignment (different base types) @@ expected restricted __le64 [usertype] dn_l2nbperpage @@ got restricted __le32 [usertype] @@
fs/jfs/jfs_dmap.c:295:33: sparse: expected restricted __le64 [usertype] dn_l2nbperpage
fs/jfs/jfs_dmap.c:295:33: sparse: got restricted __le32 [usertype]
vim +181 fs/jfs/jfs_dmap.c
^1da177e4c3f41 Linus Torvalds 2005-04-16 135
^1da177e4c3f41 Linus Torvalds 2005-04-16 136 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 137 * NAME: dbMount()
^1da177e4c3f41 Linus Torvalds 2005-04-16 138 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 139 * FUNCTION: initializate the block allocation map.
^1da177e4c3f41 Linus Torvalds 2005-04-16 140 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 141 * memory is allocated for the in-core bmap descriptor and
^1da177e4c3f41 Linus Torvalds 2005-04-16 142 * the in-core descriptor is initialized from disk.
^1da177e4c3f41 Linus Torvalds 2005-04-16 143 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 144 * PARAMETERS:
^1da177e4c3f41 Linus Torvalds 2005-04-16 145 * ipbmap - pointer to in-core inode for the block map.
^1da177e4c3f41 Linus Torvalds 2005-04-16 146 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 147 * RETURN VALUES:
^1da177e4c3f41 Linus Torvalds 2005-04-16 148 * 0 - success
^1da177e4c3f41 Linus Torvalds 2005-04-16 149 * -ENOMEM - insufficient memory
^1da177e4c3f41 Linus Torvalds 2005-04-16 150 * -EIO - i/o error
2cc7cc01c15f57 Pavel Skripkin 2022-03-19 151 * -EINVAL - wrong bmap data
^1da177e4c3f41 Linus Torvalds 2005-04-16 152 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 153 int dbMount(struct inode *ipbmap)
^1da177e4c3f41 Linus Torvalds 2005-04-16 154 {
^1da177e4c3f41 Linus Torvalds 2005-04-16 155 struct bmap *bmp;
^1da177e4c3f41 Linus Torvalds 2005-04-16 156 struct dbmap_disk *dbmp_le;
^1da177e4c3f41 Linus Torvalds 2005-04-16 157 struct metapage *mp;
898f706695682b Dongliang Mu 2022-10-18 158 int i, err;
^1da177e4c3f41 Linus Torvalds 2005-04-16 159
^1da177e4c3f41 Linus Torvalds 2005-04-16 160 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 161 * allocate/initialize the in-memory bmap descriptor
^1da177e4c3f41 Linus Torvalds 2005-04-16 162 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 163 /* allocate memory for the in-memory bmap descriptor */
^1da177e4c3f41 Linus Torvalds 2005-04-16 164 bmp = kmalloc(sizeof(struct bmap), GFP_KERNEL);
^1da177e4c3f41 Linus Torvalds 2005-04-16 165 if (bmp == NULL)
^1da177e4c3f41 Linus Torvalds 2005-04-16 166 return -ENOMEM;
^1da177e4c3f41 Linus Torvalds 2005-04-16 167
^1da177e4c3f41 Linus Torvalds 2005-04-16 168 /* read the on-disk bmap descriptor. */
^1da177e4c3f41 Linus Torvalds 2005-04-16 169 mp = read_metapage(ipbmap,
^1da177e4c3f41 Linus Torvalds 2005-04-16 170 BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
^1da177e4c3f41 Linus Torvalds 2005-04-16 171 PSIZE, 0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 172 if (mp == NULL) {
898f706695682b Dongliang Mu 2022-10-18 173 err = -EIO;
898f706695682b Dongliang Mu 2022-10-18 174 goto err_kfree_bmp;
^1da177e4c3f41 Linus Torvalds 2005-04-16 175 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 176
^1da177e4c3f41 Linus Torvalds 2005-04-16 177 /* copy the on-disk bmap descriptor to its in-memory version. */
^1da177e4c3f41 Linus Torvalds 2005-04-16 178 dbmp_le = (struct dbmap_disk *) mp->data;
^1da177e4c3f41 Linus Torvalds 2005-04-16 179 bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize);
^1da177e4c3f41 Linus Torvalds 2005-04-16 180 bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
^1da177e4c3f41 Linus Torvalds 2005-04-16 @181 bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
^1da177e4c3f41 Linus Torvalds 2005-04-16 182 bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
2cc7cc01c15f57 Pavel Skripkin 2022-03-19 183 if (!bmp->db_numag) {
898f706695682b Dongliang Mu 2022-10-18 184 err = -EINVAL;
898f706695682b Dongliang Mu 2022-10-18 185 goto err_release_metapage;
2cc7cc01c15f57 Pavel Skripkin 2022-03-19 186 }
2cc7cc01c15f57 Pavel Skripkin 2022-03-19 187
^1da177e4c3f41 Linus Torvalds 2005-04-16 188 bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
^1da177e4c3f41 Linus Torvalds 2005-04-16 189 bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
^1da177e4c3f41 Linus Torvalds 2005-04-16 190 bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
^1da177e4c3f41 Linus Torvalds 2005-04-16 191 bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
d7eecb483cc29e Daniel Mack 2010-01-28 192 bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
^1da177e4c3f41 Linus Torvalds 2005-04-16 193 bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
^1da177e4c3f41 Linus Torvalds 2005-04-16 194 bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
^1da177e4c3f41 Linus Torvalds 2005-04-16 195 bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
fad376fce0af58 Liu Shixin via Jfs-discussion 2022-11-03 196 if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
fad376fce0af58 Liu Shixin via Jfs-discussion 2022-11-03 197 bmp->db_agl2size < 0) {
898f706695682b Dongliang Mu 2022-10-18 198 err = -EINVAL;
898f706695682b Dongliang Mu 2022-10-18 199 goto err_release_metapage;
898f706695682b Dongliang Mu 2022-10-18 200 }
898f706695682b Dongliang Mu 2022-10-18 201
25e70c6162f207 Hoi Pok Wu 2022-10-25 202 if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {
25e70c6162f207 Hoi Pok Wu 2022-10-25 203 err = -EINVAL;
25e70c6162f207 Hoi Pok Wu 2022-10-25 204 goto err_release_metapage;
25e70c6162f207 Hoi Pok Wu 2022-10-25 205 }
25e70c6162f207 Hoi Pok Wu 2022-10-25 206
^1da177e4c3f41 Linus Torvalds 2005-04-16 207 for (i = 0; i < MAXAG; i++)
^1da177e4c3f41 Linus Torvalds 2005-04-16 208 bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
^1da177e4c3f41 Linus Torvalds 2005-04-16 209 bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
^1da177e4c3f41 Linus Torvalds 2005-04-16 210 bmp->db_maxfreebud = dbmp_le->dn_maxfreebud;
^1da177e4c3f41 Linus Torvalds 2005-04-16 211
^1da177e4c3f41 Linus Torvalds 2005-04-16 212 /* release the buffer. */
^1da177e4c3f41 Linus Torvalds 2005-04-16 213 release_metapage(mp);
^1da177e4c3f41 Linus Torvalds 2005-04-16 214
^1da177e4c3f41 Linus Torvalds 2005-04-16 215 /* bind the bmap inode and the bmap descriptor to each other. */
^1da177e4c3f41 Linus Torvalds 2005-04-16 216 bmp->db_ipbmap = ipbmap;
^1da177e4c3f41 Linus Torvalds 2005-04-16 217 JFS_SBI(ipbmap->i_sb)->bmap = bmp;
^1da177e4c3f41 Linus Torvalds 2005-04-16 218
^1da177e4c3f41 Linus Torvalds 2005-04-16 219 memset(bmp->db_active, 0, sizeof(bmp->db_active));
^1da177e4c3f41 Linus Torvalds 2005-04-16 220
^1da177e4c3f41 Linus Torvalds 2005-04-16 221 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 222 * allocate/initialize the bmap lock
^1da177e4c3f41 Linus Torvalds 2005-04-16 223 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 224 BMAP_LOCK_INIT(bmp);
^1da177e4c3f41 Linus Torvalds 2005-04-16 225
^1da177e4c3f41 Linus Torvalds 2005-04-16 226 return (0);
898f706695682b Dongliang Mu 2022-10-18 227
898f706695682b Dongliang Mu 2022-10-18 228 err_release_metapage:
898f706695682b Dongliang Mu 2022-10-18 229 release_metapage(mp);
898f706695682b Dongliang Mu 2022-10-18 230 err_kfree_bmp:
898f706695682b Dongliang Mu 2022-10-18 231 kfree(bmp);
898f706695682b Dongliang Mu 2022-10-18 232 return err;
^1da177e4c3f41 Linus Torvalds 2005-04-16 233 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 234
^1da177e4c3f41 Linus Torvalds 2005-04-16 235
^1da177e4c3f41 Linus Torvalds 2005-04-16 236 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 237 * NAME: dbUnmount()
^1da177e4c3f41 Linus Torvalds 2005-04-16 238 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 239 * FUNCTION: terminate the block allocation map in preparation for
^1da177e4c3f41 Linus Torvalds 2005-04-16 240 * file system unmount.
^1da177e4c3f41 Linus Torvalds 2005-04-16 241 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 242 * the in-core bmap descriptor is written to disk and
^1da177e4c3f41 Linus Torvalds 2005-04-16 243 * the memory for this descriptor is freed.
^1da177e4c3f41 Linus Torvalds 2005-04-16 244 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 245 * PARAMETERS:
^1da177e4c3f41 Linus Torvalds 2005-04-16 246 * ipbmap - pointer to in-core inode for the block map.
^1da177e4c3f41 Linus Torvalds 2005-04-16 247 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 248 * RETURN VALUES:
^1da177e4c3f41 Linus Torvalds 2005-04-16 249 * 0 - success
^1da177e4c3f41 Linus Torvalds 2005-04-16 250 * -EIO - i/o error
^1da177e4c3f41 Linus Torvalds 2005-04-16 251 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 252 int dbUnmount(struct inode *ipbmap, int mounterror)
^1da177e4c3f41 Linus Torvalds 2005-04-16 253 {
^1da177e4c3f41 Linus Torvalds 2005-04-16 254 struct bmap *bmp = JFS_SBI(ipbmap->i_sb)->bmap;
^1da177e4c3f41 Linus Torvalds 2005-04-16 255
^1da177e4c3f41 Linus Torvalds 2005-04-16 256 if (!(mounterror || isReadOnly(ipbmap)))
^1da177e4c3f41 Linus Torvalds 2005-04-16 257 dbSync(ipbmap);
^1da177e4c3f41 Linus Torvalds 2005-04-16 258
^1da177e4c3f41 Linus Torvalds 2005-04-16 259 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 260 * Invalidate the page cache buffers
^1da177e4c3f41 Linus Torvalds 2005-04-16 261 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 262 truncate_inode_pages(ipbmap->i_mapping, 0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 263
^1da177e4c3f41 Linus Torvalds 2005-04-16 264 /* free the memory for the in-memory bmap. */
^1da177e4c3f41 Linus Torvalds 2005-04-16 265 kfree(bmp);
^1da177e4c3f41 Linus Torvalds 2005-04-16 266
^1da177e4c3f41 Linus Torvalds 2005-04-16 267 return (0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 268 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 269
^1da177e4c3f41 Linus Torvalds 2005-04-16 270 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 271 * dbSync()
^1da177e4c3f41 Linus Torvalds 2005-04-16 272 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 273 int dbSync(struct inode *ipbmap)
^1da177e4c3f41 Linus Torvalds 2005-04-16 274 {
^1da177e4c3f41 Linus Torvalds 2005-04-16 275 struct dbmap_disk *dbmp_le;
^1da177e4c3f41 Linus Torvalds 2005-04-16 276 struct bmap *bmp = JFS_SBI(ipbmap->i_sb)->bmap;
^1da177e4c3f41 Linus Torvalds 2005-04-16 277 struct metapage *mp;
^1da177e4c3f41 Linus Torvalds 2005-04-16 278 int i;
^1da177e4c3f41 Linus Torvalds 2005-04-16 279
^1da177e4c3f41 Linus Torvalds 2005-04-16 280 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 281 * write bmap global control page
^1da177e4c3f41 Linus Torvalds 2005-04-16 282 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 283 /* get the buffer for the on-disk bmap descriptor. */
^1da177e4c3f41 Linus Torvalds 2005-04-16 284 mp = read_metapage(ipbmap,
^1da177e4c3f41 Linus Torvalds 2005-04-16 285 BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
^1da177e4c3f41 Linus Torvalds 2005-04-16 286 PSIZE, 0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 287 if (mp == NULL) {
^1da177e4c3f41 Linus Torvalds 2005-04-16 288 jfs_err("dbSync: read_metapage failed!");
^1da177e4c3f41 Linus Torvalds 2005-04-16 289 return -EIO;
^1da177e4c3f41 Linus Torvalds 2005-04-16 290 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 291 /* copy the in-memory version of the bmap to the on-disk version */
^1da177e4c3f41 Linus Torvalds 2005-04-16 292 dbmp_le = (struct dbmap_disk *) mp->data;
^1da177e4c3f41 Linus Torvalds 2005-04-16 293 dbmp_le->dn_mapsize = cpu_to_le64(bmp->db_mapsize);
^1da177e4c3f41 Linus Torvalds 2005-04-16 294 dbmp_le->dn_nfree = cpu_to_le64(bmp->db_nfree);
^1da177e4c3f41 Linus Torvalds 2005-04-16 @295 dbmp_le->dn_l2nbperpage = cpu_to_le32(bmp->db_l2nbperpage);
^1da177e4c3f41 Linus Torvalds 2005-04-16 296 dbmp_le->dn_numag = cpu_to_le32(bmp->db_numag);
^1da177e4c3f41 Linus Torvalds 2005-04-16 297 dbmp_le->dn_maxlevel = cpu_to_le32(bmp->db_maxlevel);
^1da177e4c3f41 Linus Torvalds 2005-04-16 298 dbmp_le->dn_maxag = cpu_to_le32(bmp->db_maxag);
^1da177e4c3f41 Linus Torvalds 2005-04-16 299 dbmp_le->dn_agpref = cpu_to_le32(bmp->db_agpref);
^1da177e4c3f41 Linus Torvalds 2005-04-16 300 dbmp_le->dn_aglevel = cpu_to_le32(bmp->db_aglevel);
d7eecb483cc29e Daniel Mack 2010-01-28 301 dbmp_le->dn_agheight = cpu_to_le32(bmp->db_agheight);
^1da177e4c3f41 Linus Torvalds 2005-04-16 302 dbmp_le->dn_agwidth = cpu_to_le32(bmp->db_agwidth);
^1da177e4c3f41 Linus Torvalds 2005-04-16 303 dbmp_le->dn_agstart = cpu_to_le32(bmp->db_agstart);
^1da177e4c3f41 Linus Torvalds 2005-04-16 304 dbmp_le->dn_agl2size = cpu_to_le32(bmp->db_agl2size);
^1da177e4c3f41 Linus Torvalds 2005-04-16 305 for (i = 0; i < MAXAG; i++)
^1da177e4c3f41 Linus Torvalds 2005-04-16 306 dbmp_le->dn_agfree[i] = cpu_to_le64(bmp->db_agfree[i]);
^1da177e4c3f41 Linus Torvalds 2005-04-16 307 dbmp_le->dn_agsize = cpu_to_le64(bmp->db_agsize);
^1da177e4c3f41 Linus Torvalds 2005-04-16 308 dbmp_le->dn_maxfreebud = bmp->db_maxfreebud;
^1da177e4c3f41 Linus Torvalds 2005-04-16 309
^1da177e4c3f41 Linus Torvalds 2005-04-16 310 /* write the buffer */
^1da177e4c3f41 Linus Torvalds 2005-04-16 311 write_metapage(mp);
^1da177e4c3f41 Linus Torvalds 2005-04-16 312
^1da177e4c3f41 Linus Torvalds 2005-04-16 313 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 314 * write out dirty pages of bmap
^1da177e4c3f41 Linus Torvalds 2005-04-16 315 */
28fd129827b00e OGAWA Hirofumi 2006-01-08 316 filemap_write_and_wait(ipbmap->i_mapping);
^1da177e4c3f41 Linus Torvalds 2005-04-16 317
^1da177e4c3f41 Linus Torvalds 2005-04-16 318 diWriteSpecial(ipbmap, 0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 319
^1da177e4c3f41 Linus Torvalds 2005-04-16 320 return (0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 321 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 322
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
898f706695682b Dongliang Mu 2022-10-18 228 err_release_metapage:
898f706695682b Dongliang Mu 2022-10-18 229 release_metapage(mp);
898f706695682b Dongliang Mu 2022-10-18 230 err_kfree_bmp:
898f706695682b Dongliang Mu 2022-10-18 231 kfree(bmp);
898f706695682b Dongliang Mu 2022-10-18 232 return err;
^1da177e4c3f41 Linus Torvalds 2005-04-16 233 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 234
^1da177e4c3f41 Linus Torvalds 2005-04-16 235
^1da177e4c3f41 Linus Torvalds 2005-04-16 236 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 237 * NAME: dbUnmount()
^1da177e4c3f41 Linus Torvalds 2005-04-16 238 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 239 * FUNCTION: terminate the block allocation map in preparation for
^1da177e4c3f41 Linus Torvalds 2005-04-16 240 * file system unmount.
^1da177e4c3f41 Linus Torvalds 2005-04-16 241 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 242 * the in-core bmap descriptor is written to disk and
^1da177e4c3f41 Linus Torvalds 2005-04-16 243 * the memory for this descriptor is freed.
^1da177e4c3f41 Linus Torvalds 2005-04-16 244 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 245 * PARAMETERS:
^1da177e4c3f41 Linus Torvalds 2005-04-16 246 * ipbmap - pointer to in-core inode for the block map.
^1da177e4c3f41 Linus Torvalds 2005-04-16 247 *
^1da177e4c3f41 Linus Torvalds 2005-04-16 248 * RETURN VALUES:
^1da177e4c3f41 Linus Torvalds 2005-04-16 249 * 0 - success
^1da177e4c3f41 Linus Torvalds 2005-04-16 250 * -EIO - i/o error
^1da177e4c3f41 Linus Torvalds 2005-04-16 251 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 252 int dbUnmount(struct inode *ipbmap, int mounterror)
^1da177e4c3f41 Linus Torvalds 2005-04-16 253 {
^1da177e4c3f41 Linus Torvalds 2005-04-16 254 struct bmap *bmp = JFS_SBI(ipbmap->i_sb)->bmap;
^1da177e4c3f41 Linus Torvalds 2005-04-16 255
^1da177e4c3f41 Linus Torvalds 2005-04-16 256 if (!(mounterror || isReadOnly(ipbmap)))
^1da177e4c3f41 Linus Torvalds 2005-04-16 257 dbSync(ipbmap);
^1da177e4c3f41 Linus Torvalds 2005-04-16 258
^1da177e4c3f41 Linus Torvalds 2005-04-16 259 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 260 * Invalidate the page cache buffers
^1da177e4c3f41 Linus Torvalds 2005-04-16 261 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 262 truncate_inode_pages(ipbmap->i_mapping, 0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 263
^1da177e4c3f41 Linus Torvalds 2005-04-16 264 /* free the memory for the in-memory bmap. */
^1da177e4c3f41 Linus Torvalds 2005-04-16 265 kfree(bmp);
^1da177e4c3f41 Linus Torvalds 2005-04-16 266
^1da177e4c3f41 Linus Torvalds 2005-04-16 267 return (0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 268 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 269
^1da177e4c3f41 Linus Torvalds 2005-04-16 270 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 271 * dbSync()
^1da177e4c3f41 Linus Torvalds 2005-04-16 272 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 273 int dbSync(struct inode *ipbmap)
^1da177e4c3f41 Linus Torvalds 2005-04-16 274 {
^1da177e4c3f41 Linus Torvalds 2005-04-16 275 struct dbmap_disk *dbmp_le;
^1da177e4c3f41 Linus Torvalds 2005-04-16 276 struct bmap *bmp = JFS_SBI(ipbmap->i_sb)->bmap;
^1da177e4c3f41 Linus Torvalds 2005-04-16 277 struct metapage *mp;
^1da177e4c3f41 Linus Torvalds 2005-04-16 278 int i;
^1da177e4c3f41 Linus Torvalds 2005-04-16 279
^1da177e4c3f41 Linus Torvalds 2005-04-16 280 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 281 * write bmap global control page
^1da177e4c3f41 Linus Torvalds 2005-04-16 282 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 283 /* get the buffer for the on-disk bmap descriptor. */
^1da177e4c3f41 Linus Torvalds 2005-04-16 284 mp = read_metapage(ipbmap,
^1da177e4c3f41 Linus Torvalds 2005-04-16 285 BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
^1da177e4c3f41 Linus Torvalds 2005-04-16 286 PSIZE, 0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 287 if (mp == NULL) {
^1da177e4c3f41 Linus Torvalds 2005-04-16 288 jfs_err("dbSync: read_metapage failed!");
^1da177e4c3f41 Linus Torvalds 2005-04-16 289 return -EIO;
^1da177e4c3f41 Linus Torvalds 2005-04-16 290 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 291 /* copy the in-memory version of the bmap to the on-disk version */
^1da177e4c3f41 Linus Torvalds 2005-04-16 292 dbmp_le = (struct dbmap_disk *) mp->data;
^1da177e4c3f41 Linus Torvalds 2005-04-16 293 dbmp_le->dn_mapsize = cpu_to_le64(bmp->db_mapsize);
^1da177e4c3f41 Linus Torvalds 2005-04-16 294 dbmp_le->dn_nfree = cpu_to_le64(bmp->db_nfree);
^1da177e4c3f41 Linus Torvalds 2005-04-16 @295 dbmp_le->dn_l2nbperpage = cpu_to_le32(bmp->db_l2nbperpage);
^1da177e4c3f41 Linus Torvalds 2005-04-16 296 dbmp_le->dn_numag = cpu_to_le32(bmp->db_numag);
^1da177e4c3f41 Linus Torvalds 2005-04-16 297 dbmp_le->dn_maxlevel = cpu_to_le32(bmp->db_maxlevel);
^1da177e4c3f41 Linus Torvalds 2005-04-16 298 dbmp_le->dn_maxag = cpu_to_le32(bmp->db_maxag);
^1da177e4c3f41 Linus Torvalds 2005-04-16 299 dbmp_le->dn_agpref = cpu_to_le32(bmp->db_agpref);
^1da177e4c3f41 Linus Torvalds 2005-04-16 300 dbmp_le->dn_aglevel = cpu_to_le32(bmp->db_aglevel);
d7eecb483cc29e Daniel Mack 2010-01-28 301 dbmp_le->dn_agheight = cpu_to_le32(bmp->db_agheight);
^1da177e4c3f41 Linus Torvalds 2005-04-16 302 dbmp_le->dn_agwidth = cpu_to_le32(bmp->db_agwidth);
^1da177e4c3f41 Linus Torvalds 2005-04-16 303 dbmp_le->dn_agstart = cpu_to_le32(bmp->db_agstart);
^1da177e4c3f41 Linus Torvalds 2005-04-16 304 dbmp_le->dn_agl2size = cpu_to_le32(bmp->db_agl2size);
^1da177e4c3f41 Linus Torvalds 2005-04-16 305 for (i = 0; i < MAXAG; i++)
^1da177e4c3f41 Linus Torvalds 2005-04-16 306 dbmp_le->dn_agfree[i] = cpu_to_le64(bmp->db_agfree[i]);
^1da177e4c3f41 Linus Torvalds 2005-04-16 307 dbmp_le->dn_agsize = cpu_to_le64(bmp->db_agsize);
^1da177e4c3f41 Linus Torvalds 2005-04-16 308 dbmp_le->dn_maxfreebud = bmp->db_maxfreebud;
^1da177e4c3f41 Linus Torvalds 2005-04-16 309
^1da177e4c3f41 Linus Torvalds 2005-04-16 310 /* write the buffer */
^1da177e4c3f41 Linus Torvalds 2005-04-16 311 write_metapage(mp);
^1da177e4c3f41 Linus Torvalds 2005-04-16 312
^1da177e4c3f41 Linus Torvalds 2005-04-16 313 /*
^1da177e4c3f41 Linus Torvalds 2005-04-16 314 * write out dirty pages of bmap
^1da177e4c3f41 Linus Torvalds 2005-04-16 315 */
28fd129827b00e OGAWA Hirofumi 2006-01-08 316 filemap_write_and_wait(ipbmap->i_mapping);
^1da177e4c3f41 Linus Torvalds 2005-04-16 317
^1da177e4c3f41 Linus Torvalds 2005-04-16 318 diWriteSpecial(ipbmap, 0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 319
^1da177e4c3f41 Linus Torvalds 2005-04-16 320 return (0);
^1da177e4c3f41 Linus Torvalds 2005-04-16 321 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 322
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
2023-04-14 13:53 ` anupsharma
@ 2023-06-20 20:24 ` Dave Kleikamp
-1 siblings, 0 replies; 9+ messages in thread
From: Dave Kleikamp @ 2023-06-20 20:24 UTC (permalink / raw)
To: anupsharma, r33s3n6, mudongliangabcd, liushixin2, wuhoipok
Cc: jfs-discussion, linux-kernel, linux-kernel-mentees, skhan
I want to apologize about this one. Recently, Siddh Raman Pant submitted
a similar patch and I picked that one up. I'm sorry that I let yours get
buried in my inbox, since it was submitted earlier.
I actually prefer his patch since it caught it earlier during mount
time, but that's no excuse to not give you a more timely response.
Thanks,
Shaggy
On 4/14/23 8:53AM, anupsharma wrote:
> Syzkaller reported the following issue:
> option from the mount to silence this warning.
> =======================================================
> find_entry called with index = 0
> read_mapping_page failed!
> ERROR: (device loop0): txCommit:
> ERROR: (device loop0): remounting filesystem as read-only
> ================================================================================
> UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:381:12
> shift exponent 134217736 is too large for 64-bit type 'long long'
> CPU: 1 PID: 5068 Comm: syz-executor350 Not tainted 6.3.0-rc2-syzkaller-00069-g0ddc84d2dd43 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
> ubsan_epilogue lib/ubsan.c:217 [inline]
> __ubsan_handle_shift_out_of_bounds+0x3c3/0x420 lib/ubsan.c:387
> dbFree+0x46e/0x650 fs/jfs/jfs_dmap.c:381
> txFreeMap+0x96a/0xd50 fs/jfs/jfs_txnmgr.c:2510
> xtTruncate+0xe5c/0x3260 fs/jfs/jfs_xtree.c:2467
> jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:758
> jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
> evict+0x2a4/0x620 fs/inode.c:665
> __dentry_kill+0x436/0x650 fs/dcache.c:607
> shrink_dentry_list+0x39c/0x6a0 fs/dcache.c:1201
> shrink_dcache_parent+0xcd/0x480
> do_one_tree+0x23/0xe0 fs/dcache.c:1682
> shrink_dcache_for_umount+0x7d/0x120 fs/dcache.c:1699
> generic_shutdown_super+0x67/0x340 fs/super.c:472
> kill_block_super+0x7e/0xe0 fs/super.c:1398
> deactivate_locked_super+0xa4/0x110 fs/super.c:331
> cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
> task_work_run+0x24a/0x300 kernel/task_work.c:179
> exit_task_work include/linux/task_work.h:38 [inline]
> do_exit+0x68f/0x2290 kernel/exit.c:869
> do_group_exit+0x206/0x2c0 kernel/exit.c:1019
> __do_sys_exit_group kernel/exit.c:1030 [inline]
> __se_sys_exit_group kernel/exit.c:1028 [inline]
> __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fa87e2289b9
> Code: Unable to access opcode bytes at 0x7fa87e22898f.
> RSP: 002b:00007fff4bfe3938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 00007fa87e2a3330 RCX: 00007fa87e2289b9
> RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fa87e29de40
> R10: 00007fff4bfe3850 R11: 0000000000000246 R12: 00007fa87e2a3330
> R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
> </TASK>
> ================================================================================
>
> db_l2nbperpage, which is used as a shift exponent to get the buffer
> for the current dmap, will be less than or equal to 64.
>
> Tested via syzbot.
>
> Reported-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
>
> Signed-off-by: Anup Sharma <anupnewsmail@gmail.com>
> ---
> fs/jfs/jfs_dmap.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index a3eb1e826947..d2cf56dd8f91 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -184,7 +184,10 @@ int dbMount(struct inode *ipbmap)
> err = -EINVAL;
> goto err_release_metapage;
> }
> -
> + if (bmp->db_l2nbperpage >= 64) {
> + err = -EINVAL;
> + goto err_release_metapage;
> + }
> bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
> bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
> bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
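Review bot: the new check bounds db_l2nbperpage only against the shift width, not against the filesystem it belongs to. In the robot's context earlier in this thread, dbSync() shifts BMAPBLKNO by JFS_SBI(ipbmap->i_sb)->l2nbperpage, the superblock's value, while dbMount() copies dn_l2nbperpage from the on-disk descriptor straight into bmp->db_l2nbperpage, which is the value dbFree() later shifts by. Rejecting the mount when the descriptor's value differs from the superblock's (err = -EINVAL; goto err_release_metapage, as the checks just above the hunk do) would catch a corrupted descriptor more precisely than `>= 64` and would also refuse an image whose bmap and superblock disagree about the block size.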
* Re: [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
2023-04-14 13:53 ` anupsharma
@ 2023-05-07 5:28 ` Anup Sharma
-1 siblings, 0 replies; 9+ messages in thread
From: Anup Sharma @ 2023-05-07 5:28 UTC (permalink / raw)
To: shaggy, r33s3n6, mudongliangabcd, liushixin2, wuhoipok,
jfs-discussion, linux-kernel-mentees, linux-kernel, skhan
On Fri, 14 Apr 2023 at 19:23, anupsharma <anupnewsmail@gmail.com> wrote:
> Syzkaller reported the following issue:
> option from the mount to silence this warning.
> =======================================================
> find_entry called with index = 0
> read_mapping_page failed!
> ERROR: (device loop0): txCommit:
> ERROR: (device loop0): remounting filesystem as read-only
>
> ================================================================================
> UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:381:12
> shift exponent 134217736 is too large for 64-bit type 'long long'
> CPU: 1 PID: 5068 Comm: syz-executor350 Not tainted
> 6.3.0-rc2-syzkaller-00069-g0ddc84d2dd43 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 03/02/2023
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
> ubsan_epilogue lib/ubsan.c:217 [inline]
> __ubsan_handle_shift_out_of_bounds+0x3c3/0x420 lib/ubsan.c:387
> dbFree+0x46e/0x650 fs/jfs/jfs_dmap.c:381
> txFreeMap+0x96a/0xd50 fs/jfs/jfs_txnmgr.c:2510
> xtTruncate+0xe5c/0x3260 fs/jfs/jfs_xtree.c:2467
> jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:758
> jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
> evict+0x2a4/0x620 fs/inode.c:665
> __dentry_kill+0x436/0x650 fs/dcache.c:607
> shrink_dentry_list+0x39c/0x6a0 fs/dcache.c:1201
> shrink_dcache_parent+0xcd/0x480
> do_one_tree+0x23/0xe0 fs/dcache.c:1682
> shrink_dcache_for_umount+0x7d/0x120 fs/dcache.c:1699
> generic_shutdown_super+0x67/0x340 fs/super.c:472
> kill_block_super+0x7e/0xe0 fs/super.c:1398
> deactivate_locked_super+0xa4/0x110 fs/super.c:331
> cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
> task_work_run+0x24a/0x300 kernel/task_work.c:179
> exit_task_work include/linux/task_work.h:38 [inline]
> do_exit+0x68f/0x2290 kernel/exit.c:869
> do_group_exit+0x206/0x2c0 kernel/exit.c:1019
> __do_sys_exit_group kernel/exit.c:1030 [inline]
> __se_sys_exit_group kernel/exit.c:1028 [inline]
> __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fa87e2289b9
> Code: Unable to access opcode bytes at 0x7fa87e22898f.
> RSP: 002b:00007fff4bfe3938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 00007fa87e2a3330 RCX: 00007fa87e2289b9
> RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fa87e29de40
> R10: 00007fff4bfe3850 R11: 0000000000000246 R12: 00007fa87e2a3330
> R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
> </TASK>
>
> ================================================================================
>
> db_l2nbperpage, which is used as a shift exponent to get the buffer
> for the current dmap, will be less than or equal to 64.
>
> Tested via syzbot.
>
> Reported-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
> Link:
> https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
>
> Signed-off-by: Anup Sharma <anupnewsmail@gmail.com>
> ---
> fs/jfs/jfs_dmap.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index a3eb1e826947..d2cf56dd8f91 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -184,7 +184,10 @@ int dbMount(struct inode *ipbmap)
> err = -EINVAL;
> goto err_release_metapage;
> }
> -
> + if (bmp->db_l2nbperpage >= 64) {
> + err = -EINVAL;
> + goto err_release_metapage;
> + }
> bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
> bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
> bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
> --
> 2.34.1
>
Hello All,
Just wanted to follow up on this patch submitted earlier. May I please request a review and feedback on this patch.
Thanks,
Anup
* [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree
@ 2023-04-14 13:53 ` anupsharma
0 siblings, 0 replies; 9+ messages in thread
From: anupsharma @ 2023-04-14 13:53 UTC (permalink / raw)
To: shaggy, r33s3n6, mudongliangabcd, liushixin2, wuhoipok
Cc: jfs-discussion, linux-kernel, linux-kernel-mentees, skhan
Syzkaller reported the following issue:
option from the mount to silence this warning.
=======================================================
find_entry called with index = 0
read_mapping_page failed!
ERROR: (device loop0): txCommit:
ERROR: (device loop0): remounting filesystem as read-only
================================================================================
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:381:12
shift exponent 134217736 is too large for 64-bit type 'long long'
CPU: 1 PID: 5068 Comm: syz-executor350 Not tainted 6.3.0-rc2-syzkaller-00069-g0ddc84d2dd43 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_shift_out_of_bounds+0x3c3/0x420 lib/ubsan.c:387
dbFree+0x46e/0x650 fs/jfs/jfs_dmap.c:381
txFreeMap+0x96a/0xd50 fs/jfs/jfs_txnmgr.c:2510
xtTruncate+0xe5c/0x3260 fs/jfs/jfs_xtree.c:2467
jfs_free_zero_link+0x46e/0x6e0 fs/jfs/namei.c:758
jfs_evict_inode+0x35f/0x440 fs/jfs/inode.c:153
evict+0x2a4/0x620 fs/inode.c:665
__dentry_kill+0x436/0x650 fs/dcache.c:607
shrink_dentry_list+0x39c/0x6a0 fs/dcache.c:1201
shrink_dcache_parent+0xcd/0x480
do_one_tree+0x23/0xe0 fs/dcache.c:1682
shrink_dcache_for_umount+0x7d/0x120 fs/dcache.c:1699
generic_shutdown_super+0x67/0x340 fs/super.c:472
kill_block_super+0x7e/0xe0 fs/super.c:1398
deactivate_locked_super+0xa4/0x110 fs/super.c:331
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
task_work_run+0x24a/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x68f/0x2290 kernel/exit.c:869
do_group_exit+0x206/0x2c0 kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1028
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa87e2289b9
Code: Unable to access opcode bytes at 0x7fa87e22898f.
RSP: 002b:00007fff4bfe3938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fa87e2a3330 RCX: 00007fa87e2289b9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fa87e29de40
R10: 00007fff4bfe3850 R11: 0000000000000246 R12: 00007fa87e2a3330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
================================================================================
db_l2nbperpage, which is used as a shift exponent to get the buffer
for the current dmap, will be less than or equal to 64.
Tested via syzbot.
Reported-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
Signed-off-by: Anup Sharma <anupnewsmail@gmail.com>
---
fs/jfs/jfs_dmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a3eb1e826947..d2cf56dd8f91 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -184,7 +184,10 @@ int dbMount(struct inode *ipbmap)
err = -EINVAL;
goto err_release_metapage;
}
-
+ if (bmp->db_l2nbperpage >= 64) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
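Review bot: the new check closes only the high side of the range. The db_agl2size check a few lines above this hunk tests both `> L2MAXL2SIZE - L2MAXAG` and `< 0`; unless db_l2nbperpage is an unsigned field, a negative value passes `>= 64` and is just as undefined a shift count in dbFree(), so the test should read `if (bmp->db_l2nbperpage < 0 || bmp->db_l2nbperpage >= 64) {`. The commit message also says the value will be at most 64 while the hunk rejects 64; a shift of a 64-bit type needs an exponent strictly below 64, so the message should say "less than 64". Minor style point: the hunk drops the blank line that separated the db_numag check from the code that follows, so the new block and the db_maxlevel assignment run together; keep a blank line after the new closing brace.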
--
2.34.1
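The descriptor validation this thread converges on, as an added userspace model that is not code from the patch or from fs/jfs: it decodes a constructed little-endian descriptor image the way dbMount() decodes struct dbmap_disk, applies the checks visible in the robot's blame context (db_numag, db_agl2size, mapsize against MAXAG) plus the patch's bound on db_l2nbperpage with the negative side closed as well, and only then performs the shift that dbFree() does. The byte layout, the model_* names and the MODEL_* limits are assumptions; the sample descriptor images are constructed, one of them carrying the exponent 134217736 from the UBSAN report.

```c
/*
 * Added example, not code from the patch or from fs/jfs: a userspace model of
 * the checks dbMount() should apply to the on-disk bmap descriptor before any
 * field is used as a shift count. The byte layout, the model_* names and the
 * MODEL_* limits are assumptions for illustration; the real struct dbmap_disk
 * and the real MAXAG/L2MAXL2SIZE/L2MAXAG values differ.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MODEL_MAXAG        128 /* assumed cap on allocation groups */
#define MODEL_L2MAXAG      7   /* assumed log2(MODEL_MAXAG) */
#define MODEL_L2MAXL2SIZE  25  /* assumed log2 of the largest AG size */
#define MODEL_DESC_LEN     20  /* bytes in the constructed descriptor image */

/* In-core copy of the fields dbMount() reads via le64_to_cpu/le32_to_cpu. */
struct model_bmap {
	int64_t mapsize;     /* blocks covered by the map */
	int32_t l2nbperpage; /* log2 blocks per page: a shift count in dbFree() */
	int32_t numag;       /* number of allocation groups */
	int32_t agl2size;    /* log2 of AG size: also a shift count */
};

static uint64_t rd_le(const uint8_t *p, int n)
{
	uint64_t v = 0;
	while (n--)
		v = v << 8 | p[n];
	return v;
}

static void wr_le(uint8_t *p, uint64_t v, int n)
{
	for (int i = 0; i < n; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed little-endian image: mapsize@0, l2nbperpage@8, numag@12,
 * agl2size@16. On a crafted loop-mounted image, as in the syzkaller
 * reproducer, every one of these bytes is attacker-controlled. */
void model_build(uint8_t out[MODEL_DESC_LEN], uint64_t mapsize,
		 uint32_t l2nbperpage, uint32_t numag, uint32_t agl2size)
{
	wr_le(out, mapsize, 8);
	wr_le(out + 8, l2nbperpage, 4);
	wr_le(out + 12, numag, 4);
	wr_le(out + 16, agl2size, 4);
}

/* Decode the image; -EIO on a short read (the mp == NULL path in dbMount()).
 * The decoded values are still untrusted at this point. */
int model_parse(const uint8_t *buf, size_t len, struct model_bmap *b)
{
	if (len < MODEL_DESC_LEN)
		return -EIO;
	b->mapsize = (int64_t)rd_le(buf, 8);
	b->l2nbperpage = (int32_t)rd_le(buf + 8, 4);
	b->numag = (int32_t)rd_le(buf + 12, 4);
	b->agl2size = (int32_t)rd_le(buf + 16, 4);
	return 0;
}

/* Reject descriptors that would later feed an out-of-range shift count. The
 * first three checks follow the ones already in dbMount(); the last is the
 * patch's check with the negative side closed too, since a signed field
 * below zero passes `>= 64` but is just as undefined as a shift count. */
int model_validate(const struct model_bmap *b)
{
	if (!b->numag)
		return -EINVAL;
	if (b->agl2size > MODEL_L2MAXL2SIZE - MODEL_L2MAXAG || b->agl2size < 0)
		return -EINVAL;
	if (((b->mapsize - 1) >> b->agl2size) > MODEL_MAXAG)
		return -EINVAL;
	if (b->l2nbperpage < 0 || b->l2nbperpage >= 64)
		return -EINVAL;
	return 0;
}

/* The shift dbFree() performs on the field; call only after validation. */
int64_t model_blocks_per_page(const struct model_bmap *b)
{
	return (int64_t)1 << b->l2nbperpage;
}

/* Build, parse and validate an image whose other fields are sane; returns 0
 * or a negative errno. 134217736 is the exponent from the UBSAN report. */
int model_check_l2nbperpage(uint32_t l2nbperpage)
{
	uint8_t img[MODEL_DESC_LEN];
	struct model_bmap b;
	int err;

	model_build(img, (uint64_t)1 << 20, l2nbperpage, 16, 13);
	err = model_parse(img, sizeof img, &b);
	return err ? err : model_validate(&b);
}
```

With a sane image (mapsize 2^20, 16 AGs, agl2size 13) model_check_l2nbperpage(3) returns 0 and the shift yields 8 blocks per page; the report's exponent 134217736 and an all-ones field (read back as -1) are both refused with -EINVAL before any shift happens, which is the ordering the patch establishes in dbMount() instead of leaving the value to surface in dbFree() at unmount.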
Thread overview: 9+ messages
2023-04-07 13:59 [PATCH] fs: jfs: fixed UBSAN: shift-out-of-bounds in dbFree Anup Sharma
2023-04-07 13:59 ` Anup Sharma
2023-04-07 20:47 ` kernel test robot
2023-04-07 20:47 ` kernel test robot
2023-04-14 13:53 anupsharma
2023-04-14 13:53 ` anupsharma
2023-05-07 5:28 ` Anup Sharma
2023-06-20 20:24 ` Dave Kleikamp
2023-06-20 20:24 ` Dave Kleikamp