| Message ID | 20240918172026.2532-3-pvmohammedanees2003@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | ocfs2: Fix deadlock in extent_map and handle zero | expand |
On 9/19/24 01:20, Mohammed Anees wrote: > syzbot has found a kernel BUG in ocfs2_write_cluster_by_desc [1]. > > The issue arises because ocfs2_insert_extent receives start_blk > as 0, which incorrectly maps to a physical address of 0. This > occurs when block is 0 after the call to ocfs2_clusters_to_blocks > which is invoked inside the ocfs2_add_clusters_in_btree. The block > value is then passed to ocfs2_insert_extent, leading to the problem. > > [1] https://syzkaller.appspot.com/bug?extid=18a87160c7d64ba2e2f6 > > Reported-and-tested-by: syzbot+18a87160c7d64ba2e2f6@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=18a87160c7d64ba2e2f6 > Signed-off-by: Mohammed Anees <pvmohammedanees2003@gmail.com> > --- > fs/ocfs2/alloc.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c > index 395e23920..926ffeed8 100644 > --- a/fs/ocfs2/alloc.c > +++ b/fs/ocfs2/alloc.c > @@ -4843,6 +4843,13 @@ int ocfs2_add_clusters_in_btree(handle_t *handle, > } > > block = ocfs2_clusters_to_blocks(osb->sb, bit_off);> + if (block == 0) { > + mlog(ML_ERROR, "Conversion resulted in zero block number"); > + status = -EIO; > + need_free = 1; > + goto bail; > + } > + If you check this function, there is no IO operation, so -EIO is not suitable. In the the ocfs2_clusters_to_blocks() code, there are two possible cases where the result is zero: bit_off is 0 or bit_off is out of range for a u64 after a bit shift. It seems that the root cause is that __ocfs2_claim_clusters allocates an incorrect bit_off. -Heming > trace_ocfs2_add_clusters_in_btree( > (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), > bit_off, num_bits);
Yes, you are absolutely right, __ocfs2_claim_clusters indeed allocates 0 as the bit_off, looking into this I believe the problem is triggered due to ocfs2_search_chain called by ocfs2_claim_suballoc_bits, what do you think would be the best approach to solve this issue, what function I be looking for, any insights will be highly appreciated. Thanks!
diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c index 395e23920..926ffeed8 100644 --- a/fs/ocfs2/alloc.c +++ b/fs/ocfs2/alloc.c @@ -4843,6 +4843,13 @@ int ocfs2_add_clusters_in_btree(handle_t *handle, } block = ocfs2_clusters_to_blocks(osb->sb, bit_off); + if (block == 0) { + mlog(ML_ERROR, "Conversion resulted in zero block number"); + status = -EIO; + need_free = 1; + goto bail; + } + trace_ocfs2_add_clusters_in_btree( (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), bit_off, num_bits);
syzbot has found a kernel BUG in ocfs2_write_cluster_by_desc [1]. The issue arises because ocfs2_insert_extent receives start_blk as 0, which incorrectly maps to a physical address of 0. This occurs when block is 0 after the call to ocfs2_clusters_to_blocks which is invoked inside the ocfs2_add_clusters_in_btree. The block value is then passed to ocfs2_insert_extent, leading to the problem. [1] https://syzkaller.appspot.com/bug?extid=18a87160c7d64ba2e2f6 Reported-and-tested-by: syzbot+18a87160c7d64ba2e2f6@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=18a87160c7d64ba2e2f6 Signed-off-by: Mohammed Anees <pvmohammedanees2003@gmail.com> --- fs/ocfs2/alloc.c | 7 +++++++ 1 file changed, 7 insertions(+)