[PATCH] nilfs2: Fix nilfs_sufile_mark_dirty() not set segment usage as dirty

linux-nilfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Chen Zhongjin <chenzhongjin-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
To: linux-nilfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: chenzhongjin-hv44wF8Li93QT0dZR+AlfA@public.gmane.org,
	konishi.ryusuke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
	akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org
Subject: [PATCH] nilfs2: Fix nilfs_sufile_mark_dirty() not set segment usage as dirty
Date: Fri, 18 Nov 2022 14:33:04 +0800	[thread overview]
Message-ID: <20221118063304.140187-1-chenzhongjin@huawei.com> (raw)

In nilfs_sufile_mark_dirty(), the buffer and inode are set dirty, but
nilfs_segment_usage is not set dirty, which makes it can be found by
nilfs_sufile_alloc() because it checks nilfs_segment_usage_clean(su).

This will cause the problem reported by syzkaller:
https://syzkaller.appspot.com/bug?id=c7c4748e11ffcc367cef04f76e02e931833cbd24

It's because the case starts with segbuf1.segnum = 3, nextnum = 4, and
nilfs_sufile_alloc() not called to allocate a new segment.

The first time nilfs_segctor_extend_segments() allocated segment
segbuf2.segnum = segbuf1.nextnum = 4, then nilfs_sufile_alloc() found
nextnextnum = 4 segment because its su is not set dirty.
So segbuf2.nextnum = 4, which causes next segbuf3.segnum = 4.

sb_getblk() will get same bh for segbuf2 and segbuf3, and this bh is
added to both buffer lists of two segbuf.
It makes the list head of second list linked to the first one. When
iterating the first one, it will access and deref the head of second,
which causes NULL pointer dereference.

Fixes: 9ff05123e3bf ("nilfs2: segment constructor")
Reported-by: syzbot+77e4f0...-Pl5Pbv+GP7P466ipTTIvnc23WoclnBCfAL8bYrjMMd8@public.gmane.org
Signed-off-by: Chen Zhongjin <chenzhongjin-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
---
 fs/nilfs2/sufile.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/nilfs2/sufile.c b/fs/nilfs2/sufile.c
index 77ff8e95421f..2962f9071490 100644
--- a/fs/nilfs2/sufile.c
+++ b/fs/nilfs2/sufile.c
@@ -495,12 +495,18 @@ void nilfs_sufile_do_free(struct inode *sufile, __u64 segnum,
 int nilfs_sufile_mark_dirty(struct inode *sufile, __u64 segnum)
 {
 	struct buffer_head *bh;
+	void *kaddr;
+	struct nilfs_segment_usage *su;
 	int ret;

 	ret = nilfs_sufile_get_segment_usage_block(sufile, segnum, 0, &bh);
 	if (!ret) {
 		mark_buffer_dirty(bh);
 		nilfs_mdt_mark_dirty(sufile);
+		kaddr = kmap_atomic(bh->b_page);
+		su = nilfs_sufile_block_get_segment_usage(sufile, segnum, bh, kaddr);
+		nilfs_segment_usage_set_dirty(su);
+		kunmap_atomic(kaddr);
 		brelse(bh);
 	}
 	return ret;
-- 
2.17.1

next             reply	other threads:[~2022-11-18  6:33 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-18  6:33 Chen Zhongjin [this message]
     [not found] ` <20221118063304.140187-1-chenzhongjin-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-18 22:11   ` [PATCH] nilfs2: Fix nilfs_sufile_mark_dirty() not set segment usage as dirty Andrew Morton
     [not found]     ` <20221118141138.c091445bdda36b78f6277c1f-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2022-11-19  4:11       ` Ryusuke Konishi
2022-11-19  5:24       ` Chen Zhongjin
     [not found]         ` <0e693d41-0bb5-b4a9-19b7-1c71e90e06bf-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-19  5:28           ` Chen Zhongjin
     [not found]             ` <55553de4-04c3-09f3-b075-f0112d2298cb-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2022-11-19  7:17               ` Ryusuke Konishi
     [not found]                 ` <CAKFNMom=vjGrXJoc02ut8GocQ6hMmHrkcdReEvk-ykcE4p0b-w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2022-11-19  7:51                   ` Ryusuke Konishi
2022-11-19  9:39                   ` Chen Zhongjin

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:77ff8e95421 dfblob:2962f907149
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221118063304.140187-1-chenzhongjin@huawei.com \
    --to=chenzhongjin-hv44wf8li93qt0dzr+alfa@public.gmane.org \
    --cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
    --cc=konishi.ryusuke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
    --cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-nilfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).