On Mon, Nov 14, 2022 at 05:33:49PM +0530, Siddh Raman Pant wrote:
> The following calculation of iomap->length on line 798 in
> z_erofs_iomap_begin_report() can yield 0:
> if (iomap->offset >= inode->i_size)
> iomap->length = length + map.m_la - offset;
>
> This triggers a WARN_ON in iomap_iter_done() (see line 34 of
> fs/iomap/iter.c).
>
> Hence, return error when this scenario is encountered.
>
> ============================================================
>
> This was reported as a crash by syzbot under an issue about
> warning encountered in iomap_iter_done(), but unrelated to
> erofs. Hence, not adding issue hash in Reported-by line.
>
> C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1037a6b2880000
> Kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=e2021a61197ebe02
> Dashboard link: https://syzkaller.appspot.com/bug?extid=a8e049cd3abd342936b6
>
> Reported-by: syzbot@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Siddh Raman Pant <code@xxxxxxxx>
> ---
> fs/erofs/zmap.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
> index 0bb66927e3d0..bad852983eb9 100644
> --- a/fs/erofs/zmap.c
> +++ b/fs/erofs/zmap.c
> @@ -796,6 +796,9 @@ static int z_erofs_iomap_begin_report(struct inode *inode, loff_t offset,
> */
> if (iomap->offset >= inode->i_size)
> iomap->length = length + map.m_la - offset;
> +
> + if (iomap->length == 0)

I just wonder if we should return -EINVAL for post-EOF cases
or IOMAP_HOLE with arbitrary length?

Thanks,
Gao Xiang

> + return -EINVAL;
> }
> iomap->flags = 0;
> return 0;
> --
> 2.35.1
>
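Review bot: the added `if (iomap->length == 0) return -EINVAL;` turns a post-EOF query into a hard error for the caller (iomap_iter() stops and the errno reaches userspace through fiemap/lseek), while the two context lines just above it deliberately compute a length for offsets at or beyond i_size; the usual iomap answer for that range is to report a hole with a non-zero length (set `iomap->type = IOMAP_HOLE` and keep `iomap->length = length`, which is what the reply is asking about) rather than fail the iteration. The check also only catches the exact value zero, so the commit message should state which combination of `map.m_la`, `offset` and `length` makes `length + map.m_la - offset` evaluate to 0 and why -EINVAL, rather than a hole, is the right report for it.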