On 2022/10/01 20:24, Tetsuo Handa wrote:
> syzbot is reporting lockdep warning followed by NULL pointer dereference
> at nilfs_bmap_lookup_at_level() [1], for a crafted filesystem which
> contains raw_inode->i_mode == 0 is poisoning checkpoint inode at
> nilfs_read_inode_common() from nilfs_ifile_read() from
> nilfs_attach_checkpoint() from nilfs_fill_super() from nilfs_mount().
> Check that filetype/uid/gid are valid as well as i_nlink is valid.
>
> Link: https://syzkaller.appspot.com/bug?extid=2b32eb36c1a825b7a74c [1]
> Reported-by: syzbot <syzbot+2b32eb36c1a825b7a74c@xxxxxxxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> ---
> This patch solves the crash but I don't know whether this patch is correct.

Hmm, since bmap->b_sem and bmap->b_ops are initialized by nilfs_bmap_read(),
and nilfs_bmap_read() is called from nilfs_read_inode_common() only if
S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)
is true, I guess that the caller needs to verify that the returned inode is
a regular file? But where to add that check?