In nilfs_btree_do_lookup, if the number of children in the btree root node is 0,
path[x].bp_bh will not be initialized by __nilfs_btree_get_block,
which will result in uaf when executing nilfs-btree_get_nonroot_node
in nilfs_btree_prepare_insert.
In nilfs_bmap_do_insert will run bop_check_insert, so implement
bop_check_insert and determine the number of children in the btree root
node within it. If it is 0, return a negative value to avoid calling
bop_intsert.
#syz test
diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
index 862bdf23120e..d7fa4d914638 100644
--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -1231,6 +1231,17 @@ static void nilfs_btree_commit_insert(struct nilfs_bmap *btree,
nilfs_bmap_set_dirty(btree);
}
+static int nilfs_btree_check_insert(const struct nilfs_bmap *btree, __u64 key)
+{
+ struct nilfs_btree_node *node;
+ int level;
+
+ node = nilfs_btree_get_root(btree);
+ level = nilfs_btree_node_get_level(node);
+ return (level < NILFS_BTREE_LEVEL_NODE_MIN ||
+ nilfs_btree_node_get_nchildren(node) <= 0) ? -ENOENT : 0;
+}
+
static int nilfs_btree_insert(struct nilfs_bmap *btree, __u64 key, __u64 ptr)
{
struct nilfs_btree_path *path;
@@ -2385,7 +2396,7 @@ static const struct nilfs_bmap_operations nilfs_btree_ops = {
.bop_seek_key = nilfs_btree_seek_key,
.bop_last_key = nilfs_btree_last_key,
- .bop_check_insert = NULL,
+ .bop_check_insert = nilfs_btree_check_insert,
.bop_check_delete = nilfs_btree_check_delete,
.bop_gather_data = nilfs_btree_gather_data,
};
