On Sat, Feb 18, 2023 at 11:23:49PM +0900, Ryusuke Konishi wrote: > commit 99b9402a36f0799f25feee4465bfa4b8dfa74b4d upstream. > > Macro NILFS_SB2_OFFSET_BYTES, which computes the position of the second > superblock, underflows when the argument device size is less than 4096 > bytes. Therefore, when using this macro, it is necessary to check in > advance that the device size is not less than a lower limit, or at least > that underflow does not occur. > > The current nilfs2 implementation lacks this check, causing out-of-bound > block access when mounting devices smaller than 4096 bytes: > > I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0 > phys_seg 1 prio class 2 > NILFS (loop0): unable to read secondary superblock (blocksize = 1024) > > In addition, when trying to resize the filesystem to a size below 4096 > bytes, this underflow occurs in nilfs_resize_fs(), passing a huge number > of segments to nilfs_sufile_resize(), corrupting parameters such as the > number of segments in superblocks. This causes excessive loop iterations > in nilfs_sufile_resize() during a subsequent resize ioctl, causing > semaphore ns_segctor_sem to block for a long time and hang the writer > thread: > > INFO: task segctord:5067 blocked for more than 143 seconds. > Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0 > "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. > task:segctord state:D stack:23456 pid:5067 ppid:2 > flags:0x00004000 > Call Trace: > <TASK> > context_switch kernel/sched/core.c:5293 [inline] > __schedule+0x1409/0x43f0 kernel/sched/core.c:6606 > schedule+0xc3/0x190 kernel/sched/core.c:6682 > rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190 > nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357 > nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline] > nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570 > kthread+0x270/0x300 kernel/kthread.c:376 > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 > </TASK> > ... > Call Trace: > <TASK> > folio_mark_accessed+0x51c/0xf00 mm/swap.c:515 > __nilfs_get_page_block fs/nilfs2/page.c:42 [inline] > nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61 > nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121 > nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176 > nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251 > nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline] > nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline] > nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777 > nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422 > nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline] > nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301 > ... > > This fixes these issues by inserting appropriate minimum device size > checks or anti-underflow checks, depending on where the macro is used. > > Link: https://lkml.kernel.org/r/0000000000004e1dfa05f4a48e6b@xxxxxxxxxx > Link: https://lkml.kernel.org/r/20230214224043.24141-1-konishi.ryusuke@xxxxxxxxx > Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx> > Reported-by: <syzbot+f0c4082ce5ebebdac63b@xxxxxxxxxxxxxxxxxxxxxxxxx> > Tested-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx> > Cc: <stable@xxxxxxxxxxxxxxx> > Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> > --- > Please apply this patch to the above stable trees instead of the patch > that could not be applied to them last time. > > This replaces bdev_nr_bytes() with its equivalent reference since it > does not yet exist in these kernels. With this tweak, this patch is > applicable from v5.9 to v5.15. Also, this patch has been tested against > the title stable trees. > Now queued up, thanks! greg k-h
