Re: [PATCH 4.14 4.19 5.4] nilfs2: reject devices with insufficient block count


On Mon, Jun 19, 2023 at 07:55:24PM +0900, Ryusuke Konishi wrote:
> commit 92c5d1b860e9581d64baca76779576c0ab0d943d upstream.
> 
> The current sanity check for nilfs2 geometry information lacks checks for
> the number of segments stored in superblocks, so even for device images
> that have been destructively truncated or have an unusually high number of
> segments, the mount operation may succeed.
> 
> This causes out-of-bounds block I/O on file system block reads or log
> writes to the segments, the latter in particular causing
> "a_ops->writepages" to repeatedly fail, resulting in sync_inodes_sb() to
> hang.
> 
> Fix this issue by checking the number of segments stored in the superblock
> and avoiding mounting devices that can cause out-of-bounds accesses.  To
> eliminate the possibility of overflow when calculating the number of
> blocks required for the device from the number of segments, this also adds
> a helper function to calculate the upper bound on the number of segments
> and inserts a check using it.
> 
> Link: https://lkml.kernel.org/r/20230526021332.3431-1-konishi.ryusuke@xxxxxxxxx
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
> Reported-by: syzbot+7d50f1e54a12ba3aeae2@xxxxxxxxxxxxxxxxxxxxxxxxx
>   Link: https://syzkaller.appspot.com/bug?extid=7d50f1e54a12ba3aeae2
> Tested-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> ---
> Please apply this patch to the above stable trees instead of the patch
> that could not be applied to them.  The hang issue reported by syzbot was
> confirmed to reproduce on these stable kernels using its reproducer.
> This fixes it.
> 
> In this patch, "sb_bdev_nr_blocks()" and "nilfs_err()" are replaced with
> their equivalents since they don't yet exist in these kernels.  With these
> tweaks, this patch is applicable from v4.8 to v5.8.  Also, this patch has
> been tested against the title stable trees.

Now queued up, thanks.

greg k-h
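
The overflow the quoted commit message guards against can be shown in user space. The following is an added example, not the patch's code and not from the nilfs2 tree: the function names and the sample geometry values are constructed for illustration, and it models only the two conditions the message describes (a segment count too large to multiply safely, and a device with too few blocks).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive check: the 64-bit product can wrap and slip under dev_blocks. */
static bool naive_geometry_ok(uint64_t nsegments, uint64_t blocks_per_segment,
                              uint64_t dev_blocks)
{
    return nsegments * blocks_per_segment <= dev_blocks;
}

/* Largest segment count whose block total still fits in 64 bits.
 * Hypothetical helper modelling the "upper bound" idea in the message. */
static uint64_t max_segment_count(uint64_t blocks_per_segment)
{
    return UINT64_MAX / blocks_per_segment;
}

/* Hardened check: bound the segment count first, then compare sizes. */
static bool checked_geometry_ok(uint64_t nsegments, uint64_t blocks_per_segment,
                                uint64_t dev_blocks)
{
    if (blocks_per_segment == 0)
        return false;                      /* malformed superblock field */
    if (nsegments > max_segment_count(blocks_per_segment))
        return false;                      /* unusually high segment count */
    return nsegments * blocks_per_segment <= dev_blocks; /* truncated device */
}

int main(void)
{
    const uint64_t bps = 2048;             /* constructed: blocks per segment */
    const uint64_t dev = 1ULL << 20;       /* constructed: blocks on device */
    const uint64_t huge = (1ULL << 53) + 1; /* huge * bps wraps to 2048 */

    printf("valid image:     naive=%d checked=%d\n",
           naive_geometry_ok(512, bps, dev), checked_geometry_ok(512, bps, dev));
    printf("truncated image: naive=%d checked=%d\n",
           naive_geometry_ok(513, bps, dev), checked_geometry_ok(513, bps, dev));
    printf("wrapping count:  naive=%d checked=%d\n",
           naive_geometry_ok(huge, bps, dev), checked_geometry_ok(huge, bps, dev));
    return 0;
}
```

With the constructed values, only the third case separates the two checks: the wrapped product looks small enough to the naive comparison, while the bounded version rejects it before multiplying.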


