From: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx> Add a check in bfs_move_block to ensure the new buffer is up-to-date (buffer_uptodate) before calling mark_buffer_dirty. Found by Syzkaller: WARNING: CPU: 1 PID: 1046 at fs/buffer.c:1183 mark_buffer_dirty+0x394/0x3f0 CPU: 1 PID: 1046 Comm: mark_buffer_dir Not tainted 6.10.0-un-def-alt0.rc7.kasan Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014 RIP: 0010:mark_buffer_dirty+0x394/0x3f0 Call Trace: <TASK> ? show_regs+0x8d/0xa0 ? __warn+0xe6/0x380 ? mark_buffer_dirty+0x394/0x3f0 ? report_bug+0x348/0x480 ? handle_bug+0x60/0xc0 ? exc_invalid_op+0x13/0x50 ? asm_exc_invalid_op+0x16/0x20 ? mark_buffer_dirty+0x394/0x3f0 ? mark_buffer_dirty+0x394/0x3f0 bfs_get_block+0x3ec/0xe80 [bfs] ? __pfx_bfs_get_block+0x10/0x10 [bfs] __block_write_begin_int+0x4ae/0x16a0 ? __pfx_bfs_get_block+0x10/0x10 [bfs] ? __pfx___block_write_begin_int+0x10/0x10 block_write_begin+0xb5/0x410 ? __pfx_bfs_get_block+0x10/0x10 [bfs] bfs_write_begin+0x32/0xe0 [bfs] generic_perform_write+0x265/0x610 ? __pfx_generic_perform_write+0x10/0x10 ? generic_write_checks+0x323/0x4a0 ? __pfx_generic_file_write_iter+0x10/0x10 __generic_file_write_iter+0x16a/0x1b0 generic_file_write_iter+0xf0/0x360 ? __pfx_generic_file_write_iter+0x10/0x10 vfs_write+0x670/0x1120 ? __pfx_vfs_write+0x10/0x10 ksys_write+0x127/0x260 ? __pfx_ksys_write+0x10/0x10 do_syscall_64+0x9f/0x190 ? do_syscall_64+0xab/0x190 ? syscall_exit_to_user_mode+0xbb/0x1d0 ? do_syscall_64+0xab/0x190 ? lock_release+0x241/0x730 ? __ct_user_enter+0xb3/0xc0 ? __pfx_lock_release+0x10/0x10 ? get_vtime_delta+0x116/0x270 ? ct_kernel_exit.isra.0+0xbb/0xe0 ? __ct_user_enter+0x74/0xc0 ? syscall_exit_to_user_mode+0xbb/0x1d0 ? do_syscall_64+0xab/0x190 ? do_syscall_64+0xab/0x190 ? ct_kernel_exit.isra.0+0xbb/0xe0 ? clear_bhb_loop+0x45/0xa0 ? clear_bhb_loop+0x45/0xa0 ? 
clear_bhb_loop+0x45/0xa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f5bb79a4d2
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+d98fd19acd08b36ff422@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=d98fd19acd08b36ff422
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx>
---
 fs/bfs/file.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/bfs/file.c b/fs/bfs/file.c
index cb41ca2a2854e4..da91af8f41e097 100644
--- a/fs/bfs/file.c
+++ b/fs/bfs/file.c
@@ -45,8 +45,13 @@ static int bfs_move_block(unsigned long from, unsigned long to,
 		err = -EIO;
 		goto out_err_new;
 	}
+	if (!buffer_uptodate(new)) {
+		err = -EIO;
+		goto out_err;
+	}
 	memcpy(new->b_data, bh->b_data, bh->b_size);
 	mark_buffer_dirty(new);
+out_err:
 	brelse(new);
 out_err_new:
 	bforget(bh);
-- 
2.33.8
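Review bot: The added `if (!buffer_uptodate(new))` turns the normal state of a freshly obtained buffer into a hard -EIO: a block returned by sb_getblk() that has never been read from disk is not up to date, so on that path the move now fails outright, and the caller presumably reports a spurious I/O error where the old code only tripped the WARN in mark_buffer_dirty(). Because the memcpy on the next line overwrites all bh->b_size bytes of new->b_data, the buffer's contents are valid after the copy, and the usual way to satisfy mark_buffer_dirty() is to declare that rather than bail: `memcpy(new->b_data, bh->b_data, bh->b_size);` `set_buffer_uptodate(new);` `mark_buffer_dirty(new);`, dropping the new check and the `out_err:` label (the existing brelse(new) still runs on the success path). If the intent really is that a not-yet-read block must never be overwritten here, that precondition deserves a comment above the check, since nothing in the hunk explains why a stale buffer is an error rather than a target to fill. bfs_move_block's head (the sb_bread/sb_getblk calls and the null check whose `err = -EIO` is the first context line) and its return run outside the hunk.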