On Tue, Jul 16, 2024 at 01:27:11AM +0900, Ryusuke Konishi wrote:
> commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream.
>
> Syzbot reported that in rename directory operation on broken directory on
> nilfs2, __block_write_begin_int() called to prepare block write may fail
> BUG_ON check for access exceeding the folio/page size.
>
> This is because nilfs_dotdot(), which gets parent directory reference
> entry ("..") of the directory to be moved or renamed, does not check
> consistency enough, and may return location exceeding folio/page size for
> broken directories.
>
> Fix this issue by checking required directory entries ("." and "..") in
> the first chunk of the directory in nilfs_dotdot().
>
> Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@xxxxxxxxx
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
> Reported-by: syzbot+d3abed1ad3d367fa2627@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
> Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
> Tested-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> ---
> Please apply this patch to the stable trees indicated by the subject
> prefix instead of the patch that failed.
>
> This patch is tailored to take page/folio conversion into account and
> can be applied to these stable trees.
>
> Also, all the builds and tests I did on each stable tree passed.
Now queued up, thanks!
greg k-h
