linux/fs/ocfs2
Dmitry Antipov 23aab03710 ocfs2: fix UBSAN warning in ocfs2_verify_volume()
Syzbot has reported the following splat triggered by UBSAN:

UBSAN: shift-out-of-bounds in fs/ocfs2/super.c:2336:10
shift exponent 32768 is too large for 32-bit type 'int'
CPU: 2 UID: 0 PID: 5255 Comm: repro Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x241/0x360
 ? __pfx_dump_stack_lvl+0x10/0x10
 ? __pfx__printk+0x10/0x10
 ? __asan_memset+0x23/0x50
 ? lockdep_init_map_type+0xa1/0x910
 __ubsan_handle_shift_out_of_bounds+0x3c8/0x420
 ocfs2_fill_super+0xf9c/0x5750
 ? __pfx_ocfs2_fill_super+0x10/0x10
 ? __pfx_validate_chain+0x10/0x10
 ? __pfx_validate_chain+0x10/0x10
 ? validate_chain+0x11e/0x5920
 ? __lock_acquire+0x1384/0x2050
 ? __pfx_validate_chain+0x10/0x10
 ? string+0x26a/0x2b0
 ? widen_string+0x3a/0x310
 ? string+0x26a/0x2b0
 ? bdev_name+0x2b1/0x3c0
 ? pointer+0x703/0x1210
 ? __pfx_pointer+0x10/0x10
 ? __pfx_format_decode+0x10/0x10
 ? __lock_acquire+0x1384/0x2050
 ? vsnprintf+0x1ccd/0x1da0
 ? snprintf+0xda/0x120
 ? __pfx_lock_release+0x10/0x10
 ? do_raw_spin_lock+0x14f/0x370
 ? __pfx_snprintf+0x10/0x10
 ? set_blocksize+0x1f9/0x360
 ? sb_set_blocksize+0x98/0xf0
 ? setup_bdev_super+0x4e6/0x5d0
 mount_bdev+0x20c/0x2d0
 ? __pfx_ocfs2_fill_super+0x10/0x10
 ? __pfx_mount_bdev+0x10/0x10
 ? vfs_parse_fs_string+0x190/0x230
 ? __pfx_vfs_parse_fs_string+0x10/0x10
 legacy_get_tree+0xf0/0x190
 ? __pfx_ocfs2_mount+0x10/0x10
 vfs_get_tree+0x92/0x2b0
 do_new_mount+0x2be/0xb40
 ? __pfx_do_new_mount+0x10/0x10
 __se_sys_mount+0x2d6/0x3c0
 ? __pfx___se_sys_mount+0x10/0x10
 ? do_syscall_64+0x100/0x230
 ? __x64_sys_mount+0x20/0xc0
 do_syscall_64+0xf3/0x230
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f37cae96fda
Code: 48 8b 0d 51 ce 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e ce 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007fff6c1aa228 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff6c1aa240 RCX: 00007f37cae96fda
RDX: 00000000200002c0 RSI: 0000000020000040 RDI: 00007fff6c1aa240
RBP: 0000000000000004 R08: 00007fff6c1aa280 R09: 0000000000000000
R10: 00000000000008c0 R11: 0000000000000206 R12: 00000000000008c0
R13: 00007fff6c1aa280 R14: 0000000000000003 R15: 0000000001000000
 </TASK>

For a really damaged superblock, the value of 'i_super.s_blocksize_bits'
may exceed the maximum possible shift for an underlying 'int'.  So add an
extra check whether the aforementioned field represents the valid block
size, which is 512 bytes, 1K, 2K, or 4K.

Link: https://lkml.kernel.org/r/20241106092100.2661330-1-dmantipov@yandex.ru
Fixes: ccd979bdbc ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+56f7cd1abe4b8e475180@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=56f7cd1abe4b8e475180
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2024-11-11 17:20:23 -08:00
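The bug class in this commit is a trust-boundary problem: a value read straight from on-disk metadata (`s_blocksize_bits`) is used as a shift exponent before anyone checks that it is in range, and a crafted or corrupted superblock turns the shift into undefined behaviour. The following C program is an added illustration of the hardening pattern the commit describes, not code from the kernel or from the commit itself; the struct layout, field offset, `demo_` function names and the constructed superblock bytes are all assumptions made for the example. It decodes the field from a little-endian buffer the way a kernel would, shows the exact condition UBSAN flagged (exponent not less than the type width), and contrasts it with the far stricter filesystem-level check the commit message calls for: the field must encode one of 512, 1K, 2K or 4K, i.e. lie in 9..12.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the single superblock field involved in the report.
 * This is a hypothetical layout for illustration, not the real
 * struct ocfs2_super_block from fs/ocfs2/ocfs2_fs.h.
 */
struct demo_super {
    uint32_t s_blocksize_bits; /* log2 of the block size, host byte order */
};

/* Allowed block sizes per the commit message: 512, 1K, 2K, 4K => 2^9 .. 2^12. */
#define DEMO_MIN_BLOCKSIZE_BITS 9u
#define DEMO_MAX_BLOCKSIZE_BITS 12u

/* Decode a little-endian u32, as le32_to_cpu() does in the kernel. */
static uint32_t demo_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the field out of a raw on-disk buffer; returns -1 if the buffer is too short. */
int demo_read_super(const uint8_t *buf, size_t len, size_t field_off,
                    struct demo_super *out)
{
    if (len < field_off + 4)
        return -1;
    out->s_blocksize_bits = demo_le32(buf + field_off);
    return 0;
}

/* The condition UBSAN reports: a shift exponent must be smaller than the type width. */
bool demo_shift_out_of_bounds(uint32_t bits, unsigned type_width)
{
    return bits >= type_width;
}

/* The filesystem-level check: much stricter than merely avoiding undefined behaviour. */
bool demo_blocksize_bits_valid(uint32_t bits)
{
    return bits >= DEMO_MIN_BLOCKSIZE_BITS && bits <= DEMO_MAX_BLOCKSIZE_BITS;
}

/*
 * Hardened computation: validate before shifting. Returns the block size in
 * bytes, or 0 for a corrupt superblock (a mount path would fail the mount
 * with an error here instead of performing the shift).
 */
unsigned long demo_blocksize_bytes(const struct demo_super *sb)
{
    if (!demo_blocksize_bits_valid(sb->s_blocksize_bits))
        return 0;
    return 1UL << sb->s_blocksize_bits; /* exponent is now known to be 9..12 */
}

int main(void)
{
    /* Constructed 8-byte superblock fragments; the field sits at offset 4. */
    const uint8_t good[8] = { 0, 0, 0, 0, 12, 0, 0, 0 };      /* bits = 12 -> 4K */
    const uint8_t bad[8]  = { 0, 0, 0, 0, 0x00, 0x80, 0, 0 }; /* bits = 32768, as in the report */
    struct demo_super sb;

    demo_read_super(good, sizeof good, 4, &sb);
    printf("bits=%u valid=%d bytes=%lu\n", sb.s_blocksize_bits,
           demo_blocksize_bits_valid(sb.s_blocksize_bits),
           demo_blocksize_bytes(&sb));

    demo_read_super(bad, sizeof bad, 4, &sb);
    printf("bits=%u ubsan_oob=%d valid=%d bytes=%lu\n", sb.s_blocksize_bits,
           demo_shift_out_of_bounds(sb.s_blocksize_bits, 32),
           demo_blocksize_bits_valid(sb.s_blocksize_bits),
           demo_blocksize_bytes(&sb));
    return 0;
}
```

The point of keeping both checks side by side is that an exponent such as 31 would pass the undefined-behaviour test yet still describe a block size no ocfs2 volume can have, so the range check on the decoded field, not the absence of a sanitizer warning, is what actually makes the mount path safe against a damaged superblock.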
cluster introduce fd_file(), convert all accessors to it. 2024-08-12 22:00:43 -04:00
dlm ocfs2: remove redundant assignment to variable status 2024-05-08 08:41:27 -07:00
dlmfs ocfs2: remove SLAB_MEM_SPREAD flag usage 2024-03-14 09:17:29 -07:00
acl.c ocfs2: convert to new timestamp accessors 2023-10-18 14:08:24 +02:00
acl.h fs: port ->set_acl() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
alloc.c fs: convert block_write_full_page to block_write_full_folio 2023-12-29 11:58:35 -08:00
alloc.h
aops.c ocfs2: fix uninit-value in ocfs2_get_block() 2024-09-26 14:01:45 -07:00
aops.h fs: Convert aops->write_begin to take a folio 2024-08-07 11:33:21 +02:00
blockcheck.c
blockcheck.h
buffer_head_io.c ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate 2024-09-09 15:15:54 -07:00
buffer_head_io.h
dcache.c ocfs2_find_match(): there's no such thing as NULL or negative ->d_parent 2023-12-21 12:53:30 -05:00
dcache.h
dir.c Many singleton patches - please see the various changelogs for details. 2024-09-21 08:20:50 -07:00
dir.h
dlmglue.c ocfs2: use max() to improve ocfs2_dlm_seq_show() 2024-09-01 20:43:38 -07:00
dlmglue.h
export.c ocfs2: fix sparse warnings 2024-04-25 21:07:04 -07:00
export.h
extent_map.c ocfs2: fix deadlock in ocfs2_get_system_file_inode 2024-09-26 14:01:44 -07:00
extent_map.h
file.c ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow 2024-10-28 21:40:40 -07:00
file.h ocfs2: store cookie in private data 2024-09-12 11:58:44 +02:00
filecheck.c
filecheck.h
heartbeat.c ocfs2: fix a typo in a comment 2022-07-29 18:12:36 -07:00
heartbeat.h
inode.c ocfs2: fix sparse warnings 2024-04-25 21:07:04 -07:00
inode.h quota: Properly annotate i_dquot arrays with __rcu 2024-02-08 12:04:59 +01:00
ioctl.c ocfs2: update inode ctime in ocfs2_fileattr_set 2024-04-25 21:07:01 -07:00
ioctl.h fs: port ->fileattr_set() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
journal.c ocfs2: fix null-ptr-deref when journal load failed. 2024-09-09 15:15:53 -07:00
journal.h ocfs2: fix DIO failure due to insufficient transaction credits 2024-06-24 20:52:10 -07:00
Kconfig fs: add CONFIG_BUFFER_HEAD 2023-08-02 09:13:09 -06:00
localalloc.c ocfs2: fix the la space leak when unmounting an ocfs2 volume 2024-09-01 20:43:23 -07:00
localalloc.h
locks.c ocfs2: adapt to breakup of struct file_lock 2024-02-05 13:11:43 +01:00
locks.h
Makefile
mmap.c fs: Convert aops->write_begin to take a folio 2024-08-07 11:33:21 +02:00
mmap.h
move_extents.c ocfs2: improve write IO performance when fragmentation is high 2024-04-25 21:07:03 -07:00
move_extents.h
namei.c fs: add kernel-doc comments to ocfs2_prepare_orphan_dir() 2024-07-04 23:43:10 -07:00
namei.h
ocfs1_fs_compat.h
ocfs2_fs.h ocfs2: improve write IO performance when fragmentation is high 2024-04-25 21:07:03 -07:00
ocfs2_ioctl.h
ocfs2_lockid.h
ocfs2_lockingver.h
ocfs2_trace.h ocfs2: fix DIO failure due to insufficient transaction credits 2024-06-24 20:52:10 -07:00
ocfs2.h ocfs2: constify struct ocfs2_lock_res_ops 2024-06-24 22:25:10 -07:00
quota_global.c ocfs2: cleanup return value and mlog in ocfs2_global_read_info() 2024-09-09 16:47:43 -07:00
quota_local.c ocfs2: cancel dqi_sync_work before freeing oinfo 2024-09-09 15:15:54 -07:00
quota.h
refcounttree.c ocfs2: reserve space for inline xattr before attaching reflink tree 2024-09-26 14:01:44 -07:00
refcounttree.h
reservations.c ocfs2: correctly use ocfs2_find_next_zero_bit() 2024-04-25 21:07:01 -07:00
reservations.h ocfs2: change return type of ocfs2_resmap_init 2022-04-29 14:37:58 -07:00
resize.c ocfs2: improve write IO performance when fragmentation is high 2024-04-25 21:07:03 -07:00
resize.h
slot_map.c ocfs2: Annotate struct ocfs2_slot_info with __counted_by 2023-10-02 09:48:52 -07:00
slot_map.h
stack_o2cb.c ocfs2: constify struct ocfs2_stack_operations 2024-06-24 22:25:10 -07:00
stack_user.c ocfs2: constify struct ocfs2_stack_operations 2024-06-24 22:25:10 -07:00
stackglue.c fs: Remove the now superfluous sentinel elements from ctl_table array 2023-12-28 04:57:57 -08:00
stackglue.h ocfs2: constify struct ocfs2_stack_operations 2024-06-24 22:25:10 -07:00
suballoc.c ocfs2: speed up chain-list searching 2024-04-25 21:07:04 -07:00
suballoc.h ocfs2: improve write IO performance when fragmentation is high 2024-04-25 21:07:03 -07:00
super.c ocfs2: fix UBSAN warning in ocfs2_verify_volume() 2024-11-11 17:20:23 -08:00
super.h
symlink.c ocfs2: Convert ocfs2 to read_folio 2022-05-09 16:21:46 -04:00
symlink.h
sysfile.c
sysfile.h
uptodate.c
uptodate.h
xattr.c ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() 2024-11-07 14:14:59 -08:00
xattr.h ocfs2: move ocfs2_xattr_handlers and ocfs2_xattr_handler_map to .rodata 2023-10-09 16:24:20 +02:00