[PATCH v3 0/3] udf: refactor udf_current_aext()/udf_next_aext()/inode_bmap() to handle error

Zhao Mengmeng posted 3 patches 1 month, 3 weeks ago
fs/udf/balloc.c    |  27 +++++---
fs/udf/directory.c |  23 +++++--
fs/udf/inode.c     | 167 +++++++++++++++++++++++++++++----------------
fs/udf/partition.c |   6 +-
fs/udf/super.c     |   3 +-
fs/udf/truncate.c  |  41 ++++++++---
fs/udf/udfdecl.h   |  15 ++--
7 files changed, 190 insertions(+), 92 deletions(-)
Posted by Zhao Mengmeng 1 month, 3 weeks ago
From: Zhao Mengmeng <zhaomengmeng@kylinos.cn>

syzbot reports a udf slab-out-of-bounds at [1] and I proposed a fix patch.
After talking with Jan, a better way to fix this is to refactor
udf_current_aext() and udf_next_aext() to differentiate between error and
"hit EOF".
This series refactors udf_current_aext(), udf_next_aext() and inode_bmap():
they take a pointer to etype to store the extent type, return 1 when
getting etype succeeds, return 0 when hitting EOF and return -errno on
error. It has passed the syz repro test.

[1]. https://lore.kernel.org/all/0000000000005093590621340ecf@google.com/

changelog:
v3:
----
 - Change function return rules: on error, ret < 0; on EOF, ret == 0;
   on success, ret == 1.
 - minor fix on return check

v2:
----
 - Take Jan's advice to fix the error handling code
 - Check all other places that may involve EOF and error checking
 - Add two macros to simplify the error checking of extent
 - https://lore.kernel.org/all/20240926120753.3639404-1-zhaomzhao@126.com/

v1:
----
 - https://lore.kernel.org/all/20240918093634.12906-1-zhaomzhao@126.com/

Zhao Mengmeng (3):
  udf: refactor udf_current_aext() to handle error
  udf: refactor udf_next_aext() to handle error
  udf: refactor inode_bmap() to handle error

 fs/udf/balloc.c    |  27 +++++---
 fs/udf/directory.c |  23 +++++--
 fs/udf/inode.c     | 167 +++++++++++++++++++++++++++++----------------
 fs/udf/partition.c |   6 +-
 fs/udf/super.c     |   3 +-
 fs/udf/truncate.c  |  41 ++++++++---
 fs/udf/udfdecl.h   |  15 ++--
 7 files changed, 190 insertions(+), 92 deletions(-)

-- 
2.43.0
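
The return convention described in the cover letter above, as an added user-space sketch that is not code from the patch series or from fs/udf. All `toy_*` names, the struct layout and the sample table are hypothetical and constructed for illustration; the error case modelled is a header that claims more descriptors than the buffer holds.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed user-space model; all names are hypothetical, not fs/udf code. */
struct toy_ext { uint8_t etype; uint32_t len; };
struct toy_pos {
	const struct toy_ext *tbl;	/* extent descriptors in the buffer */
	unsigned int cap, count, idx;	/* buffer capacity, claimed count, cursor */
};
static const struct toy_ext toy_tbl[3] = { {0, 4096}, {1, 8192}, {0, 512} };

/* Returns 1 and fills *etype / *len on success, 0 at EOF, -errno on error. */
static int toy_next_aext(struct toy_pos *p, uint8_t *etype, uint32_t *len)
{
	if (p->idx >= p->count)
		return 0;		/* clean end of the extent list */
	if (p->idx >= p->cap)
		return -EIO;		/* claimed count exceeds the buffer */
	*etype = p->tbl[p->idx].etype;
	*len = p->tbl[p->idx].len;
	p->idx++;
	return 1;
}

/* New-style caller: loop while ret > 0, then hand ret back unchanged. */
static int toy_total_len(struct toy_pos *p, uint64_t *total)
{
	uint8_t etype;
	uint32_t len;
	int ret;

	*total = 0;
	while ((ret = toy_next_aext(p, &etype, &len)) > 0)
		*total += len;
	return ret;			/* 0: walked to EOF, < 0: walk failed */
}

/* Old-style caller: "no extent" is one value, so a failed walk looks like EOF. */
static int toy_total_len_conflated(struct toy_pos *p, uint64_t *total)
{
	(void)toy_total_len(p, total);
	return 0;			/* partial total, error information lost */
}

int main(void)
{
	struct toy_pos a = { toy_tbl, 3, 5, 0 }, b = a;	/* constructed: claims 5, holds 3 */
	uint64_t t;
	/* exit 0 when the new caller reports -EIO and the old one reports success */
	return !(toy_total_len(&a, &t) == -EIO && toy_total_len_conflated(&b, &t) == 0);
}
```

With the conflated caller, the truncated walk and the clean walk produce the same total and the same return value, which is the ambiguity the three-way return removes.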
Re: [PATCH v3 0/3] udf: refactor udf_current_aext()/udf_next_aext()/inode_bmap() to handle error
Posted by Jan Kara 1 month, 3 weeks ago
On Tue 01-10-24 19:54:22, Zhao Mengmeng wrote:
> From: Zhao Mengmeng <zhaomengmeng@kylinos.cn>
> 
> syzbot reports a udf slab-out-of-bounds at [1] and I proposed a fix patch.
> After talking with Jan, a better way to fix this is to refactor
> udf_current_aext() and udf_next_aext() to differentiate between error and
> "hit EOF".
> This series refactors udf_current_aext(), udf_next_aext() and inode_bmap():
> they take a pointer to etype to store the extent type, return 1 when
> getting etype succeeds, return 0 when hitting EOF and return -errno on
> error. It has passed the syz repro test.
> 
> [1]. https://lore.kernel.org/all/0000000000005093590621340ecf@google.com/

Thanks! I did some minor code-style updates to the patches and picked them
up to my tree.

								Honza

> 
> changelog:
> v3:
> ----
>  - Change function return rules: on error, ret < 0; on EOF, ret == 0;
>    on success, ret == 1.
>  - minor fix on return check
> 
> v2:
> ----
>  - Take Jan's advice to fix the error handling code
>  - Check all other places that may involve EOF and error checking
>  - Add two macros to simplify the error checking of extent
>  - https://lore.kernel.org/all/20240926120753.3639404-1-zhaomzhao@126.com/
> 
> v1:
> ----
>  - https://lore.kernel.org/all/20240918093634.12906-1-zhaomzhao@126.com/
> 
> Zhao Mengmeng (3):
>   udf: refactor udf_current_aext() to handle error
>   udf: refactor udf_next_aext() to handle error
>   udf: refactor inode_bmap() to handle error
> 
>  fs/udf/balloc.c    |  27 +++++---
>  fs/udf/directory.c |  23 +++++--
>  fs/udf/inode.c     | 167 +++++++++++++++++++++++++++++----------------
>  fs/udf/partition.c |   6 +-
>  fs/udf/super.c     |   3 +-
>  fs/udf/truncate.c  |  41 ++++++++---
>  fs/udf/udfdecl.h   |  15 ++--
>  7 files changed, 190 insertions(+), 92 deletions(-)
> 
> -- 
> 2.43.0
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR