From nobody Sat Feb 7 17:20:18 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3D67E23F36D for ; Mon, 3 Mar 2025 03:48:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740973690; cv=none; b=VnNaHqGA/YfQv1Sz25PluohMdbgc8/fBNf+JG+zQboClt0IRh6uboU2UINzXEfnguQzjAuSaQBAEgXgkmi6FR7TIOXN9kjtXtYLlmUpCtfuiNfFxxSMt+/6La5fTWxO+DOmZA79EGFdFDUcqOMqI0zm2dKyKclYjDanSWwF8gK0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740973690; c=relaxed/simple; bh=Q4EsHzFu7W+a0NYcnNSUCxAn6bGe2wN70WdlrxfrVUk=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=hbitf+QOJV1jCrjMM9fqEdcctvyPtsHcJQMnhF7p/S1qtPpxrx4B4QWZxXLhKgrJ5Ot4i1PSxjKJVuAkgQo1g01pbr4yZ0B8mW0DpqYLT6ul+cJJkNUJx6q4VsYqYTmqrmUMub7mY5VDfHVQnrnHVYAlTgrQRrtKxKtsFYdzCPQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=uv3lF58d; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="uv3lF58d" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 545F5C4CED6; Mon, 3 Mar 2025 03:48:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1740973689; bh=Q4EsHzFu7W+a0NYcnNSUCxAn6bGe2wN70WdlrxfrVUk=; h=From:To:Cc:Subject:Date:From; b=uv3lF58dTmuX5e0dfQvHx3MjxyVxEWNiO0mbh11YhXyyw7Pn5loIPHJrk50qmtCPM RE/TdAIYDGNz9n4sEYW2snlHhymS7CPyqM4Ky2t0VQxyrS8CWVQBaGC+zy9U0EhArQ Op6lH02C9KTd+C4lWO0fufZbe/2TMaiWWr4IBUIXrws74vmS3En1nS3C4P/iYzMNYt XSBTlFdAkYKX1r8nraTX1JZxghwcqOvefV5EDsTVDOlMsVizURsxBTjh7pPPkMvaTm fjvM2NSBj6HHozBycTgGOjk+VgBNbVNGpUAaFonEpaGMOVsUFrStrpYYFg3jiTEtD+ ZckyXj3Vw5xAA== From: Chao Yu To: jaegeuk@kernel.org Cc: linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, Chao Yu , syzbot+6653f10281a1badc749e@syzkaller.appspotmail.com Subject: [PATCH] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Date: Mon, 3 Mar 2025 11:47:38 +0800 Message-ID: <20250303034738.1355927-1-chao@kernel.org> X-Mailer: git-send-email 2.48.1.711.g2feabab25a-goog Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" syzbot reports an UBSAN issue as below: Reported-by: syzbot+6653f10281a1badc749e@syzkaller.appspotmail.com ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10 index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsig= ned int[5]') CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-0006= 0-g6537cfb395f3 #0 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429 get_nid fs/f2fs/node.h:381 [inline] f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181 f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808 f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836 f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886 f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093 aio_write+0x56b/0x7c0 fs/aio.c:1633 io_submit_one+0x8a7/0x18a0 fs/aio.c:2052 __do_sys_io_submit fs/aio.c:2111 [inline] __se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f238798cde9 index 18446744073709550692 (decimal, unsigned long long) =3D 0xfffffffffffffc64 (hexadecimal, unsigned long long) =3D -924 (decimal, long long) In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to access .i_nid[-924], it means both offset[0] and level should zero. The possible case should be in f2fs_do_truncate_blocks(), we try to truncate inode size to zero, however, dn.ofs_in_node is zero and dn.node_page is not an inode page, so it fails to truncate inode page, and then pass zeroed free_from to f2fs_truncate_inode_blocks(), result in this issue. if (dn.ofs_in_node || IS_INODE(dn.node_page)) { f2fs_truncate_data_blocks_range(&dn, count); free_from +=3D count; } I guess the reason why dn.node_page is not an inode page could be: there are multiple nat entries share the same node block address, once the node block address was reused, f2fs_get_node_page() may load a non-inode block. Let's add a sanity check for such condition to avoid out-of-bounds access issue. Reported-by: syzbot+6653f10281a1badc749e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/66fdcdf3.050a0220.40bef.0025.GAE@google= .com Signed-off-by: Chao Yu --- fs/f2fs/node.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c index e1ed7ccfb690..36614a1c2590 100644 --- a/fs/f2fs/node.c +++ b/fs/f2fs/node.c @@ -1135,7 +1135,14 @@ int f2fs_truncate_inode_blocks(struct inode *inode, = pgoff_t from) trace_f2fs_truncate_inode_blocks_enter(inode, from); =20 level =3D get_node_path(inode, from, offset, noffset); - if (level < 0) { + if (level <=3D 0) { + if (!level) { + level =3D -EFSCORRUPTED; + f2fs_err(sbi, "%s: inode ino=3D%lx has corrupted node block, from:%lu a= ddrs:%u", + __func__, inode->i_ino, + from, ADDRS_PER_INODE(inode)); + set_sbi_flag(sbi, SBI_NEED_FSCK); + } trace_f2fs_truncate_inode_blocks_exit(inode, level); return level; } --=20 2.48.1