Forwarded: [PATCH] nilfs2: fix missing i_assoc_inode initialization in nilfs_iget_for_shadow

syzbot posted 1 patch 2 weeks, 6 days ago
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] nilfs2: fix missing i_assoc_inode initialization in nilfs_iget_for_shadow
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master


When nilfs_iget_for_shadow() finds a cached shadow inode (I_NEW not
set), it returns the original inode instead of the cached shadow inode.
This causes nilfs_mdt_setup_shadow_map() to store the wrong inode as
shadow->inode, so subsequent calls to nilfs_mdt_save_to_shadow_map()
dereference the wrong inode's i_assoc_inode which may be NULL, leading
to a general protection fault.

Fix this by returning s_inode instead of inode on the cache hit path.

Reported-by: syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/nilfs2/inode.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index 51bde45d5865..60cfcc209cf7 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -686,6 +686,10 @@ struct inode *nilfs_iget_for_shadow(struct inode *inode)
 			       nilfs_iget_set, &args);
 	if (unlikely(!s_inode))
 		return ERR_PTR(-ENOMEM);
+	pr_err("NILFS DEBUG: s_inode=%px I_NEW=%d i_assoc=%px\n",
+	        s_inode,
+		!!(inode_state_read_once(s_inode) & I_NEW),
+		NILFS_I(s_inode)->i_assoc_inode);
 	if (!(inode_state_read_once(s_inode) & I_NEW))
 		return inode;
 
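Review bot: the hunk does not implement the fix the commit message describes; the cache-hit path at the end of the hunk still reads `return inode;`, whereas the message says it should return `s_inode`, and the only change here is the added `pr_err()`. For a final patch, drop the debug print and change `return inode;` to `return s_inode;`. If the print is only for this `#syz test` run, note that `%px` emits unhashed kernel pointers into the log, which defeats KASLR, so it should not survive into the submitted version (plain `%p` or no pointer output is the usual choice), and the continuation lines mix spaces and tabs (`s_inode,` is space-indented while the following two lines use tabs).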
-- 
2.43.0