Forwarded: [PATCH] nilfs2: fix missing continue after -ENOENT in nilfs_ioctl_mark_blocks_dirty()

syzbot posted 1 patch 2 weeks, 1 day ago
fs/nilfs2/ioctl.c | 1 +
1 file changed, 1 insertion(+)
Posted by syzbot 2 weeks, 1 day ago
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] nilfs2: fix missing continue after -ENOENT in nilfs_ioctl_mark_blocks_dirty()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


nilfs_ioctl_mark_blocks_dirty() calls nilfs_bmap_lookup_at_level() to
get the current block number of each block descriptor. When the lookup
returns -ENOENT, meaning the block does not exist, it sets bd_blocknr
to 0 and continues processing.

However, if bd_oblocknr is also 0, the subsequent check:

  if (bdescs[i].bd_blocknr != bdescs[i].bd_oblocknr)
          continue;

will not skip the block, and nilfs_bmap_mark() will be called on a
non-existent block. This causes nilfs_btree_do_lookup() to return
-ENOENT, triggering the WARN_ON(ret == -ENOENT).

Fix this by adding a continue statement after setting bd_blocknr to 0
when the lookup returns -ENOENT, so that dead blocks are always skipped
regardless of the value of bd_oblocknr.

Fixes: 7942b919f732 ("nilfs2: ioctl operations")
Reported-by: syzbot+98a040252119df0506f8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=98a040252119df0506f8
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/nilfs2/ioctl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index e17b8da66491..1615a314f557 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -745,6 +745,7 @@ static int nilfs_ioctl_mark_blocks_dirty(struct the_nilfs *nilfs,
 			if (ret != -ENOENT)
 				return ret;
 			bdescs[i].bd_blocknr = 0;
+			continue;
 		}
 		if (bdescs[i].bd_blocknr != bdescs[i].bd_oblocknr)
 			/* skip dead block */
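
Review bot: in the -ENOENT branch, the added `continue` leaves the preceding `bdescs[i].bd_blocknr = 0;` as a store that nothing in the visible loop body reads for this iteration, since the only visible consumer is the `bd_blocknr != bd_oblocknr` comparison that is now bypassed. If no later code depends on bd_blocknr being zeroed for a missing block, drop the assignment; if something does, say so in a comment. The new `continue` is also uncommented, while the comparison path right below carries `/* skip dead block */`; a short comment on the new line would show that both paths skip for the same reason. Going by the commit message, the only input whose behaviour changes is a descriptor with bd_oblocknr == 0, so it would help to state in the changelog that returning success and silently skipping such a descriptor is the intended result.
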
-- 
2.43.0