From: Edward Adam Davis
To: syzbot+355da3b3a74881008e8f@syzkaller.appspotmail.com
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, shaggy@kernel.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] jfs: Prevent setting of nlink with value 0 from disk inode
Date: Sat, 21 Dec 2024 15:33:38 +0800
X-OQ-MSGID: <20241221073337.850991-2-eadavis@qq.com>
In-Reply-To: <673f2511.050a0220.3c9d61.016e.GAE@google.com>
References: <673f2511.050a0220.3c9d61.016e.GAE@google.com>

syzbot reported a deadlock in diFree. [1]

When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4,
which does not match the mounted loop device, causing the mapping of the
mounted loop device to be invalidated.

When creating the directory and creating the iag inode in diReadSpecial(),
the page of the fixed disk inode (AIT) is read in raw mode in
read_metapage(); the metapage data it returns is corrupted, which causes an
nlink value of 0 to be assigned to the iag inode when copy_from_dinode()
executes, which ultimately causes a deadlock when entering diFree().

To avoid this, first check the nlink value of the dinode before setting it
on the iag inode; if the value is 0, set it to 1.
[1]
WARNING: possible recursive locking detected
6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
--------------------------------------------
syz-executor301/5309 is trying to acquire lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889

but task is already holding lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(imap->im_aglock[index]));
  lock(&(imap->im_aglock[index]));

 *** DEADLOCK ***

 May be due to missing lock nesting notation

5 locks held by syz-executor301/5309:
 #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
 #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669

stack backtrace:
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
 check_deadlock kernel/locking/lockdep.c:3089 [inline]
 validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
 __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
 __mutex_lock_common kernel/locking/mutex.c:608 [inline]
 __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
 diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
 jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
 evict+0x4e8/0x9b0 fs/inode.c:725
 diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
 duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
 diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
 diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
 diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
 ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
 jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
 do_mkdirat+0x264/0x3a0 fs/namei.c:4280
 __do_sys_mkdirat fs/namei.c:4295 [inline]
 __se_sys_mkdirat fs/namei.c:4293 [inline]
 __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+355da3b3a74881008e8f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=355da3b3a74881008e8f
Signed-off-by: Edward Adam Davis
---
 fs/jfs/jfs_imap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index a360b24ed320..78892d252159 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -3035,6 +3035,7 @@ static int copy_from_dinode(struct dinode * dip, stru= ct inode *ip) { struct jfs_inode_info *jfs_ip =3D JFS_IP(ip); struct jfs_sb_info *sbi =3D JFS_SBI(ip->i_sb); + u32 di_nlink; =20 jfs_ip->fileset =3D le32_to_cpu(dip->di_fileset); jfs_ip->mode2 =3D le32_to_cpu(dip->di_mode); @@ -3053,7 +3054,9 @@ static int copy_from_dinode(struct dinode * dip, stru= ct inode *ip) ip->i_mode |=3D 0001; } } - set_nlink(ip, le32_to_cpu(dip->di_nlink)); + + di_nlink =3D le32_to_cpu(dip->di_nlink); + set_nlink(ip, di_nlink > 0 ? di_nlink : 1); =20 jfs_ip->saved_uid =3D make_kuid(&init_user_ns, le32_to_cpu(dip->di_uid)); if (!uid_valid(sbi->uid)) --=20 2.47.0
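Review bot: in the second hunk, substituting 1 when the on-disk nlink is 0 masks the corruption the commit message itself names as the root cause (a corrupted metapage returned by read_metapage()) and leaves ip->i_nlink disagreeing with the dinode it was copied from, so the kernel keeps operating on an inode it has already determined to be bad. copy_from_dinode() is declared `static int` in the hunk header, so a more defensive change is to treat a zero di_nlink as a corrupt inode and fail the copy, e.g. `if (di_nlink == 0) return -EIO;` followed by the unchanged `set_nlink(ip, di_nlink);`, letting the caller refuse the inode instead of continuing with an invented link count; the commit message should then describe the failure rather than the clamp. Separately, the first added `+` line in that hunk introduces only a blank line before the assignment, an unrelated whitespace change that should be dropped.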