Commit a6a491c

konis authored and akpm00 committed
nilfs2: fix infinite loop in nilfs_mdt_get_block()
If the disk image that nilfs2 mounts is corrupted and a virtual block address obtained by block lookup for a metadata file is invalid, nilfs_bmap_lookup_at_level() may return the same internal return code as -ENOENT, meaning the block does not exist in the metadata file.

This duplication of return codes confuses nilfs_mdt_get_block(), causing it to read and create a metadata block indefinitely.

In particular, if this happens to the inode metadata file, ifile, semaphore i_rwsem can be left held, causing task hangs in lock_mount.

Fix this issue by making nilfs_bmap_lookup_at_level() treat virtual block address translation failures with -ENOENT as metadata corruption instead of returning the error code.

Link: https://lkml.kernel.org/r/20230430193046.6769-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+221d75710bde87fa0e97@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=221d75710bde87fa0e97
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
1 parent 29417d2 commit a6a491c

1 file changed: +12 -4 lines changed

fs/nilfs2/bmap.c

Lines changed: 12 additions & 4 deletions
@@ -67,20 +67,28 @@ int nilfs_bmap_lookup_at_level(struct nilfs_bmap *bmap, __u64 key, int level,
6767

6868
down_read(&bmap->b_sem);
6969
ret = bmap->b_ops->bop_lookup(bmap, key, level, ptrp);
70-
if (ret < 0) {
71-
ret = nilfs_bmap_convert_error(bmap, __func__, ret);
70+
if (ret < 0)
7271
goto out;
73-
}
72+
7473
if (NILFS_BMAP_USE_VBN(bmap)) {
7574
ret = nilfs_dat_translate(nilfs_bmap_get_dat(bmap), *ptrp,
7675
&blocknr);
7776
if (!ret)
7877
*ptrp = blocknr;
78+
else if (ret == -ENOENT) {
79+
/*
80+
* If there was no valid entry in DAT for the block
81+
* address obtained by b_ops->bop_lookup, then pass
82+
* internal code -EINVAL to nilfs_bmap_convert_error
83+
* to treat it as metadata corruption.
84+
*/
85+
ret = -EINVAL;
86+
}
7987
}
8088

8189
out:
8290
up_read(&bmap->b_sem);
83-
return ret;
91+
return nilfs_bmap_convert_error(bmap, __func__, ret);
8492
}
8593

8694
int nilfs_bmap_lookup_contig(struct nilfs_bmap *bmap, __u64 key, __u64 *ptrp,
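
Review bot: the new `return nilfs_bmap_convert_error(bmap, __func__, ret);` after `out:` now runs on every exit path, including success (`ret == 0`) and any other negative result from `nilfs_dat_translate()`, where the old code only converted a negative `bop_lookup` result. The definition of `nilfs_bmap_convert_error()` is not visible in this hunk, so please confirm it returns every value other than the internal corruption code unchanged, or keep the call behind an `if (ret < 0)` check so the success path does not depend on that. It would also help to state in the function's comment that, after this change, -ENOENT from `nilfs_bmap_lookup_at_level()` can only come from `bop_lookup`, since that is the contract `nilfs_mdt_get_block()` relies on. Style point in the same block: `if (!ret)` is left unbraced while the added `else if (ret == -ENOENT) { ... }` branch is braced; kernel coding style asks for braces on both branches once one of them needs them.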
