[syzbot] [ext4?] KASAN: use-after-free Write in ext4_insert_dentry


syzbot

Oct 25, 2024, 6:56:38 PM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot found the following issue on:

HEAD commit: 42f7652d3eb5 Linux 6.12-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15a89430580000
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=0c99c3f90699936c1e77
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162e625f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14695c87980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-42f7652d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/27fd6c638478/vmlinux-42f7652d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a5f529516264/bzImage-42f7652d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c97aae4b16ba/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0c99c3...@syzkaller.appspotmail.com

EXT4-fs error (device loop0): ext4_orphan_get:1393: comm syz-executor407: couldn't read orphan inode 15 (err -117)
EXT4-fs (loop0): mounted filesystem 00000007-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff88803f1f7f14 by task syz-executor407/5095

CPU: 0 UID: 0 PID: 5095 Comm: syz-executor407 Not tainted 6.12.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
do_symlinkat+0x222/0x3a0 fs/namei.c:4641
__do_sys_symlink fs/namei.c:4662 [inline]
__se_sys_symlink fs/namei.c:4660 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc65cf86b99
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffca8aeb358 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007fc65cf86b99
RDX: 0000000000000000 RSI: 0000000020000cc0 RDI: 0000000020000dc0
RBP: 00007fc65cffa5f0 R08: 00005555889c84c0 R09: 00005555889c84c0
R10: 00005555889c84c0 R11: 0000000000000246 R12: 00007ffca8aeb380
R13: 00007ffca8aeb5a8 R14: 431bde82d7b634db R15: 00007fc65cfcf03b
</TASK>

The buggy address belongs to the physical page:
page: refcount:3 mapcount:0 mapping:ffff888031cb4d78 index:0x3f pfn:0x3f1f7
memcg:ffff888030476000
aops:def_blk_aops ino:700000 dentry name(?):""
flags: 0x4fff08000004214(referenced|dirty|workingset|private|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff08000004214 0000000000000000 dead000000000122 ffff888031cb4d78
raw: 000000000000003f ffff8880454cc658 00000003ffffffff ffff888030476000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5095, tgid 5095 (syz-executor407), ts 63020312683, free_ts 62616757387
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_pages_noprof mm/mempolicy.c:2345 [inline]
folio_alloc_noprof+0x128/0x180 mm/mempolicy.c:2352
filemap_alloc_folio_noprof+0xdf/0x500 mm/filemap.c:1010
__filemap_get_folio+0x446/0xbd0 mm/filemap.c:1952
grow_dev_folio fs/buffer.c:1043 [inline]
grow_buffers fs/buffer.c:1109 [inline]
__getblk_slow fs/buffer.c:1135 [inline]
bdev_getblk+0x1d8/0x550 fs/buffer.c:1437
__getblk include/linux/buffer_head.h:380 [inline]
sb_getblk include/linux/buffer_head.h:386 [inline]
ext4_getblk+0x303/0x800 fs/ext4/inode.c:859
ext4_bread+0x2e/0x180 fs/ext4/inode.c:905
ext4_append+0x327/0x5c0 fs/ext4/namei.c:83
make_indexed_dir+0x523/0x1600 fs/ext4/namei.c:2272
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
page last free pid 5089 tgid 5089 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
folios_put_refs+0x76c/0x860 mm/swap.c:1007
free_pages_and_swap_cache+0x2ea/0x690 mm/swap_state.c:332
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
vms_clear_ptes+0x437/0x530 mm/vma.c:1096
vms_complete_munmap_vmas+0x208/0x910 mm/vma.c:1140
do_vmi_align_munmap+0x613/0x730 mm/vma.c:1349
do_vmi_munmap+0x24e/0x2d0 mm/vma.c:1397
__vm_munmap+0x24c/0x480 mm/mmap.c:1610
__do_sys_munmap mm/mmap.c:1627 [inline]
__se_sys_munmap mm/mmap.c:1624 [inline]
__x64_sys_munmap+0x68/0x80 mm/mmap.c:1624
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff88803f1f7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88803f1f7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88803f1f8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88803f1f8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88803f1f8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward Adam Davis

Oct 27, 2024, 12:53:35 AM
to syzbot+0c99c3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Directory entry space is too small for the file name?

#syz test

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 790db7eac6c2..cf11dcffe4bf 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2105,8 +2105,9 @@ void ext4_insert_dentry(struct inode *dir,
de->file_type = EXT4_FT_UNKNOWN;
de->inode = cpu_to_le32(inode->i_ino);
ext4_set_de_type(inode->i_sb, de, inode->i_mode);
- de->name_len = fname_len(fname);
- memcpy(de->name, fname_name(fname), fname_len(fname));
+ de->name_len = min_t(int, fname_len(fname), rlen - 8);
+ printk("rec length: %d, buf_size: %d, name length:%d, %s\n", rlen, buf_size, fname_len(fname), __func__);
+ memcpy(de->name, fname_name(fname), de->name_len);
if (ext4_hash_in_dirent(dir)) {
struct dx_hash_info *hinfo = &fname->hinfo;
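Review bot: the clamp `min_t(int, fname_len(fname), rlen - 8)` bounds the copy by the wrong record: `rlen` was read from the entry `de` pointed at on entry, and when that entry is occupied `de` is advanced to the split-off entry without `rlen` being recomputed, so the bound still describes the old record. syzbot's retest bears this out (rec length 500, name length 251, so the clamp changed nothing and the same 251-byte write was reported). Even with a correct bound, shortening `name_len` silently stores a different name than the caller requested instead of refusing the insert; fail the operation and report the directory as corrupt. The literal `8` should be `EXT4_BASE_DIR_LEN`, and the `printk` is debugging output that cannot go into a submitted patch.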


syzbot

Oct 27, 2024, 1:08:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in ext4_insert_dentry

rec length: 684, buf_size: 1024, name length:247, ext4_insert_dentry
rec length: 500, buf_size: 1024, name length:251, ext4_insert_dentry
==================================================================
BUG: KASAN: use-after-free in ext4_insert_dentry+0x3cb/0x790 fs/ext4/namei.c:2110
Write of size 251 at addr ffff888043963f14 by task syz.0.16/5618

CPU: 0 UID: 0 PID: 5618 Comm: syz.0.16 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
ext4_insert_dentry+0x3cb/0x790 fs/ext4/namei.c:2110
add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2155
make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2352
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2456
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2797
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3432
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
do_symlinkat+0x222/0x3a0 fs/namei.c:4641
__do_sys_symlink fs/namei.c:4662 [inline]
__se_sys_symlink fs/namei.c:4660 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f055e17dff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f055ef2c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f055e335f80 RCX: 00007f055e17dff9
RDX: 0000000000000000 RSI: 0000000020000cc0 RDI: 0000000020000dc0
RBP: 00007f055e1f0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f055e335f80 R15: 00007ffc1e1967c8
</TASK>

The buggy address belongs to the physical page:
page: refcount:3 mapcount:0 mapping:ffff888031d04d78 index:0x3f pfn:0x43963
memcg:ffff88803e45c000
aops:def_blk_aops ino:700000 dentry name(?):""
flags: 0x4fff08000004214(referenced|dirty|workingset|private|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff08000004214 0000000000000000 dead000000000122 ffff888031d04d78
raw: 000000000000003f ffff88804170d9f8 00000003ffffffff ffff88803e45c000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5618, tgid 5617 (syz.0.16), ts 118086176546, free_ts 118012117181
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_pages_noprof mm/mempolicy.c:2345 [inline]
folio_alloc_noprof+0x128/0x180 mm/mempolicy.c:2352
filemap_alloc_folio_noprof+0xdf/0x500 mm/filemap.c:1010
__filemap_get_folio+0x446/0xbd0 mm/filemap.c:1952
grow_dev_folio fs/buffer.c:1043 [inline]
grow_buffers fs/buffer.c:1109 [inline]
__getblk_slow fs/buffer.c:1135 [inline]
bdev_getblk+0x1d8/0x550 fs/buffer.c:1437
__getblk include/linux/buffer_head.h:380 [inline]
sb_getblk include/linux/buffer_head.h:386 [inline]
ext4_getblk+0x303/0x800 fs/ext4/inode.c:859
ext4_bread+0x2e/0x180 fs/ext4/inode.c:905
ext4_append+0x327/0x5c0 fs/ext4/namei.c:83
make_indexed_dir+0x523/0x1600 fs/ext4/namei.c:2273
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2456
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2797
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3432
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
page last free pid 5618 tgid 5617 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
folios_put_refs+0x76c/0x860 mm/swap.c:1007
free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
vms_clear_ptes+0x437/0x530 mm/vma.c:1096
vms_complete_munmap_vmas+0x208/0x910 mm/vma.c:1140
do_vmi_align_munmap+0x613/0x730 mm/vma.c:1349
do_vmi_munmap+0x24e/0x2d0 mm/vma.c:1397
__vm_munmap+0x24c/0x480 mm/mmap.c:1610
__do_sys_munmap mm/mmap.c:1627 [inline]
__se_sys_munmap mm/mmap.c:1624 [inline]
__x64_sys_munmap+0x68/0x80 mm/mmap.c:1624
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff888043963f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888043963f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888043964000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888043964080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888043964100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: 850925a8 Merge tag '9p-for-6.12-rc5' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c6c940580000
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=0c99c3f90699936c1e77
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14569230580000

Edward Adam Davis

Oct 27, 2024, 4:54:55 AM
to syzbot+0c99c3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Directory entry space is too small for the file name?

#syz test


diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 790db7eac6c2..cd1e1e8e0c04 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2098,15 +2098,19 @@ void ext4_insert_dentry(struct inode *dir,
if (de->inode) {
struct ext4_dir_entry_2 *de1 =
(struct ext4_dir_entry_2 *)((char *)de + nlen);
+ printk("old name: %s, old nl: %d, oonl: %d, %s\n", de->name, nlen, de->name_len, __func__);
de1->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
de->rec_len = ext4_rec_len_to_disk(nlen, buf_size);
de = de1;
+ rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
}
de->file_type = EXT4_FT_UNKNOWN;
de->inode = cpu_to_le32(inode->i_ino);
ext4_set_de_type(inode->i_sb, de, inode->i_mode);
- de->name_len = fname_len(fname);
- memcpy(de->name, fname_name(fname), fname_len(fname));
+ de->name_len = min_t(int, fname_len(fname), rlen - 8);
+ printk("rec length: %d, buf_size: %d, old nl: %d, name length:%d, %s\n",
+ rlen, buf_size, nlen, fname_len(fname), __func__);
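Review bot: `printk("old name: %s", de->name, ...)` prints an ext4 directory name with `%s`, but `de->name` is not NUL-terminated (its length is `de->name_len`), so the debug line itself reads beyond the name; use `%.*s` with `de->name_len` if it has to stay. Refreshing `rlen` after `de = de1` gives the clamp the right record, which is why syzbot's run of this version came back clean, but `min_t(int, fname_len(fname), rlen - 8)` still silently shortens the name instead of rejecting the insert, so an inconsistent directory receives an entry whose name is not the one the caller asked for. Replace the clamp with a check that fails the insert, use `EXT4_BASE_DIR_LEN` for the `8`, and drop both `printk` calls before submission.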

syzbot

Oct 27, 2024, 5:15:03 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+0c99c3...@syzkaller.appspotmail.com
Tested-by: syzbot+0c99c3...@syzkaller.appspotmail.com

Tested on:

commit: 850925a8 Merge tag '9p-for-6.12-rc5' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11cb9230580000
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=0c99c3f90699936c1e77
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10ec24a7980000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

Oct 27, 2024, 5:51:46 AM
to syzbot+0c99c3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Check the next directory entry's space; if it is too small for the file name, exit the dentry insert and return -EINVAL.

#syz test

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 44b0d418143c..dbd062f80c22 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2834,7 +2834,7 @@ extern int ext4_find_dest_de(struct inode *dir, struct inode *inode,
void *buf, int buf_size,
struct ext4_filename *fname,
struct ext4_dir_entry_2 **dest_de);
-void ext4_insert_dentry(struct inode *dir, struct inode *inode,
+static int ext4_insert_dentry(struct inode *dir, struct inode *inode,
struct ext4_dir_entry_2 *de,
int buf_size,
struct ext4_filename *fname);
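Review bot: `static int ext4_insert_dentry(...)` in a shared header gives the symbol internal linkage in every file that includes ext4.h, so the definition in namei.c is invisible to inline.c, whose call in the next hunk then fails to link (syzbot's build of this patch reports exactly `undefined reference to 'ext4_insert_dentry'`). The declaration should be `int ext4_insert_dentry(...)` without `static`, matching an external definition in namei.c.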
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 3536ca7e4fcc..e318b13459d1 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1022,7 +1022,9 @@ static int ext4_add_dirent_to_inline(handle_t *handle,
EXT4_JTR_NONE);
if (err)
return err;
- ext4_insert_dentry(dir, inode, de, inline_size, fname);
+ err = ext4_insert_dentry(dir, inode, de, inline_size, fname);
+ if (err)
+ return err;

ext4_show_inline_dir(dir, iloc->bh, inline_start, inline_size);

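Review bot: the failure is returned here bare, while the namei.c call site later in this patch wraps the same error in `ext4_std_error`; both callers should report it the same way. Note also that the `ext4_journal_get_write_access` call ending in `EXT4_JTR_NONE` above has already succeeded, and the helper introduced in namei.c rewrites `rec_len` fields before it decides to fail, so returning here leaves the inline directory area modified under the handle with no error recorded against the inode.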
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 790db7eac6c2..4ce1b207a4c0 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2084,24 +2084,38 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode,
return 0;
}

-void ext4_insert_dentry(struct inode *dir,
+static int ext4_check_next_dentry(struct inode *dir,
struct inode *inode,
struct ext4_dir_entry_2 *de,
int buf_size,
struct ext4_filename *fname)
{
-
int nlen, rlen;

nlen = ext4_dir_rec_len(de->name_len, dir);
rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
if (de->inode) {
- struct ext4_dir_entry_2 *de1 =
+ struct ext4_dir_entry_2 *nde =
(struct ext4_dir_entry_2 *)((char *)de + nlen);
- de1->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
+ nde->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
de->rec_len = ext4_rec_len_to_disk(nlen, buf_size);
- de = de1;
+ de = nde;
+ rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
+ return fname_len(fname) > rlen - EXT4_BASE_DIR_LEN;
}
+
+ return 0;
+}
+
+static int ext4_insert_dentry(struct inode *dir,
+ struct inode *inode,
+ struct ext4_dir_entry_2 *de,
+ int buf_size,
+ struct ext4_filename *fname)
+{
+ if (ext4_check_next_dentry(dir, inode, de, buf_size, fname))
+ return -EINVAL;
+
de->file_type = EXT4_FT_UNKNOWN;
de->inode = cpu_to_le32(inode->i_ino);
ext4_set_de_type(inode->i_sb, de, inode->i_mode);
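Review bot: moving the record split into `ext4_check_next_dentry` breaks the insert for an occupied slot: `de = nde` and the refreshed `rlen` only change the helper's local variables, so back in `ext4_insert_dentry` `de` still points at the existing entry, whose `rec_len` the helper has just shrunk to `nlen`, and the `de->inode`, `ext4_set_de_type` and name stores that follow overwrite that live entry instead of filling `nde`. Either keep the split in `ext4_insert_dentry` and have the helper only check space, or hand the new `de` back through a pointer argument. The size test is also too weak: it compares the raw name length with `rlen - EXT4_BASE_DIR_LEN`, but the record needs `ext4_dir_rec_len(fname_len(fname), dir)` bytes (the same helper used for `nlen` above), which adds 4-byte alignment and the hash fields for hash-in-dirent directories. The helper's `inode` parameter is unused. Finally, this condition means the on-disk directory is inconsistent, so `-EFSCORRUPTED` with an `EXT4_ERROR_INODE(dir, ...)` message fits better than `-EINVAL`.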
@@ -2114,6 +2128,8 @@ void ext4_insert_dentry(struct inode *dir,
EXT4_DIRENT_HASHES(de)->minor_hash =
cpu_to_le32(hinfo->minor_hash);
}
+
+ return 0;
}

/*
@@ -2151,7 +2167,11 @@ static int add_dirent_to_buf(handle_t *handle, struct ext4_filename *fname,
}

/* By now the buffer is marked for journaling */
- ext4_insert_dentry(dir, inode, de, blocksize, fname);
+ err = ext4_insert_dentry(dir, inode, de, blocksize, fname);
+ if (err) {
+ ext4_std_error(dir->i_sb, err);
+ return err;
+ }

/*
* XXX shouldn't update any times until successful
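Review bot: `ext4_std_error(dir->i_sb, err)` with `err == -EINVAL` records an argument error for what is actually an inconsistent on-disk directory block; the corruption checks elsewhere in ext4 use `EXT4_ERROR_INODE(dir, ...)` and return `-EFSCORRUPTED`, which also marks the filesystem and names the offending inode in the log. The comment above this line says the buffer is already marked for journaling, and the helper in the earlier hunk has already rewritten the `rec_len` fields before it reports failure, so this early return leaves a modified block inside the handle; the check needs to run before any on-disk field is touched.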

syzbot

Oct 27, 2024, 6:02:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/ext4/inline.c:1025: undefined reference to `ext4_insert_dentry'


Tested on:

commit: 850925a8 Merge tag '9p-for-6.12-rc5' of https://github..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=0c99c3f90699936c1e77
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=106a24a7980000

Edward Adam Davis

Oct 27, 2024, 6:27:06 AM
to syzbot+0c99c3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Check the next directory entry's space; if it is too small for the file name, exit the dentry insert and return -EINVAL.

#syz test

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 44b0d418143c..dbd062f80c22 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2834,7 +2834,7 @@ extern int ext4_find_dest_de(struct inode *dir, struct inode *inode,
void *buf, int buf_size,
struct ext4_filename *fname,
struct ext4_dir_entry_2 **dest_de);
-void ext4_insert_dentry(struct inode *dir, struct inode *inode,
+int ext4_insert_dentry(struct inode *dir, struct inode *inode,
struct ext4_dir_entry_2 *de,
int buf_size,
struct ext4_filename *fname);
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 3536ca7e4fcc..e318b13459d1 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1022,7 +1022,9 @@ static int ext4_add_dirent_to_inline(handle_t *handle,
EXT4_JTR_NONE);
if (err)
return err;
- ext4_insert_dentry(dir, inode, de, inline_size, fname);
+ err = ext4_insert_dentry(dir, inode, de, inline_size, fname);
+ if (err)
+ return err;

ext4_show_inline_dir(dir, iloc->bh, inline_start, inline_size);

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 790db7eac6c2..4ce1b207a4c0 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2084,24 +2084,38 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode,
return 0;
}

-void ext4_insert_dentry(struct inode *dir,
+int ext4_check_next_dentry(struct inode *dir,
struct inode *inode,
struct ext4_dir_entry_2 *de,
int buf_size,
struct ext4_filename *fname)
{
-
int nlen, rlen;

nlen = ext4_dir_rec_len(de->name_len, dir);
rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
if (de->inode) {
- struct ext4_dir_entry_2 *de1 =
+ struct ext4_dir_entry_2 *nde =
(struct ext4_dir_entry_2 *)((char *)de + nlen);
- de1->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
+ nde->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
de->rec_len = ext4_rec_len_to_disk(nlen, buf_size);
- de = de1;
+ de = nde;
+ rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
+ return fname_len(fname) > rlen - EXT4_BASE_DIR_LEN;
}
+
+ return 0;
+}
+
+int ext4_insert_dentry(struct inode *dir,
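Review bot: `ext4_check_next_dentry` now has external linkage but no header declares it, so a W=1 build warns `no previous prototype for 'ext4_check_next_dentry'` (the kernel test robot reports this further down the thread); it is only used in namei.c and should be `static`. Dropping `static` from `ext4_insert_dentry` resolves the link failure of the previous submission, but the logic problem remains: `de = nde` and the refreshed `rlen` only update the helper's locals, so the caller still writes the new entry's inode, type and name over the occupied entry whose `rec_len` was just cut to `nlen`, and `fname_len(fname) > rlen - EXT4_BASE_DIR_LEN` undercounts the record size compared with `ext4_dir_rec_len(fname_len(fname), dir)`. Note also that syzbot never got to run this version (one build failed, one VM setup failed), so no test result exists for it.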

syzbot

Oct 27, 2024, 6:40:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy syz-executor to VM: failed to run ["scp" "-P" "4280" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-executor" "root@localhost:/syz-executor"]: exit status 1
Warning: Permanently added '[localhost]:4280' (ED25519) to the list of known hosts.
scp: dest open "/syz-executor": Failure
scp: failed to upload file /syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-executor to /syz-executor




syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2867736819=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 14517542a3b
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=14517542a3bd08a1b323746361cf4d09eedeed9e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241021-111043'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"14517542a3bd08a1b323746361cf4d09eedeed9e\"
/usr/bin/ld: /tmp/ccgVaAIk.o: in function `test_cover_filter()':
executor.cc:(.text+0x1424b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/ccgVaAIk.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking



Tested on:

commit: 850925a8 Merge tag '9p-for-6.12-rc5' of https://github..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
dashboard link: https://syzkaller.appspot.com/bug?extid=0c99c3f90699936c1e77
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13493e5f980000

Edward Adam Davis

Oct 27, 2024, 7:10:19 AM
to syzbot+0c99c3...@syzkaller.appspotmail.com, adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Syzbot reported a use-after-free in ext4_insert_dentry.

Before inserting the next directory entry, it is necessary to confirm
whether there is enough space in the next directory entry.
When the space is insufficient, it will not be inserted and an error code
-EINVAL will be returned.

Reported-by: syzbot+0c99c3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c99c3f90699936c1e77
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/ext4/ext4.h | 2 +-
fs/ext4/inline.c | 4 +++-
fs/ext4/namei.c | 32 ++++++++++++++++++++++++++------
3 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 44b0d418143c..e07ac540ed00 100644
index 790db7eac6c2..843d23391b0c 100644
--
2.43.0

kernel test robot

Oct 27, 2024, 11:46:15 AM
to Edward Adam Davis, syzbot+0c99c3...@syzkaller.appspotmail.com, oe-kbu...@lists.linux.dev, adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Hi Edward,

kernel test robot noticed the following build warnings:

[auto build test WARNING on tytso-ext4/dev]
[also build test WARNING on linus/master v6.12-rc4 next-20241025]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Edward-Adam-Davis/ext4-Add-a-sanity-check-for-next-dentry-when-insert/20241027-191200
base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
patch link: https://lore.kernel.org/r/tencent_E4CFC65D09852ECE2EF28C83A7C3C6E41206%40qq.com
patch subject: [PATCH] ext4: Add a sanity check for next dentry when insert
config: x86_64-rhel-8.3 (https://download.01.org/0day-ci/archive/20241027/202410272114...@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241027/202410272114...@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <l...@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410272114...@intel.com/

All warnings (new ones prefixed by >>):

>> fs/ext4/namei.c:2087:5: warning: no previous prototype for 'ext4_check_next_dentry' [-Wmissing-prototypes]
2087 | int ext4_check_next_dentry(struct inode *dir,
| ^~~~~~~~~~~~~~~~~~~~~~


vim +/ext4_check_next_dentry +2087 fs/ext4/namei.c

2086
> 2087 int ext4_check_next_dentry(struct inode *dir,
2088 struct inode *inode,
2089 struct ext4_dir_entry_2 *de,
2090 int buf_size,
2091 struct ext4_filename *fname)
2092 {
2093 int nlen, rlen;
2094
2095 nlen = ext4_dir_rec_len(de->name_len, dir);
2096 rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
2097 if (de->inode) {
2098 struct ext4_dir_entry_2 *nde =
2099 (struct ext4_dir_entry_2 *)((char *)de + nlen);
2100 nde->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
2101 de->rec_len = ext4_rec_len_to_disk(nlen, buf_size);
2102 de = nde;
2103 rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
2104 return fname_len(fname) > rlen - EXT4_BASE_DIR_LEN;
2105 }
2106
2107 return 0;
2108 }
2109

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

kernel test robot

Oct 27, 2024, 12:07:16 PM
to Edward Adam Davis, syzbot+0c99c3...@syzkaller.appspotmail.com, ll...@lists.linux.dev, oe-kbu...@lists.linux.dev, adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Hi Edward,

kernel test robot noticed the following build warnings:

[auto build test WARNING on tytso-ext4/dev]
[also build test WARNING on linus/master v6.12-rc4 next-20241025]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Edward-Adam-Davis/ext4-Add-a-sanity-check-for-next-dentry-when-insert/20241027-191200
base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
patch link: https://lore.kernel.org/r/tencent_E4CFC65D09852ECE2EF28C83A7C3C6E41206%40qq.com
patch subject: [PATCH] ext4: Add a sanity check for next dentry when insert
config: x86_64-kexec (https://download.01.org/0day-ci/archive/20241027/202410272335...@intel.com/config)
compiler: clang version 19.1.2 (https://github.com/llvm/llvm-project 7ba7d8e2f7b6445b60679da826210cdde29eaf8b)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241027/202410272335...@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <l...@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410272335...@intel.com/

All warnings (new ones prefixed by >>):

In file included from fs/ext4/namei.c:29:
In file included from include/linux/pagemap.h:8:
In file included from include/linux/mm.h:2213:
include/linux/vmstat.h:504:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
504 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~ ^
505 | item];
| ~~~~
include/linux/vmstat.h:511:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
511 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~ ^
512 | NR_VM_NUMA_EVENT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~~
include/linux/vmstat.h:518:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
518 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
include/linux/vmstat.h:524:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
524 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~ ^
525 | NR_VM_NUMA_EVENT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~~
>> fs/ext4/namei.c:2087:5: warning: no previous prototype for function 'ext4_check_next_dentry' [-Wmissing-prototypes]
2087 | int ext4_check_next_dentry(struct inode *dir,
| ^
fs/ext4/namei.c:2087:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
2087 | int ext4_check_next_dentry(struct inode *dir,
| ^
| static
5 warnings generated.

Edward Adam Davis

Oct 28, 2024, 10:07:52 AM10/28/24
to l...@intel.com, adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, oe-kbu...@lists.linux.dev, syzbot+0c99c3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, ty...@mit.edu
Syzbot reported a use-after-free in ext4_insert_dentry.

Before copying the file name to the next directory entry, it is necessary to
confirm whether there is enough space in the next directory entry.
When the space is insufficient, it will not be inserted and an error code
-EINVAL will be returned.

Reported-by: syzbot+0c99c3...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c99c3f90699936c1e77
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
V1 -> V2: change check_next_dentry to static and comments
index 790db7eac6c2..1c9fedf36fb0 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2084,24 +2084,38 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode,
return 0;
}

-void ext4_insert_dentry(struct inode *dir,
+static int check_next_dentry(struct inode *dir,
struct inode *inode,
struct ext4_dir_entry_2 *de,
int buf_size,
struct ext4_filename *fname)
{
-
int nlen, rlen;

nlen = ext4_dir_rec_len(de->name_len, dir);
rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
if (de->inode) {
- struct ext4_dir_entry_2 *de1 =
+ struct ext4_dir_entry_2 *nde =
(struct ext4_dir_entry_2 *)((char *)de + nlen);
- de1->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
+ nde->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
de->rec_len = ext4_rec_len_to_disk(nlen, buf_size);
- de = de1;
+ de = nde;
+ rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
+ return fname_len(fname) > rlen - EXT4_BASE_DIR_LEN;
}
+
+ return 0;
+}
+
+int ext4_insert_dentry(struct inode *dir,
+ struct inode *inode,
+ struct ext4_dir_entry_2 *de,
+ int buf_size,
+ struct ext4_filename *fname)
+{
+ if (check_next_dentry(dir, inode, de, buf_size, fname))
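Review bot: check_next_dentry() modifies the block before it decides. When `de->inode` is set it writes `nde->rec_len`, shrinks `de->rec_len` to `nlen`, and only then compares `fname_len(fname)` against the remaining space, so the -EINVAL path the commit message describes leaves the directory block with an already-split record. Compute `rlen - nlen` first, compare it against `ext4_dir_rec_len(fname_len(fname), dir)` (the same rounded length the function already uses for `nlen`, rather than the bare `fname_len(fname) > rlen - EXT4_BASE_DIR_LEN`), and perform the split only after that check passes. Note also that `de = nde` is a local assignment inside the helper, so ext4_insert_dentry() does not see the advanced pointer, the helper's `inode` parameter is unused, and the return type of ext4_insert_dentry() changes from void to int, so every caller must now handle the return value; the visible lines stop at the new check, so that part cannot be reviewed here.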

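The space check described in the V2 commit message above, as a userspace model written for this thread (an added example, not Edward's patch and not ext4's own code). It assumes a block size below 64 KiB so that rec_len is stored verbatim, leaves out the extra space ext4_dir_rec_len reserves for casefolded directories, and works on constructed 64-byte blocks; the names `dentry2`, `rec_len_for`, `insert_dentry` and the `demo_*` helpers are this example's own. It differs from the patch in one deliberate way: rec_len is bounded against the buffer and the needed space is computed before any rec_len is written, so a refused insert leaves the block unchanged.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the ext4 on-disk directory entry (struct
 * ext4_dir_entry_2). Assumption: block size below 64 KiB, so rec_len is
 * stored verbatim and no ext4_rec_len_{from,to}_disk conversion is modelled. */
struct dentry2 {
    uint32_t inode;     /* 0 marks an unused record */
    uint16_t rec_len;   /* bytes from this header to the next record */
    uint8_t  name_len;
    uint8_t  file_type;
    char     name[];    /* name_len bytes, not NUL-terminated */
};

#define BASE_DIR_LEN 8u   /* header bytes before the name, like EXT4_BASE_DIR_LEN */

/* Space a name needs: header plus name, rounded up to 4 bytes. Shape of
 * ext4_dir_rec_len for a plain (non-casefolded) directory (assumption). */
static unsigned int rec_len_for(unsigned int name_len)
{
    return (name_len + BASE_DIR_LEN + 3u) & ~3u;
}

enum { INSERT_OK = 0, INSERT_ENOSPC = -1, INSERT_EBADBLOCK = -2 };

/* Insert `name` at the record at `off`, splitting that record when it is in
 * use. Every check runs before any byte of the block is written, so a
 * refused insert leaves the block exactly as it was. */
static int insert_dentry(unsigned char *block, unsigned int buf_size,
                         unsigned int off, uint32_t ino,
                         const char *name, unsigned int name_len)
{
    struct dentry2 *de = (struct dentry2 *)(block + off);
    unsigned int rlen, nlen;

    if (off + BASE_DIR_LEN > buf_size)
        return INSERT_EBADBLOCK;
    rlen = de->rec_len;
    /* rec_len comes from the block, so bound it before trusting it */
    if (rlen < BASE_DIR_LEN || (rlen & 3u) || off + rlen > buf_size)
        return INSERT_EBADBLOCK;

    if (de->inode) {
        nlen = rec_len_for(de->name_len);
        if (nlen > rlen)
            return INSERT_EBADBLOCK;      /* live entry overruns its own record */
        if (rlen - nlen < rec_len_for(name_len))
            return INSERT_ENOSPC;         /* next record would be too small */
        /* split only now that both halves are known to fit */
        struct dentry2 *nde = (struct dentry2 *)((char *)de + nlen);
        nde->rec_len = (uint16_t)(rlen - nlen);
        de->rec_len = (uint16_t)nlen;
        de = nde;
    } else if (rlen < rec_len_for(name_len)) {
        return INSERT_ENOSPC;
    }

    de->inode = ino;
    de->name_len = (uint8_t)name_len;
    de->file_type = 1;                    /* regular file */
    memcpy(de->name, name, name_len);
    return INSERT_OK;
}

/* Constructed sample: a block holding one live entry "a" (inode 12) whose
 * record length is chosen by the caller. */
static void build_block(unsigned char *block, unsigned int buf_size, uint16_t first_rec_len)
{
    struct dentry2 *de = (struct dentry2 *)block;
    memset(block, 0, buf_size);
    de->inode = 12;
    de->rec_len = first_rec_len;
    de->name_len = 1;
    de->file_type = 2;                    /* directory */
    de->name[0] = 'a';
}

/* Enough slack after "a": the record splits and "bb" lands at offset 12. */
static int demo_fits(void)
{
    _Alignas(4) unsigned char block[64];
    build_block(block, sizeof block, 64);
    if (insert_dentry(block, sizeof block, 0, 13, "bb", 2) != INSERT_OK)
        return 0;
    struct dentry2 *de = (struct dentry2 *)block;
    struct dentry2 *nde = (struct dentry2 *)(block + 12);
    return de->rec_len == 12 && nde->inode == 13 && nde->rec_len == 52 &&
           nde->name_len == 2 && memcmp(nde->name, "bb", 2) == 0;
}

/* The first record is exactly as large as "a" needs: no room for "bb", the
 * insert is refused and the block is byte-for-byte unchanged. */
static int demo_too_small(void)
{
    _Alignas(4) unsigned char block[64], before[64];
    build_block(block, sizeof block, 12);
    memcpy(before, block, sizeof block);
    if (insert_dentry(block, sizeof block, 0, 13, "bb", 2) != INSERT_ENOSPC)
        return 0;
    return memcmp(before, block, sizeof block) == 0;
}

/* A rec_len that runs past the buffer, as a corrupted image can carry, is
 * rejected before anything is read or written beyond the end. */
static int demo_bad_rec_len(void)
{
    _Alignas(4) unsigned char block[64];
    build_block(block, sizeof block, 64);
    ((struct dentry2 *)block)->rec_len = 300;   /* claims more than the 64-byte buffer */
    return insert_dentry(block, sizeof block, 0, 13, "bb", 2) == INSERT_EBADBLOCK;
}

int main(void)
{
    printf("fits: %d, too small refused: %d, bad rec_len refused: %d\n",
           demo_fits(), demo_too_small(), demo_bad_rec_len());
    return 0;
}
```

The three demos return 1 on the expected outcome. The point of ordering the checks this way is the one the on-disk format forces: rec_len and name_len are attacker-controlled bytes once a crafted image is mounted, so both the live entry's own length and the slack left for the new name have to be validated against the buffer before the record is split or the name is copied.
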
kernel test robot

Oct 28, 2024, 10:15:09 AM10/28/24
to Edward Adam Davis, syzbot+0c99c3...@syzkaller.appspotmail.com, oe-kbu...@lists.linux.dev, adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Hi Edward,

kernel test robot noticed the following build warnings:

[auto build test WARNING on tytso-ext4/dev]
[also build test WARNING on linus/master v6.12-rc5 next-20241028]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Edward-Adam-Davis/ext4-Add-a-sanity-check-for-next-dentry-when-insert/20241027-191200
base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
patch link: https://lore.kernel.org/r/tencent_E4CFC65D09852ECE2EF28C83A7C3C6E41206%40qq.com
patch subject: [PATCH] ext4: Add a sanity check for next dentry when insert
config: x86_64-randconfig-121-20241028 (https://download.01.org/0day-ci/archive/20241028/202410282131...@intel.com/config)
compiler: clang version 19.1.2 (https://github.com/llvm/llvm-project 7ba7d8e2f7b6445b60679da826210cdde29eaf8b)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241028/202410282131...@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <l...@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410282131...@intel.com/

sparse warnings: (new ones prefixed by >>)
>> fs/ext4/namei.c:2087:5: sparse: sparse: symbol 'ext4_check_next_dentry' was not declared. Should it be static?
fs/ext4/namei.c: note: in included file (through include/linux/mmzone.h, include/linux/gfp.h, include/linux/xarray.h, ...):
include/linux/page-flags.h:237:46: sparse: sparse: self-comparison always evaluates to false
include/linux/page-flags.h:237:46: sparse: sparse: self-comparison always evaluates to false
fs/ext4/namei.c: note: in included file:
fs/ext4/ext4.h:2429:9: sparse: sparse: self-comparison always evaluates to false

Edward Adam Davis

Oct 30, 2024, 7:21:52 AM10/30/24
to syzbot+0c99c3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Check the next directory entry's space; if it is too small for the file name, exit the dentry insert and return -EINVAL.

#syz test: upstream master
nlen = ext4_dir_rec_len(de->name_len, dir);
rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
if (de->inode) {
- struct ext4_dir_entry_2 *de1 =
+ struct ext4_dir_entry_2 *nde =
(struct ext4_dir_entry_2 *)((char *)de + nlen);
- de1->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
+ nde->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
de->rec_len = ext4_rec_len_to_disk(nlen, buf_size);

syzbot

Oct 30, 2024, 7:35:04 AM10/30/24
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy syz-executor to VM: failed to run ["scp" "-P" "38194" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-executor" "root@localhost:/syz-executor"]: exit status 1
Warning: Permanently added '[localhost]:38194' (ED25519) to the list of known hosts.
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1339989871=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 14517542a3b
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=14517542a3bd08a1b323746361cf4d09eedeed9e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241021-111043'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"14517542a3bd08a1b323746361cf4d09eedeed9e\"
/usr/bin/ld: /tmp/ccC7uJRr.o: in function `test_cover_filter()':
executor.cc:(.text+0x1424b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/ccC7uJRr.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking



Tested on:

commit: c1e939a2 Merge tag 'cgroup-for-6.12-rc5-fixes' of git:..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=35698c25466f388c
dashboard link: https://syzkaller.appspot.com/bug?extid=0c99c3f90699936c1e77
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a4255f980000

kernel test robot

Nov 4, 2024, 1:43:48 AM11/4/24
to Edward Adam Davis, oe-...@lists.linux.dev, l...@intel.com, linux...@vger.kernel.org, adilger...@dilger.ca, ead...@qq.com, linux-...@vger.kernel.org, oe-kbu...@lists.linux.dev, syzbot+0c99c3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, ty...@mit.edu, olive...@intel.com


Hello,

kernel test robot noticed "xfstests.generic.080.fail" on:

commit: d29093707e013ca381d404c4444413df49c719c1 ("[PATCH V2] ext4: Add a sanity check for next dentry when insert")
url: https://github.com/intel-lab-lkp/linux/commits/Edward-Adam-Davis/ext4-Add-a-sanity-check-for-next-dentry-when-insert/20241028-220910
base: https://git.kernel.org/cgit/linux/kernel/git/tytso/ext4.git dev
patch link: https://lore.kernel.org/all/tencent_2EB5A7DB06DD92...@qq.com/
patch subject: [PATCH V2] ext4: Add a sanity check for next dentry when insert

in testcase: xfstests
version: xfstests-x86_64-891f4995-1_20241028
with following parameters:

disk: 4HDD
fs: ext4
fs2: smbv2
test: generic-080



config: x86_64-rhel-8.3-func
compiler: gcc-12
test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)




If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <olive...@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202411041103.a03...@intel.com

2024-10-31 17:45:57 mount /dev/sda1 /fs/sda1
2024-10-31 17:45:58 mkdir -p /smbv2//cifs/sda1
2024-10-31 17:45:58 export FSTYP=cifs
2024-10-31 17:45:58 export TEST_DEV=//localhost/fs/sda1
2024-10-31 17:45:58 export TEST_DIR=/smbv2//cifs/sda1
2024-10-31 17:45:58 export CIFS_MOUNT_OPTIONS=-ousername=root,password=pass,noperm,vers=2.0,mfsymlinks,actimeo=0
2024-10-31 17:45:58 echo generic/080
2024-10-31 17:45:58 ./check -E tests/cifs/exclude.incompatible-smb2.txt -E tests/cifs/exclude.very-slow.txt generic/080
FSTYP -- cifs
PLATFORM -- Linux/x86_64 lkp-skl-d05 6.12.0-rc1-00004-gd29093707e01 #1 SMP PREEMPT_DYNAMIC Wed Oct 30 22:27:17 CST 2024

generic/080 - output mismatch (see /lkp/benchmarks/xfstests/results//generic/080.out.bad)
--- tests/generic/080.out 2024-10-28 16:28:46.000000000 +0000
+++ /lkp/benchmarks/xfstests/results//generic/080.out.bad 2024-10-31 17:46:01.599410948 +0000
@@ -1,2 +1,3 @@
QA output created by 080
Silence is golden.
+rm: cannot remove '/smbv2/cifs/sda1/mmap_mtime_testfile': Permission denied
...
(Run 'diff -u /lkp/benchmarks/xfstests/tests/generic/080.out /lkp/benchmarks/xfstests/results//generic/080.out.bad' to see the entire diff)
Ran: generic/080
Failures: generic/080
Failed 1 of 1 tests




The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241104/202411041103.a03...@intel.com

syzbot

Nov 6, 2024, 10:22:06 AM11/6/24
to adilger...@dilger.ca, adi...@dilger.ca, ead...@qq.com, ja...@suse.cz, linux...@vger.kernel.org, linux-...@vger.kernel.org, l...@intel.com, ll...@lists.linux.dev, oe-kbu...@lists.linux.dev, oe-...@lists.linux.dev, olive...@intel.com, san...@redhat.com, syzkall...@googlegroups.com, ty...@mit.edu
syzbot has bisected this issue to:

commit 5872331b3d91820e14716632ebb56b1399b34fe1
Author: Eric Sandeen <san...@redhat.com>
Date: Wed Jun 17 19:19:04 2020 +0000

ext4: fix potential negative array index in do_split()

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15b9ce30580000
start commit: 2e1b3cc9d7f7 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=17b9ce30580000
console output: https://syzkaller.appspot.com/x/log.txt?x=13b9ce30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=921b01cbfd887a9b
dashboard link: https://syzkaller.appspot.com/bug?extid=0c99c3f90699936c1e77
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=173636a7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1600cf40580000

Reported-by: syzbot+0c99c3...@syzkaller.appspotmail.com
Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Thadeu Lima de Souza Cascardo

Apr 15, 2025, 1:29:44 PM4/15/25
to syzbot, adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
#syz fix: ext4: fix off-by-one error in do_split