From patchwork Thu Sep  5 10:24:24 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julian Sun <sunjunchao2870@gmail.com>
X-Patchwork-Id: 13792116
Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com
 [209.85.210.169])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 611D11991BE
	for <linux-fsdevel@vger.kernel.org>; Thu,  5 Sep 2024 10:24:32 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.169
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1725531873; cv=none;
 b=GwwKuJWrDxFuS5809wOdhg7+fAJ2MEGd0UE2DqC8+8CcKmiGzyVzTBgveRnNuiwv+7uaKmVGxSyA1zqRLd5YvPGWOnE7lEzOQPDV0c1PjUTCj2ejiAN2+8LjDPoeMA+4smQHUAOdISQdxPDwFxf8C4SeDeuExRNsDCqvojjSQJk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1725531873; c=relaxed/simple;
	bh=4QvaNv53VwpQxmWKJaO0cd5rVlygGoaLzyfS2iQQVtw=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=EqqfdqTWl8jpWkaL6BHACzFKwaJ/vChKFzORZ6I0SNFGZMwl33UT9O0VnQ1cpy5nPFm8UHaldLsO1YErvQSKtristC/j9Z8TJVvxfy7bLNckojEgqvt4ce6TlzKbShUqaRL4O2mfeURKfxMvJzAKK0a8ocItowrn8uhp4tdcr6o=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=W65BjEy3; arc=none smtp.client-ip=209.85.210.169
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="W65BjEy3"
Received: by mail-pf1-f169.google.com with SMTP id
 d2e1a72fcca58-717849c0dcaso483346b3a.3
        for <linux-fsdevel@vger.kernel.org>;
 Thu, 05 Sep 2024 03:24:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1725531871; x=1726136671;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=Pxh5ie7x+NlOqhRmkSQ2AsfzKM+eGqwQ9HCS3rFoI4Y=;
        b=W65BjEy3SAK/QrEnF/9WyPF/ZESl76lhRJIdbDzWOf/TZ0YX2QEKommmdwQ5wmKER7
         DizMhFw2dMc76BKoyre0U+u0msH55Xdim3XM5qb6R2CuROoOA9thQvxghQxA3OuDFavy
         FAT605fSOeKIhJsum3OAviojmhqMxtCww2z5RKu4ygm2CKX1q+xdKuuhBNkJXmBnAFs3
         8d6S0DySFxow64sG7ORpf71Qq9doJrGpESyCcz+62OCUeFplkN6DlaS6bKd0Yr0ASbBh
         p6uvCuULtCMD7o1oIWbg57DnKTf49ffyZvK6/QILA/89oQ8R2zYxHVS+kniAwA5hKbQF
         9ZqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1725531871; x=1726136671;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=Pxh5ie7x+NlOqhRmkSQ2AsfzKM+eGqwQ9HCS3rFoI4Y=;
        b=YWo6jzf7lZhbNb+3VgGWQ5YqqOT1BDxtmwWUlDOJMkvpjjevuJNBJwASEFW3+DP36d
         cL3pEACoDaM7bpXpIxzfcXnSZgehO5K1jz9BoI9SANosaJy1i5daK0hVDIslKk+i1yw2
         v0T5XVB14GqRASs7Hkl6d6kx+IiscsiIKOqt4NS6vUMU/8uf/hQ/LtZqIGFIrdi1BkLm
         7/D2N5vnKE2uyEgDxBxMfNCzg5c9GuDdtM9onLXQ4GciR9GROUkcj9gcoN4ePuB/QosR
         b0YyI7cH6SWTEzVYtPYugjZfo13ZCKQS/34lC4J8HKfZ4NzNB7yM4cGVzCVmWkaEmXe9
         zRJw==
X-Gm-Message-State: AOJu0Yxp9wuVR88wF7jubQX5OCJZp/zM5TLGa7OQi1F7jsJIramFaYD0
	b1VyaPYr7ZKWKGqTkcwHDXou49w1bCfvxEnAsdEDqb8n0T2PJkBdPTIuJ7IqcPQ=
X-Google-Smtp-Source: 
 AGHT+IG6ImsUGLlwJS0dY12oSBPr+k8B5FCnlj6nHL4vaETzyuptME4i1E8PpH46+1alwKNPDqHQsw==
X-Received: by 2002:a05:6a21:3510:b0:1ca:c673:9793 with SMTP id
 adf61e73a8af0-1cecdf2956amr22417785637.23.1725531870696;
        Thu, 05 Sep 2024 03:24:30 -0700 (PDT)
Received: from localhost ([123.113.110.156])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-206aea38cecsm26247245ad.177.2024.09.05.03.24.29
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Sep 2024 03:24:30 -0700 (PDT)
From: Julian Sun <sunjunchao2870@gmail.com>
To: linux-fsdevel@vger.kernel.org
Cc: jack@suse.cz,
	brauner@kernel.org,
	viro@zeniv.linux.org.uk,
	djwong@kernel.org,
	david@fromorbit.com,
	hch@lst.de,
	Julian Sun <sunjunchao2870@gmail.com>,
	syzbot+296b1c84b9cbf306e5a0@syzkaller.appspotmail.com
Subject: [PATCH 1/2] iomap: Do not unshare exents beyond EOF
Date: Thu,  5 Sep 2024 18:24:24 +0800
Message-Id: <20240905102425.1106040-1-sunjunchao2870@gmail.com>
X-Mailer: git-send-email 2.39.2
Precedence: bulk
X-Mailing-List: linux-fsdevel@vger.kernel.org
List-Id: <linux-fsdevel.vger.kernel.org>
List-Subscribe: <mailto:linux-fsdevel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-fsdevel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

Attempting to unshare extents beyond EOF will trigger
the need zeroing case, which in turn triggers a warning.
Therefore, let's skip the unshare process if extents are
beyond EOF.

Reported-and-tested-by: syzbot+296b1c84b9cbf306e5a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=296b1c84b9cbf306e5a0
Fixes: 32a38a499104 ("iomap: use write_begin to read pages to unshare")
Inspired-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Julian Sun <sunjunchao2870@gmail.com>
---
 fs/iomap/buffered-io.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index f420c53d86ac..8898d5ec606f 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -1340,6 +1340,9 @@ static loff_t iomap_unshare_iter(struct iomap_iter *iter)
 	/* don't bother with holes or unwritten extents */
 	if (srcmap->type == IOMAP_HOLE || srcmap->type == IOMAP_UNWRITTEN)
 		return length;
+	/* don't try to unshare any extents beyond EOF. */
+	if (pos > i_size_read(iter->inode))
+		return length;
 
 	do {
 		struct folio *folio;

From patchwork Thu Sep  5 10:26:56 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julian Sun <sunjunchao2870@gmail.com>
X-Patchwork-Id: 13792134
Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com
 [209.85.215.170])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id F3C64198833
	for <linux-fsdevel@vger.kernel.org>; Thu,  5 Sep 2024 10:27:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.215.170
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1725532025; cv=none;
 b=Y5kZNOU3WpaSpS/W5gTOjS0vTJlEYm8RV2YkwiY1omnjyqkS865C4HHUi2Q0IlDncd/DEUlBAieHCsFgzLYkjidEGfCn96nET2RSBOBGY5iY7vuOr2Ug4OHyl+k0uj3m9XFadb1vbhDdKcmJvXYqiTT8ijCTk6r2zjRdyVAeM9g=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1725532025; c=relaxed/simple;
	bh=WZzT5BpQnU/IDkY5TbnvVbnpeSboG8Cas3ZVjda00B4=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=pvCf2C/aCpA24lYBSO0t9EtgIPv1KoTOF3FV2e2dOxBtol4ZrRk1fK+3OHk6+RV9fUjtT+0BhPDrVva41XhW5WdeBcnWYH9/18nLoCcJTUpIp7dfvA2fWr6xUsi7jpVRF5gCIMV9YrNSpZ6to0YlLuDKQnOoH4f0a2Icg513M+Y=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=JtvbZT78; arc=none smtp.client-ip=209.85.215.170
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="JtvbZT78"
Received: by mail-pg1-f170.google.com with SMTP id
 41be03b00d2f7-7c6aee8e8daso494138a12.0
        for <linux-fsdevel@vger.kernel.org>;
 Thu, 05 Sep 2024 03:27:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1725532022; x=1726136822;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=gQLkYz851xV52gzNbD07f6SnIzvOfxOgXnNEUY/1Rw4=;
        b=JtvbZT78oCypxk8PtzWglUjUInChBdz/Uh4zhYCw72aVZ3j9ofgBq5+OjNiFYVAmQo
         9349ueD+itpsAcDDsUyJxkIviI52t1wHOM9RXpSebuEmlFOe9i8ne3nq8f0d7o+8HNKL
         bBorHkTq9c2hMQFWDeTgPqDdIgBubPwOj6yWKamR5w25HtrAA+aXAKJB5oDYIPQJXJq2
         mH6spnU8oDoaThrc8Z8zFfGuu4zTNI2YmXm7UkRW84AXMHfh5zN06PYRUs3vtBfKzArh
         RB3aotBz3uAhhENbfUuF0ECjC5zYmRwF8udSk1yS7Ut/lq9KBkPCUQ+ORAueIh+lUg+C
         E2Iw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1725532022; x=1726136822;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=gQLkYz851xV52gzNbD07f6SnIzvOfxOgXnNEUY/1Rw4=;
        b=JTqYj/vtrTWR/JFfljCWJtxtPbI+5Nra0xfOsMb4LDgoYCMzCAXMgZdj8p6mEf71Ig
         fohQL/r6J+BZviqgB4gJeCjsLnyOag0Wf8GJHCFqoAb6qs6E3kkDT0EGsqShaaihDg+Y
         S5kX+YzjgdO7U08rLaS1kuhE3PzypuLjIl6IdkjRDo2rhNLNGTfzWmm/m70xR3NVEGBr
         CLjfFqLwyYORrV275NyJGtx88EOMc7SG0bXhf2cB8JFVmNABGXvKZldIkFiyy/ZSJthT
         z6flOt9fhwYikEM1a6yyvaCW9awGfPfMEyo89gj9dt8NRFnjeqsum1A9Uz8lxxFbRulw
         8TBA==
X-Gm-Message-State: AOJu0YypiyHSfHJ2DwE2pUxb2DO7PFup/yRZDaIg38AA1kHbJ5uCd7mX
	clrp8GwcHXyBp3xpmiDLIPdhQLV6RvgSuiYuVkuCSRUEB37TbsaAAUdbSOSVTK0=
X-Google-Smtp-Source: 
 AGHT+IEb2GyXWVt7vLLMhYWz5CUtpIDYWMUQt3IJvnl5f0aJxGTI6Yi1g6h9vXA52zG4PLsgoZ4zFg==
X-Received: by 2002:a05:6a20:b305:b0:1cc:9f24:42 with SMTP id
 adf61e73a8af0-1cecdf0fb63mr16659713637.20.1725532022226;
        Thu, 05 Sep 2024 03:27:02 -0700 (PDT)
Received: from localhost ([123.113.110.156])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2da7532583bsm4650438a91.8.2024.09.05.03.27.00
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Sep 2024 03:27:01 -0700 (PDT)
From: Julian Sun <sunjunchao2870@gmail.com>
To: linux-fsdevel@vger.kernel.org
Cc: jack@suse.cz,
	brauner@kernel.org,
	viro@zeniv.linux.org.uk,
	djwong@kernel.org,
	david@fromorbit.com,
	hch@lst.de,
	Julian Sun <sunjunchao2870@gmail.com>,
	syzbot+296b1c84b9cbf306e5a0@syzkaller.appspotmail.com
Subject: [PATCH 2/2] vfs: Fix implicit conversion problem when testing
 overflow case
Date: Thu,  5 Sep 2024 18:26:56 +0800
Message-Id: <20240905102656.1107446-1-sunjunchao2870@gmail.com>
X-Mailer: git-send-email 2.39.2
Precedence: bulk
X-Mailing-List: linux-fsdevel@vger.kernel.org
List-Id: <linux-fsdevel.vger.kernel.org>
List-Subscribe: <mailto:linux-fsdevel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-fsdevel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

The overflow check in generic_copy_file_checks() and generic_remap_checks()
is now broken because the result of the addition is implicitly converted to
an unsigned type, which disrupts the comparison with signed numbers.
This caused the kernel to not return EOVERFLOW in copy_file_range()
call with len is set to 0xffffffffa003e45bul.

Use the check_add_overflow() macro to fix this issue.

Reported-and-tested-by: syzbot+296b1c84b9cbf306e5a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=296b1c84b9cbf306e5a0
Fixes: 1383a7ed6749 ("vfs: check file ranges before cloning files")
Fixes: 96e6e8f4a68d ("vfs: add missing checks to copy_file_range")
Inspired-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Julian Sun <sunjunchao2870@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
---
 fs/read_write.c  | 5 +++--
 fs/remap_range.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/read_write.c b/fs/read_write.c
index 90e283b31ca1..349e4df5e0b0 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1416,7 +1416,7 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
 	struct inode *inode_in = file_inode(file_in);
 	struct inode *inode_out = file_inode(file_out);
 	uint64_t count = *req_count;
-	loff_t size_in;
+	loff_t size_in, tmp;
 	int ret;
 
 	ret = generic_file_rw_checks(file_in, file_out);
@@ -1451,7 +1451,8 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
 		return -ETXTBSY;
 
 	/* Ensure offsets don't wrap. */
-	if (pos_in + count < pos_in || pos_out + count < pos_out)
+	if (check_add_overflow(pos_in, count, &tmp) ||
+	    check_add_overflow(pos_out, count, &tmp))
 		return -EOVERFLOW;
 
 	/* Shorten the copy to EOF */
diff --git a/fs/remap_range.c b/fs/remap_range.c
index 28246dfc8485..6fdeb3c8cb70 100644
--- a/fs/remap_range.c
+++ b/fs/remap_range.c
@@ -36,7 +36,7 @@ static int generic_remap_checks(struct file *file_in, loff_t pos_in,
 	struct inode *inode_out = file_out->f_mapping->host;
 	uint64_t count = *req_count;
 	uint64_t bcount;
-	loff_t size_in, size_out;
+	loff_t size_in, size_out, tmp;
 	loff_t bs = inode_out->i_sb->s_blocksize;
 	int ret;
 
@@ -45,7 +45,8 @@ static int generic_remap_checks(struct file *file_in, loff_t pos_in,
 		return -EINVAL;
 
 	/* Ensure offsets don't wrap. */
-	if (pos_in + count < pos_in || pos_out + count < pos_out)
+	if (check_add_overflow(pos_in, count, &tmp) ||
+	    check_add_overflow(pos_out, count, &tmp))
 		return -EINVAL;
 
 	size_in = i_size_read(inode_in);