On Tue, Aug 15, 2023 at 10:59:39AM +0300, Vladislav Efanov wrote:
From: Vladislav Efanov VEfanov@ispras.ru
commit 1e0d4adf17e7ef03281d7b16555e7c1508c8ed2d upstream
Bits, which are related to Bitmap Descriptor logical blocks, are not reset when buffer headers are allocated for them. As the result, these logical blocks can be treated as free and be used for other blocks.This can cause usage of one buffer header for several types of data. UDF issues WARNING in this situation:
WARNING: CPU: 0 PID: 2703 at fs/udf/inode.c:2014 __udf_add_aext+0x685/0x7d0 fs/udf/inode.c:2014
RIP: 0010:__udf_add_aext+0x685/0x7d0 fs/udf/inode.c:2014 Call Trace: udf_setup_indirect_aext+0x573/0x880 fs/udf/inode.c:1980 udf_add_aext+0x208/0x2e0 fs/udf/inode.c:2067 udf_insert_aext fs/udf/inode.c:2233 [inline] udf_update_extents fs/udf/inode.c:1181 [inline] inode_getblk+0x1981/0x3b70 fs/udf/inode.c:885
Found by Linux Verification Center (linuxtesting.org) with syzkaller.
[JK: Somewhat cleaned up the boundary checks]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Vladislav Efanov VEfanov@ispras.ru Signed-off-by: Jan Kara jack@suse.cz
Syzkaller reports this problem in 5.10 stable release. The problem has been fixed by the following patch which can be cleanly applied to the 5.10 branch.
We can not, for obvious reasons, take this only into the 5.10.y branch (same for the other udf patch you sent.) Please send patches for all applicable branches (5.10 and newer) so that we can apply these to the 5.10.y tree at that time.
I've dropped both of these from my review queue now, thanks.
greg k-h