erofs: handle NONHEAD !delta[1] lclusters gracefully

[ Upstream commit 0bc8061ffc733a0a246b8689b2d32a3e9204f43c ]

syzbot reported a WARNING in iomap_iter_done:
 iomap_fiemap+0x73b/0x9b0 fs/iomap/fiemap.c:80
 ioctl_fiemap fs/ioctl.c:220 [inline]

Generally, NONHEAD lclusters won't have delta[1]==0, except for crafted
images and filesystems created by pre-1.0 mkfs versions.

Previously, it would immediately bail out if delta[1]==0, which led to
inadequate decompressed lengths (thus FIEMAP is impacted).  Treat it as
delta[1]=1 to work around these legacy mkfs versions.

`lclusterbits > 14` is illegal for compact indexes, error out too.

Reported-by: syzbot+6c0b301317aa0156f9eb@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/67373c0c.050a0220.2a2fcc.0079.GAE@google.com
Tested-by: syzbot+6c0b301317aa0156f9eb@syzkaller.appspotmail.com
Fixes: d95ae5e25326 ("erofs: add support for the full decompressed length")
Fixes: 001b8ccd0650 ("erofs: fix compact 4B support for 16k block size")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20241115173651.3339514-1-hsiangkao@linux.alibaba.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
index 403af6e31d5b2c798ae1736057c3f4d5158645c0..8d28cfc6a4b837f10ec912e71a7e4215eb54e7c7 100644 (file)
--- a/fs/erofs/zmap.c
+++ b/fs/erofs/zmap.c
@@ -223,7 +223,7 @@ static int z_erofs_load_compact_lcluster(struct z_erofs_maprecorder *m,
        unsigned int amortizedshift;
        erofs_off_t pos;
 
-       if (lcn >= totalidx)
+       if (lcn >= totalidx || vi->z_logical_clusterbits > 14)
                return -EINVAL;
 
        m->lcn = lcn;
@@ -398,7 +398,7 @@ static int z_erofs_get_extent_decompressedlen(struct z_erofs_maprecorder *m)
        u64 lcn = m->lcn, headlcn = map->m_la >> lclusterbits;
        int err;
 
-       do {
+       while (1) {
                /* handle the last EOF pcluster (no next HEAD lcluster) */
                if ((lcn << lclusterbits) >= inode->i_size) {
                        map->m_llen = inode->i_size - map->m_la;
@@ -410,14 +410,16 @@ static int z_erofs_get_extent_decompressedlen(struct z_erofs_maprecorder *m)
                        return err;
 
                if (m->type == Z_EROFS_LCLUSTER_TYPE_NONHEAD) {
-                       DBG_BUGON(!m->delta[1] &&
-                                 m->clusterofs != 1 << lclusterbits);
+                       /* work around invalid d1 generated by pre-1.0 mkfs */
+                       if (unlikely(!m->delta[1])) {
+                               m->delta[1] = 1;
+                               DBG_BUGON(1);
+                       }
                } else if (m->type == Z_EROFS_LCLUSTER_TYPE_PLAIN ||
                           m->type == Z_EROFS_LCLUSTER_TYPE_HEAD1 ||
                           m->type == Z_EROFS_LCLUSTER_TYPE_HEAD2) {
-                       /* go on until the next HEAD lcluster */
                        if (lcn != headlcn)
-                               break;
+                               break;  /* ends at the next HEAD lcluster */
                        m->delta[1] = 1;
                } else {
                        erofs_err(inode->i_sb, "unknown type %u @ lcn %llu of nid %llu",
@@ -426,8 +428,7 @@ static int z_erofs_get_extent_decompressedlen(struct z_erofs_maprecorder *m)
                        return -EOPNOTSUPP;
                }
                lcn += m->delta[1];
-       } while (m->delta[1]);
-
+       }
        map->m_llen = (lcn << lclusterbits) + m->clusterofs - map->m_la;
        return 0;
 }