[SRU K, HWE-5.17, J, OEM-5.14, F, B 1/1] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()

[Thadeu Lima de Souza Cascardo]

From: Ryusuke Konishi <konishi.ryusuke at gmail.com>

If the i_mode field in inode of metadata files is corrupted on disk, it
can cause the initialization of bmap structure, which should have been
called from nilfs_read_inode_common(), not to be called.  This causes a
lockdep warning followed by a NULL pointer dereference at
nilfs_bmap_lookup_at_level().

This patch fixes these issues by adding a missing sanitiy check for the
i_mode field of metadata file's inode.

Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke at gmail.com>
Reported-by: syzbot+2b32eb36c1a825b7a74c at syzkaller.appspotmail.com
Reported-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
Tested-by: Ryusuke Konishi <konishi.ryusuke at gmail.com>
Cc: <stable at vger.kernel.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
(cherry picked from commit 21a87d88c2253350e115029f14fe2a10a7e6c856)
CVE-2022-3621
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
 fs/nilfs2/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index 67f63cfeade5..d4e653d51869 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -440,6 +440,8 @@ int nilfs_read_inode_common(struct inode *inode,
 	inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
 	inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec);
 	inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
+	if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode))
+		return -EIO; /* this inode is for metadata and corrupted */
 	if (inode->i_nlink == 0)
 		return -ESTALE; /* this inode is deleted */
 
-- 
2.34.1