[BUG] bfs: mount-time null-ptr-deref in range [0x28-0x2f] in bfs_move_block()
From: Hyungjung Joo
Date: Tue Mar 10 2026 - 02:03:12 EST
Hello,
I am reporting a filesystem bug reproduced on the current mainline
with KASAN enabled.
Target file: fs/bfs/file.c
Subsystem: fs/bfs
Git head: 5ee8dbf54602dc340d6235b1d6aa17c0f283f48c
Kernel release: 7.0.0-rc2+
Root cause:
`bfs_get_block()` relocates a non-last file to `where = info->si_lf_eblk + 1`
and only bounds-checks the intended new extent with
`where + block < info->si_blocks`. `bfs_move_blocks()` then copies each source
disk block `i` to `where + i` instead of `where + (i - start)`, so it treats the
absolute source block number as a relative offset. For a one-block file whose
`i_sblock` is greater than 1, appending one block after another file has
advanced `si_lf_eblk` near the end makes the real destination exceed the
device. `bfs_move_block()` blindly dereferences `sb_getblk(sb, to)` via
`memcpy(new->b_data, ...)`, producing a NULL dereference on a
filesystem-sized backing device.
Reproducer:
C reproducer: https://pastebin.com/raw/awqH6UQb
KASAN full log: https://pastebin.com/raw/qsa54J7j
Kernel config: https://pastebin.com/raw/YrrmUMzr
Key config options:
- CONFIG_KASAN=y
- CONFIG_KASAN_GENERIC=y
- CONFIG_KASAN_MULTI_SHOT=y
- CONFIG_DEBUG_KERNEL=y
- CONFIG_FRAME_POINTER=y
- CONFIG_BFS_FS=y
- CONFIG_BLK_DEV_LOOP=y
Brief KASAN call trace:
[ 63.935062][ T143] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 63.935560][ T143] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 63.936151][ T143] RIP: 0010:bfs_move_block+0x16e/0x280
[ 63.937255][ T143] Call Trace:
[ 63.937255][ T143] bfs_get_block+0x205/0xd00
[ 63.937255][ T143] __block_write_begin_int+0x3bd/0xbc0
[ 63.937255][ T143] block_write_begin+0x85/0x240
[ 63.937255][ T143] bfs_write_begin+0x30/0x100
[ 63.937255][ T143] generic_perform_write+0x374/0x800
[ 63.937255][ T143] generic_file_write_iter+0xd7/0x340
[ 63.937255][ T143] vfs_write+0x9c9/0xfc0
[ 63.937255][ T143] __x64_sys_pwrite64+0x19f/0x200
[ 63.937255][ T143] do_syscall_64+0x141/0xf40
[ 63.937255][ T143] entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reproducibility notes:
- observed crash: mount-time null-ptr-deref in range [0x0000000000000028-0x000000000000002f] in bfs_move_block()
- rootfs mode: busybox
- guest /init runs the case-specific trigger binary automatically
If you need anything else, please let me know.
Thank you.
Best regards,
Hyungjung Joo, jhj140711@xxxxxxxxx
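The following is an added example and is not part of the report above or of the kernel's fs/bfs code. It is a small userspace C model of the relocation arithmetic the report describes under "Root cause": the caller's single bounds check (`where + block < si_blocks`), the loop that computes each destination as `where + i` versus `where + (i - start)`, and a copy step that, unlike the `sb_getblk()` + `memcpy()` path named in the report, refuses to touch a block past the end of the device. The device size (16 blocks), the extent positions and the block contents are constructed values chosen so the one-block-file scenario from the report fires; `dest_buggy`, `dest_fixed`, `move_extent` and `relocate_append` are names introduced here, not kernel symbols.

```c
#include <stdio.h>

/* Assumed tiny device: si_blocks == 16, one byte stands in for a block. */
#define MODEL_BLOCKS 16u

struct model_sb {
    unsigned long si_blocks;          /* total blocks on the device */
    unsigned long si_lf_eblk;         /* last block of the last file */
    unsigned char disk[MODEL_BLOCKS]; /* constructed block contents */
};

struct model_inode {
    unsigned long i_sblock;           /* first block of the file's extent */
    unsigned long i_eblock;           /* last block of the file's extent */
};

typedef unsigned long (*dest_fn)(unsigned long where, unsigned long i,
                                 unsigned long start);

/* Destination as the report describes the existing loop: the absolute
 * source block number i is added to where as if it were an offset. */
static unsigned long dest_buggy(unsigned long where, unsigned long i,
                                unsigned long start)
{
    (void)start;
    return where + i;
}

/* Destination with the offset made relative to the extent start. */
static unsigned long dest_fixed(unsigned long where, unsigned long i,
                                unsigned long start)
{
    return where + (i - start);
}

/* The only bounds check on the relocation path, as quoted in the report.
 * It validates the intended extent, not the addresses the loop will use. */
static int precheck_passes(unsigned long where, unsigned long block)
{
    return where + block < MODEL_BLOCKS;
}

/* Model of the per-block copy.  Returns the first destination that lies
 * past the device (where the real code would call sb_getblk(sb, to) and
 * dereference the result), or -1 when every copy fits. */
static long move_extent(struct model_sb *sb, const struct model_inode *bi,
                        unsigned long where, dest_fn dest)
{
    for (unsigned long i = bi->i_sblock; i <= bi->i_eblock; i++) {
        unsigned long to = dest(where, i, bi->i_sblock);
        if (to >= sb->si_blocks)
            return (long)to;
        sb->disk[to] = sb->disk[i];
    }
    return -1;
}

/* Scenario from the report: a one-block file starting at i_sblock > 1,
 * another file has advanced si_lf_eblk near the end, and one block is
 * appended (block index 1 of the file).  Returns -2 when the pre-check
 * rejects the relocation (-ENOSPC in the real code), otherwise the
 * move_extent() result. */
static long relocate_append(unsigned long i_sblock, unsigned long si_lf_eblk,
                            dest_fn dest)
{
    struct model_sb sb = { .si_blocks = MODEL_BLOCKS, .si_lf_eblk = si_lf_eblk };
    struct model_inode bi = { .i_sblock = i_sblock, .i_eblock = i_sblock };
    unsigned long block = 1;
    unsigned long where = sb.si_lf_eblk + 1;

    for (unsigned i = 0; i < MODEL_BLOCKS; i++)
        sb.disk[i] = (unsigned char)i;

    if (!precheck_passes(where, block))
        return -2;
    return move_extent(&sb, &bi, where, dest);
}

int main(void)
{
    /* where = 13; the pre-check sees 13 + 1 < 16 and allows the move,
     * but the buggy destination for source block 5 is 13 + 5 = 18. */
    printf("buggy: first out-of-range destination %ld\n",
           relocate_append(5, 12, dest_buggy));
    printf("fixed: result %ld (-1 means every copy stayed on the device)\n",
           relocate_append(5, 12, dest_fixed));
    return 0;
}
```

The point the model makes is that the pre-check and the copy loop disagree about what address space they are in: the check reasons about the file's relative block index while the loop adds the absolute source block number, so a relocation that passes the check can still address a block past `si_blocks`. A fix in this shape needs both the relative offset in the loop and a check on the result of `sb_getblk()` before it is dereferenced.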