5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Jun 2022 11:15:21 +0000 (13:15 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Jun 2022 11:15:21 +0000 (13:15 +0200)
added patches:
f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch
f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch

queue-5.15/f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch [new file with mode: 0644]
queue-5.15/f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch b/queue-5.15/f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch
new file mode 100644 (file)
index 0000000..589f79c
--- /dev/null
@@ -0,0 +1,68 @@
+From 4d17e6fe9293d57081ffdc11e1cf313e25e8fd9e Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 27 Apr 2022 01:06:02 +0800
+Subject: f2fs: fix to avoid f2fs_bug_on() in dec_valid_node_count()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 4d17e6fe9293d57081ffdc11e1cf313e25e8fd9e upstream.
+
+As Yanming reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215897
+
+I have encountered a bug in F2FS file system in kernel v5.17.
+
+The kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can
+reproduce the bug by running the following commands:
+
+The kernel message is shown below:
+
+kernel BUG at fs/f2fs/f2fs.h:2511!
+Call Trace:
+ f2fs_remove_inode_page+0x2a2/0x830
+ f2fs_evict_inode+0x9b7/0x1510
+ evict+0x282/0x4e0
+ do_unlinkat+0x33a/0x540
+ __x64_sys_unlinkat+0x8e/0xd0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is: .total_valid_block_count or .total_valid_node_count
+could fuzzed to zero, then once dec_valid_node_count() was called, it
+will cause BUG_ON(), this patch fixes to print warning info and set
+SBI_NEED_FSCK into CP instead of panic.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ming Yan <yanming@tju.edu.cn>
+Signed-off-by: Chao Yu <chao.yu@oppo.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/f2fs.h |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -2487,11 +2487,17 @@ static inline void dec_valid_node_count(
+ {
+       spin_lock(&sbi->stat_lock);
+-      f2fs_bug_on(sbi, !sbi->total_valid_block_count);
+-      f2fs_bug_on(sbi, !sbi->total_valid_node_count);
++      if (unlikely(!sbi->total_valid_block_count ||
++                      !sbi->total_valid_node_count)) {
++              f2fs_warn(sbi, "dec_valid_node_count: inconsistent block counts, total_valid_block:%u, total_valid_node:%u",
++                        sbi->total_valid_block_count,
++                        sbi->total_valid_node_count);
++              set_sbi_flag(sbi, SBI_NEED_FSCK);
++      } else {
++              sbi->total_valid_block_count--;
++              sbi->total_valid_node_count--;
++      }
+-      sbi->total_valid_node_count--;
+-      sbi->total_valid_block_count--;
+       if (sbi->reserved_blocks &&
+               sbi->current_reserved_blocks < sbi->reserved_blocks)
+               sbi->current_reserved_blocks++;
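Review bot: On the new inconsistent-count path (the `if (unlikely(!sbi->total_valid_block_count || ...))` branch) the function sets SBI_NEED_FSCK and skips the decrement, but then falls through to the unchanged `if (sbi->reserved_blocks && sbi->current_reserved_blocks < sbi->reserved_blocks) sbi->current_reserved_blocks++;` as if a block had really been released, so the reserved-pool counter can drift further on an image that is already known to be corrupt. If that is unintended, moving those three reserved-block lines into the `else` branch keeps the counters in step; if it is deliberate, a one-line comment such as `/* reserved pool is re-credited even when the counters are corrupt; fsck reconciles */` would save the next reader the question. Replacing the two f2fs_bug_on() calls with a warning plus a forced fsck is the right direction for an image an attacker can craft: a fuzzed filesystem should degrade to an fsck request, not a panic. dec_valid_node_count() continues past the hunk (the unlock and the per-inode accounting are not visible here).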
diff --git a/queue-5.15/f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch b/queue-5.15/f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch
new file mode 100644 (file)
index 0000000..34501ab
--- /dev/null
@@ -0,0 +1,73 @@
+From 25f8236213a91efdf708b9d77e9e51b6fc3e141c Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 27 Apr 2022 17:51:40 +0800
+Subject: f2fs: fix to do sanity check on block address in f2fs_do_zero_range()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 25f8236213a91efdf708b9d77e9e51b6fc3e141c upstream.
+
+As Yanming reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215894
+
+I have encountered a bug in F2FS file system in kernel v5.17.
+
+I have uploaded the system call sequence as case.c, and a fuzzed image can
+be found in google net disk
+
+The kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can
+reproduce the bug by running the following commands:
+
+kernel BUG at fs/f2fs/segment.c:2291!
+Call Trace:
+ f2fs_invalidate_blocks+0x193/0x2d0
+ f2fs_fallocate+0x2593/0x4a70
+ vfs_fallocate+0x2a5/0xac0
+ ksys_fallocate+0x35/0x70
+ __x64_sys_fallocate+0x8e/0xf0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is, after image was fuzzed, block mapping info in inode
+will be inconsistent with SIT table, so in f2fs_fallocate(), it will cause
+panic when updating SIT with invalid blkaddr.
+
+Let's fix the issue by adding sanity check on block address before updating
+SIT table with it.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ming Yan <yanming@tju.edu.cn>
+Signed-off-by: Chao Yu <chao.yu@oppo.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1436,11 +1436,19 @@ static int f2fs_do_zero_range(struct dno
+                       ret = -ENOSPC;
+                       break;
+               }
+-              if (dn->data_blkaddr != NEW_ADDR) {
+-                      f2fs_invalidate_blocks(sbi, dn->data_blkaddr);
+-                      dn->data_blkaddr = NEW_ADDR;
+-                      f2fs_set_data_blkaddr(dn);
++
++              if (dn->data_blkaddr == NEW_ADDR)
++                      continue;
++
++              if (!f2fs_is_valid_blkaddr(sbi, dn->data_blkaddr,
++                                      DATA_GENERIC_ENHANCE)) {
++                      ret = -EFSCORRUPTED;
++                      break;
+               }
++
++              f2fs_invalidate_blocks(sbi, dn->data_blkaddr);
++              dn->data_blkaddr = NEW_ADDR;
++              f2fs_set_data_blkaddr(dn);
+       }
+       f2fs_update_extent_cache_range(dn, start, 0, index - start);
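Review bot: The new `f2fs_is_valid_blkaddr(sbi, dn->data_blkaddr, DATA_GENERIC_ENHANCE)` guard is the right shape, but nothing in the hunk records why an address taken from the inode's block map can be untrusted; a comment above it, e.g. `/* On a crafted image the block map can disagree with the SIT; reject out-of-range addresses before f2fs_invalidate_blocks() touches the SIT bitmap. */`, ties the check to the panic it closes. Whether the failing check also flags the superblock is not visible here — if f2fs_is_valid_blkaddr() does not set SBI_NEED_FSCK itself, the `ret = -EFSCORRUPTED;` path should, mirroring the companion dec_valid_node_count() fix in this batch. After the `break`, the partial range [start, index) is still handed to f2fs_update_extent_cache_range(), which matches the pre-existing -ENOSPC path, so the partial update is consistent with prior behaviour. The for-loop header and the function's return are outside the hunk.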
index ef206a574ad8b26e114c2b8da4eb2684e7e92ffa..03f1cdc092d17c9a50b2ddcd7b26e9441dc95e30 100644 (file)
@@ -513,3 +513,5 @@ nfs-always-initialise-fattr-label-in-nfs_fattr_alloc.patch
 nfs-create-a-new-nfs_alloc_fattr_with_label-function.patch
 nfs-convert-gfp_nofs-to-gfp_kernel.patch
 nfsv4.1-mark-qualified-async-operations-as-moveable-.patch
+f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch
+f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch