From: Greg Kroah-Hartman Date: Sun, 16 Oct 2022 12:44:38 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.219~125 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d465a2a8ae0006450b96422edfd4aa62c38b4ad;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: f2fs-fix-to-do-sanity-check-on-destination-blkaddr-during-recovery.patch f2fs-fix-to-do-sanity-check-on-summary-info.patch f2fs-increase-the-limit-for-reserve_root.patch --- diff --git a/queue-5.10/f2fs-fix-to-do-sanity-check-on-destination-blkaddr-during-recovery.patch b/queue-5.10/f2fs-fix-to-do-sanity-check-on-destination-blkaddr-during-recovery.patch new file mode 100644 index 00000000000..7e9a1195617 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-do-sanity-check-on-destination-blkaddr-during-recovery.patch @@ -0,0 +1,124 @@ +From 0ef4ca04a3f9223ff8bc440041c524b2123e09a3 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 13 Sep 2022 10:08:41 +0800 +Subject: f2fs: fix to do sanity check on destination blkaddr during recovery + +From: Chao Yu + +commit 0ef4ca04a3f9223ff8bc440041c524b2123e09a3 upstream. + +As Wenqing Liu reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=216456 + +loop5: detected capacity change from 0 to 131072 +F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1 +F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0 +F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1 +F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0 +F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1 +F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0 +F2FS-fs (loop5): Bitmap was wrongly set, blk:5634 +------------[ cut here ]------------ +WARNING: CPU: 3 PID: 1013 at fs/f2fs/segment.c:2198 +RIP: 0010:update_sit_entry+0xa55/0x10b0 [f2fs] +Call Trace: + + f2fs_do_replace_block+0xa98/0x1890 [f2fs] + f2fs_replace_block+0xeb/0x180 [f2fs] + recover_data+0x1a69/0x6ae0 [f2fs] + f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs] + f2fs_fill_super+0x4665/0x61e0 [f2fs] + mount_bdev+0x2cf/0x3b0 + legacy_get_tree+0xed/0x1d0 + vfs_get_tree+0x81/0x2b0 + path_mount+0x47e/0x19d0 + do_mount+0xce/0xf0 + __x64_sys_mount+0x12c/0x1a0 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +If we enable CONFIG_F2FS_CHECK_FS config, it will trigger a kernel panic +instead of warning. + +The root cause is: in fuzzed image, SIT table is inconsistent with inode +mapping table, result in triggering such warning during SIT table update. + +This patch introduces a new flag DATA_GENERIC_ENHANCE_UPDATE, w/ this +flag, data block recovery flow can check destination blkaddr's validation +in SIT table, and skip f2fs_replace_block() to avoid inconsistent status. + +Cc: stable@vger.kernel.org +Reported-by: Wenqing Liu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/checkpoint.c | 10 +++++++++- + fs/f2fs/f2fs.h | 4 ++++ + fs/f2fs/recovery.c | 8 ++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -136,7 +136,7 @@ static bool __is_bitmap_valid(struct f2f + unsigned int segno, offset; + bool exist; + +- if (type != DATA_GENERIC_ENHANCE && type != DATA_GENERIC_ENHANCE_READ) ++ if (type == DATA_GENERIC) + return true; + + segno = GET_SEGNO(sbi, blkaddr); +@@ -144,6 +144,13 @@ static bool __is_bitmap_valid(struct f2f + se = get_seg_entry(sbi, segno); + + exist = f2fs_test_bit(offset, se->cur_valid_map); ++ if (exist && type == DATA_GENERIC_ENHANCE_UPDATE) { ++ f2fs_err(sbi, "Inconsistent error blkaddr:%u, sit bitmap:%d", ++ blkaddr, exist); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ return exist; ++ } ++ + if (!exist && type == DATA_GENERIC_ENHANCE) { + f2fs_err(sbi, "Inconsistent error blkaddr:%u, sit bitmap:%d", + blkaddr, exist); +@@ -181,6 +188,7 @@ bool f2fs_is_valid_blkaddr(struct f2fs_s + case DATA_GENERIC: + case DATA_GENERIC_ENHANCE: + case DATA_GENERIC_ENHANCE_READ: ++ case DATA_GENERIC_ENHANCE_UPDATE: + if (unlikely(blkaddr >= MAX_BLKADDR(sbi) || + blkaddr < MAIN_BLKADDR(sbi))) { + f2fs_warn(sbi, "access invalid blkaddr:%u", +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -235,6 +235,10 @@ enum { + * condition of read on truncated area + * by extent_cache + */ ++ DATA_GENERIC_ENHANCE_UPDATE, /* ++ * strong check on range and segment ++ * bitmap for update case ++ */ + META_GENERIC, + }; + +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -661,6 +661,14 @@ retry_prev: + goto err; + } + ++ if (f2fs_is_valid_blkaddr(sbi, dest, ++ DATA_GENERIC_ENHANCE_UPDATE)) { ++ f2fs_err(sbi, "Inconsistent dest blkaddr:%u, ino:%lu, ofs:%u", ++ dest, inode->i_ino, dn.ofs_in_node); ++ err = -EFSCORRUPTED; ++ goto err; ++ } ++ + /* write dummy data page */ + f2fs_replace_block(sbi, &dn, src, dest, + ni.version, false, false); diff --git a/queue-5.10/f2fs-fix-to-do-sanity-check-on-summary-info.patch b/queue-5.10/f2fs-fix-to-do-sanity-check-on-summary-info.patch new file mode 100644 index 00000000000..2fe498d23db --- /dev/null +++ b/queue-5.10/f2fs-fix-to-do-sanity-check-on-summary-info.patch @@ -0,0 +1,123 @@ +From c6ad7fd16657ebd34a87a97d9588195aae87597d Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 14 Sep 2022 19:51:51 +0800 +Subject: f2fs: fix to do sanity check on summary info + +From: Chao Yu + +commit c6ad7fd16657ebd34a87a97d9588195aae87597d upstream. + +As Wenqing Liu reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=216456 + +BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs] +Read of size 4 at addr ffff8881464dcd80 by task mount/1013 + +CPU: 3 PID: 1013 Comm: mount Tainted: G W 6.0.0-rc4 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +Call Trace: + dump_stack_lvl+0x45/0x5e + print_report.cold+0xf3/0x68d + kasan_report+0xa8/0x130 + recover_data+0x63ae/0x6ae0 [f2fs] + f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs] + f2fs_fill_super+0x4665/0x61e0 [f2fs] + mount_bdev+0x2cf/0x3b0 + legacy_get_tree+0xed/0x1d0 + vfs_get_tree+0x81/0x2b0 + path_mount+0x47e/0x19d0 + do_mount+0xce/0xf0 + __x64_sys_mount+0x12c/0x1a0 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The root cause is: in fuzzed image, SSA table is corrupted: ofs_in_node +is larger than ADDRS_PER_PAGE(), result in out-of-range access on 4k-size +page. + +- recover_data + - do_recover_data + - check_index_in_prev_nodes + - f2fs_data_blkaddr + +This patch adds sanity check on summary info in recovery and GC flow +in where the flows rely on them. + +After patch: +[ 29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018 + +Cc: stable@vger.kernel.org +Reported-by: Wenqing Liu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 10 +++++++++- + fs/f2fs/recovery.c | 15 ++++++++++++--- + 2 files changed, 21 insertions(+), 4 deletions(-) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -977,7 +977,7 @@ static bool is_alive(struct f2fs_sb_info + { + struct page *node_page; + nid_t nid; +- unsigned int ofs_in_node; ++ unsigned int ofs_in_node, max_addrs; + block_t source_blkaddr; + + nid = le32_to_cpu(sum->nid); +@@ -1003,6 +1003,14 @@ static bool is_alive(struct f2fs_sb_info + return false; + } + ++ max_addrs = IS_INODE(node_page) ? DEF_ADDRS_PER_INODE : ++ DEF_ADDRS_PER_BLOCK; ++ if (ofs_in_node >= max_addrs) { ++ f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u", ++ ofs_in_node, dni->ino, dni->nid, max_addrs); ++ return false; ++ } ++ + *nofs = ofs_of_node(node_page); + source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node); + f2fs_put_page(node_page, 1); +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -437,7 +437,7 @@ static int check_index_in_prev_nodes(str + struct dnode_of_data tdn = *dn; + nid_t ino, nid; + struct inode *inode; +- unsigned int offset; ++ unsigned int offset, ofs_in_node, max_addrs; + block_t bidx; + int i; + +@@ -463,15 +463,24 @@ static int check_index_in_prev_nodes(str + got_it: + /* Use the locked dnode page and inode */ + nid = le32_to_cpu(sum.nid); ++ ofs_in_node = le16_to_cpu(sum.ofs_in_node); ++ ++ max_addrs = ADDRS_PER_PAGE(dn->node_page, dn->inode); ++ if (ofs_in_node >= max_addrs) { ++ f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%lu, nid:%u, max:%u", ++ ofs_in_node, dn->inode->i_ino, nid, max_addrs); ++ return -EFSCORRUPTED; ++ } ++ + if (dn->inode->i_ino == nid) { + tdn.nid = nid; + if (!dn->inode_page_locked) + lock_page(dn->inode_page); + tdn.node_page = dn->inode_page; +- tdn.ofs_in_node = le16_to_cpu(sum.ofs_in_node); ++ tdn.ofs_in_node = ofs_in_node; + goto truncate_out; + } else if (dn->nid == nid) { +- tdn.ofs_in_node = le16_to_cpu(sum.ofs_in_node); ++ tdn.ofs_in_node = ofs_in_node; + goto truncate_out; + } + diff --git a/queue-5.10/f2fs-increase-the-limit-for-reserve_root.patch b/queue-5.10/f2fs-increase-the-limit-for-reserve_root.patch new file mode 100644 index 00000000000..778b67d6683 --- /dev/null +++ b/queue-5.10/f2fs-increase-the-limit-for-reserve_root.patch @@ -0,0 +1,39 @@ +From da35fe96d12d15779f3cb74929b7ed03941cf983 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Tue, 23 Aug 2022 10:18:42 -0700 +Subject: f2fs: increase the limit for reserve_root + +From: Jaegeuk Kim + +commit da35fe96d12d15779f3cb74929b7ed03941cf983 upstream. + +This patch increases the threshold that limits the reserved root space from 0.2% +to 12.5% by using simple shift operation. + +Typically Android sets 128MB, but if the storage capacity is 32GB, 0.2% which is +around 64MB becomes too small. Let's relax it. + +Cc: stable@vger.kernel.org +Reported-by: Aran Dalton +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -267,10 +267,10 @@ static int f2fs_sb_read_encoding(const s + + static inline void limit_reserve_root(struct f2fs_sb_info *sbi) + { +- block_t limit = min((sbi->user_block_count << 1) / 1000, ++ block_t limit = min((sbi->user_block_count >> 3), + sbi->user_block_count - sbi->reserved_blocks); + +- /* limit is 0.2% */ ++ /* limit is 12.5% */ + if (test_opt(sbi, RESERVE_ROOT) && + F2FS_OPTION(sbi).root_reserved_blocks > limit) { + F2FS_OPTION(sbi).root_reserved_blocks = limit; diff --git a/queue-5.10/series b/queue-5.10/series index b19139fe9e5..a6326012e3f 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -47,3 +47,6 @@ powerpc-boot-explicitly-disable-usage-of-spe-instructions.patch scsi-qedf-populate-sysfs-attributes-for-vport.patch fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch btrfs-fix-race-between-quota-enable-and-quota-rescan-ioctl.patch +f2fs-increase-the-limit-for-reserve_root.patch +f2fs-fix-to-do-sanity-check-on-destination-blkaddr-during-recovery.patch +f2fs-fix-to-do-sanity-check-on-summary-info.patch