From: Sasha Levin Date: Sun, 2 Dec 2018 15:57:04 +0000 (-0500) Subject: patches for 4.14 X-Git-Tag: v4.19.7~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=816ebce7b27544e65460c12dbfe1ceda8ac96ddc;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/bpf-prevent-memory-disambiguation-attack.patch b/queue-4.14/bpf-prevent-memory-disambiguation-attack.patch new file mode 100644 index 00000000000..4f8aef788d1 --- /dev/null +++ b/queue-4.14/bpf-prevent-memory-disambiguation-attack.patch @@ -0,0 +1,153 @@ +From 24fc426c29e8caa7e8f69d3e5ca7a7440f0c9976 Mon Sep 17 00:00:00 2001 +From: Alexei Starovoitov +Date: Tue, 15 May 2018 09:27:05 -0700 +Subject: bpf: Prevent memory disambiguation attack + +commit af86ca4e3088fe5eacf2f7e58c01fa68ca067672 upstream. + +Detect code patterns where malicious 'speculative store bypass' can be used +and sanitize such patterns. + + 39: (bf) r3 = r10 + 40: (07) r3 += -216 + 41: (79) r8 = *(u64 *)(r7 +0) // slow read + 42: (7a) *(u64 *)(r10 -72) = 0 // verifier inserts this instruction + 43: (7b) *(u64 *)(r8 +0) = r3 // this store becomes slow due to r8 + 44: (79) r1 = *(u64 *)(r6 +0) // cpu speculatively executes this load + 45: (71) r2 = *(u8 *)(r1 +0) // speculatively arbitrary 'load byte' + // is now sanitized + +Above code after x86 JIT becomes: + e5: mov %rbp,%rdx + e8: add $0xffffffffffffff28,%rdx + ef: mov 0x0(%r13),%r14 + f3: movq $0x0,-0x48(%rbp) + fb: mov %rdx,0x0(%r14) + ff: mov 0x0(%rbx),%rdi +103: movzbq 0x0(%rdi),%rsi + +Signed-off-by: Alexei Starovoitov +Signed-off-by: Thomas Gleixner +[bwh: Backported to 4.14: + - Add bpf_verifier_env parameter to check_stack_write() + - Look up stack slot_types with state->stack_slot_type[] rather than + state->stack[].slot_type[] + - Drop bpf_verifier_env argument to verbose() + - Adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + include/linux/bpf_verifier.h | 1 + + kernel/bpf/verifier.c | 62 +++++++++++++++++++++++++++++++++--- + 2 files changed, 59 insertions(+), 4 deletions(-) + +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index a3333004fd2b..8458cc5fbce5 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -113,6 +113,7 @@ struct bpf_insn_aux_data { + struct bpf_map *map_ptr; /* pointer for call insn into lookup_elem */ + }; + int ctx_field_size; /* the ctx field size for load insn, maybe 0 */ ++ int sanitize_stack_off; /* stack slot to be cleared */ + bool seen; /* this insn was processed by the verifier */ + }; + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 013b0cd1958e..f6755fd5bae2 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -717,8 +717,9 @@ static bool is_spillable_regtype(enum bpf_reg_type type) + /* check_stack_read/write functions track spill/fill of registers, + * stack boundary and alignment are checked in check_mem_access() + */ +-static int check_stack_write(struct bpf_verifier_state *state, int off, +- int size, int value_regno) ++static int check_stack_write(struct bpf_verifier_env *env, ++ struct bpf_verifier_state *state, int off, ++ int size, int value_regno, int insn_idx) + { + int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE; + /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, +@@ -738,8 +739,32 @@ static int check_stack_write(struct bpf_verifier_state *state, int off, + state->spilled_regs[spi] = state->regs[value_regno]; + state->spilled_regs[spi].live |= REG_LIVE_WRITTEN; + +- for (i = 0; i < BPF_REG_SIZE; i++) ++ for (i = 0; i < BPF_REG_SIZE; i++) { ++ if (state->stack_slot_type[MAX_BPF_STACK + off + i] == STACK_MISC && ++ !env->allow_ptr_leaks) { ++ int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off; ++ int soff = (-spi - 1) * BPF_REG_SIZE; ++ ++ /* detected reuse of integer stack slot with a pointer ++ * which means either llvm is reusing stack slot or ++ * an attacker is trying to exploit CVE-2018-3639 ++ * (speculative store bypass) ++ * Have to sanitize that slot with preemptive ++ * store of zero. ++ */ ++ if (*poff && *poff != soff) { ++ /* disallow programs where single insn stores ++ * into two different stack slots, since verifier ++ * cannot sanitize them ++ */ ++ verbose("insn %d cannot access two stack slots fp%d and fp%d", ++ insn_idx, *poff, soff); ++ return -EINVAL; ++ } ++ *poff = soff; ++ } + state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_SPILL; ++ } + } else { + /* regular write of data into stack */ + state->spilled_regs[spi] = (struct bpf_reg_state) {}; +@@ -1216,7 +1241,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn + verbose("attempt to corrupt spilled pointer on stack\n"); + return -EACCES; + } +- err = check_stack_write(state, off, size, value_regno); ++ err = check_stack_write(env, state, off, size, ++ value_regno, insn_idx); + } else { + err = check_stack_read(state, off, size, value_regno); + } +@@ -4270,6 +4296,34 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) + else + continue; + ++ if (type == BPF_WRITE && ++ env->insn_aux_data[i + delta].sanitize_stack_off) { ++ struct bpf_insn patch[] = { ++ /* Sanitize suspicious stack slot with zero. ++ * There are no memory dependencies for this store, ++ * since it's only using frame pointer and immediate ++ * constant of zero ++ */ ++ BPF_ST_MEM(BPF_DW, BPF_REG_FP, ++ env->insn_aux_data[i + delta].sanitize_stack_off, ++ 0), ++ /* the original STX instruction will immediately ++ * overwrite the same stack slot with appropriate value ++ */ ++ *insn, ++ }; ++ ++ cnt = ARRAY_SIZE(patch); ++ new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt); ++ if (!new_prog) ++ return -ENOMEM; ++ ++ delta += cnt - 1; ++ env->prog = new_prog; ++ insn = new_prog->insnsi + i + delta; ++ continue; ++ } ++ + if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX) + continue; + +-- +2.17.1 + diff --git a/queue-4.14/btrfs-add-checker-for-extent_csum.patch b/queue-4.14/btrfs-add-checker-for-extent_csum.patch new file mode 100644 index 00000000000..7f3ddb40ecb --- /dev/null +++ b/queue-4.14/btrfs-add-checker-for-extent_csum.patch @@ -0,0 +1,73 @@ +From 45c4c6911e3d2c7198404928beb1deca7fca8931 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 23 Aug 2017 16:57:59 +0900 +Subject: btrfs: Add checker for EXTENT_CSUM + +commit 4b865cab96fe2a30ed512cf667b354bd291b3b0a upstream. + +EXTENT_CSUM checker is a relatively easy one, only needs to check: + +1) Objectid + Fixed to BTRFS_EXTENT_CSUM_OBJECTID + +2) Key offset alignment + Must be aligned to sectorsize + +3) Item size alignedment + Must be aligned to csum size + +Signed-off-by: Qu Wenruo +Reviewed-by: Nikolay Borisov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index ab8925b2efd1..53841d773a40 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -627,6 +627,27 @@ static int check_extent_data_item(struct btrfs_root *root, + return 0; + } + ++static int check_csum_item(struct btrfs_root *root, struct extent_buffer *leaf, ++ struct btrfs_key *key, int slot) ++{ ++ u32 sectorsize = root->fs_info->sectorsize; ++ u32 csumsize = btrfs_super_csum_size(root->fs_info->super_copy); ++ ++ if (key->objectid != BTRFS_EXTENT_CSUM_OBJECTID) { ++ CORRUPT("invalid objectid for csum item", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (!IS_ALIGNED(key->offset, sectorsize)) { ++ CORRUPT("unaligned key offset for csum item", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (!IS_ALIGNED(btrfs_item_size_nr(leaf, slot), csumsize)) { ++ CORRUPT("unaligned csum item size", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ return 0; ++} ++ + /* + * Common point to switch the item-specific validation. + */ +@@ -640,6 +661,9 @@ static int check_leaf_item(struct btrfs_root *root, + case BTRFS_EXTENT_DATA_KEY: + ret = check_extent_data_item(root, leaf, key, slot); + break; ++ case BTRFS_EXTENT_CSUM_KEY: ++ ret = check_csum_item(root, leaf, key, slot); ++ break; + } + return ret; + } +-- +2.17.1 + diff --git a/queue-4.14/btrfs-add-sanity-check-for-extent_data-when-reading-.patch b/queue-4.14/btrfs-add-sanity-check-for-extent_data-when-reading-.patch new file mode 100644 index 00000000000..e8bb04ee159 --- /dev/null +++ b/queue-4.14/btrfs-add-sanity-check-for-extent_data-when-reading-.patch @@ -0,0 +1,187 @@ +From 1776d7d1c91f2c6166e91eee40686610287b0ad8 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 23 Aug 2017 16:57:58 +0900 +Subject: btrfs: Add sanity check for EXTENT_DATA when reading out leaf + +commit 40c3c40947324d9f40bf47830c92c59a9bbadf4a upstream. + +Add extra checks for item with EXTENT_DATA type. This checks the +following thing: + +0) Key offset + All key offsets must be aligned to sectorsize. + Inline extent must have 0 for key offset. + +1) Item size + Uncompressed inline file extent size must match item size. + (Compressed inline file extent has no information about its on-disk size.) + Regular/preallocated file extent size must be a fixed value. + +2) Every member of regular file extent item + Including alignment for bytenr and offset, possible value for + compression/encryption/type. + +3) Type/compression/encode must be one of the valid values. + +This should be the most comprehensive and strict check in the context +of btrfs_item for EXTENT_DATA. + +Signed-off-by: Qu Wenruo +Reviewed-by: Nikolay Borisov +Reviewed-by: David Sterba +[ switch to BTRFS_FILE_EXTENT_TYPES, similar to what + BTRFS_COMPRESS_TYPES does ] +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 103 ++++++++++++++++++++++++++++++++ + include/uapi/linux/btrfs_tree.h | 1 + + 2 files changed, 104 insertions(+) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index da7b2039e4cb..ab8925b2efd1 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -550,6 +550,100 @@ static int check_tree_block_fsid(struct btrfs_fs_info *fs_info, + btrfs_header_level(eb) == 0 ? "leaf" : "node", \ + reason, btrfs_header_bytenr(eb), root->objectid, slot) + ++static int check_extent_data_item(struct btrfs_root *root, ++ struct extent_buffer *leaf, ++ struct btrfs_key *key, int slot) ++{ ++ struct btrfs_file_extent_item *fi; ++ u32 sectorsize = root->fs_info->sectorsize; ++ u32 item_size = btrfs_item_size_nr(leaf, slot); ++ ++ if (!IS_ALIGNED(key->offset, sectorsize)) { ++ CORRUPT("unaligned key offset for file extent", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item); ++ ++ if (btrfs_file_extent_type(leaf, fi) > BTRFS_FILE_EXTENT_TYPES) { ++ CORRUPT("invalid file extent type", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ /* ++ * Support for new compression/encrption must introduce incompat flag, ++ * and must be caught in open_ctree(). ++ */ ++ if (btrfs_file_extent_compression(leaf, fi) > BTRFS_COMPRESS_TYPES) { ++ CORRUPT("invalid file extent compression", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (btrfs_file_extent_encryption(leaf, fi)) { ++ CORRUPT("invalid file extent encryption", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) { ++ /* Inline extent must have 0 as key offset */ ++ if (key->offset) { ++ CORRUPT("inline extent has non-zero key offset", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ /* Compressed inline extent has no on-disk size, skip it */ ++ if (btrfs_file_extent_compression(leaf, fi) != ++ BTRFS_COMPRESS_NONE) ++ return 0; ++ ++ /* Uncompressed inline extent size must match item size */ ++ if (item_size != BTRFS_FILE_EXTENT_INLINE_DATA_START + ++ btrfs_file_extent_ram_bytes(leaf, fi)) { ++ CORRUPT("plaintext inline extent has invalid size", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ return 0; ++ } ++ ++ /* Regular or preallocated extent has fixed item size */ ++ if (item_size != sizeof(*fi)) { ++ CORRUPT( ++ "regluar or preallocated extent data item size is invalid", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (!IS_ALIGNED(btrfs_file_extent_ram_bytes(leaf, fi), sectorsize) || ++ !IS_ALIGNED(btrfs_file_extent_disk_bytenr(leaf, fi), sectorsize) || ++ !IS_ALIGNED(btrfs_file_extent_disk_num_bytes(leaf, fi), sectorsize) || ++ !IS_ALIGNED(btrfs_file_extent_offset(leaf, fi), sectorsize) || ++ !IS_ALIGNED(btrfs_file_extent_num_bytes(leaf, fi), sectorsize)) { ++ CORRUPT( ++ "regular or preallocated extent data item has unaligned value", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ return 0; ++} ++ ++/* ++ * Common point to switch the item-specific validation. ++ */ ++static int check_leaf_item(struct btrfs_root *root, ++ struct extent_buffer *leaf, ++ struct btrfs_key *key, int slot) ++{ ++ int ret = 0; ++ ++ switch (key->type) { ++ case BTRFS_EXTENT_DATA_KEY: ++ ret = check_extent_data_item(root, leaf, key, slot); ++ break; ++ } ++ return ret; ++} ++ + static noinline int check_leaf(struct btrfs_root *root, + struct extent_buffer *leaf) + { +@@ -606,9 +700,13 @@ static noinline int check_leaf(struct btrfs_root *root, + * 1) key order + * 2) item offset and size + * No overlap, no hole, all inside the leaf. ++ * 3) item content ++ * If possible, do comprehensive sanity check. ++ * NOTE: All checks must only rely on the item data itself. + */ + for (slot = 0; slot < nritems; slot++) { + u32 item_end_expected; ++ int ret; + + btrfs_item_key_to_cpu(leaf, &key, slot); + +@@ -651,6 +749,11 @@ static noinline int check_leaf(struct btrfs_root *root, + return -EUCLEAN; + } + ++ /* Check if the item size and content meet other criteria */ ++ ret = check_leaf_item(root, leaf, &key, slot); ++ if (ret < 0) ++ return ret; ++ + prev_key.objectid = key.objectid; + prev_key.type = key.type; + prev_key.offset = key.offset; +diff --git a/include/uapi/linux/btrfs_tree.h b/include/uapi/linux/btrfs_tree.h +index 7115838fbf2a..38ab0e06259a 100644 +--- a/include/uapi/linux/btrfs_tree.h ++++ b/include/uapi/linux/btrfs_tree.h +@@ -734,6 +734,7 @@ struct btrfs_balance_item { + #define BTRFS_FILE_EXTENT_INLINE 0 + #define BTRFS_FILE_EXTENT_REG 1 + #define BTRFS_FILE_EXTENT_PREALLOC 2 ++#define BTRFS_FILE_EXTENT_TYPES 2 + + struct btrfs_file_extent_item { + /* +-- +2.17.1 + diff --git a/queue-4.14/btrfs-check-if-item-pointer-overlaps-with-the-item-i.patch b/queue-4.14/btrfs-check-if-item-pointer-overlaps-with-the-item-i.patch new file mode 100644 index 00000000000..39a2c446e19 --- /dev/null +++ b/queue-4.14/btrfs-check-if-item-pointer-overlaps-with-the-item-i.patch @@ -0,0 +1,44 @@ +From 712e44f4d7a2e30a87cc97bf043607ea01d0a39b Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 23 Aug 2017 16:57:57 +0900 +Subject: btrfs: Check if item pointer overlaps with the item itself + +commit 7f43d4affb2a254d421ab20b0cf65ac2569909fb upstream. + +Function check_leaf() checks if any item pointer points outside of the +leaf, but it doesn't check if the pointer overlaps with the item itself. + +Normally only the last item may be the victim, but adding such check is +never a bad idea anyway. + +Signed-off-by: Qu Wenruo +Reviewed-by: Nikolay Borisov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 4a1e63df1183..da7b2039e4cb 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -644,6 +644,13 @@ static noinline int check_leaf(struct btrfs_root *root, + return -EUCLEAN; + } + ++ /* Also check if the item pointer overlaps with btrfs item. */ ++ if (btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) > ++ btrfs_item_ptr_offset(leaf, slot)) { ++ CORRUPT("slot overlap with its data", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ + prev_key.objectid = key.objectid; + prev_key.type = key.type; + prev_key.offset = key.offset; +-- +2.17.1 + diff --git a/queue-4.14/btrfs-check-that-each-block-group-has-corresponding-.patch b/queue-4.14/btrfs-check-that-each-block-group-has-corresponding-.patch new file mode 100644 index 00000000000..28c497a1f8d --- /dev/null +++ b/queue-4.14/btrfs-check-that-each-block-group-has-corresponding-.patch @@ -0,0 +1,86 @@ +From 42ed835b434453459cc94a951a2f51db4ce38aa7 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 1 Aug 2018 10:37:16 +0800 +Subject: btrfs: Check that each block group has corresponding chunk at mount + time + +commit 514c7dca85a0bf40be984dab0b477403a6db901f upstream. + +A crafted btrfs image with incorrect chunk<->block group mapping will +trigger a lot of unexpected things as the mapping is essential. + +Although the problem can be caught by block group item checker +added in "btrfs: tree-checker: Verify block_group_item", it's still not +sufficient. A sufficiently valid block group item can pass the check +added by the mentioned patch but could fail to match the existing chunk. + +This patch will add extra block group -> chunk mapping check, to ensure +we have a completely matching (start, len, flags) chunk for each block +group at mount time. + +Here we reuse the original helper find_first_block_group(), which is +already doing the basic bg -> chunk checks, adding further checks of the +start/len and type flags. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199837 +Reported-by: Xu Wen +Signed-off-by: Qu Wenruo +Reviewed-by: Su Yue +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index fdc42eddccc2..83791d13c204 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -9828,6 +9828,8 @@ static int find_first_block_group(struct btrfs_fs_info *fs_info, + int ret = 0; + struct btrfs_key found_key; + struct extent_buffer *leaf; ++ struct btrfs_block_group_item bg; ++ u64 flags; + int slot; + + ret = btrfs_search_slot(NULL, root, key, path, 0, 0); +@@ -9862,8 +9864,32 @@ static int find_first_block_group(struct btrfs_fs_info *fs_info, + "logical %llu len %llu found bg but no related chunk", + found_key.objectid, found_key.offset); + ret = -ENOENT; ++ } else if (em->start != found_key.objectid || ++ em->len != found_key.offset) { ++ btrfs_err(fs_info, ++ "block group %llu len %llu mismatch with chunk %llu len %llu", ++ found_key.objectid, found_key.offset, ++ em->start, em->len); ++ ret = -EUCLEAN; + } else { +- ret = 0; ++ read_extent_buffer(leaf, &bg, ++ btrfs_item_ptr_offset(leaf, slot), ++ sizeof(bg)); ++ flags = btrfs_block_group_flags(&bg) & ++ BTRFS_BLOCK_GROUP_TYPE_MASK; ++ ++ if (flags != (em->map_lookup->type & ++ BTRFS_BLOCK_GROUP_TYPE_MASK)) { ++ btrfs_err(fs_info, ++"block group %llu len %llu type flags 0x%llx mismatch with chunk type flags 0x%llx", ++ found_key.objectid, ++ found_key.offset, flags, ++ (BTRFS_BLOCK_GROUP_TYPE_MASK & ++ em->map_lookup->type)); ++ ret = -EUCLEAN; ++ } else { ++ ret = 0; ++ } + } + free_extent_map(em); + goto out; +-- +2.17.1 + diff --git a/queue-4.14/btrfs-move-leaf-and-node-validation-checker-to-tree-.patch b/queue-4.14/btrfs-move-leaf-and-node-validation-checker-to-tree-.patch new file mode 100644 index 00000000000..fe76929a959 --- /dev/null +++ b/queue-4.14/btrfs-move-leaf-and-node-validation-checker-to-tree-.patch @@ -0,0 +1,708 @@ +From be96701e27044da9dc0d219df741b7b26fbc0e64 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Mon, 9 Oct 2017 01:51:02 +0000 +Subject: btrfs: Move leaf and node validation checker to tree-checker.c + +commit 557ea5dd003d371536f6b4e8f7c8209a2b6fd4e3 upstream. + +It's no doubt the comprehensive tree block checker will become larger, +so moving them into their own files is quite reasonable. + +Signed-off-by: Qu Wenruo +[ wording adjustments ] +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/Makefile | 2 +- + fs/btrfs/disk-io.c | 285 +----------------------------------- + fs/btrfs/tree-checker.c | 309 ++++++++++++++++++++++++++++++++++++++++ + fs/btrfs/tree-checker.h | 26 ++++ + 4 files changed, 340 insertions(+), 282 deletions(-) + create mode 100644 fs/btrfs/tree-checker.c + create mode 100644 fs/btrfs/tree-checker.h + +diff --git a/fs/btrfs/Makefile b/fs/btrfs/Makefile +index f2cd9dedb037..195229df5ba0 100644 +--- a/fs/btrfs/Makefile ++++ b/fs/btrfs/Makefile +@@ -10,7 +10,7 @@ btrfs-y += super.o ctree.o extent-tree.o print-tree.o root-tree.o dir-item.o \ + export.o tree-log.o free-space-cache.o zlib.o lzo.o zstd.o \ + compression.o delayed-ref.o relocation.o delayed-inode.o scrub.o \ + reada.o backref.o ulist.o qgroup.o send.o dev-replace.o raid56.o \ +- uuid-tree.o props.o hash.o free-space-tree.o ++ uuid-tree.o props.o hash.o free-space-tree.o tree-checker.o + + btrfs-$(CONFIG_BTRFS_FS_POSIX_ACL) += acl.o + btrfs-$(CONFIG_BTRFS_FS_CHECK_INTEGRITY) += check-integrity.o +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 53841d773a40..2df5e906db08 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -50,6 +50,7 @@ + #include "sysfs.h" + #include "qgroup.h" + #include "compression.h" ++#include "tree-checker.h" + + #ifdef CONFIG_X86 + #include +@@ -544,284 +545,6 @@ static int check_tree_block_fsid(struct btrfs_fs_info *fs_info, + return ret; + } + +-#define CORRUPT(reason, eb, root, slot) \ +- btrfs_crit(root->fs_info, \ +- "corrupt %s, %s: block=%llu, root=%llu, slot=%d", \ +- btrfs_header_level(eb) == 0 ? "leaf" : "node", \ +- reason, btrfs_header_bytenr(eb), root->objectid, slot) +- +-static int check_extent_data_item(struct btrfs_root *root, +- struct extent_buffer *leaf, +- struct btrfs_key *key, int slot) +-{ +- struct btrfs_file_extent_item *fi; +- u32 sectorsize = root->fs_info->sectorsize; +- u32 item_size = btrfs_item_size_nr(leaf, slot); +- +- if (!IS_ALIGNED(key->offset, sectorsize)) { +- CORRUPT("unaligned key offset for file extent", +- leaf, root, slot); +- return -EUCLEAN; +- } +- +- fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item); +- +- if (btrfs_file_extent_type(leaf, fi) > BTRFS_FILE_EXTENT_TYPES) { +- CORRUPT("invalid file extent type", leaf, root, slot); +- return -EUCLEAN; +- } +- +- /* +- * Support for new compression/encrption must introduce incompat flag, +- * and must be caught in open_ctree(). +- */ +- if (btrfs_file_extent_compression(leaf, fi) > BTRFS_COMPRESS_TYPES) { +- CORRUPT("invalid file extent compression", leaf, root, slot); +- return -EUCLEAN; +- } +- if (btrfs_file_extent_encryption(leaf, fi)) { +- CORRUPT("invalid file extent encryption", leaf, root, slot); +- return -EUCLEAN; +- } +- if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) { +- /* Inline extent must have 0 as key offset */ +- if (key->offset) { +- CORRUPT("inline extent has non-zero key offset", +- leaf, root, slot); +- return -EUCLEAN; +- } +- +- /* Compressed inline extent has no on-disk size, skip it */ +- if (btrfs_file_extent_compression(leaf, fi) != +- BTRFS_COMPRESS_NONE) +- return 0; +- +- /* Uncompressed inline extent size must match item size */ +- if (item_size != BTRFS_FILE_EXTENT_INLINE_DATA_START + +- btrfs_file_extent_ram_bytes(leaf, fi)) { +- CORRUPT("plaintext inline extent has invalid size", +- leaf, root, slot); +- return -EUCLEAN; +- } +- return 0; +- } +- +- /* Regular or preallocated extent has fixed item size */ +- if (item_size != sizeof(*fi)) { +- CORRUPT( +- "regluar or preallocated extent data item size is invalid", +- leaf, root, slot); +- return -EUCLEAN; +- } +- if (!IS_ALIGNED(btrfs_file_extent_ram_bytes(leaf, fi), sectorsize) || +- !IS_ALIGNED(btrfs_file_extent_disk_bytenr(leaf, fi), sectorsize) || +- !IS_ALIGNED(btrfs_file_extent_disk_num_bytes(leaf, fi), sectorsize) || +- !IS_ALIGNED(btrfs_file_extent_offset(leaf, fi), sectorsize) || +- !IS_ALIGNED(btrfs_file_extent_num_bytes(leaf, fi), sectorsize)) { +- CORRUPT( +- "regular or preallocated extent data item has unaligned value", +- leaf, root, slot); +- return -EUCLEAN; +- } +- +- return 0; +-} +- +-static int check_csum_item(struct btrfs_root *root, struct extent_buffer *leaf, +- struct btrfs_key *key, int slot) +-{ +- u32 sectorsize = root->fs_info->sectorsize; +- u32 csumsize = btrfs_super_csum_size(root->fs_info->super_copy); +- +- if (key->objectid != BTRFS_EXTENT_CSUM_OBJECTID) { +- CORRUPT("invalid objectid for csum item", leaf, root, slot); +- return -EUCLEAN; +- } +- if (!IS_ALIGNED(key->offset, sectorsize)) { +- CORRUPT("unaligned key offset for csum item", leaf, root, slot); +- return -EUCLEAN; +- } +- if (!IS_ALIGNED(btrfs_item_size_nr(leaf, slot), csumsize)) { +- CORRUPT("unaligned csum item size", leaf, root, slot); +- return -EUCLEAN; +- } +- return 0; +-} +- +-/* +- * Common point to switch the item-specific validation. +- */ +-static int check_leaf_item(struct btrfs_root *root, +- struct extent_buffer *leaf, +- struct btrfs_key *key, int slot) +-{ +- int ret = 0; +- +- switch (key->type) { +- case BTRFS_EXTENT_DATA_KEY: +- ret = check_extent_data_item(root, leaf, key, slot); +- break; +- case BTRFS_EXTENT_CSUM_KEY: +- ret = check_csum_item(root, leaf, key, slot); +- break; +- } +- return ret; +-} +- +-static noinline int check_leaf(struct btrfs_root *root, +- struct extent_buffer *leaf) +-{ +- struct btrfs_fs_info *fs_info = root->fs_info; +- /* No valid key type is 0, so all key should be larger than this key */ +- struct btrfs_key prev_key = {0, 0, 0}; +- struct btrfs_key key; +- u32 nritems = btrfs_header_nritems(leaf); +- int slot; +- +- /* +- * Extent buffers from a relocation tree have a owner field that +- * corresponds to the subvolume tree they are based on. So just from an +- * extent buffer alone we can not find out what is the id of the +- * corresponding subvolume tree, so we can not figure out if the extent +- * buffer corresponds to the root of the relocation tree or not. So skip +- * this check for relocation trees. +- */ +- if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) { +- struct btrfs_root *check_root; +- +- key.objectid = btrfs_header_owner(leaf); +- key.type = BTRFS_ROOT_ITEM_KEY; +- key.offset = (u64)-1; +- +- check_root = btrfs_get_fs_root(fs_info, &key, false); +- /* +- * The only reason we also check NULL here is that during +- * open_ctree() some roots has not yet been set up. +- */ +- if (!IS_ERR_OR_NULL(check_root)) { +- struct extent_buffer *eb; +- +- eb = btrfs_root_node(check_root); +- /* if leaf is the root, then it's fine */ +- if (leaf != eb) { +- CORRUPT("non-root leaf's nritems is 0", +- leaf, check_root, 0); +- free_extent_buffer(eb); +- return -EUCLEAN; +- } +- free_extent_buffer(eb); +- } +- return 0; +- } +- +- if (nritems == 0) +- return 0; +- +- /* +- * Check the following things to make sure this is a good leaf, and +- * leaf users won't need to bother with similar sanity checks: +- * +- * 1) key order +- * 2) item offset and size +- * No overlap, no hole, all inside the leaf. +- * 3) item content +- * If possible, do comprehensive sanity check. +- * NOTE: All checks must only rely on the item data itself. +- */ +- for (slot = 0; slot < nritems; slot++) { +- u32 item_end_expected; +- int ret; +- +- btrfs_item_key_to_cpu(leaf, &key, slot); +- +- /* Make sure the keys are in the right order */ +- if (btrfs_comp_cpu_keys(&prev_key, &key) >= 0) { +- CORRUPT("bad key order", leaf, root, slot); +- return -EUCLEAN; +- } +- +- /* +- * Make sure the offset and ends are right, remember that the +- * item data starts at the end of the leaf and grows towards the +- * front. +- */ +- if (slot == 0) +- item_end_expected = BTRFS_LEAF_DATA_SIZE(fs_info); +- else +- item_end_expected = btrfs_item_offset_nr(leaf, +- slot - 1); +- if (btrfs_item_end_nr(leaf, slot) != item_end_expected) { +- CORRUPT("slot offset bad", leaf, root, slot); +- return -EUCLEAN; +- } +- +- /* +- * Check to make sure that we don't point outside of the leaf, +- * just in case all the items are consistent to each other, but +- * all point outside of the leaf. +- */ +- if (btrfs_item_end_nr(leaf, slot) > +- BTRFS_LEAF_DATA_SIZE(fs_info)) { +- CORRUPT("slot end outside of leaf", leaf, root, slot); +- return -EUCLEAN; +- } +- +- /* Also check if the item pointer overlaps with btrfs item. */ +- if (btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) > +- btrfs_item_ptr_offset(leaf, slot)) { +- CORRUPT("slot overlap with its data", leaf, root, slot); +- return -EUCLEAN; +- } +- +- /* Check if the item size and content meet other criteria */ +- ret = check_leaf_item(root, leaf, &key, slot); +- if (ret < 0) +- return ret; +- +- prev_key.objectid = key.objectid; +- prev_key.type = key.type; +- prev_key.offset = key.offset; +- } +- +- return 0; +-} +- +-static int check_node(struct btrfs_root *root, struct extent_buffer *node) +-{ +- unsigned long nr = btrfs_header_nritems(node); +- struct btrfs_key key, next_key; +- int slot; +- u64 bytenr; +- int ret = 0; +- +- if (nr == 0 || nr > BTRFS_NODEPTRS_PER_BLOCK(root->fs_info)) { +- btrfs_crit(root->fs_info, +- "corrupt node: block %llu root %llu nritems %lu", +- node->start, root->objectid, nr); +- return -EIO; +- } +- +- for (slot = 0; slot < nr - 1; slot++) { +- bytenr = btrfs_node_blockptr(node, slot); +- btrfs_node_key_to_cpu(node, &key, slot); +- btrfs_node_key_to_cpu(node, &next_key, slot + 1); +- +- if (!bytenr) { +- CORRUPT("invalid item slot", node, root, slot); +- ret = -EIO; +- goto out; +- } +- +- if (btrfs_comp_cpu_keys(&key, &next_key) >= 0) { +- CORRUPT("bad key order", node, root, slot); +- ret = -EIO; +- goto out; +- } +- } +-out: +- return ret; +-} +- + static int btree_readpage_end_io_hook(struct btrfs_io_bio *io_bio, + u64 phy_offset, struct page *page, + u64 start, u64 end, int mirror) +@@ -887,12 +610,12 @@ static int btree_readpage_end_io_hook(struct btrfs_io_bio *io_bio, + * that we don't try and read the other copies of this block, just + * return -EIO. + */ +- if (found_level == 0 && check_leaf(root, eb)) { ++ if (found_level == 0 && btrfs_check_leaf(root, eb)) { + set_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags); + ret = -EIO; + } + +- if (found_level > 0 && check_node(root, eb)) ++ if (found_level > 0 && btrfs_check_node(root, eb)) + ret = -EIO; + + if (!ret) +@@ -4147,7 +3870,7 @@ void btrfs_mark_buffer_dirty(struct extent_buffer *buf) + buf->len, + fs_info->dirty_metadata_batch); + #ifdef CONFIG_BTRFS_FS_CHECK_INTEGRITY +- if (btrfs_header_level(buf) == 0 && check_leaf(root, buf)) { ++ if (btrfs_header_level(buf) == 0 && btrfs_check_leaf(root, buf)) { + btrfs_print_leaf(buf); + ASSERT(0); + } +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +new file mode 100644 +index 000000000000..56e25a630103 +--- /dev/null ++++ b/fs/btrfs/tree-checker.c +@@ -0,0 +1,309 @@ ++/* ++ * Copyright (C) Qu Wenruo 2017. All rights reserved. ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public ++ * License v2 as published by the Free Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public ++ * License along with this program. ++ */ ++ ++/* ++ * The module is used to catch unexpected/corrupted tree block data. ++ * Such behavior can be caused either by a fuzzed image or bugs. ++ * ++ * The objective is to do leaf/node validation checks when tree block is read ++ * from disk, and check *every* possible member, so other code won't ++ * need to checking them again. ++ * ++ * Due to the potential and unwanted damage, every checker needs to be ++ * carefully reviewed otherwise so it does not prevent mount of valid images. ++ */ ++ ++#include "ctree.h" ++#include "tree-checker.h" ++#include "disk-io.h" ++#include "compression.h" ++ ++#define CORRUPT(reason, eb, root, slot) \ ++ btrfs_crit(root->fs_info, \ ++ "corrupt %s, %s: block=%llu, root=%llu, slot=%d", \ ++ btrfs_header_level(eb) == 0 ? "leaf" : "node", \ ++ reason, btrfs_header_bytenr(eb), root->objectid, slot) ++ ++static int check_extent_data_item(struct btrfs_root *root, ++ struct extent_buffer *leaf, ++ struct btrfs_key *key, int slot) ++{ ++ struct btrfs_file_extent_item *fi; ++ u32 sectorsize = root->fs_info->sectorsize; ++ u32 item_size = btrfs_item_size_nr(leaf, slot); ++ ++ if (!IS_ALIGNED(key->offset, sectorsize)) { ++ CORRUPT("unaligned key offset for file extent", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item); ++ ++ if (btrfs_file_extent_type(leaf, fi) > BTRFS_FILE_EXTENT_TYPES) { ++ CORRUPT("invalid file extent type", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ /* ++ * Support for new compression/encrption must introduce incompat flag, ++ * and must be caught in open_ctree(). ++ */ ++ if (btrfs_file_extent_compression(leaf, fi) > BTRFS_COMPRESS_TYPES) { ++ CORRUPT("invalid file extent compression", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (btrfs_file_extent_encryption(leaf, fi)) { ++ CORRUPT("invalid file extent encryption", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) { ++ /* Inline extent must have 0 as key offset */ ++ if (key->offset) { ++ CORRUPT("inline extent has non-zero key offset", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ /* Compressed inline extent has no on-disk size, skip it */ ++ if (btrfs_file_extent_compression(leaf, fi) != ++ BTRFS_COMPRESS_NONE) ++ return 0; ++ ++ /* Uncompressed inline extent size must match item size */ ++ if (item_size != BTRFS_FILE_EXTENT_INLINE_DATA_START + ++ btrfs_file_extent_ram_bytes(leaf, fi)) { ++ CORRUPT("plaintext inline extent has invalid size", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ return 0; ++ } ++ ++ /* Regular or preallocated extent has fixed item size */ ++ if (item_size != sizeof(*fi)) { ++ CORRUPT( ++ "regluar or preallocated extent data item size is invalid", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (!IS_ALIGNED(btrfs_file_extent_ram_bytes(leaf, fi), sectorsize) || ++ !IS_ALIGNED(btrfs_file_extent_disk_bytenr(leaf, fi), sectorsize) || ++ !IS_ALIGNED(btrfs_file_extent_disk_num_bytes(leaf, fi), sectorsize) || ++ !IS_ALIGNED(btrfs_file_extent_offset(leaf, fi), sectorsize) || ++ !IS_ALIGNED(btrfs_file_extent_num_bytes(leaf, fi), sectorsize)) { ++ CORRUPT( ++ "regular or preallocated extent data item has unaligned value", ++ leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ return 0; ++} ++ ++static int check_csum_item(struct btrfs_root *root, struct extent_buffer *leaf, ++ struct btrfs_key *key, int slot) ++{ ++ u32 sectorsize = root->fs_info->sectorsize; ++ u32 csumsize = btrfs_super_csum_size(root->fs_info->super_copy); ++ ++ if (key->objectid != BTRFS_EXTENT_CSUM_OBJECTID) { ++ CORRUPT("invalid objectid for csum item", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (!IS_ALIGNED(key->offset, sectorsize)) { ++ CORRUPT("unaligned key offset for csum item", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ if (!IS_ALIGNED(btrfs_item_size_nr(leaf, slot), csumsize)) { ++ CORRUPT("unaligned csum item size", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ return 0; ++} ++ ++/* ++ * Common point to switch the item-specific validation. ++ */ ++static int check_leaf_item(struct btrfs_root *root, ++ struct extent_buffer *leaf, ++ struct btrfs_key *key, int slot) ++{ ++ int ret = 0; ++ ++ switch (key->type) { ++ case BTRFS_EXTENT_DATA_KEY: ++ ret = check_extent_data_item(root, leaf, key, slot); ++ break; ++ case BTRFS_EXTENT_CSUM_KEY: ++ ret = check_csum_item(root, leaf, key, slot); ++ break; ++ } ++ return ret; ++} ++ ++int btrfs_check_leaf(struct btrfs_root *root, struct extent_buffer *leaf) ++{ ++ struct btrfs_fs_info *fs_info = root->fs_info; ++ /* No valid key type is 0, so all key should be larger than this key */ ++ struct btrfs_key prev_key = {0, 0, 0}; ++ struct btrfs_key key; ++ u32 nritems = btrfs_header_nritems(leaf); ++ int slot; ++ ++ /* ++ * Extent buffers from a relocation tree have a owner field that ++ * corresponds to the subvolume tree they are based on. So just from an ++ * extent buffer alone we can not find out what is the id of the ++ * corresponding subvolume tree, so we can not figure out if the extent ++ * buffer corresponds to the root of the relocation tree or not. So ++ * skip this check for relocation trees. ++ */ ++ if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) { ++ struct btrfs_root *check_root; ++ ++ key.objectid = btrfs_header_owner(leaf); ++ key.type = BTRFS_ROOT_ITEM_KEY; ++ key.offset = (u64)-1; ++ ++ check_root = btrfs_get_fs_root(fs_info, &key, false); ++ /* ++ * The only reason we also check NULL here is that during ++ * open_ctree() some roots has not yet been set up. ++ */ ++ if (!IS_ERR_OR_NULL(check_root)) { ++ struct extent_buffer *eb; ++ ++ eb = btrfs_root_node(check_root); ++ /* if leaf is the root, then it's fine */ ++ if (leaf != eb) { ++ CORRUPT("non-root leaf's nritems is 0", ++ leaf, check_root, 0); ++ free_extent_buffer(eb); ++ return -EUCLEAN; ++ } ++ free_extent_buffer(eb); ++ } ++ return 0; ++ } ++ ++ if (nritems == 0) ++ return 0; ++ ++ /* ++ * Check the following things to make sure this is a good leaf, and ++ * leaf users won't need to bother with similar sanity checks: ++ * ++ * 1) key ordering ++ * 2) item offset and size ++ * No overlap, no hole, all inside the leaf. ++ * 3) item content ++ * If possible, do comprehensive sanity check. ++ * NOTE: All checks must only rely on the item data itself. ++ */ ++ for (slot = 0; slot < nritems; slot++) { ++ u32 item_end_expected; ++ int ret; ++ ++ btrfs_item_key_to_cpu(leaf, &key, slot); ++ ++ /* Make sure the keys are in the right order */ ++ if (btrfs_comp_cpu_keys(&prev_key, &key) >= 0) { ++ CORRUPT("bad key order", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ /* ++ * Make sure the offset and ends are right, remember that the ++ * item data starts at the end of the leaf and grows towards the ++ * front. ++ */ ++ if (slot == 0) ++ item_end_expected = BTRFS_LEAF_DATA_SIZE(fs_info); ++ else ++ item_end_expected = btrfs_item_offset_nr(leaf, ++ slot - 1); ++ if (btrfs_item_end_nr(leaf, slot) != item_end_expected) { ++ CORRUPT("slot offset bad", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ /* ++ * Check to make sure that we don't point outside of the leaf, ++ * just in case all the items are consistent to each other, but ++ * all point outside of the leaf. ++ */ ++ if (btrfs_item_end_nr(leaf, slot) > ++ BTRFS_LEAF_DATA_SIZE(fs_info)) { ++ CORRUPT("slot end outside of leaf", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ /* Also check if the item pointer overlaps with btrfs item. */ ++ if (btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) > ++ btrfs_item_ptr_offset(leaf, slot)) { ++ CORRUPT("slot overlap with its data", leaf, root, slot); ++ return -EUCLEAN; ++ } ++ ++ /* Check if the item size and content meet other criteria */ ++ ret = check_leaf_item(root, leaf, &key, slot); ++ if (ret < 0) ++ return ret; ++ ++ prev_key.objectid = key.objectid; ++ prev_key.type = key.type; ++ prev_key.offset = key.offset; ++ } ++ ++ return 0; ++} ++ ++int btrfs_check_node(struct btrfs_root *root, struct extent_buffer *node) ++{ ++ unsigned long nr = btrfs_header_nritems(node); ++ struct btrfs_key key, next_key; ++ int slot; ++ u64 bytenr; ++ int ret = 0; ++ ++ if (nr == 0 || nr > BTRFS_NODEPTRS_PER_BLOCK(root->fs_info)) { ++ btrfs_crit(root->fs_info, ++ "corrupt node: block %llu root %llu nritems %lu", ++ node->start, root->objectid, nr); ++ return -EIO; ++ } ++ ++ for (slot = 0; slot < nr - 1; slot++) { ++ bytenr = btrfs_node_blockptr(node, slot); ++ btrfs_node_key_to_cpu(node, &key, slot); ++ btrfs_node_key_to_cpu(node, &next_key, slot + 1); ++ ++ if (!bytenr) { ++ CORRUPT("invalid item slot", node, root, slot); ++ ret = -EIO; ++ goto out; ++ } ++ ++ if (btrfs_comp_cpu_keys(&key, &next_key) >= 0) { ++ CORRUPT("bad key order", node, root, slot); ++ ret = -EIO; ++ goto out; ++ } ++ } ++out: ++ return ret; ++} +diff --git a/fs/btrfs/tree-checker.h b/fs/btrfs/tree-checker.h +new file mode 100644 +index 000000000000..96c486e95d70 +--- /dev/null ++++ b/fs/btrfs/tree-checker.h +@@ -0,0 +1,26 @@ ++/* ++ * Copyright (C) Qu Wenruo 2017. All rights reserved. ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public ++ * License v2 as published by the Free Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public ++ * License along with this program. ++ */ ++ ++#ifndef __BTRFS_TREE_CHECKER__ ++#define __BTRFS_TREE_CHECKER__ ++ ++#include "ctree.h" ++#include "extent_io.h" ++ ++int btrfs_check_leaf(struct btrfs_root *root, struct extent_buffer *leaf); ++int btrfs_check_node(struct btrfs_root *root, struct extent_buffer *node); ++ ++#endif +-- +2.17.1 + diff --git a/queue-4.14/btrfs-refactor-check_leaf-function-for-later-expansi.patch b/queue-4.14/btrfs-refactor-check_leaf-function-for-later-expansi.patch new file mode 100644 index 00000000000..0207f038ca9 --- /dev/null +++ b/queue-4.14/btrfs-refactor-check_leaf-function-for-later-expansi.patch @@ -0,0 +1,137 @@ +From 0bcc74f859da60de8ae0fcd116bead1cb0f30ae0 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 23 Aug 2017 16:57:56 +0900 +Subject: btrfs: Refactor check_leaf function for later expansion + +commit c3267bbaa9cae09b62960eafe33ad19196803285 upstream. + +Current check_leaf() function does a good job checking key order and +item offset/size. + +However it only checks from slot 0 to the last but one slot, this is +good but makes later expansion hard. + +So this refactoring iterates from slot 0 to the last slot. +For key comparison, it uses a key with all 0 as initial key, so all +valid keys should be larger than that. + +And for item size/offset checks, it compares current item end with +previous item offset. +For slot 0, use leaf end as a special case. + +This makes later item/key offset checks and item size checks easier to +be implemented. + +Also, makes check_leaf() to return -EUCLEAN other than -EIO to indicate +error. + +Signed-off-by: Qu Wenruo +Reviewed-by: Nikolay Borisov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 50 +++++++++++++++++++++++++--------------------- + 1 file changed, 27 insertions(+), 23 deletions(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 0e67cee73c53..4a1e63df1183 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -554,8 +554,9 @@ static noinline int check_leaf(struct btrfs_root *root, + struct extent_buffer *leaf) + { + struct btrfs_fs_info *fs_info = root->fs_info; ++ /* No valid key type is 0, so all key should be larger than this key */ ++ struct btrfs_key prev_key = {0, 0, 0}; + struct btrfs_key key; +- struct btrfs_key leaf_key; + u32 nritems = btrfs_header_nritems(leaf); + int slot; + +@@ -588,7 +589,7 @@ static noinline int check_leaf(struct btrfs_root *root, + CORRUPT("non-root leaf's nritems is 0", + leaf, check_root, 0); + free_extent_buffer(eb); +- return -EIO; ++ return -EUCLEAN; + } + free_extent_buffer(eb); + } +@@ -598,28 +599,23 @@ static noinline int check_leaf(struct btrfs_root *root, + if (nritems == 0) + return 0; + +- /* Check the 0 item */ +- if (btrfs_item_offset_nr(leaf, 0) + btrfs_item_size_nr(leaf, 0) != +- BTRFS_LEAF_DATA_SIZE(fs_info)) { +- CORRUPT("invalid item offset size pair", leaf, root, 0); +- return -EIO; +- } +- + /* +- * Check to make sure each items keys are in the correct order and their +- * offsets make sense. We only have to loop through nritems-1 because +- * we check the current slot against the next slot, which verifies the +- * next slot's offset+size makes sense and that the current's slot +- * offset is correct. ++ * Check the following things to make sure this is a good leaf, and ++ * leaf users won't need to bother with similar sanity checks: ++ * ++ * 1) key order ++ * 2) item offset and size ++ * No overlap, no hole, all inside the leaf. + */ +- for (slot = 0; slot < nritems - 1; slot++) { +- btrfs_item_key_to_cpu(leaf, &leaf_key, slot); +- btrfs_item_key_to_cpu(leaf, &key, slot + 1); ++ for (slot = 0; slot < nritems; slot++) { ++ u32 item_end_expected; ++ ++ btrfs_item_key_to_cpu(leaf, &key, slot); + + /* Make sure the keys are in the right order */ +- if (btrfs_comp_cpu_keys(&leaf_key, &key) >= 0) { ++ if (btrfs_comp_cpu_keys(&prev_key, &key) >= 0) { + CORRUPT("bad key order", leaf, root, slot); +- return -EIO; ++ return -EUCLEAN; + } + + /* +@@ -627,10 +623,14 @@ static noinline int check_leaf(struct btrfs_root *root, + * item data starts at the end of the leaf and grows towards the + * front. + */ +- if (btrfs_item_offset_nr(leaf, slot) != +- btrfs_item_end_nr(leaf, slot + 1)) { ++ if (slot == 0) ++ item_end_expected = BTRFS_LEAF_DATA_SIZE(fs_info); ++ else ++ item_end_expected = btrfs_item_offset_nr(leaf, ++ slot - 1); ++ if (btrfs_item_end_nr(leaf, slot) != item_end_expected) { + CORRUPT("slot offset bad", leaf, root, slot); +- return -EIO; ++ return -EUCLEAN; + } + + /* +@@ -641,8 +641,12 @@ static noinline int check_leaf(struct btrfs_root *root, + if (btrfs_item_end_nr(leaf, slot) > + BTRFS_LEAF_DATA_SIZE(fs_info)) { + CORRUPT("slot end outside of leaf", leaf, root, slot); +- return -EIO; ++ return -EUCLEAN; + } ++ ++ prev_key.objectid = key.objectid; ++ prev_key.type = key.type; ++ prev_key.offset = key.offset; + } + + return 0; +-- +2.17.1 + diff --git a/queue-4.14/btrfs-tree-check-reduce-stack-consumption-in-check_d.patch b/queue-4.14/btrfs-tree-check-reduce-stack-consumption-in-check_d.patch new file mode 100644 index 00000000000..53b4500c1e6 --- /dev/null +++ b/queue-4.14/btrfs-tree-check-reduce-stack-consumption-in-check_d.patch @@ -0,0 +1,52 @@ +From 70e47c83b8c7ff52cfa24011a60f3ef7ac9ad797 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Wed, 10 Jan 2018 15:13:07 +0100 +Subject: btrfs: tree-check: reduce stack consumption in check_dir_item + +commit e2683fc9d219430f5b78889b50cde7f40efeba7b upstream. + +I've noticed that the updated item checker stack consumption increased +dramatically in 542f5385e20cf97447 ("btrfs: tree-checker: Add checker +for dir item") + +tree-checker.c:check_leaf +552 (176 -> 728) + +The array is 255 bytes long, dynamic allocation would slow down the +sanity checks so it's more reasonable to keep it on-stack. Moving the +variable to the scope of use reduces the stack usage again + +tree-checker.c:check_leaf -264 (728 -> 464) + +Reviewed-by: Josef Bacik +Reviewed-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index 9376739a4cc8..f7e7a455b710 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -212,7 +212,6 @@ static int check_dir_item(struct btrfs_root *root, + + di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item); + while (cur < item_size) { +- char namebuf[max(BTRFS_NAME_LEN, XATTR_NAME_MAX)]; + u32 name_len; + u32 data_len; + u32 max_name_len; +@@ -295,6 +294,8 @@ static int check_dir_item(struct btrfs_root *root, + */ + if (key->type == BTRFS_DIR_ITEM_KEY || + key->type == BTRFS_XATTR_ITEM_KEY) { ++ char namebuf[max(BTRFS_NAME_LEN, XATTR_NAME_MAX)]; ++ + read_extent_buffer(leaf, namebuf, + (unsigned long)(di + 1), name_len); + name_hash = btrfs_name_hash(namebuf, name_len); +-- +2.17.1 + diff --git a/queue-4.14/btrfs-tree-checker-add-checker-for-dir-item.patch b/queue-4.14/btrfs-tree-checker-add-checker-for-dir-item.patch new file mode 100644 index 00000000000..653f524b232 --- /dev/null +++ b/queue-4.14/btrfs-tree-checker-add-checker-for-dir-item.patch @@ -0,0 +1,210 @@ +From 02e824b52c042ed07e5658e87a6bd0e4291480d3 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 8 Nov 2017 08:54:25 +0800 +Subject: btrfs: tree-checker: Add checker for dir item + +commit ad7b0368f33cffe67fecd302028915926e50ef7e upstream. + +Add checker for dir item, for key types DIR_ITEM, DIR_INDEX and +XATTR_ITEM. + +This checker does comprehensive checks for: + +1) dir_item header and its data size + Against item boundary and maximum name/xattr length. + This part is mostly the same as old verify_dir_item(). + +2) dir_type + Against maximum file types, and against key type. + Since XATTR key should only have FT_XATTR dir item, and normal dir + item type should not have XATTR key. + + The check between key->type and dir_type is newly introduced by this + patch. + +3) name hash + For XATTR and DIR_ITEM key, key->offset is name hash (crc32c). + Check the hash of the name against the key to ensure it's correct. + + The name hash check is only found in btrfs-progs before this patch. + +Signed-off-by: Qu Wenruo +Reviewed-by: Nikolay Borisov +Reviewed-by: Su Yue +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 141 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 141 insertions(+) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index ff4fa8f905d3..b32df86de9bf 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -30,6 +30,7 @@ + #include "tree-checker.h" + #include "disk-io.h" + #include "compression.h" ++#include "hash.h" + + #define CORRUPT(reason, eb, root, slot) \ + btrfs_crit(root->fs_info, \ +@@ -175,6 +176,141 @@ static int check_csum_item(struct btrfs_root *root, struct extent_buffer *leaf, + return 0; + } + ++/* ++ * Customized reported for dir_item, only important new info is key->objectid, ++ * which represents inode number ++ */ ++__printf(4, 5) ++static void dir_item_err(const struct btrfs_root *root, ++ const struct extent_buffer *eb, int slot, ++ const char *fmt, ...) ++{ ++ struct btrfs_key key; ++ struct va_format vaf; ++ va_list args; ++ ++ btrfs_item_key_to_cpu(eb, &key, slot); ++ va_start(args, fmt); ++ ++ vaf.fmt = fmt; ++ vaf.va = &args; ++ ++ btrfs_crit(root->fs_info, ++ "corrupt %s: root=%llu block=%llu slot=%d ino=%llu, %pV", ++ btrfs_header_level(eb) == 0 ? "leaf" : "node", root->objectid, ++ btrfs_header_bytenr(eb), slot, key.objectid, &vaf); ++ va_end(args); ++} ++ ++static int check_dir_item(struct btrfs_root *root, ++ struct extent_buffer *leaf, ++ struct btrfs_key *key, int slot) ++{ ++ struct btrfs_dir_item *di; ++ u32 item_size = btrfs_item_size_nr(leaf, slot); ++ u32 cur = 0; ++ ++ di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item); ++ while (cur < item_size) { ++ char namebuf[max(BTRFS_NAME_LEN, XATTR_NAME_MAX)]; ++ u32 name_len; ++ u32 data_len; ++ u32 max_name_len; ++ u32 total_size; ++ u32 name_hash; ++ u8 dir_type; ++ ++ /* header itself should not cross item boundary */ ++ if (cur + sizeof(*di) > item_size) { ++ dir_item_err(root, leaf, slot, ++ "dir item header crosses item boundary, have %lu boundary %u", ++ cur + sizeof(*di), item_size); ++ return -EUCLEAN; ++ } ++ ++ /* dir type check */ ++ dir_type = btrfs_dir_type(leaf, di); ++ if (dir_type >= BTRFS_FT_MAX) { ++ dir_item_err(root, leaf, slot, ++ "invalid dir item type, have %u expect [0, %u)", ++ dir_type, BTRFS_FT_MAX); ++ return -EUCLEAN; ++ } ++ ++ if (key->type == BTRFS_XATTR_ITEM_KEY && ++ dir_type != BTRFS_FT_XATTR) { ++ dir_item_err(root, leaf, slot, ++ "invalid dir item type for XATTR key, have %u expect %u", ++ dir_type, BTRFS_FT_XATTR); ++ return -EUCLEAN; ++ } ++ if (dir_type == BTRFS_FT_XATTR && ++ key->type != BTRFS_XATTR_ITEM_KEY) { ++ dir_item_err(root, leaf, slot, ++ "xattr dir type found for non-XATTR key"); ++ return -EUCLEAN; ++ } ++ if (dir_type == BTRFS_FT_XATTR) ++ max_name_len = XATTR_NAME_MAX; ++ else ++ max_name_len = BTRFS_NAME_LEN; ++ ++ /* Name/data length check */ ++ name_len = btrfs_dir_name_len(leaf, di); ++ data_len = btrfs_dir_data_len(leaf, di); ++ if (name_len > max_name_len) { ++ dir_item_err(root, leaf, slot, ++ "dir item name len too long, have %u max %u", ++ name_len, max_name_len); ++ return -EUCLEAN; ++ } ++ if (name_len + data_len > BTRFS_MAX_XATTR_SIZE(root->fs_info)) { ++ dir_item_err(root, leaf, slot, ++ "dir item name and data len too long, have %u max %u", ++ name_len + data_len, ++ BTRFS_MAX_XATTR_SIZE(root->fs_info)); ++ return -EUCLEAN; ++ } ++ ++ if (data_len && dir_type != BTRFS_FT_XATTR) { ++ dir_item_err(root, leaf, slot, ++ "dir item with invalid data len, have %u expect 0", ++ data_len); ++ return -EUCLEAN; ++ } ++ ++ total_size = sizeof(*di) + name_len + data_len; ++ ++ /* header and name/data should not cross item boundary */ ++ if (cur + total_size > item_size) { ++ dir_item_err(root, leaf, slot, ++ "dir item data crosses item boundary, have %u boundary %u", ++ cur + total_size, item_size); ++ return -EUCLEAN; ++ } ++ ++ /* ++ * Special check for XATTR/DIR_ITEM, as key->offset is name ++ * hash, should match its name ++ */ ++ if (key->type == BTRFS_DIR_ITEM_KEY || ++ key->type == BTRFS_XATTR_ITEM_KEY) { ++ read_extent_buffer(leaf, namebuf, ++ (unsigned long)(di + 1), name_len); ++ name_hash = btrfs_name_hash(namebuf, name_len); ++ if (key->offset != name_hash) { ++ dir_item_err(root, leaf, slot, ++ "name hash mismatch with key, have 0x%016x expect 0x%016llx", ++ name_hash, key->offset); ++ return -EUCLEAN; ++ } ++ } ++ cur += total_size; ++ di = (struct btrfs_dir_item *)((void *)di + total_size); ++ } ++ return 0; ++} ++ + /* + * Common point to switch the item-specific validation. + */ +@@ -191,6 +327,11 @@ static int check_leaf_item(struct btrfs_root *root, + case BTRFS_EXTENT_CSUM_KEY: + ret = check_csum_item(root, leaf, key, slot); + break; ++ case BTRFS_DIR_ITEM_KEY: ++ case BTRFS_DIR_INDEX_KEY: ++ case BTRFS_XATTR_ITEM_KEY: ++ ret = check_dir_item(root, leaf, key, slot); ++ break; + } + return ret; + } +-- +2.17.1 + diff --git a/queue-4.14/btrfs-tree-checker-check-level-for-leaves-and-nodes.patch b/queue-4.14/btrfs-tree-checker-check-level-for-leaves-and-nodes.patch new file mode 100644 index 00000000000..6ff40b05784 --- /dev/null +++ b/queue-4.14/btrfs-tree-checker-check-level-for-leaves-and-nodes.patch @@ -0,0 +1,66 @@ +From f6ae0283f3ec4931e03f5ba2f6a5fce995f156b3 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 28 Sep 2018 07:59:34 +0800 +Subject: btrfs: tree-checker: Check level for leaves and nodes + +commit f556faa46eb4e96d0d0772e74ecf66781e132f72 upstream. + +Although we have tree level check at tree read runtime, it's completely +based on its parent level. +We still need to do accurate level check to avoid invalid tree blocks +sneak into kernel space. + +The check itself is simple, for leaf its level should always be 0. +For nodes its level should be in range [1, BTRFS_MAX_LEVEL - 1]. + +Signed-off-by: Qu Wenruo +Reviewed-by: Su Yue +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[bwh: Backported to 4.14: + - Pass root instead of fs_info to generic_err() + - Adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index 31756bac75b4..fa8f64119e6f 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -447,6 +447,13 @@ static int check_leaf(struct btrfs_root *root, struct extent_buffer *leaf, + u32 nritems = btrfs_header_nritems(leaf); + int slot; + ++ if (btrfs_header_level(leaf) != 0) { ++ generic_err(root, leaf, 0, ++ "invalid level for leaf, have %d expect 0", ++ btrfs_header_level(leaf)); ++ return -EUCLEAN; ++ } ++ + /* + * Extent buffers from a relocation tree have a owner field that + * corresponds to the subvolume tree they are based on. So just from an +@@ -589,9 +596,16 @@ int btrfs_check_node(struct btrfs_root *root, struct extent_buffer *node) + unsigned long nr = btrfs_header_nritems(node); + struct btrfs_key key, next_key; + int slot; ++ int level = btrfs_header_level(node); + u64 bytenr; + int ret = 0; + ++ if (level <= 0 || level >= BTRFS_MAX_LEVEL) { ++ generic_err(root, node, 0, ++ "invalid level for node, have %d expect [1, %d]", ++ level, BTRFS_MAX_LEVEL - 1); ++ return -EUCLEAN; ++ } + if (nr == 0 || nr > BTRFS_NODEPTRS_PER_BLOCK(root->fs_info)) { + btrfs_crit(root->fs_info, + "corrupt node: root=%llu block=%llu, nritems too %s, have %lu expect range [1,%u]", +-- +2.17.1 + diff --git a/queue-4.14/btrfs-tree-checker-detect-invalid-and-empty-essentia.patch b/queue-4.14/btrfs-tree-checker-detect-invalid-and-empty-essentia.patch new file mode 100644 index 00000000000..b7659b18756 --- /dev/null +++ b/queue-4.14/btrfs-tree-checker-detect-invalid-and-empty-essentia.patch @@ -0,0 +1,74 @@ +From b052353d845bb223565a30201c705d5a37b40c91 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 3 Jul 2018 17:10:06 +0800 +Subject: btrfs: tree-checker: Detect invalid and empty essential trees + +commit ba480dd4db9f1798541eb2d1c423fc95feee8d36 upstream. + +A crafted image has empty root tree block, which will later cause NULL +pointer dereference. + +The following trees should never be empty: +1) Tree root + Must contain at least root items for extent tree, device tree and fs + tree + +2) Chunk tree + Or we can't even bootstrap as it contains the mapping. + +3) Fs tree + At least inode item for top level inode (.). + +4) Device tree + Dev extents for chunks + +5) Extent tree + Must have corresponding extent for each chunk. + +If any of them is empty, we are sure the fs is corrupted and no need to +mount it. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199847 +Reported-by: Xu Wen +Signed-off-by: Qu Wenruo +Tested-by: Gu Jinxiang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[bwh: Backported to 4.14: Pass root instead of fs_info to generic_err()] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index cf9b10a07134..31756bac75b4 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -456,9 +456,22 @@ static int check_leaf(struct btrfs_root *root, struct extent_buffer *leaf, + * skip this check for relocation trees. + */ + if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) { ++ u64 owner = btrfs_header_owner(leaf); + struct btrfs_root *check_root; + +- key.objectid = btrfs_header_owner(leaf); ++ /* These trees must never be empty */ ++ if (owner == BTRFS_ROOT_TREE_OBJECTID || ++ owner == BTRFS_CHUNK_TREE_OBJECTID || ++ owner == BTRFS_EXTENT_TREE_OBJECTID || ++ owner == BTRFS_DEV_TREE_OBJECTID || ++ owner == BTRFS_FS_TREE_OBJECTID || ++ owner == BTRFS_DATA_RELOC_TREE_OBJECTID) { ++ generic_err(root, leaf, 0, ++ "invalid root, root %llu must never be empty", ++ owner); ++ return -EUCLEAN; ++ } ++ key.objectid = owner; + key.type = BTRFS_ROOT_ITEM_KEY; + key.offset = (u64)-1; + +-- +2.17.1 + diff --git a/queue-4.14/btrfs-tree-checker-enhance-btrfs_check_node-output.patch b/queue-4.14/btrfs-tree-checker-enhance-btrfs_check_node-output.patch new file mode 100644 index 00000000000..760647a4e24 --- /dev/null +++ b/queue-4.14/btrfs-tree-checker-enhance-btrfs_check_node-output.patch @@ -0,0 +1,130 @@ +From 22251244069d0801d767fc7539c44971cd8e9574 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Mon, 9 Oct 2017 01:51:03 +0000 +Subject: btrfs: tree-checker: Enhance btrfs_check_node output + +commit bba4f29896c986c4cec17bc0f19f2ce644fceae1 upstream. + +Use inline function to replace macro since we don't need +stringification. +(Macro still exists until all callers get updated) + +And add more info about the error, and replace EIO with EUCLEAN. + +For nr_items error, report if it's too large or too small, and output +the valid value range. + +For node block pointer, added a new alignment checker. + +For key order, also output the next key to make the problem more +obvious. + +Signed-off-by: Qu Wenruo +[ wording adjustments, unindented long strings ] +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 68 ++++++++++++++++++++++++++++++++++++----- + 1 file changed, 61 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index 56e25a630103..5acdf3355a3f 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -37,6 +37,46 @@ + btrfs_header_level(eb) == 0 ? "leaf" : "node", \ + reason, btrfs_header_bytenr(eb), root->objectid, slot) + ++/* ++ * Error message should follow the following format: ++ * corrupt : , [, ] ++ * ++ * @type: leaf or node ++ * @identifier: the necessary info to locate the leaf/node. ++ * It's recommened to decode key.objecitd/offset if it's ++ * meaningful. ++ * @reason: describe the error ++ * @bad_value: optional, it's recommened to output bad value and its ++ * expected value (range). ++ * ++ * Since comma is used to separate the components, only space is allowed ++ * inside each component. ++ */ ++ ++/* ++ * Append generic "corrupt leaf/node root=%llu block=%llu slot=%d: " to @fmt. ++ * Allows callers to customize the output. ++ */ ++__printf(4, 5) ++static void generic_err(const struct btrfs_root *root, ++ const struct extent_buffer *eb, int slot, ++ const char *fmt, ...) ++{ ++ struct va_format vaf; ++ va_list args; ++ ++ va_start(args, fmt); ++ ++ vaf.fmt = fmt; ++ vaf.va = &args; ++ ++ btrfs_crit(root->fs_info, ++ "corrupt %s: root=%llu block=%llu slot=%d, %pV", ++ btrfs_header_level(eb) == 0 ? "leaf" : "node", ++ root->objectid, btrfs_header_bytenr(eb), slot, &vaf); ++ va_end(args); ++} ++ + static int check_extent_data_item(struct btrfs_root *root, + struct extent_buffer *leaf, + struct btrfs_key *key, int slot) +@@ -282,9 +322,11 @@ int btrfs_check_node(struct btrfs_root *root, struct extent_buffer *node) + + if (nr == 0 || nr > BTRFS_NODEPTRS_PER_BLOCK(root->fs_info)) { + btrfs_crit(root->fs_info, +- "corrupt node: block %llu root %llu nritems %lu", +- node->start, root->objectid, nr); +- return -EIO; ++"corrupt node: root=%llu block=%llu, nritems too %s, have %lu expect range [1,%u]", ++ root->objectid, node->start, ++ nr == 0 ? "small" : "large", nr, ++ BTRFS_NODEPTRS_PER_BLOCK(root->fs_info)); ++ return -EUCLEAN; + } + + for (slot = 0; slot < nr - 1; slot++) { +@@ -293,14 +335,26 @@ int btrfs_check_node(struct btrfs_root *root, struct extent_buffer *node) + btrfs_node_key_to_cpu(node, &next_key, slot + 1); + + if (!bytenr) { +- CORRUPT("invalid item slot", node, root, slot); +- ret = -EIO; ++ generic_err(root, node, slot, ++ "invalid NULL node pointer"); ++ ret = -EUCLEAN; ++ goto out; ++ } ++ if (!IS_ALIGNED(bytenr, root->fs_info->sectorsize)) { ++ generic_err(root, node, slot, ++ "unaligned pointer, have %llu should be aligned to %u", ++ bytenr, root->fs_info->sectorsize); ++ ret = -EUCLEAN; + goto out; + } + + if (btrfs_comp_cpu_keys(&key, &next_key) >= 0) { +- CORRUPT("bad key order", node, root, slot); +- ret = -EIO; ++ generic_err(root, node, slot, ++ "bad key order, current (%llu %u %llu) next (%llu %u %llu)", ++ key.objectid, key.type, key.offset, ++ next_key.objectid, next_key.type, ++ next_key.offset); ++ ret = -EUCLEAN; + goto out; + } + } +-- +2.17.1 + diff --git a/queue-4.14/btrfs-tree-checker-fix-false-panic-for-sanity-test.patch b/queue-4.14/btrfs-tree-checker-fix-false-panic-for-sanity-test.patch new file mode 100644 index 00000000000..bc374087db4 --- /dev/null +++ b/queue-4.14/btrfs-tree-checker-fix-false-panic-for-sanity-test.patch @@ -0,0 +1,169 @@ +From ee3011e4d4a6962b1f161a1b6055b727358d628a Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 8 Nov 2017 08:54:24 +0800 +Subject: btrfs: tree-checker: Fix false panic for sanity test + +commit 69fc6cbbac542c349b3d350d10f6e394c253c81d upstream. + +[BUG] +If we run btrfs with CONFIG_BTRFS_FS_RUN_SANITY_TESTS=y, it will +instantly cause kernel panic like: + +------ +... +assertion failed: 0, file: fs/btrfs/disk-io.c, line: 3853 +... +Call Trace: + btrfs_mark_buffer_dirty+0x187/0x1f0 [btrfs] + setup_items_for_insert+0x385/0x650 [btrfs] + __btrfs_drop_extents+0x129a/0x1870 [btrfs] +... +----- + +[Cause] +Btrfs will call btrfs_check_leaf() in btrfs_mark_buffer_dirty() to check +if the leaf is valid with CONFIG_BTRFS_FS_RUN_SANITY_TESTS=y. + +However quite some btrfs_mark_buffer_dirty() callers(*) don't really +initialize its item data but only initialize its item pointers, leaving +item data uninitialized. + +This makes tree-checker catch uninitialized data as error, causing +such panic. + +*: These callers include but not limited to +setup_items_for_insert() +btrfs_split_item() +btrfs_expand_item() + +[Fix] +Add a new parameter @check_item_data to btrfs_check_leaf(). +With @check_item_data set to false, item data check will be skipped and +fallback to old btrfs_check_leaf() behavior. + +So we can still get early warning if we screw up item pointers, and +avoid false panic. + +Cc: Filipe Manana +Reported-by: Lakshmipathi.G +Signed-off-by: Qu Wenruo +Reviewed-by: Liu Bo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings + +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 10 ++++++++-- + fs/btrfs/tree-checker.c | 27 ++++++++++++++++++++++----- + fs/btrfs/tree-checker.h | 14 +++++++++++++- + 3 files changed, 43 insertions(+), 8 deletions(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 2df5e906db08..e42673477c25 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -610,7 +610,7 @@ static int btree_readpage_end_io_hook(struct btrfs_io_bio *io_bio, + * that we don't try and read the other copies of this block, just + * return -EIO. + */ +- if (found_level == 0 && btrfs_check_leaf(root, eb)) { ++ if (found_level == 0 && btrfs_check_leaf_full(root, eb)) { + set_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags); + ret = -EIO; + } +@@ -3870,7 +3870,13 @@ void btrfs_mark_buffer_dirty(struct extent_buffer *buf) + buf->len, + fs_info->dirty_metadata_batch); + #ifdef CONFIG_BTRFS_FS_CHECK_INTEGRITY +- if (btrfs_header_level(buf) == 0 && btrfs_check_leaf(root, buf)) { ++ /* ++ * Since btrfs_mark_buffer_dirty() can be called with item pointer set ++ * but item data not updated. ++ * So here we should only check item pointers, not item data. ++ */ ++ if (btrfs_header_level(buf) == 0 && ++ btrfs_check_leaf_relaxed(root, buf)) { + btrfs_print_leaf(buf); + ASSERT(0); + } +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index 5acdf3355a3f..ff4fa8f905d3 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -195,7 +195,8 @@ static int check_leaf_item(struct btrfs_root *root, + return ret; + } + +-int btrfs_check_leaf(struct btrfs_root *root, struct extent_buffer *leaf) ++static int check_leaf(struct btrfs_root *root, struct extent_buffer *leaf, ++ bool check_item_data) + { + struct btrfs_fs_info *fs_info = root->fs_info; + /* No valid key type is 0, so all key should be larger than this key */ +@@ -299,10 +300,15 @@ int btrfs_check_leaf(struct btrfs_root *root, struct extent_buffer *leaf) + return -EUCLEAN; + } + +- /* Check if the item size and content meet other criteria */ +- ret = check_leaf_item(root, leaf, &key, slot); +- if (ret < 0) +- return ret; ++ if (check_item_data) { ++ /* ++ * Check if the item size and content meet other ++ * criteria ++ */ ++ ret = check_leaf_item(root, leaf, &key, slot); ++ if (ret < 0) ++ return ret; ++ } + + prev_key.objectid = key.objectid; + prev_key.type = key.type; +@@ -312,6 +318,17 @@ int btrfs_check_leaf(struct btrfs_root *root, struct extent_buffer *leaf) + return 0; + } + ++int btrfs_check_leaf_full(struct btrfs_root *root, struct extent_buffer *leaf) ++{ ++ return check_leaf(root, leaf, true); ++} ++ ++int btrfs_check_leaf_relaxed(struct btrfs_root *root, ++ struct extent_buffer *leaf) ++{ ++ return check_leaf(root, leaf, false); ++} ++ + int btrfs_check_node(struct btrfs_root *root, struct extent_buffer *node) + { + unsigned long nr = btrfs_header_nritems(node); +diff --git a/fs/btrfs/tree-checker.h b/fs/btrfs/tree-checker.h +index 96c486e95d70..3d53e8d6fda0 100644 +--- a/fs/btrfs/tree-checker.h ++++ b/fs/btrfs/tree-checker.h +@@ -20,7 +20,19 @@ + #include "ctree.h" + #include "extent_io.h" + +-int btrfs_check_leaf(struct btrfs_root *root, struct extent_buffer *leaf); ++/* ++ * Comprehensive leaf checker. ++ * Will check not only the item pointers, but also every possible member ++ * in item data. ++ */ ++int btrfs_check_leaf_full(struct btrfs_root *root, struct extent_buffer *leaf); ++ ++/* ++ * Less strict leaf checker. ++ * Will only check item pointers, not reading item data. ++ */ ++int btrfs_check_leaf_relaxed(struct btrfs_root *root, ++ struct extent_buffer *leaf); + int btrfs_check_node(struct btrfs_root *root, struct extent_buffer *node); + + #endif +-- +2.17.1 + diff --git a/queue-4.14/btrfs-tree-checker-fix-misleading-group-system-infor.patch b/queue-4.14/btrfs-tree-checker-fix-misleading-group-system-infor.patch new file mode 100644 index 00000000000..c89b1ae062e --- /dev/null +++ b/queue-4.14/btrfs-tree-checker-fix-misleading-group-system-infor.patch @@ -0,0 +1,40 @@ +From 2dfa491a5fca41357974482926c0ad6abe7cc360 Mon Sep 17 00:00:00 2001 +From: Shaokun Zhang +Date: Mon, 5 Nov 2018 18:49:09 +0800 +Subject: btrfs: tree-checker: Fix misleading group system information + +commit 761333f2f50ccc887aa9957ae829300262c0d15b upstream. + +block_group_err shows the group system as a decimal value with a '0x' +prefix, which is somewhat misleading. + +Fix it to print hexadecimal, as was intended. + +Fixes: fce466eab7ac6 ("btrfs: tree-checker: Verify block_group_item") +Reviewed-by: Nikolay Borisov +Reviewed-by: Qu Wenruo +Signed-off-by: Shaokun Zhang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index fa8f64119e6f..f206aec1525d 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -399,7 +399,7 @@ static int check_block_group_item(struct btrfs_fs_info *fs_info, + type != (BTRFS_BLOCK_GROUP_METADATA | + BTRFS_BLOCK_GROUP_DATA)) { + block_group_err(fs_info, leaf, slot, +-"invalid type, have 0x%llx (%lu bits set) expect either 0x%llx, 0x%llx, 0x%llu or 0x%llx", ++"invalid type, have 0x%llx (%lu bits set) expect either 0x%llx, 0x%llx, 0x%llx or 0x%llx", + type, hweight64(type), + BTRFS_BLOCK_GROUP_DATA, BTRFS_BLOCK_GROUP_METADATA, + BTRFS_BLOCK_GROUP_SYSTEM, +-- +2.17.1 + diff --git a/queue-4.14/btrfs-tree-checker-use-zu-format-string-for-size_t.patch b/queue-4.14/btrfs-tree-checker-use-zu-format-string-for-size_t.patch new file mode 100644 index 00000000000..2fbb89fad92 --- /dev/null +++ b/queue-4.14/btrfs-tree-checker-use-zu-format-string-for-size_t.patch @@ -0,0 +1,40 @@ +From faa30fcea2a773bc5a19c199e204d9c8ee40a0e2 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 6 Dec 2017 15:18:14 +0100 +Subject: btrfs: tree-checker: use %zu format string for size_t + +commit 7cfad65297bfe0aa2996cd72d21c898aa84436d9 upstream. + +The return value of sizeof() is of type size_t, so we must print it +using the %z format modifier rather than %l to avoid this warning +on some architectures: + +fs/btrfs/tree-checker.c: In function 'check_dir_item': +fs/btrfs/tree-checker.c:273:50: error: format '%lu' expects argument of type 'long unsigned int', but argument 5 has type 'u32' {aka 'unsigned int'} [-Werror=format=] + +Fixes: 005887f2e3e0 ("btrfs: tree-checker: Add checker for dir item") +Signed-off-by: Arnd Bergmann +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index b32df86de9bf..9376739a4cc8 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -223,7 +223,7 @@ static int check_dir_item(struct btrfs_root *root, + /* header itself should not cross item boundary */ + if (cur + sizeof(*di) > item_size) { + dir_item_err(root, leaf, slot, +- "dir item header crosses item boundary, have %lu boundary %u", ++ "dir item header crosses item boundary, have %zu boundary %u", + cur + sizeof(*di), item_size); + return -EUCLEAN; + } +-- +2.17.1 + diff --git a/queue-4.14/btrfs-tree-checker-verify-block_group_item.patch b/queue-4.14/btrfs-tree-checker-verify-block_group_item.patch new file mode 100644 index 00000000000..c594d6a9e8b --- /dev/null +++ b/queue-4.14/btrfs-tree-checker-verify-block_group_item.patch @@ -0,0 +1,198 @@ +From eedbbc2fea1f26d5554fcba0eb3d19ce53a9b77c Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 3 Jul 2018 17:10:05 +0800 +Subject: btrfs: tree-checker: Verify block_group_item + +commit fce466eab7ac6baa9d2dcd88abcf945be3d4a089 upstream. + +A crafted image with invalid block group items could make free space cache +code to cause panic. + +We could detect such invalid block group item by checking: +1) Item size + Known fixed value. +2) Block group size (key.offset) + We have an upper limit on block group item (10G) +3) Chunk objectid + Known fixed value. +4) Type + Only 4 valid type values, DATA, METADATA, SYSTEM and DATA|METADATA. + No more than 1 bit set for profile type. +5) Used space + No more than the block group size. + +This should allow btrfs to detect and refuse to mount the crafted image. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199849 +Reported-by: Xu Wen +Signed-off-by: Qu Wenruo +Reviewed-by: Gu Jinxiang +Reviewed-by: Nikolay Borisov +Tested-by: Gu Jinxiang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[bwh: Backported to 4.14: + - In check_leaf_item(), pass root->fs_info to check_block_group_item() + - Adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-checker.c | 100 ++++++++++++++++++++++++++++++++++++++++ + fs/btrfs/volumes.c | 2 +- + fs/btrfs/volumes.h | 2 + + 3 files changed, 103 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index f7e7a455b710..cf9b10a07134 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -31,6 +31,7 @@ + #include "disk-io.h" + #include "compression.h" + #include "hash.h" ++#include "volumes.h" + + #define CORRUPT(reason, eb, root, slot) \ + btrfs_crit(root->fs_info, \ +@@ -312,6 +313,102 @@ static int check_dir_item(struct btrfs_root *root, + return 0; + } + ++__printf(4, 5) ++__cold ++static void block_group_err(const struct btrfs_fs_info *fs_info, ++ const struct extent_buffer *eb, int slot, ++ const char *fmt, ...) ++{ ++ struct btrfs_key key; ++ struct va_format vaf; ++ va_list args; ++ ++ btrfs_item_key_to_cpu(eb, &key, slot); ++ va_start(args, fmt); ++ ++ vaf.fmt = fmt; ++ vaf.va = &args; ++ ++ btrfs_crit(fs_info, ++ "corrupt %s: root=%llu block=%llu slot=%d bg_start=%llu bg_len=%llu, %pV", ++ btrfs_header_level(eb) == 0 ? "leaf" : "node", ++ btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot, ++ key.objectid, key.offset, &vaf); ++ va_end(args); ++} ++ ++static int check_block_group_item(struct btrfs_fs_info *fs_info, ++ struct extent_buffer *leaf, ++ struct btrfs_key *key, int slot) ++{ ++ struct btrfs_block_group_item bgi; ++ u32 item_size = btrfs_item_size_nr(leaf, slot); ++ u64 flags; ++ u64 type; ++ ++ /* ++ * Here we don't really care about alignment since extent allocator can ++ * handle it. We care more about the size, as if one block group is ++ * larger than maximum size, it's must be some obvious corruption. ++ */ ++ if (key->offset > BTRFS_MAX_DATA_CHUNK_SIZE || key->offset == 0) { ++ block_group_err(fs_info, leaf, slot, ++ "invalid block group size, have %llu expect (0, %llu]", ++ key->offset, BTRFS_MAX_DATA_CHUNK_SIZE); ++ return -EUCLEAN; ++ } ++ ++ if (item_size != sizeof(bgi)) { ++ block_group_err(fs_info, leaf, slot, ++ "invalid item size, have %u expect %zu", ++ item_size, sizeof(bgi)); ++ return -EUCLEAN; ++ } ++ ++ read_extent_buffer(leaf, &bgi, btrfs_item_ptr_offset(leaf, slot), ++ sizeof(bgi)); ++ if (btrfs_block_group_chunk_objectid(&bgi) != ++ BTRFS_FIRST_CHUNK_TREE_OBJECTID) { ++ block_group_err(fs_info, leaf, slot, ++ "invalid block group chunk objectid, have %llu expect %llu", ++ btrfs_block_group_chunk_objectid(&bgi), ++ BTRFS_FIRST_CHUNK_TREE_OBJECTID); ++ return -EUCLEAN; ++ } ++ ++ if (btrfs_block_group_used(&bgi) > key->offset) { ++ block_group_err(fs_info, leaf, slot, ++ "invalid block group used, have %llu expect [0, %llu)", ++ btrfs_block_group_used(&bgi), key->offset); ++ return -EUCLEAN; ++ } ++ ++ flags = btrfs_block_group_flags(&bgi); ++ if (hweight64(flags & BTRFS_BLOCK_GROUP_PROFILE_MASK) > 1) { ++ block_group_err(fs_info, leaf, slot, ++"invalid profile flags, have 0x%llx (%lu bits set) expect no more than 1 bit set", ++ flags & BTRFS_BLOCK_GROUP_PROFILE_MASK, ++ hweight64(flags & BTRFS_BLOCK_GROUP_PROFILE_MASK)); ++ return -EUCLEAN; ++ } ++ ++ type = flags & BTRFS_BLOCK_GROUP_TYPE_MASK; ++ if (type != BTRFS_BLOCK_GROUP_DATA && ++ type != BTRFS_BLOCK_GROUP_METADATA && ++ type != BTRFS_BLOCK_GROUP_SYSTEM && ++ type != (BTRFS_BLOCK_GROUP_METADATA | ++ BTRFS_BLOCK_GROUP_DATA)) { ++ block_group_err(fs_info, leaf, slot, ++"invalid type, have 0x%llx (%lu bits set) expect either 0x%llx, 0x%llx, 0x%llu or 0x%llx", ++ type, hweight64(type), ++ BTRFS_BLOCK_GROUP_DATA, BTRFS_BLOCK_GROUP_METADATA, ++ BTRFS_BLOCK_GROUP_SYSTEM, ++ BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA); ++ return -EUCLEAN; ++ } ++ return 0; ++} ++ + /* + * Common point to switch the item-specific validation. + */ +@@ -333,6 +430,9 @@ static int check_leaf_item(struct btrfs_root *root, + case BTRFS_XATTR_ITEM_KEY: + ret = check_dir_item(root, leaf, key, slot); + break; ++ case BTRFS_BLOCK_GROUP_ITEM_KEY: ++ ret = check_block_group_item(root->fs_info, leaf, key, slot); ++ break; + } + return ret; + } +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index cfd5728e7519..9663b6aa2a56 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4647,7 +4647,7 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans, + + if (type & BTRFS_BLOCK_GROUP_DATA) { + max_stripe_size = SZ_1G; +- max_chunk_size = 10 * max_stripe_size; ++ max_chunk_size = BTRFS_MAX_DATA_CHUNK_SIZE; + if (!devs_max) + devs_max = BTRFS_MAX_DEVS(info->chunk_root); + } else if (type & BTRFS_BLOCK_GROUP_METADATA) { +diff --git a/fs/btrfs/volumes.h b/fs/btrfs/volumes.h +index c5dd48eb7b3d..76fb6e84f201 100644 +--- a/fs/btrfs/volumes.h ++++ b/fs/btrfs/volumes.h +@@ -24,6 +24,8 @@ + #include + #include "async-thread.h" + ++#define BTRFS_MAX_DATA_CHUNK_SIZE (10ULL * SZ_1G) ++ + extern struct mutex uuid_mutex; + + #define BTRFS_STRIPE_LEN SZ_64K +-- +2.17.1 + diff --git a/queue-4.14/btrfs-validate-type-when-reading-a-chunk.patch b/queue-4.14/btrfs-validate-type-when-reading-a-chunk.patch new file mode 100644 index 00000000000..e545021c939 --- /dev/null +++ b/queue-4.14/btrfs-validate-type-when-reading-a-chunk.patch @@ -0,0 +1,73 @@ +From 905aad8e5b31afab2b5c9840e6de4fce9b226995 Mon Sep 17 00:00:00 2001 +From: Gu Jinxiang +Date: Wed, 4 Jul 2018 18:16:39 +0800 +Subject: btrfs: validate type when reading a chunk + +commit 315409b0098fb2651d86553f0436b70502b29bb2 upstream. + +Reported in https://bugzilla.kernel.org/show_bug.cgi?id=199839, with an +image that has an invalid chunk type but does not return an error. + +Add chunk type check in btrfs_check_chunk_valid, to detect the wrong +type combinations. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199839 +Reported-by: Xu Wen +Reviewed-by: Qu Wenruo +Signed-off-by: Gu Jinxiang +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index a0947f4a3e87..cfd5728e7519 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6353,6 +6353,8 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info, + u16 num_stripes; + u16 sub_stripes; + u64 type; ++ u64 features; ++ bool mixed = false; + + length = btrfs_chunk_length(leaf, chunk); + stripe_len = btrfs_chunk_stripe_len(leaf, chunk); +@@ -6391,6 +6393,32 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info, + btrfs_chunk_type(leaf, chunk)); + return -EIO; + } ++ ++ if ((type & BTRFS_BLOCK_GROUP_TYPE_MASK) == 0) { ++ btrfs_err(fs_info, "missing chunk type flag: 0x%llx", type); ++ return -EIO; ++ } ++ ++ if ((type & BTRFS_BLOCK_GROUP_SYSTEM) && ++ (type & (BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA))) { ++ btrfs_err(fs_info, ++ "system chunk with data or metadata type: 0x%llx", type); ++ return -EIO; ++ } ++ ++ features = btrfs_super_incompat_flags(fs_info->super_copy); ++ if (features & BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS) ++ mixed = true; ++ ++ if (!mixed) { ++ if ((type & BTRFS_BLOCK_GROUP_METADATA) && ++ (type & BTRFS_BLOCK_GROUP_DATA)) { ++ btrfs_err(fs_info, ++ "mixed chunk type in non-mixed mode: 0x%llx", type); ++ return -EIO; ++ } ++ } ++ + if ((type & BTRFS_BLOCK_GROUP_RAID10 && sub_stripes != 2) || + (type & BTRFS_BLOCK_GROUP_RAID1 && num_stripes < 1) || + (type & BTRFS_BLOCK_GROUP_RAID5 && num_stripes < 2) || +-- +2.17.1 + diff --git a/queue-4.14/btrfs-verify-that-every-chunk-has-corresponding-bloc.patch b/queue-4.14/btrfs-verify-that-every-chunk-has-corresponding-bloc.patch new file mode 100644 index 00000000000..4e4ec6e939c --- /dev/null +++ b/queue-4.14/btrfs-verify-that-every-chunk-has-corresponding-bloc.patch @@ -0,0 +1,109 @@ +From f642dd8fb8b207d53dce466b9442ee7553f39ce8 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 1 Aug 2018 10:37:17 +0800 +Subject: btrfs: Verify that every chunk has corresponding block group at mount + time + +commit 7ef49515fa6727cb4b6f2f5b0ffbc5fc20a9f8c6 upstream. + +If a crafted image has missing block group items, it could cause +unexpected behavior and breaks the assumption of 1:1 chunk<->block group +mapping. + +Although we have the block group -> chunk mapping check, we still need +chunk -> block group mapping check. + +This patch will do extra check to ensure each chunk has its +corresponding block group. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199847 +Reported-by: Xu Wen +Signed-off-by: Qu Wenruo +Reviewed-by: Gu Jinxiang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 58 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 57 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 2cb3569ac548..fdc42eddccc2 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -10092,6 +10092,62 @@ btrfs_create_block_group_cache(struct btrfs_fs_info *fs_info, + return cache; + } + ++ ++/* ++ * Iterate all chunks and verify that each of them has the corresponding block ++ * group ++ */ ++static int check_chunk_block_group_mappings(struct btrfs_fs_info *fs_info) ++{ ++ struct btrfs_mapping_tree *map_tree = &fs_info->mapping_tree; ++ struct extent_map *em; ++ struct btrfs_block_group_cache *bg; ++ u64 start = 0; ++ int ret = 0; ++ ++ while (1) { ++ read_lock(&map_tree->map_tree.lock); ++ /* ++ * lookup_extent_mapping will return the first extent map ++ * intersecting the range, so setting @len to 1 is enough to ++ * get the first chunk. ++ */ ++ em = lookup_extent_mapping(&map_tree->map_tree, start, 1); ++ read_unlock(&map_tree->map_tree.lock); ++ if (!em) ++ break; ++ ++ bg = btrfs_lookup_block_group(fs_info, em->start); ++ if (!bg) { ++ btrfs_err(fs_info, ++ "chunk start=%llu len=%llu doesn't have corresponding block group", ++ em->start, em->len); ++ ret = -EUCLEAN; ++ free_extent_map(em); ++ break; ++ } ++ if (bg->key.objectid != em->start || ++ bg->key.offset != em->len || ++ (bg->flags & BTRFS_BLOCK_GROUP_TYPE_MASK) != ++ (em->map_lookup->type & BTRFS_BLOCK_GROUP_TYPE_MASK)) { ++ btrfs_err(fs_info, ++"chunk start=%llu len=%llu flags=0x%llx doesn't match block group start=%llu len=%llu flags=0x%llx", ++ em->start, em->len, ++ em->map_lookup->type & BTRFS_BLOCK_GROUP_TYPE_MASK, ++ bg->key.objectid, bg->key.offset, ++ bg->flags & BTRFS_BLOCK_GROUP_TYPE_MASK); ++ ret = -EUCLEAN; ++ free_extent_map(em); ++ btrfs_put_block_group(bg); ++ break; ++ } ++ start = em->start + em->len; ++ free_extent_map(em); ++ btrfs_put_block_group(bg); ++ } ++ return ret; ++} ++ + int btrfs_read_block_groups(struct btrfs_fs_info *info) + { + struct btrfs_path *path; +@@ -10264,7 +10320,7 @@ int btrfs_read_block_groups(struct btrfs_fs_info *info) + } + + init_global_block_rsv(info); +- ret = 0; ++ ret = check_chunk_block_group_mappings(info); + error: + btrfs_free_path(path); + return ret; +-- +2.17.1 + diff --git a/queue-4.14/f2fs-add-sanity_check_inode-function.patch b/queue-4.14/f2fs-add-sanity_check_inode-function.patch new file mode 100644 index 00000000000..3933a927c5d --- /dev/null +++ b/queue-4.14/f2fs-add-sanity_check_inode-function.patch @@ -0,0 +1,49 @@ +From 1dc2b68b778c9974a278c8b3b0c7db03a125366b Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Thu, 29 Nov 2018 19:17:34 +0000 +Subject: f2fs: Add sanity_check_inode() function + +This was done as part of commit 5d64600d4f33 "f2fs: avoid bug_on on +corrupted inode" upstream, but the specific check that commit added is +not applicable to 4.14. + +Cc: Jaegeuk Kim +Cc: Chao Yu +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index b1c0eb433841..917a6c3d5649 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -180,6 +180,13 @@ void f2fs_inode_chksum_set(struct f2fs_sb_info *sbi, struct page *page) + ri->i_inode_checksum = cpu_to_le32(f2fs_inode_chksum(sbi, page)); + } + ++static bool sanity_check_inode(struct inode *inode) ++{ ++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode); ++ ++ return true; ++} ++ + static int do_read_inode(struct inode *inode) + { + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); +@@ -281,6 +288,10 @@ struct inode *f2fs_iget(struct super_block *sb, unsigned long ino) + ret = do_read_inode(inode); + if (ret) + goto bad_inode; ++ if (!sanity_check_inode(inode)) { ++ ret = -EINVAL; ++ goto bad_inode; ++ } + make_now: + if (ino == F2FS_NODE_INO(sbi)) { + inode->i_mapping->a_ops = &f2fs_node_aops; +-- +2.17.1 + diff --git a/queue-4.14/f2fs-check-blkaddr-more-accuratly-before-issue-a-bio.patch b/queue-4.14/f2fs-check-blkaddr-more-accuratly-before-issue-a-bio.patch new file mode 100644 index 00000000000..524de0eee5a --- /dev/null +++ b/queue-4.14/f2fs-check-blkaddr-more-accuratly-before-issue-a-bio.patch @@ -0,0 +1,128 @@ +From d6f4d5a016326c1141f92ae931a66dab9d7c7d5e Mon Sep 17 00:00:00 2001 +From: Yunlei He +Date: Thu, 8 Mar 2018 16:29:13 +0800 +Subject: f2fs: check blkaddr more accuratly before issue a bio + +commit 0833721ec3658a4e9d5e58b6fa82cf9edc431e59 upstream. + +This patch check blkaddr more accuratly before issue a +write or read bio. + +Signed-off-by: Yunlei He +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 2 ++ + fs/f2fs/data.c | 5 +++-- + fs/f2fs/f2fs.h | 1 + + fs/f2fs/segment.h | 25 +++++++++++++++++++------ + 4 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 41fce930f44c..1bd4cd8c79c6 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -69,6 +69,7 @@ static struct page *__get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index, + .old_blkaddr = index, + .new_blkaddr = index, + .encrypted_page = NULL, ++ .is_meta = is_meta, + }; + + if (unlikely(!is_meta)) +@@ -163,6 +164,7 @@ int ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages, + .op_flags = sync ? (REQ_META | REQ_PRIO) : REQ_RAHEAD, + .encrypted_page = NULL, + .in_list = false, ++ .is_meta = (type != META_POR), + }; + struct blk_plug plug; + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 6fbb6d75318a..5913de3f661d 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -369,6 +369,7 @@ int f2fs_submit_page_bio(struct f2fs_io_info *fio) + struct page *page = fio->encrypted_page ? + fio->encrypted_page : fio->page; + ++ verify_block_addr(fio, fio->new_blkaddr); + trace_f2fs_submit_page_bio(page, fio); + f2fs_trace_ios(fio, 0); + +@@ -413,8 +414,8 @@ next: + } + + if (fio->old_blkaddr != NEW_ADDR) +- verify_block_addr(sbi, fio->old_blkaddr); +- verify_block_addr(sbi, fio->new_blkaddr); ++ verify_block_addr(fio, fio->old_blkaddr); ++ verify_block_addr(fio, fio->new_blkaddr); + + bio_page = fio->encrypted_page ? fio->encrypted_page : fio->page; + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 54f8520ad7a2..aa7b033af1b0 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -910,6 +910,7 @@ struct f2fs_io_info { + bool submitted; /* indicate IO submission */ + int need_lock; /* indicate we need to lock cp_rwsem */ + bool in_list; /* indicate fio is in io_list */ ++ bool is_meta; /* indicate borrow meta inode mapping or not */ + enum iostat_type io_type; /* io type */ + }; + +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 4dfb5080098f..4b635e8c91b0 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -53,13 +53,19 @@ + ((secno) == CURSEG_I(sbi, CURSEG_COLD_NODE)->segno / \ + (sbi)->segs_per_sec)) \ + +-#define MAIN_BLKADDR(sbi) (SM_I(sbi)->main_blkaddr) +-#define SEG0_BLKADDR(sbi) (SM_I(sbi)->seg0_blkaddr) ++#define MAIN_BLKADDR(sbi) \ ++ (SM_I(sbi) ? SM_I(sbi)->main_blkaddr : \ ++ le32_to_cpu(F2FS_RAW_SUPER(sbi)->main_blkaddr)) ++#define SEG0_BLKADDR(sbi) \ ++ (SM_I(sbi) ? SM_I(sbi)->seg0_blkaddr : \ ++ le32_to_cpu(F2FS_RAW_SUPER(sbi)->segment0_blkaddr)) + + #define MAIN_SEGS(sbi) (SM_I(sbi)->main_segments) + #define MAIN_SECS(sbi) ((sbi)->total_sections) + +-#define TOTAL_SEGS(sbi) (SM_I(sbi)->segment_count) ++#define TOTAL_SEGS(sbi) \ ++ (SM_I(sbi) ? SM_I(sbi)->segment_count : \ ++ le32_to_cpu(F2FS_RAW_SUPER(sbi)->segment_count)) + #define TOTAL_BLKS(sbi) (TOTAL_SEGS(sbi) << (sbi)->log_blocks_per_seg) + + #define MAX_BLKADDR(sbi) (SEG0_BLKADDR(sbi) + TOTAL_BLKS(sbi)) +@@ -619,10 +625,17 @@ static inline void check_seg_range(struct f2fs_sb_info *sbi, unsigned int segno) + f2fs_bug_on(sbi, segno > TOTAL_SEGS(sbi) - 1); + } + +-static inline void verify_block_addr(struct f2fs_sb_info *sbi, block_t blk_addr) ++static inline void verify_block_addr(struct f2fs_io_info *fio, block_t blk_addr) + { +- BUG_ON(blk_addr < SEG0_BLKADDR(sbi) +- || blk_addr >= MAX_BLKADDR(sbi)); ++ struct f2fs_sb_info *sbi = fio->sbi; ++ ++ if (PAGE_TYPE_OF_BIO(fio->type) == META && ++ (!is_read_io(fio->op) || fio->is_meta)) ++ BUG_ON(blk_addr < SEG0_BLKADDR(sbi) || ++ blk_addr >= MAIN_BLKADDR(sbi)); ++ else ++ BUG_ON(blk_addr < MAIN_BLKADDR(sbi) || ++ blk_addr >= MAX_BLKADDR(sbi)); + } + + /* +-- +2.17.1 + diff --git a/queue-4.14/f2fs-clean-up-with-is_valid_blkaddr.patch b/queue-4.14/f2fs-clean-up-with-is_valid_blkaddr.patch new file mode 100644 index 00000000000..d5398bb552f --- /dev/null +++ b/queue-4.14/f2fs-clean-up-with-is_valid_blkaddr.patch @@ -0,0 +1,252 @@ +From 188bc3eea6c9e3b66cbcc504e4faf8047af815a1 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 23 May 2018 22:25:08 +0800 +Subject: f2fs: clean up with is_valid_blkaddr() + +commit 7b525dd01365c6764018e374d391c92466be1b7a upstream. + +- rename is_valid_blkaddr() to is_valid_meta_blkaddr() for readability. +- introduce is_valid_blkaddr() for cleanup. + +No logic change in this patch. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 4 ++-- + fs/f2fs/data.c | 18 +++++------------- + fs/f2fs/f2fs.h | 9 ++++++++- + fs/f2fs/file.c | 2 +- + fs/f2fs/inode.c | 2 +- + fs/f2fs/node.c | 5 ++--- + fs/f2fs/recovery.c | 6 +++--- + fs/f2fs/segment.c | 4 ++-- + fs/f2fs/segment.h | 2 +- + 9 files changed, 25 insertions(+), 27 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 1bd4cd8c79c6..2b951046657e 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -118,7 +118,7 @@ struct page *get_tmp_page(struct f2fs_sb_info *sbi, pgoff_t index) + return __get_meta_page(sbi, index, false); + } + +-bool is_valid_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr, int type) ++bool is_valid_meta_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr, int type) + { + switch (type) { + case META_NAT: +@@ -174,7 +174,7 @@ int ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages, + blk_start_plug(&plug); + for (; nrpages-- > 0; blkno++) { + +- if (!is_valid_blkaddr(sbi, blkno, type)) ++ if (!is_valid_meta_blkaddr(sbi, blkno, type)) + goto out; + + switch (type) { +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 5913de3f661d..f7b2909e9c5f 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -413,7 +413,7 @@ next: + spin_unlock(&io->io_lock); + } + +- if (fio->old_blkaddr != NEW_ADDR) ++ if (is_valid_blkaddr(fio->old_blkaddr)) + verify_block_addr(fio, fio->old_blkaddr); + verify_block_addr(fio, fio->new_blkaddr); + +@@ -946,7 +946,7 @@ next_dnode: + next_block: + blkaddr = datablock_addr(dn.inode, dn.node_page, dn.ofs_in_node); + +- if (blkaddr == NEW_ADDR || blkaddr == NULL_ADDR) { ++ if (!is_valid_blkaddr(blkaddr)) { + if (create) { + if (unlikely(f2fs_cp_error(sbi))) { + err = -EIO; +@@ -1388,15 +1388,6 @@ static inline bool need_inplace_update(struct f2fs_io_info *fio) + return need_inplace_update_policy(inode, fio); + } + +-static inline bool valid_ipu_blkaddr(struct f2fs_io_info *fio) +-{ +- if (fio->old_blkaddr == NEW_ADDR) +- return false; +- if (fio->old_blkaddr == NULL_ADDR) +- return false; +- return true; +-} +- + int do_write_data_page(struct f2fs_io_info *fio) + { + struct page *page = fio->page; +@@ -1411,7 +1402,7 @@ int do_write_data_page(struct f2fs_io_info *fio) + f2fs_lookup_extent_cache(inode, page->index, &ei)) { + fio->old_blkaddr = ei.blk + page->index - ei.fofs; + +- if (valid_ipu_blkaddr(fio)) { ++ if (is_valid_blkaddr(fio->old_blkaddr)) { + ipu_force = true; + fio->need_lock = LOCK_DONE; + goto got_it; +@@ -1438,7 +1429,8 @@ got_it: + * If current allocation needs SSR, + * it had better in-place writes for updated data. + */ +- if (ipu_force || (valid_ipu_blkaddr(fio) && need_inplace_update(fio))) { ++ if (ipu_force || (is_valid_blkaddr(fio->old_blkaddr) && ++ need_inplace_update(fio))) { + err = encrypt_one_page(fio); + if (err) + goto out_writepage; +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index aa7b033af1b0..d74c77b51b71 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -2355,6 +2355,13 @@ static inline void f2fs_update_iostat(struct f2fs_sb_info *sbi, + spin_unlock(&sbi->iostat_lock); + } + ++static inline bool is_valid_blkaddr(block_t blkaddr) ++{ ++ if (blkaddr == NEW_ADDR || blkaddr == NULL_ADDR) ++ return false; ++ return true; ++} ++ + /* + * file.c + */ +@@ -2565,7 +2572,7 @@ void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io); + struct page *grab_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); + struct page *get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); + struct page *get_tmp_page(struct f2fs_sb_info *sbi, pgoff_t index); +-bool is_valid_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr, int type); ++bool is_valid_meta_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr, int type); + int ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages, + int type, bool sync); + void ra_meta_pages_cond(struct f2fs_sb_info *sbi, pgoff_t index); +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 6f589730782d..d368eda462bb 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -334,7 +334,7 @@ static bool __found_offset(block_t blkaddr, pgoff_t dirty, pgoff_t pgofs, + switch (whence) { + case SEEK_DATA: + if ((blkaddr == NEW_ADDR && dirty == pgofs) || +- (blkaddr != NEW_ADDR && blkaddr != NULL_ADDR)) ++ is_valid_blkaddr(blkaddr)) + return true; + break; + case SEEK_HOLE: +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 259b0aa283f0..2bcbbf566f0c 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -66,7 +66,7 @@ static bool __written_first_block(struct f2fs_inode *ri) + { + block_t addr = le32_to_cpu(ri->i_addr[offset_in_addr(ri)]); + +- if (addr != NEW_ADDR && addr != NULL_ADDR) ++ if (is_valid_blkaddr(addr)) + return true; + return false; + } +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 712505ec5de4..5f212fb2d62b 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -334,8 +334,7 @@ static void set_node_addr(struct f2fs_sb_info *sbi, struct node_info *ni, + new_blkaddr == NULL_ADDR); + f2fs_bug_on(sbi, nat_get_blkaddr(e) == NEW_ADDR && + new_blkaddr == NEW_ADDR); +- f2fs_bug_on(sbi, nat_get_blkaddr(e) != NEW_ADDR && +- nat_get_blkaddr(e) != NULL_ADDR && ++ f2fs_bug_on(sbi, is_valid_blkaddr(nat_get_blkaddr(e)) && + new_blkaddr == NEW_ADDR); + + /* increment version no as node is removed */ +@@ -350,7 +349,7 @@ static void set_node_addr(struct f2fs_sb_info *sbi, struct node_info *ni, + + /* change address */ + nat_set_blkaddr(e, new_blkaddr); +- if (new_blkaddr == NEW_ADDR || new_blkaddr == NULL_ADDR) ++ if (!is_valid_blkaddr(new_blkaddr)) + set_nat_flag(e, IS_CHECKPOINTED, false); + __set_nat_cache_dirty(nm_i, e); + +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index 765fadf954af..53f41ad4cbe1 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -236,7 +236,7 @@ static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head, + while (1) { + struct fsync_inode_entry *entry; + +- if (!is_valid_blkaddr(sbi, blkaddr, META_POR)) ++ if (!is_valid_meta_blkaddr(sbi, blkaddr, META_POR)) + return 0; + + page = get_tmp_page(sbi, blkaddr); +@@ -479,7 +479,7 @@ retry_dn: + } + + /* dest is valid block, try to recover from src to dest */ +- if (is_valid_blkaddr(sbi, dest, META_POR)) { ++ if (is_valid_meta_blkaddr(sbi, dest, META_POR)) { + + if (src == NULL_ADDR) { + err = reserve_new_block(&dn); +@@ -540,7 +540,7 @@ static int recover_data(struct f2fs_sb_info *sbi, struct list_head *inode_list, + while (1) { + struct fsync_inode_entry *entry; + +- if (!is_valid_blkaddr(sbi, blkaddr, META_POR)) ++ if (!is_valid_meta_blkaddr(sbi, blkaddr, META_POR)) + break; + + ra_meta_pages_cond(sbi, blkaddr); +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 1104a6c80251..483d7a869679 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -1758,7 +1758,7 @@ bool is_checkpointed_data(struct f2fs_sb_info *sbi, block_t blkaddr) + struct seg_entry *se; + bool is_cp = false; + +- if (blkaddr == NEW_ADDR || blkaddr == NULL_ADDR) ++ if (!is_valid_blkaddr(blkaddr)) + return true; + + mutex_lock(&sit_i->sentry_lock); +@@ -2571,7 +2571,7 @@ void f2fs_wait_on_block_writeback(struct f2fs_sb_info *sbi, block_t blkaddr) + { + struct page *cpage; + +- if (blkaddr == NEW_ADDR || blkaddr == NULL_ADDR) ++ if (!is_valid_blkaddr(blkaddr)) + return; + + cpage = find_lock_page(META_MAPPING(sbi), blkaddr); +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 4b635e8c91b0..f977774338c3 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -85,7 +85,7 @@ + (GET_SEGOFF_FROM_SEG0(sbi, blk_addr) & ((sbi)->blocks_per_seg - 1)) + + #define GET_SEGNO(sbi, blk_addr) \ +- ((((blk_addr) == NULL_ADDR) || ((blk_addr) == NEW_ADDR)) ? \ ++ ((!is_valid_blkaddr(blk_addr)) ? \ + NULL_SEGNO : GET_L2R_SEGNO(FREE_I(sbi), \ + GET_SEGNO_FROM_SEG0(sbi, blk_addr))) + #define BLKS_PER_SEC(sbi) \ +-- +2.17.1 + diff --git a/queue-4.14/f2fs-enhance-sanity_check_raw_super-to-avoid-potenti.patch b/queue-4.14/f2fs-enhance-sanity_check_raw_super-to-avoid-potenti.patch new file mode 100644 index 00000000000..4d7e0c65cf9 --- /dev/null +++ b/queue-4.14/f2fs-enhance-sanity_check_raw_super-to-avoid-potenti.patch @@ -0,0 +1,182 @@ +From 5a15dbbc9f6d8abb1721458c97f040b72aab25e5 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Fri, 27 Apr 2018 19:03:22 -0700 +Subject: f2fs: enhance sanity_check_raw_super() to avoid potential overflow + +commit 0cfe75c5b011994651a4ca6d74f20aa997bfc69a upstream. + +In order to avoid the below overflow issue, we should have checked the +boundaries in superblock before reaching out to allocation. As Linus suggested, +the right place should be sanity_check_raw_super(). + +Dr Silvio Cesare of InfoSect reported: + +There are integer overflows with using the cp_payload superblock field in the +f2fs filesystem potentially leading to memory corruption. + +include/linux/f2fs_fs.h + +struct f2fs_super_block { +... + __le32 cp_payload; + +fs/f2fs/f2fs.h + +typedef u32 block_t; /* + * should not change u32, since it is the on-disk block + * address format, __le32. + */ +... + +static inline block_t __cp_payload(struct f2fs_sb_info *sbi) +{ + return le32_to_cpu(F2FS_RAW_SUPER(sbi)->cp_payload); +} + +fs/f2fs/checkpoint.c + + block_t start_blk, orphan_blocks, i, j; +... + start_blk = __start_cp_addr(sbi) + 1 + __cp_payload(sbi); + orphan_blocks = __start_sum_addr(sbi) - 1 - __cp_payload(sbi); + ++++ integer overflows + +... + unsigned int cp_blks = 1 + __cp_payload(sbi); +... + sbi->ckpt = kzalloc(cp_blks * blk_size, GFP_KERNEL); + ++++ integer overflow leading to incorrect heap allocation. + + int cp_payload_blks = __cp_payload(sbi); +... + ckpt->cp_pack_start_sum = cpu_to_le32(1 + cp_payload_blks + + orphan_blocks); + ++++ sign bug and integer overflow + +... + for (i = 1; i < 1 + cp_payload_blks; i++) + ++++ integer overflow + +... + + sbi->max_orphans = (sbi->blocks_per_seg - F2FS_CP_PACKS - + NR_CURSEG_TYPE - __cp_payload(sbi)) * + F2FS_ORPHANS_PER_BLOCK; + ++++ integer overflow + +Reported-by: Greg KH +Reported-by: Silvio Cesare +Suggested-by: Linus Torvalds +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[bwh: Backported to 4.14: No hot file extension support] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 71 ++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 64 insertions(+), 7 deletions(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 7cda685296b2..c3e1090e7c0a 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1807,6 +1807,8 @@ static inline bool sanity_check_area_boundary(struct f2fs_sb_info *sbi, + static int sanity_check_raw_super(struct f2fs_sb_info *sbi, + struct buffer_head *bh) + { ++ block_t segment_count, segs_per_sec, secs_per_zone; ++ block_t total_sections, blocks_per_seg; + struct f2fs_super_block *raw_super = (struct f2fs_super_block *) + (bh->b_data + F2FS_SUPER_OFFSET); + struct super_block *sb = sbi->sb; +@@ -1863,6 +1865,68 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, + return 1; + } + ++ segment_count = le32_to_cpu(raw_super->segment_count); ++ segs_per_sec = le32_to_cpu(raw_super->segs_per_sec); ++ secs_per_zone = le32_to_cpu(raw_super->secs_per_zone); ++ total_sections = le32_to_cpu(raw_super->section_count); ++ ++ /* blocks_per_seg should be 512, given the above check */ ++ blocks_per_seg = 1 << le32_to_cpu(raw_super->log_blocks_per_seg); ++ ++ if (segment_count > F2FS_MAX_SEGMENT || ++ segment_count < F2FS_MIN_SEGMENTS) { ++ f2fs_msg(sb, KERN_INFO, ++ "Invalid segment count (%u)", ++ segment_count); ++ return 1; ++ } ++ ++ if (total_sections > segment_count || ++ total_sections < F2FS_MIN_SEGMENTS || ++ segs_per_sec > segment_count || !segs_per_sec) { ++ f2fs_msg(sb, KERN_INFO, ++ "Invalid segment/section count (%u, %u x %u)", ++ segment_count, total_sections, segs_per_sec); ++ return 1; ++ } ++ ++ if ((segment_count / segs_per_sec) < total_sections) { ++ f2fs_msg(sb, KERN_INFO, ++ "Small segment_count (%u < %u * %u)", ++ segment_count, segs_per_sec, total_sections); ++ return 1; ++ } ++ ++ if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) { ++ f2fs_msg(sb, KERN_INFO, ++ "Wrong segment_count / block_count (%u > %u)", ++ segment_count, le32_to_cpu(raw_super->block_count)); ++ return 1; ++ } ++ ++ if (secs_per_zone > total_sections) { ++ f2fs_msg(sb, KERN_INFO, ++ "Wrong secs_per_zone (%u > %u)", ++ secs_per_zone, total_sections); ++ return 1; ++ } ++ if (le32_to_cpu(raw_super->extension_count) > F2FS_MAX_EXTENSION) { ++ f2fs_msg(sb, KERN_INFO, ++ "Corrupted extension count (%u > %u)", ++ le32_to_cpu(raw_super->extension_count), ++ F2FS_MAX_EXTENSION); ++ return 1; ++ } ++ ++ if (le32_to_cpu(raw_super->cp_payload) > ++ (blocks_per_seg - F2FS_CP_PACKS)) { ++ f2fs_msg(sb, KERN_INFO, ++ "Insane cp_payload (%u > %u)", ++ le32_to_cpu(raw_super->cp_payload), ++ blocks_per_seg - F2FS_CP_PACKS); ++ return 1; ++ } ++ + /* check reserved ino info */ + if (le32_to_cpu(raw_super->node_ino) != 1 || + le32_to_cpu(raw_super->meta_ino) != 2 || +@@ -1875,13 +1939,6 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, + return 1; + } + +- if (le32_to_cpu(raw_super->segment_count) > F2FS_MAX_SEGMENT) { +- f2fs_msg(sb, KERN_INFO, +- "Invalid segment count (%u)", +- le32_to_cpu(raw_super->segment_count)); +- return 1; +- } +- + /* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */ + if (sanity_check_area_boundary(sbi, bh)) + return 1; +-- +2.17.1 + diff --git a/queue-4.14/f2fs-fix-to-do-sanity-check-with-block-address-in-ma.patch b/queue-4.14/f2fs-fix-to-do-sanity-check-with-block-address-in-ma.patch new file mode 100644 index 00000000000..1b167d7a5eb --- /dev/null +++ b/queue-4.14/f2fs-fix-to-do-sanity-check-with-block-address-in-ma.patch @@ -0,0 +1,524 @@ +From c97fadd6a7ce75e4c0b37a9c6d8eca02abb9464c Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 1 Aug 2018 19:13:44 +0800 +Subject: f2fs: fix to do sanity check with block address in main area + +commit c9b60788fc760d136211853f10ce73dc152d1f4a upstream. + +This patch add to do sanity check with below field: +- cp_pack_total_block_count +- blkaddr of data/node +- extent info + +- Overview +BUG() in verify_block_addr() when writing to a corrupted f2fs image + +- Reproduce (4.18 upstream kernel) + +- POC (poc.c) + +static void activity(char *mpoint) { + + char *foo_bar_baz; + int err; + + static int buf[8192]; + memset(buf, 0, sizeof(buf)); + + err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint); + + int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777); + if (fd >= 0) { + write(fd, (char *)buf, sizeof(buf)); + fdatasync(fd); + close(fd); + } +} + +int main(int argc, char *argv[]) { + activity(argv[1]); + return 0; +} + +- Kernel message +[ 689.349473] F2FS-fs (loop0): Mounted with checkpoint version = 3 +[ 699.728662] WARNING: CPU: 0 PID: 1309 at fs/f2fs/segment.c:2860 f2fs_inplace_write_data+0x232/0x240 +[ 699.728670] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy +[ 699.729056] CPU: 0 PID: 1309 Comm: a.out Not tainted 4.18.0-rc1+ #4 +[ 699.729064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 699.729074] RIP: 0010:f2fs_inplace_write_data+0x232/0x240 +[ 699.729076] Code: ff e9 cf fe ff ff 49 8d 7d 10 e8 39 45 ad ff 4d 8b 7d 10 be 04 00 00 00 49 8d 7f 48 e8 07 49 ad ff 45 8b 7f 48 e9 fb fe ff ff <0f> 0b f0 41 80 4d 48 04 e9 65 fe ff ff 90 66 66 66 66 90 55 48 8d +[ 699.729130] RSP: 0018:ffff8801f43af568 EFLAGS: 00010202 +[ 699.729139] RAX: 000000000000003f RBX: ffff8801f43af7b8 RCX: ffffffffb88c9113 +[ 699.729142] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8802024e5540 +[ 699.729144] RBP: ffff8801f43af590 R08: 0000000000000009 R09: ffffffffffffffe8 +[ 699.729147] R10: 0000000000000001 R11: ffffed0039b0596a R12: ffff8802024e5540 +[ 699.729149] R13: ffff8801f0335500 R14: ffff8801e3e7a700 R15: ffff8801e1ee4450 +[ 699.729154] FS: 00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 699.729156] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 699.729159] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0 +[ 699.729171] Call Trace: +[ 699.729192] f2fs_do_write_data_page+0x2e2/0xe00 +[ 699.729203] ? f2fs_should_update_outplace+0xd0/0xd0 +[ 699.729238] ? memcg_drain_all_list_lrus+0x280/0x280 +[ 699.729269] ? __radix_tree_replace+0xa3/0x120 +[ 699.729276] __write_data_page+0x5c7/0xe30 +[ 699.729291] ? kasan_check_read+0x11/0x20 +[ 699.729310] ? page_mapped+0x8a/0x110 +[ 699.729321] ? page_mkclean+0xe9/0x160 +[ 699.729327] ? f2fs_do_write_data_page+0xe00/0xe00 +[ 699.729331] ? invalid_page_referenced_vma+0x130/0x130 +[ 699.729345] ? clear_page_dirty_for_io+0x332/0x450 +[ 699.729351] f2fs_write_cache_pages+0x4ca/0x860 +[ 699.729358] ? __write_data_page+0xe30/0xe30 +[ 699.729374] ? percpu_counter_add_batch+0x22/0xa0 +[ 699.729380] ? kasan_check_write+0x14/0x20 +[ 699.729391] ? _raw_spin_lock+0x17/0x40 +[ 699.729403] ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30 +[ 699.729413] ? iov_iter_advance+0x113/0x640 +[ 699.729418] ? f2fs_write_end+0x133/0x2e0 +[ 699.729423] ? balance_dirty_pages_ratelimited+0x239/0x640 +[ 699.729428] f2fs_write_data_pages+0x329/0x520 +[ 699.729433] ? generic_perform_write+0x250/0x320 +[ 699.729438] ? f2fs_write_cache_pages+0x860/0x860 +[ 699.729454] ? current_time+0x110/0x110 +[ 699.729459] ? f2fs_preallocate_blocks+0x1ef/0x370 +[ 699.729464] do_writepages+0x37/0xb0 +[ 699.729468] ? f2fs_write_cache_pages+0x860/0x860 +[ 699.729472] ? do_writepages+0x37/0xb0 +[ 699.729478] __filemap_fdatawrite_range+0x19a/0x1f0 +[ 699.729483] ? delete_from_page_cache_batch+0x4e0/0x4e0 +[ 699.729496] ? __vfs_write+0x2b2/0x410 +[ 699.729501] file_write_and_wait_range+0x66/0xb0 +[ 699.729506] f2fs_do_sync_file+0x1f9/0xd90 +[ 699.729511] ? truncate_partial_data_page+0x290/0x290 +[ 699.729521] ? __sb_end_write+0x30/0x50 +[ 699.729526] ? vfs_write+0x20f/0x260 +[ 699.729530] f2fs_sync_file+0x9a/0xb0 +[ 699.729534] ? f2fs_do_sync_file+0xd90/0xd90 +[ 699.729548] vfs_fsync_range+0x68/0x100 +[ 699.729554] ? __fget_light+0xc9/0xe0 +[ 699.729558] do_fsync+0x3d/0x70 +[ 699.729562] __x64_sys_fdatasync+0x24/0x30 +[ 699.729585] do_syscall_64+0x78/0x170 +[ 699.729595] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 699.729613] RIP: 0033:0x7f9bf930d800 +[ 699.729615] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24 +[ 699.729668] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b +[ 699.729673] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800 +[ 699.729675] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003 +[ 699.729678] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000 +[ 699.729680] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610 +[ 699.729683] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000 +[ 699.729687] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 699.729782] ------------[ cut here ]------------ +[ 699.729785] kernel BUG at fs/f2fs/segment.h:654! +[ 699.731055] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 699.732104] CPU: 0 PID: 1309 Comm: a.out Tainted: G W 4.18.0-rc1+ #4 +[ 699.733684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 699.735611] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730 +[ 699.736649] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0 +[ 699.740524] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283 +[ 699.741573] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef +[ 699.743006] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c +[ 699.744426] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55 +[ 699.745833] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940 +[ 699.747256] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001 +[ 699.748683] FS: 00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 699.750293] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 699.751462] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0 +[ 699.752874] Call Trace: +[ 699.753386] ? f2fs_inplace_write_data+0x93/0x240 +[ 699.754341] f2fs_inplace_write_data+0xd2/0x240 +[ 699.755271] f2fs_do_write_data_page+0x2e2/0xe00 +[ 699.756214] ? f2fs_should_update_outplace+0xd0/0xd0 +[ 699.757215] ? memcg_drain_all_list_lrus+0x280/0x280 +[ 699.758209] ? __radix_tree_replace+0xa3/0x120 +[ 699.759164] __write_data_page+0x5c7/0xe30 +[ 699.760002] ? kasan_check_read+0x11/0x20 +[ 699.760823] ? page_mapped+0x8a/0x110 +[ 699.761573] ? page_mkclean+0xe9/0x160 +[ 699.762345] ? f2fs_do_write_data_page+0xe00/0xe00 +[ 699.763332] ? invalid_page_referenced_vma+0x130/0x130 +[ 699.764374] ? clear_page_dirty_for_io+0x332/0x450 +[ 699.765347] f2fs_write_cache_pages+0x4ca/0x860 +[ 699.766276] ? __write_data_page+0xe30/0xe30 +[ 699.767161] ? percpu_counter_add_batch+0x22/0xa0 +[ 699.768112] ? kasan_check_write+0x14/0x20 +[ 699.768951] ? _raw_spin_lock+0x17/0x40 +[ 699.769739] ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30 +[ 699.770885] ? iov_iter_advance+0x113/0x640 +[ 699.771743] ? f2fs_write_end+0x133/0x2e0 +[ 699.772569] ? balance_dirty_pages_ratelimited+0x239/0x640 +[ 699.773680] f2fs_write_data_pages+0x329/0x520 +[ 699.774603] ? generic_perform_write+0x250/0x320 +[ 699.775544] ? f2fs_write_cache_pages+0x860/0x860 +[ 699.776510] ? current_time+0x110/0x110 +[ 699.777299] ? f2fs_preallocate_blocks+0x1ef/0x370 +[ 699.778279] do_writepages+0x37/0xb0 +[ 699.779026] ? f2fs_write_cache_pages+0x860/0x860 +[ 699.779978] ? do_writepages+0x37/0xb0 +[ 699.780755] __filemap_fdatawrite_range+0x19a/0x1f0 +[ 699.781746] ? delete_from_page_cache_batch+0x4e0/0x4e0 +[ 699.782820] ? __vfs_write+0x2b2/0x410 +[ 699.783597] file_write_and_wait_range+0x66/0xb0 +[ 699.784540] f2fs_do_sync_file+0x1f9/0xd90 +[ 699.785381] ? truncate_partial_data_page+0x290/0x290 +[ 699.786415] ? __sb_end_write+0x30/0x50 +[ 699.787204] ? vfs_write+0x20f/0x260 +[ 699.787941] f2fs_sync_file+0x9a/0xb0 +[ 699.788694] ? f2fs_do_sync_file+0xd90/0xd90 +[ 699.789572] vfs_fsync_range+0x68/0x100 +[ 699.790360] ? __fget_light+0xc9/0xe0 +[ 699.791128] do_fsync+0x3d/0x70 +[ 699.791779] __x64_sys_fdatasync+0x24/0x30 +[ 699.792614] do_syscall_64+0x78/0x170 +[ 699.793371] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 699.794406] RIP: 0033:0x7f9bf930d800 +[ 699.795134] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24 +[ 699.798960] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b +[ 699.800483] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800 +[ 699.801923] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003 +[ 699.803373] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000 +[ 699.804798] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610 +[ 699.806233] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000 +[ 699.807667] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy +[ 699.817079] ---[ end trace 4ce02f25ff7d3df6 ]--- +[ 699.818068] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730 +[ 699.819114] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0 +[ 699.822919] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283 +[ 699.823977] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef +[ 699.825436] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c +[ 699.826881] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55 +[ 699.828292] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940 +[ 699.829750] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001 +[ 699.831192] FS: 00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 699.832793] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 699.833981] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0 +[ 699.835556] ================================================================== +[ 699.837029] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0 +[ 699.838462] Read of size 8 at addr ffff8801f43af970 by task a.out/1309 + +[ 699.840086] CPU: 0 PID: 1309 Comm: a.out Tainted: G D W 4.18.0-rc1+ #4 +[ 699.841603] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 699.843475] Call Trace: +[ 699.843982] dump_stack+0x7b/0xb5 +[ 699.844661] print_address_description+0x70/0x290 +[ 699.845607] kasan_report+0x291/0x390 +[ 699.846351] ? update_stack_state+0x38c/0x3e0 +[ 699.853831] __asan_load8+0x54/0x90 +[ 699.854569] update_stack_state+0x38c/0x3e0 +[ 699.855428] ? __read_once_size_nocheck.constprop.7+0x20/0x20 +[ 699.856601] ? __save_stack_trace+0x5e/0x100 +[ 699.857476] unwind_next_frame.part.5+0x18e/0x490 +[ 699.858448] ? unwind_dump+0x290/0x290 +[ 699.859217] ? clear_page_dirty_for_io+0x332/0x450 +[ 699.860185] __unwind_start+0x106/0x190 +[ 699.860974] __save_stack_trace+0x5e/0x100 +[ 699.861808] ? __save_stack_trace+0x5e/0x100 +[ 699.862691] ? unlink_anon_vmas+0xba/0x2c0 +[ 699.863525] save_stack_trace+0x1f/0x30 +[ 699.864312] save_stack+0x46/0xd0 +[ 699.864993] ? __alloc_pages_slowpath+0x1420/0x1420 +[ 699.865990] ? flush_tlb_mm_range+0x15e/0x220 +[ 699.866889] ? kasan_check_write+0x14/0x20 +[ 699.867724] ? __dec_node_state+0x92/0xb0 +[ 699.868543] ? lock_page_memcg+0x85/0xf0 +[ 699.869350] ? unlock_page_memcg+0x16/0x80 +[ 699.870185] ? page_remove_rmap+0x198/0x520 +[ 699.871048] ? mark_page_accessed+0x133/0x200 +[ 699.871930] ? _cond_resched+0x1a/0x50 +[ 699.872700] ? unmap_page_range+0xcd4/0xe50 +[ 699.873551] ? rb_next+0x58/0x80 +[ 699.874217] ? rb_next+0x58/0x80 +[ 699.874895] __kasan_slab_free+0x13c/0x1a0 +[ 699.875734] ? unlink_anon_vmas+0xba/0x2c0 +[ 699.876563] kasan_slab_free+0xe/0x10 +[ 699.877315] kmem_cache_free+0x89/0x1e0 +[ 699.878095] unlink_anon_vmas+0xba/0x2c0 +[ 699.878913] free_pgtables+0x101/0x1b0 +[ 699.879677] exit_mmap+0x146/0x2a0 +[ 699.880378] ? __ia32_sys_munmap+0x50/0x50 +[ 699.881214] ? kasan_check_read+0x11/0x20 +[ 699.882052] ? mm_update_next_owner+0x322/0x380 +[ 699.882985] mmput+0x8b/0x1d0 +[ 699.883602] do_exit+0x43a/0x1390 +[ 699.884288] ? mm_update_next_owner+0x380/0x380 +[ 699.885212] ? f2fs_sync_file+0x9a/0xb0 +[ 699.885995] ? f2fs_do_sync_file+0xd90/0xd90 +[ 699.886877] ? vfs_fsync_range+0x68/0x100 +[ 699.887694] ? __fget_light+0xc9/0xe0 +[ 699.888442] ? do_fsync+0x3d/0x70 +[ 699.889118] ? __x64_sys_fdatasync+0x24/0x30 +[ 699.889996] rewind_stack_do_exit+0x17/0x20 +[ 699.890860] RIP: 0033:0x7f9bf930d800 +[ 699.891585] Code: Bad RIP value. +[ 699.892268] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b +[ 699.893781] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800 +[ 699.895220] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003 +[ 699.896643] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000 +[ 699.898069] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610 +[ 699.899505] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000 + +[ 699.901241] The buggy address belongs to the page: +[ 699.902215] page:ffffea0007d0ebc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 699.903811] flags: 0x2ffff0000000000() +[ 699.904585] raw: 02ffff0000000000 0000000000000000 ffffffff07d00101 0000000000000000 +[ 699.906125] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000 +[ 699.907673] page dumped because: kasan: bad access detected + +[ 699.909108] Memory state around the buggy address: +[ 699.910077] ffff8801f43af800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 +[ 699.911528] ffff8801f43af880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 699.912953] >ffff8801f43af900: 00 00 00 00 00 00 00 00 f1 01 f4 f4 f4 f2 f2 f2 +[ 699.914392] ^ +[ 699.915758] ffff8801f43af980: f2 00 f4 f4 00 00 00 00 f2 00 00 00 00 00 00 00 +[ 699.917193] ffff8801f43afa00: 00 00 00 00 00 00 00 00 00 f3 f3 f3 00 00 00 00 +[ 699.918634] ================================================================== + +- Location +https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L644 + +Reported-by Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[bwh: Backported to 4.14: + - Error label is different in validate_checkpoint() due to the earlier + backport of "f2fs: fix invalid memory access" + - Adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 22 +++++++++++++++++++--- + fs/f2fs/data.c | 33 +++++++++++++++++++++++++++------ + fs/f2fs/f2fs.h | 3 +++ + fs/f2fs/file.c | 12 ++++++++++++ + fs/f2fs/inode.c | 17 +++++++++++++++++ + fs/f2fs/node.c | 4 ++++ + fs/f2fs/segment.h | 3 +-- + 7 files changed, 83 insertions(+), 11 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index d7bd9745e883..c81cd5057b8e 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -86,8 +86,10 @@ repeat: + fio.page = page; + + if (f2fs_submit_page_bio(&fio)) { +- f2fs_put_page(page, 1); +- goto repeat; ++ memset(page_address(page), 0, PAGE_SIZE); ++ f2fs_stop_checkpoint(sbi, false); ++ f2fs_bug_on(sbi, 1); ++ return page; + } + + lock_page(page); +@@ -141,8 +143,14 @@ bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, + case META_POR: + case DATA_GENERIC: + if (unlikely(blkaddr >= MAX_BLKADDR(sbi) || +- blkaddr < MAIN_BLKADDR(sbi))) ++ blkaddr < MAIN_BLKADDR(sbi))) { ++ if (type == DATA_GENERIC) { ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "access invalid blkaddr:%u", blkaddr); ++ WARN_ON(1); ++ } + return false; ++ } + break; + case META_GENERIC: + if (unlikely(blkaddr < SEG0_BLKADDR(sbi) || +@@ -746,6 +754,14 @@ static struct page *validate_checkpoint(struct f2fs_sb_info *sbi, + &cp_page_1, version); + if (err) + return NULL; ++ ++ if (le32_to_cpu(cp_block->cp_pack_total_block_count) > ++ sbi->blocks_per_seg) { ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "invalid cp_pack_total_block_count:%u", ++ le32_to_cpu(cp_block->cp_pack_total_block_count)); ++ goto invalid_cp; ++ } + pre_version = *version; + + cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1; +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 615878806611..8f6e7c3a10f8 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -369,7 +369,10 @@ int f2fs_submit_page_bio(struct f2fs_io_info *fio) + struct page *page = fio->encrypted_page ? + fio->encrypted_page : fio->page; + +- verify_block_addr(fio, fio->new_blkaddr); ++ if (!f2fs_is_valid_blkaddr(fio->sbi, fio->new_blkaddr, ++ __is_meta_io(fio) ? META_GENERIC : DATA_GENERIC)) ++ return -EFAULT; ++ + trace_f2fs_submit_page_bio(page, fio); + f2fs_trace_ios(fio, 0); + +@@ -946,6 +949,12 @@ next_dnode: + next_block: + blkaddr = datablock_addr(dn.inode, dn.node_page, dn.ofs_in_node); + ++ if (__is_valid_data_blkaddr(blkaddr) && ++ !f2fs_is_valid_blkaddr(sbi, blkaddr, DATA_GENERIC)) { ++ err = -EFAULT; ++ goto sync_out; ++ } ++ + if (!is_valid_data_blkaddr(sbi, blkaddr)) { + if (create) { + if (unlikely(f2fs_cp_error(sbi))) { +@@ -1264,6 +1273,10 @@ got_it: + SetPageUptodate(page); + goto confused; + } ++ ++ if (!f2fs_is_valid_blkaddr(F2FS_I_SB(inode), block_nr, ++ DATA_GENERIC)) ++ goto set_error_page; + } else { + zero_user_segment(page, 0, PAGE_SIZE); + if (!PageUptodate(page)) +@@ -1402,11 +1415,13 @@ int do_write_data_page(struct f2fs_io_info *fio) + f2fs_lookup_extent_cache(inode, page->index, &ei)) { + fio->old_blkaddr = ei.blk + page->index - ei.fofs; + +- if (is_valid_data_blkaddr(fio->sbi, fio->old_blkaddr)) { +- ipu_force = true; +- fio->need_lock = LOCK_DONE; +- goto got_it; +- } ++ if (!f2fs_is_valid_blkaddr(fio->sbi, fio->old_blkaddr, ++ DATA_GENERIC)) ++ return -EFAULT; ++ ++ ipu_force = true; ++ fio->need_lock = LOCK_DONE; ++ goto got_it; + } + + /* Deadlock due to between page->lock and f2fs_lock_op */ +@@ -1425,6 +1440,12 @@ int do_write_data_page(struct f2fs_io_info *fio) + goto out_writepage; + } + got_it: ++ if (__is_valid_data_blkaddr(fio->old_blkaddr) && ++ !f2fs_is_valid_blkaddr(fio->sbi, fio->old_blkaddr, ++ DATA_GENERIC)) { ++ err = -EFAULT; ++ goto out_writepage; ++ } + /* + * If current allocation needs SSR, + * it had better in-place writes for updated data. +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index d15d79457f5c..3f1a44696036 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -2357,6 +2357,9 @@ static inline void f2fs_update_iostat(struct f2fs_sb_info *sbi, + spin_unlock(&sbi->iostat_lock); + } + ++#define __is_meta_io(fio) (PAGE_TYPE_OF_BIO(fio->type) == META && \ ++ (!is_read_io(fio->op) || fio->is_meta)) ++ + bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, + block_t blkaddr, int type); + void f2fs_msg(struct super_block *sb, const char *level, const char *fmt, ...); +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index e9c575ef70b5..7d3189f1941c 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -397,6 +397,13 @@ static loff_t f2fs_seek_block(struct file *file, loff_t offset, int whence) + blkaddr = datablock_addr(dn.inode, + dn.node_page, dn.ofs_in_node); + ++ if (__is_valid_data_blkaddr(blkaddr) && ++ !f2fs_is_valid_blkaddr(F2FS_I_SB(inode), ++ blkaddr, DATA_GENERIC)) { ++ f2fs_put_dnode(&dn); ++ goto fail; ++ } ++ + if (__found_offset(F2FS_I_SB(inode), blkaddr, dirty, + pgofs, whence)) { + f2fs_put_dnode(&dn); +@@ -496,6 +503,11 @@ int truncate_data_blocks_range(struct dnode_of_data *dn, int count) + + dn->data_blkaddr = NULL_ADDR; + set_data_blkaddr(dn); ++ ++ if (__is_valid_data_blkaddr(blkaddr) && ++ !f2fs_is_valid_blkaddr(sbi, blkaddr, DATA_GENERIC)) ++ continue; ++ + invalidate_blocks(sbi, blkaddr); + if (dn->ofs_in_node == 0 && IS_INODE(dn->node_page)) + clear_inode_flag(dn->inode, FI_FIRST_BLOCK_WRITTEN); +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index be7d9773d291..aeed9943836a 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -214,6 +214,23 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) + __func__, inode->i_ino); + return false; + } ++ ++ if (F2FS_I(inode)->extent_tree) { ++ struct extent_info *ei = &F2FS_I(inode)->extent_tree->largest; ++ ++ if (ei->len && ++ (!f2fs_is_valid_blkaddr(sbi, ei->blk, DATA_GENERIC) || ++ !f2fs_is_valid_blkaddr(sbi, ei->blk + ei->len - 1, ++ DATA_GENERIC))) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "%s: inode (ino=%lx) extent info [%u, %u, %u] " ++ "is incorrect, run fsck to fix", ++ __func__, inode->i_ino, ++ ei->blk, ei->fofs, ei->len); ++ return false; ++ } ++ } + return true; + } + +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 999814c8cbea..6adb6c60f017 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1398,6 +1398,10 @@ static int __write_node_page(struct page *page, bool atomic, bool *submitted, + return 0; + } + ++ if (__is_valid_data_blkaddr(ni.blk_addr) && ++ !f2fs_is_valid_blkaddr(sbi, ni.blk_addr, DATA_GENERIC)) ++ goto redirty_out; ++ + if (atomic && !test_opt(sbi, NOBARRIER)) + fio.op_flags |= REQ_PREFLUSH | REQ_FUA; + +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index dd8f977fc273..47348d98165b 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -629,8 +629,7 @@ static inline void verify_block_addr(struct f2fs_io_info *fio, block_t blk_addr) + { + struct f2fs_sb_info *sbi = fio->sbi; + +- if (PAGE_TYPE_OF_BIO(fio->type) == META && +- (!is_read_io(fio->op) || fio->is_meta)) ++ if (__is_meta_io(fio)) + verify_blkaddr(sbi, blk_addr, META_GENERIC); + else + verify_blkaddr(sbi, blk_addr, DATA_GENERIC); +-- +2.17.1 + diff --git a/queue-4.14/f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch b/queue-4.14/f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch new file mode 100644 index 00000000000..e5b2f827a4d --- /dev/null +++ b/queue-4.14/f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch @@ -0,0 +1,354 @@ +From 06d37d52b3328742dc420dffd1ac72d71e12d846 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 1 Aug 2018 19:16:11 +0800 +Subject: f2fs: fix to do sanity check with cp_pack_start_sum + +commit e494c2f995d6181d6e29c4927d68e0f295ecf75b upstream. + +After fuzzing, cp_pack_start_sum could be corrupted, so current log's +summary info should be wrong due to loading incorrect summary block. +Then, if segment's type in current log is exceeded NR_CURSEG_TYPE, it +can lead accessing invalid dirty_i->dirty_segmap bitmap finally. + +Add sanity check for cp_pack_start_sum to fix this issue. + +https://bugzilla.kernel.org/show_bug.cgi?id=200419 + +- Reproduce + +- Kernel message (f2fs-dev w/ KASAN) +[ 3117.578432] F2FS-fs (loop0): Invalid log blocks per segment (8) + +[ 3117.578445] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock +[ 3117.581364] F2FS-fs (loop0): invalid crc_offset: 30716 +[ 3117.583564] WARNING: CPU: 1 PID: 1225 at fs/f2fs/checkpoint.c:90 __get_meta_page+0x448/0x4b0 +[ 3117.583570] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy +[ 3117.584014] CPU: 1 PID: 1225 Comm: mount Not tainted 4.17.0+ #1 +[ 3117.584017] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 3117.584022] RIP: 0010:__get_meta_page+0x448/0x4b0 +[ 3117.584023] Code: 00 49 8d bc 24 84 00 00 00 e8 74 54 da ff 41 83 8c 24 84 00 00 00 08 4c 89 f6 4c 89 ef e8 c0 d9 95 00 48 89 ef e8 18 e3 00 00 <0f> 0b f0 80 4d 48 04 e9 0f fe ff ff 0f 0b 48 89 c7 48 89 04 24 e8 +[ 3117.584072] RSP: 0018:ffff88018eb678c0 EFLAGS: 00010286 +[ 3117.584082] RAX: ffff88018f0a6a78 RBX: ffffea0007a46600 RCX: ffffffff9314d1b2 +[ 3117.584085] RDX: ffffffff00000001 RSI: 0000000000000000 RDI: ffff88018f0a6a98 +[ 3117.584087] RBP: ffff88018ebe9980 R08: 0000000000000002 R09: 0000000000000001 +[ 3117.584090] R10: 0000000000000001 R11: ffffed00326e4450 R12: ffff880193722200 +[ 3117.584092] R13: ffff88018ebe9afc R14: 0000000000000206 R15: ffff88018eb67900 +[ 3117.584096] FS: 00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000 +[ 3117.584098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3117.584101] CR2: 00000000016f21b8 CR3: 0000000191c22000 CR4: 00000000000006e0 +[ 3117.584112] Call Trace: +[ 3117.584121] ? f2fs_set_meta_page_dirty+0x150/0x150 +[ 3117.584127] ? f2fs_build_segment_manager+0xbf9/0x3190 +[ 3117.584133] ? f2fs_npages_for_summary_flush+0x75/0x120 +[ 3117.584145] f2fs_build_segment_manager+0xda8/0x3190 +[ 3117.584151] ? f2fs_get_valid_checkpoint+0x298/0xa00 +[ 3117.584156] ? f2fs_flush_sit_entries+0x10e0/0x10e0 +[ 3117.584184] ? map_id_range_down+0x17c/0x1b0 +[ 3117.584188] ? __put_user_ns+0x30/0x30 +[ 3117.584206] ? find_next_bit+0x53/0x90 +[ 3117.584237] ? cpumask_next+0x16/0x20 +[ 3117.584249] f2fs_fill_super+0x1948/0x2b40 +[ 3117.584258] ? f2fs_commit_super+0x1a0/0x1a0 +[ 3117.584279] ? sget_userns+0x65e/0x690 +[ 3117.584296] ? set_blocksize+0x88/0x130 +[ 3117.584302] ? f2fs_commit_super+0x1a0/0x1a0 +[ 3117.584305] mount_bdev+0x1c0/0x200 +[ 3117.584310] mount_fs+0x5c/0x190 +[ 3117.584320] vfs_kern_mount+0x64/0x190 +[ 3117.584330] do_mount+0x2e4/0x1450 +[ 3117.584343] ? lockref_put_return+0x130/0x130 +[ 3117.584347] ? copy_mount_string+0x20/0x20 +[ 3117.584357] ? kasan_unpoison_shadow+0x31/0x40 +[ 3117.584362] ? kasan_kmalloc+0xa6/0xd0 +[ 3117.584373] ? memcg_kmem_put_cache+0x16/0x90 +[ 3117.584377] ? __kmalloc_track_caller+0x196/0x210 +[ 3117.584383] ? _copy_from_user+0x61/0x90 +[ 3117.584396] ? memdup_user+0x3e/0x60 +[ 3117.584401] ksys_mount+0x7e/0xd0 +[ 3117.584405] __x64_sys_mount+0x62/0x70 +[ 3117.584427] do_syscall_64+0x73/0x160 +[ 3117.584440] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 3117.584455] RIP: 0033:0x7f5693f14b9a +[ 3117.584456] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 3117.584505] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 3117.584510] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a +[ 3117.584512] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040 +[ 3117.584514] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 3117.584516] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040 +[ 3117.584519] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003 +[ 3117.584523] ---[ end trace a8e0d899985faf31 ]--- +[ 3117.685663] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=2, run fsck to fix. +[ 3117.685673] F2FS-fs (loop0): recover_data: ino = 2 (i_size: recover) recovered = 1, err = 0 +[ 3117.685707] ================================================================== +[ 3117.685955] BUG: KASAN: slab-out-of-bounds in __remove_dirty_segment+0xdd/0x1e0 +[ 3117.686175] Read of size 8 at addr ffff88018f0a63d0 by task mount/1225 + +[ 3117.686477] CPU: 0 PID: 1225 Comm: mount Tainted: G W 4.17.0+ #1 +[ 3117.686481] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 3117.686483] Call Trace: +[ 3117.686494] dump_stack+0x71/0xab +[ 3117.686512] print_address_description+0x6b/0x290 +[ 3117.686517] kasan_report+0x28e/0x390 +[ 3117.686522] ? __remove_dirty_segment+0xdd/0x1e0 +[ 3117.686527] __remove_dirty_segment+0xdd/0x1e0 +[ 3117.686532] locate_dirty_segment+0x189/0x190 +[ 3117.686538] f2fs_allocate_new_segments+0xa9/0xe0 +[ 3117.686543] recover_data+0x703/0x2c20 +[ 3117.686547] ? f2fs_recover_fsync_data+0x48f/0xd50 +[ 3117.686553] ? ksys_mount+0x7e/0xd0 +[ 3117.686564] ? policy_nodemask+0x1a/0x90 +[ 3117.686567] ? policy_node+0x56/0x70 +[ 3117.686571] ? add_fsync_inode+0xf0/0xf0 +[ 3117.686592] ? blk_finish_plug+0x44/0x60 +[ 3117.686597] ? f2fs_ra_meta_pages+0x38b/0x5e0 +[ 3117.686602] ? find_inode_fast+0xac/0xc0 +[ 3117.686606] ? f2fs_is_valid_blkaddr+0x320/0x320 +[ 3117.686618] ? __radix_tree_lookup+0x150/0x150 +[ 3117.686633] ? dqget+0x670/0x670 +[ 3117.686648] ? pagecache_get_page+0x29/0x410 +[ 3117.686656] ? kmem_cache_alloc+0x176/0x1e0 +[ 3117.686660] ? f2fs_is_valid_blkaddr+0x11d/0x320 +[ 3117.686664] f2fs_recover_fsync_data+0xc23/0xd50 +[ 3117.686670] ? f2fs_space_for_roll_forward+0x60/0x60 +[ 3117.686674] ? rb_insert_color+0x323/0x3d0 +[ 3117.686678] ? f2fs_recover_orphan_inodes+0xa5/0x700 +[ 3117.686683] ? proc_register+0x153/0x1d0 +[ 3117.686686] ? f2fs_remove_orphan_inode+0x10/0x10 +[ 3117.686695] ? f2fs_attr_store+0x50/0x50 +[ 3117.686700] ? proc_create_single_data+0x52/0x60 +[ 3117.686707] f2fs_fill_super+0x1d06/0x2b40 +[ 3117.686728] ? f2fs_commit_super+0x1a0/0x1a0 +[ 3117.686735] ? sget_userns+0x65e/0x690 +[ 3117.686740] ? set_blocksize+0x88/0x130 +[ 3117.686745] ? f2fs_commit_super+0x1a0/0x1a0 +[ 3117.686748] mount_bdev+0x1c0/0x200 +[ 3117.686753] mount_fs+0x5c/0x190 +[ 3117.686758] vfs_kern_mount+0x64/0x190 +[ 3117.686762] do_mount+0x2e4/0x1450 +[ 3117.686769] ? lockref_put_return+0x130/0x130 +[ 3117.686773] ? copy_mount_string+0x20/0x20 +[ 3117.686777] ? kasan_unpoison_shadow+0x31/0x40 +[ 3117.686780] ? kasan_kmalloc+0xa6/0xd0 +[ 3117.686786] ? memcg_kmem_put_cache+0x16/0x90 +[ 3117.686790] ? __kmalloc_track_caller+0x196/0x210 +[ 3117.686795] ? _copy_from_user+0x61/0x90 +[ 3117.686801] ? memdup_user+0x3e/0x60 +[ 3117.686804] ksys_mount+0x7e/0xd0 +[ 3117.686809] __x64_sys_mount+0x62/0x70 +[ 3117.686816] do_syscall_64+0x73/0x160 +[ 3117.686824] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 3117.686829] RIP: 0033:0x7f5693f14b9a +[ 3117.686830] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 3117.686887] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 3117.686892] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a +[ 3117.686894] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040 +[ 3117.686896] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 3117.686899] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040 +[ 3117.686901] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003 + +[ 3117.687005] Allocated by task 1225: +[ 3117.687152] kasan_kmalloc+0xa6/0xd0 +[ 3117.687157] kmem_cache_alloc_trace+0xfd/0x200 +[ 3117.687161] f2fs_build_segment_manager+0x2d09/0x3190 +[ 3117.687165] f2fs_fill_super+0x1948/0x2b40 +[ 3117.687168] mount_bdev+0x1c0/0x200 +[ 3117.687171] mount_fs+0x5c/0x190 +[ 3117.687174] vfs_kern_mount+0x64/0x190 +[ 3117.687177] do_mount+0x2e4/0x1450 +[ 3117.687180] ksys_mount+0x7e/0xd0 +[ 3117.687182] __x64_sys_mount+0x62/0x70 +[ 3117.687186] do_syscall_64+0x73/0x160 +[ 3117.687190] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 3117.687285] Freed by task 19: +[ 3117.687412] __kasan_slab_free+0x137/0x190 +[ 3117.687416] kfree+0x8b/0x1b0 +[ 3117.687460] ttm_bo_man_put_node+0x61/0x80 [ttm] +[ 3117.687476] ttm_bo_cleanup_refs+0x15f/0x250 [ttm] +[ 3117.687492] ttm_bo_delayed_delete+0x2f0/0x300 [ttm] +[ 3117.687507] ttm_bo_delayed_workqueue+0x17/0x50 [ttm] +[ 3117.687528] process_one_work+0x2f9/0x740 +[ 3117.687531] worker_thread+0x78/0x6b0 +[ 3117.687541] kthread+0x177/0x1c0 +[ 3117.687545] ret_from_fork+0x35/0x40 + +[ 3117.687638] The buggy address belongs to the object at ffff88018f0a6300 + which belongs to the cache kmalloc-192 of size 192 +[ 3117.688014] The buggy address is located 16 bytes to the right of + 192-byte region [ffff88018f0a6300, ffff88018f0a63c0) +[ 3117.688382] The buggy address belongs to the page: +[ 3117.688554] page:ffffea00063c2980 count:1 mapcount:0 mapping:ffff8801f3403180 index:0x0 +[ 3117.688788] flags: 0x17fff8000000100(slab) +[ 3117.688944] raw: 017fff8000000100 ffffea00063c2840 0000000e0000000e ffff8801f3403180 +[ 3117.689166] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 +[ 3117.689386] page dumped because: kasan: bad access detected + +[ 3117.689653] Memory state around the buggy address: +[ 3117.689816] ffff88018f0a6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 3117.690027] ffff88018f0a6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 3117.690239] >ffff88018f0a6380: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 3117.690448] ^ +[ 3117.690644] ffff88018f0a6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 3117.690868] ffff88018f0a6480: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 3117.691077] ================================================================== +[ 3117.691290] Disabling lock debugging due to kernel taint +[ 3117.693893] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +[ 3117.694120] PGD 80000001f01bc067 P4D 80000001f01bc067 PUD 1d9638067 PMD 0 +[ 3117.694338] Oops: 0002 [#1] SMP KASAN PTI +[ 3117.694490] CPU: 1 PID: 1225 Comm: mount Tainted: G B W 4.17.0+ #1 +[ 3117.694703] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 3117.695073] RIP: 0010:__remove_dirty_segment+0xe2/0x1e0 +[ 3117.695246] Code: c4 48 89 c7 e8 cf bb d7 ff 45 0f b6 24 24 41 83 e4 3f 44 88 64 24 07 41 83 e4 3f 4a 8d 7c e3 08 e8 b3 bc d7 ff 4a 8b 4c e3 08 4c 0f b3 29 0f 82 94 00 00 00 48 8d bd 20 04 00 00 e8 97 bb d7 +[ 3117.695793] RSP: 0018:ffff88018eb67638 EFLAGS: 00010292 +[ 3117.695969] RAX: 0000000000000000 RBX: ffff88018f0a6300 RCX: 0000000000000000 +[ 3117.696182] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297 +[ 3117.696391] RBP: ffff88018ebe9980 R08: ffffed003e743ebb R09: ffffed003e743ebb +[ 3117.696604] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000019 +[ 3117.696813] R13: 0000000000000014 R14: 0000000000000320 R15: ffff88018ebe99e0 +[ 3117.697032] FS: 00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000 +[ 3117.697280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3117.702357] CR2: 00007fe89bb1a000 CR3: 0000000191c22000 CR4: 00000000000006e0 +[ 3117.707235] Call Trace: +[ 3117.712077] locate_dirty_segment+0x189/0x190 +[ 3117.716891] f2fs_allocate_new_segments+0xa9/0xe0 +[ 3117.721617] recover_data+0x703/0x2c20 +[ 3117.726316] ? f2fs_recover_fsync_data+0x48f/0xd50 +[ 3117.730957] ? ksys_mount+0x7e/0xd0 +[ 3117.735573] ? policy_nodemask+0x1a/0x90 +[ 3117.740198] ? policy_node+0x56/0x70 +[ 3117.744829] ? add_fsync_inode+0xf0/0xf0 +[ 3117.749487] ? blk_finish_plug+0x44/0x60 +[ 3117.754152] ? f2fs_ra_meta_pages+0x38b/0x5e0 +[ 3117.758831] ? find_inode_fast+0xac/0xc0 +[ 3117.763448] ? f2fs_is_valid_blkaddr+0x320/0x320 +[ 3117.768046] ? __radix_tree_lookup+0x150/0x150 +[ 3117.772603] ? dqget+0x670/0x670 +[ 3117.777159] ? pagecache_get_page+0x29/0x410 +[ 3117.781648] ? kmem_cache_alloc+0x176/0x1e0 +[ 3117.786067] ? f2fs_is_valid_blkaddr+0x11d/0x320 +[ 3117.790476] f2fs_recover_fsync_data+0xc23/0xd50 +[ 3117.794790] ? f2fs_space_for_roll_forward+0x60/0x60 +[ 3117.799086] ? rb_insert_color+0x323/0x3d0 +[ 3117.803304] ? f2fs_recover_orphan_inodes+0xa5/0x700 +[ 3117.807563] ? proc_register+0x153/0x1d0 +[ 3117.811766] ? f2fs_remove_orphan_inode+0x10/0x10 +[ 3117.815947] ? f2fs_attr_store+0x50/0x50 +[ 3117.820087] ? proc_create_single_data+0x52/0x60 +[ 3117.824262] f2fs_fill_super+0x1d06/0x2b40 +[ 3117.828367] ? f2fs_commit_super+0x1a0/0x1a0 +[ 3117.832432] ? sget_userns+0x65e/0x690 +[ 3117.836500] ? set_blocksize+0x88/0x130 +[ 3117.840501] ? f2fs_commit_super+0x1a0/0x1a0 +[ 3117.844420] mount_bdev+0x1c0/0x200 +[ 3117.848275] mount_fs+0x5c/0x190 +[ 3117.852053] vfs_kern_mount+0x64/0x190 +[ 3117.855810] do_mount+0x2e4/0x1450 +[ 3117.859441] ? lockref_put_return+0x130/0x130 +[ 3117.862996] ? copy_mount_string+0x20/0x20 +[ 3117.866417] ? kasan_unpoison_shadow+0x31/0x40 +[ 3117.869719] ? kasan_kmalloc+0xa6/0xd0 +[ 3117.872948] ? memcg_kmem_put_cache+0x16/0x90 +[ 3117.876121] ? __kmalloc_track_caller+0x196/0x210 +[ 3117.879333] ? _copy_from_user+0x61/0x90 +[ 3117.882467] ? memdup_user+0x3e/0x60 +[ 3117.885604] ksys_mount+0x7e/0xd0 +[ 3117.888700] __x64_sys_mount+0x62/0x70 +[ 3117.891742] do_syscall_64+0x73/0x160 +[ 3117.894692] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 3117.897669] RIP: 0033:0x7f5693f14b9a +[ 3117.900563] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 3117.906922] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 3117.910159] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a +[ 3117.913469] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040 +[ 3117.916764] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 3117.920071] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040 +[ 3117.923393] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003 +[ 3117.926680] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy +[ 3117.949979] CR2: 0000000000000000 +[ 3117.954283] ---[ end trace a8e0d899985faf32 ]--- +[ 3117.958575] RIP: 0010:__remove_dirty_segment+0xe2/0x1e0 +[ 3117.962810] Code: c4 48 89 c7 e8 cf bb d7 ff 45 0f b6 24 24 41 83 e4 3f 44 88 64 24 07 41 83 e4 3f 4a 8d 7c e3 08 e8 b3 bc d7 ff 4a 8b 4c e3 08 4c 0f b3 29 0f 82 94 00 00 00 48 8d bd 20 04 00 00 e8 97 bb d7 +[ 3117.971789] RSP: 0018:ffff88018eb67638 EFLAGS: 00010292 +[ 3117.976333] RAX: 0000000000000000 RBX: ffff88018f0a6300 RCX: 0000000000000000 +[ 3117.980926] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297 +[ 3117.985497] RBP: ffff88018ebe9980 R08: ffffed003e743ebb R09: ffffed003e743ebb +[ 3117.990098] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000019 +[ 3117.994761] R13: 0000000000000014 R14: 0000000000000320 R15: ffff88018ebe99e0 +[ 3117.999392] FS: 00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000 +[ 3118.004096] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3118.008816] CR2: 00007fe89bb1a000 CR3: 0000000191c22000 CR4: 00000000000006e0 + +- Location +https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/f2fs/segment.c#L775 + if (test_and_clear_bit(segno, dirty_i->dirty_segmap[t])) + dirty_i->nr_dirty[t]--; +Here dirty_i->dirty_segmap[t] can be NULL which leads to crash in test_and_clear_bit() + +Reported-by Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[bwh: Backported to 4.14: The function is called sanity_check_ckpt()] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 8 ++++---- + fs/f2fs/super.c | 12 ++++++++++++ + 2 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index c81cd5057b8e..624817eeb25e 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -825,15 +825,15 @@ int get_valid_checkpoint(struct f2fs_sb_info *sbi) + cp_block = (struct f2fs_checkpoint *)page_address(cur_page); + memcpy(sbi->ckpt, cp_block, blk_size); + +- /* Sanity checking of checkpoint */ +- if (sanity_check_ckpt(sbi)) +- goto free_fail_no_cp; +- + if (cur_page == cp1) + sbi->cur_cp_pack = 1; + else + sbi->cur_cp_pack = 2; + ++ /* Sanity checking of checkpoint */ ++ if (sanity_check_ckpt(sbi)) ++ goto free_fail_no_cp; ++ + if (cp_blks <= 1) + goto done; + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 9fafb1404f39..de4de4ebe64c 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1957,6 +1957,7 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) + unsigned int sit_bitmap_size, nat_bitmap_size; + unsigned int log_blocks_per_seg; + unsigned int segment_count_main; ++ unsigned int cp_pack_start_sum, cp_payload; + block_t user_block_count; + int i; + +@@ -2017,6 +2018,17 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) + return 1; + } + ++ cp_pack_start_sum = __start_sum_addr(sbi); ++ cp_payload = __cp_payload(sbi); ++ if (cp_pack_start_sum < cp_payload + 1 || ++ cp_pack_start_sum > blocks_per_seg - 1 - ++ NR_CURSEG_TYPE) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Wrong cp_pack_start_sum: %u", ++ cp_pack_start_sum); ++ return 1; ++ } ++ + if (unlikely(f2fs_cp_error(sbi))) { + f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); + return 1; +-- +2.17.1 + diff --git a/queue-4.14/f2fs-fix-to-do-sanity-check-with-extra_attr-feature.patch b/queue-4.14/f2fs-fix-to-do-sanity-check-with-extra_attr-feature.patch new file mode 100644 index 00000000000..b815679e3eb --- /dev/null +++ b/queue-4.14/f2fs-fix-to-do-sanity-check-with-extra_attr-feature.patch @@ -0,0 +1,305 @@ +From a54a955bfc0c026d40d6550af736d7b6d57a8eea Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 25 Jun 2018 23:29:49 +0800 +Subject: f2fs: fix to do sanity check with extra_attr feature + +commit 76d56d4ab4f2a9e4f085c7d77172194ddaccf7d2 upstream. + +If FI_EXTRA_ATTR is set in inode by fuzzing, inode.i_addr[0] will be +parsed as inode.i_extra_isize, then in __recover_inline_status, inline +data address will beyond boundary of page, result in accessing invalid +memory. + +So in this condition, during reading inode page, let's do sanity check +with EXTRA_ATTR feature of fs and extra_attr bit of inode, if they're +inconsistent, deny to load this inode. + +- Overview +Out-of-bound access in f2fs_iget() when mounting a corrupted f2fs image + +- Reproduce + +The following message will be got in KASAN build of 4.18 upstream kernel. +[ 819.392227] ================================================================== +[ 819.393901] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x736/0x1530 +[ 819.395329] Read of size 4 at addr ffff8801f099c968 by task mount/1292 + +[ 819.397079] CPU: 1 PID: 1292 Comm: mount Not tainted 4.18.0-rc1+ #4 +[ 819.397082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 819.397088] Call Trace: +[ 819.397124] dump_stack+0x7b/0xb5 +[ 819.397154] print_address_description+0x70/0x290 +[ 819.397159] kasan_report+0x291/0x390 +[ 819.397163] ? f2fs_iget+0x736/0x1530 +[ 819.397176] check_memory_region+0x139/0x190 +[ 819.397182] __asan_loadN+0xf/0x20 +[ 819.397185] f2fs_iget+0x736/0x1530 +[ 819.397197] f2fs_fill_super+0x1b4f/0x2b40 +[ 819.397202] ? f2fs_fill_super+0x1b4f/0x2b40 +[ 819.397208] ? f2fs_commit_super+0x1b0/0x1b0 +[ 819.397227] ? set_blocksize+0x90/0x140 +[ 819.397241] mount_bdev+0x1c5/0x210 +[ 819.397245] ? f2fs_commit_super+0x1b0/0x1b0 +[ 819.397252] f2fs_mount+0x15/0x20 +[ 819.397256] mount_fs+0x60/0x1a0 +[ 819.397267] ? alloc_vfsmnt+0x309/0x360 +[ 819.397272] vfs_kern_mount+0x6b/0x1a0 +[ 819.397282] do_mount+0x34a/0x18c0 +[ 819.397300] ? lockref_put_or_lock+0xcf/0x160 +[ 819.397306] ? copy_mount_string+0x20/0x20 +[ 819.397318] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 819.397324] ? kasan_check_write+0x14/0x20 +[ 819.397334] ? _copy_from_user+0x6a/0x90 +[ 819.397353] ? memdup_user+0x42/0x60 +[ 819.397359] ksys_mount+0x83/0xd0 +[ 819.397365] __x64_sys_mount+0x67/0x80 +[ 819.397388] do_syscall_64+0x78/0x170 +[ 819.397403] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 819.397422] RIP: 0033:0x7f54c667cb9a +[ 819.397424] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 819.397483] RSP: 002b:00007ffd8f46cd08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 819.397496] RAX: ffffffffffffffda RBX: 0000000000dfa030 RCX: 00007f54c667cb9a +[ 819.397498] RDX: 0000000000dfa210 RSI: 0000000000dfbf30 RDI: 0000000000e02ec0 +[ 819.397501] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 819.397503] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000e02ec0 +[ 819.397505] R13: 0000000000dfa210 R14: 0000000000000000 R15: 0000000000000003 + +[ 819.397866] Allocated by task 139: +[ 819.398702] save_stack+0x46/0xd0 +[ 819.398705] kasan_kmalloc+0xad/0xe0 +[ 819.398709] kasan_slab_alloc+0x11/0x20 +[ 819.398713] kmem_cache_alloc+0xd1/0x1e0 +[ 819.398717] dup_fd+0x50/0x4c0 +[ 819.398740] copy_process.part.37+0xbed/0x32e0 +[ 819.398744] _do_fork+0x16e/0x590 +[ 819.398748] __x64_sys_clone+0x69/0x80 +[ 819.398752] do_syscall_64+0x78/0x170 +[ 819.398756] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 819.399097] Freed by task 159: +[ 819.399743] save_stack+0x46/0xd0 +[ 819.399747] __kasan_slab_free+0x13c/0x1a0 +[ 819.399750] kasan_slab_free+0xe/0x10 +[ 819.399754] kmem_cache_free+0x89/0x1e0 +[ 819.399757] put_files_struct+0x132/0x150 +[ 819.399761] exit_files+0x62/0x70 +[ 819.399766] do_exit+0x47b/0x1390 +[ 819.399770] do_group_exit+0x86/0x130 +[ 819.399774] __x64_sys_exit_group+0x2c/0x30 +[ 819.399778] do_syscall_64+0x78/0x170 +[ 819.399782] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 819.400115] The buggy address belongs to the object at ffff8801f099c680 + which belongs to the cache files_cache of size 704 +[ 819.403234] The buggy address is located 40 bytes to the right of + 704-byte region [ffff8801f099c680, ffff8801f099c940) +[ 819.405689] The buggy address belongs to the page: +[ 819.406709] page:ffffea0007c26700 count:1 mapcount:0 mapping:ffff8801f69a3340 index:0xffff8801f099d380 compound_mapcount: 0 +[ 819.408984] flags: 0x2ffff0000008100(slab|head) +[ 819.409932] raw: 02ffff0000008100 ffffea00077fb600 0000000200000002 ffff8801f69a3340 +[ 819.411514] raw: ffff8801f099d380 0000000080130000 00000001ffffffff 0000000000000000 +[ 819.413073] page dumped because: kasan: bad access detected + +[ 819.414539] Memory state around the buggy address: +[ 819.415521] ffff8801f099c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 819.416981] ffff8801f099c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 819.418454] >ffff8801f099c900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 819.419921] ^ +[ 819.421265] ffff8801f099c980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb +[ 819.422745] ffff8801f099ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 819.424206] ================================================================== +[ 819.425668] Disabling lock debugging due to kernel taint +[ 819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3 + +The kernel still mounts the image. If you run the following program on the mounted folder mnt, + +(poc.c) + +static void activity(char *mpoint) { + + char *foo_bar_baz; + int err; + + static int buf[8192]; + memset(buf, 0, sizeof(buf)); + + err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint); + int fd = open(foo_bar_baz, O_RDONLY, 0); + if (fd >= 0) { + read(fd, (char *)buf, 11); + close(fd); + } +} + +int main(int argc, char *argv[]) { + activity(argv[1]); + return 0; +} + +You can get kernel crash: +[ 819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3 +[ 918.028501] BUG: unable to handle kernel paging request at ffffed0048000d82 +[ 918.044020] PGD 23ffee067 P4D 23ffee067 PUD 23fbef067 PMD 0 +[ 918.045207] Oops: 0000 [#1] SMP KASAN PTI +[ 918.046048] CPU: 0 PID: 1309 Comm: poc Tainted: G B 4.18.0-rc1+ #4 +[ 918.047573] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 918.049552] RIP: 0010:check_memory_region+0x5e/0x190 +[ 918.050565] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0 +[ 918.054322] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202 +[ 918.055400] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14 +[ 918.056832] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10 +[ 918.058253] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82 +[ 918.059717] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83 +[ 918.061159] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08 +[ 918.062614] FS: 00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 918.064246] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 918.065412] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0 +[ 918.066882] Call Trace: +[ 918.067410] __asan_loadN+0xf/0x20 +[ 918.068149] f2fs_find_target_dentry+0xf4/0x270 +[ 918.069083] ? __get_node_page+0x331/0x5b0 +[ 918.069925] f2fs_find_in_inline_dir+0x24b/0x310 +[ 918.070881] ? f2fs_recover_inline_data+0x4c0/0x4c0 +[ 918.071905] ? unwind_next_frame.part.5+0x34f/0x490 +[ 918.072901] ? unwind_dump+0x290/0x290 +[ 918.073695] ? is_bpf_text_address+0xe/0x20 +[ 918.074566] __f2fs_find_entry+0x599/0x670 +[ 918.075408] ? kasan_unpoison_shadow+0x36/0x50 +[ 918.076315] ? kasan_kmalloc+0xad/0xe0 +[ 918.077100] ? memcg_kmem_put_cache+0x55/0xa0 +[ 918.077998] ? f2fs_find_target_dentry+0x270/0x270 +[ 918.079006] ? d_set_d_op+0x30/0x100 +[ 918.079749] ? __d_lookup_rcu+0x69/0x2e0 +[ 918.080556] ? __d_alloc+0x275/0x450 +[ 918.081297] ? kasan_check_write+0x14/0x20 +[ 918.082135] ? memset+0x31/0x40 +[ 918.082820] ? fscrypt_setup_filename+0x1ec/0x4c0 +[ 918.083782] ? d_alloc_parallel+0x5bb/0x8c0 +[ 918.084640] f2fs_find_entry+0xe9/0x110 +[ 918.085432] ? __f2fs_find_entry+0x670/0x670 +[ 918.086308] ? kasan_check_write+0x14/0x20 +[ 918.087163] f2fs_lookup+0x297/0x590 +[ 918.087902] ? f2fs_link+0x2b0/0x2b0 +[ 918.088646] ? legitimize_path.isra.29+0x61/0xa0 +[ 918.089589] __lookup_slow+0x12e/0x240 +[ 918.090371] ? may_delete+0x2b0/0x2b0 +[ 918.091123] ? __nd_alloc_stack+0xa0/0xa0 +[ 918.091944] lookup_slow+0x44/0x60 +[ 918.092642] walk_component+0x3ee/0xa40 +[ 918.093428] ? is_bpf_text_address+0xe/0x20 +[ 918.094283] ? pick_link+0x3e0/0x3e0 +[ 918.095047] ? in_group_p+0xa5/0xe0 +[ 918.095771] ? generic_permission+0x53/0x1e0 +[ 918.096666] ? security_inode_permission+0x1d/0x70 +[ 918.097646] ? inode_permission+0x7a/0x1f0 +[ 918.098497] link_path_walk+0x2a2/0x7b0 +[ 918.099298] ? apparmor_capget+0x3d0/0x3d0 +[ 918.100140] ? walk_component+0xa40/0xa40 +[ 918.100958] ? path_init+0x2e6/0x580 +[ 918.101695] path_openat+0x1bb/0x2160 +[ 918.102471] ? __save_stack_trace+0x92/0x100 +[ 918.103352] ? save_stack+0xb5/0xd0 +[ 918.104070] ? vfs_unlink+0x250/0x250 +[ 918.104822] ? save_stack+0x46/0xd0 +[ 918.105538] ? kasan_slab_alloc+0x11/0x20 +[ 918.106370] ? kmem_cache_alloc+0xd1/0x1e0 +[ 918.107213] ? getname_flags+0x76/0x2c0 +[ 918.107997] ? getname+0x12/0x20 +[ 918.108677] ? do_sys_open+0x14b/0x2c0 +[ 918.109450] ? __x64_sys_open+0x4c/0x60 +[ 918.110255] ? do_syscall_64+0x78/0x170 +[ 918.111083] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 918.112148] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 918.113204] ? f2fs_empty_inline_dir+0x1e0/0x1e0 +[ 918.114150] ? timespec64_trunc+0x5c/0x90 +[ 918.114993] ? wb_io_lists_depopulated+0x1a/0xc0 +[ 918.115937] ? inode_io_list_move_locked+0x102/0x110 +[ 918.116949] do_filp_open+0x12b/0x1d0 +[ 918.117709] ? may_open_dev+0x50/0x50 +[ 918.118475] ? kasan_kmalloc+0xad/0xe0 +[ 918.119246] do_sys_open+0x17c/0x2c0 +[ 918.119983] ? do_sys_open+0x17c/0x2c0 +[ 918.120751] ? filp_open+0x60/0x60 +[ 918.121463] ? task_work_run+0x4d/0xf0 +[ 918.122237] __x64_sys_open+0x4c/0x60 +[ 918.123001] do_syscall_64+0x78/0x170 +[ 918.123759] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 918.124802] RIP: 0033:0x7fac96e3e040 +[ 918.125537] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24 +[ 918.129341] RSP: 002b:00007fff1b37f848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 +[ 918.130870] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fac96e3e040 +[ 918.132295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000122d080 +[ 918.133748] RBP: 00007fff1b37f9b0 R08: 00007fac9710bbd8 R09: 0000000000000001 +[ 918.135209] R10: 000000000000069d R11: 0000000000000246 R12: 0000000000400c20 +[ 918.136650] R13: 00007fff1b37fab0 R14: 0000000000000000 R15: 0000000000000000 +[ 918.138093] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy +[ 918.147924] CR2: ffffed0048000d82 +[ 918.148619] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 918.149563] RIP: 0010:check_memory_region+0x5e/0x190 +[ 918.150576] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0 +[ 918.154360] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202 +[ 918.155411] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14 +[ 918.156833] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10 +[ 918.158257] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82 +[ 918.159722] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83 +[ 918.161149] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08 +[ 918.162587] FS: 00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 918.164203] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 918.165356] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0 + +Reported-by: Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[bwh: Backported to 4.14: adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 917a6c3d5649..428d502f23e8 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -184,6 +184,15 @@ static bool sanity_check_inode(struct inode *inode) + { + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + ++ if (f2fs_has_extra_attr(inode) && ++ !f2fs_sb_has_extra_attr(sbi->sb)) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "%s: inode (ino=%lx) is with extra_attr, " ++ "but extra_attr feature is off", ++ __func__, inode->i_ino); ++ return false; ++ } + return true; + } + +@@ -233,6 +242,11 @@ static int do_read_inode(struct inode *inode) + + get_inline_info(inode, ri); + ++ if (!sanity_check_inode(inode)) { ++ f2fs_put_page(node_page, 1); ++ return -EINVAL; ++ } ++ + fi->i_extra_isize = f2fs_has_extra_attr(inode) ? + le16_to_cpu(ri->i_extra_isize) : 0; + +@@ -288,10 +302,6 @@ struct inode *f2fs_iget(struct super_block *sb, unsigned long ino) + ret = do_read_inode(inode); + if (ret) + goto bad_inode; +- if (!sanity_check_inode(inode)) { +- ret = -EINVAL; +- goto bad_inode; +- } + make_now: + if (ino == F2FS_NODE_INO(sbi)) { + inode->i_mapping->a_ops = &f2fs_node_aops; +-- +2.17.1 + diff --git a/queue-4.14/f2fs-fix-to-do-sanity-check-with-i_extra_isize.patch b/queue-4.14/f2fs-fix-to-do-sanity-check-with-i_extra_isize.patch new file mode 100644 index 00000000000..b16a7b6ba18 --- /dev/null +++ b/queue-4.14/f2fs-fix-to-do-sanity-check-with-i_extra_isize.patch @@ -0,0 +1,297 @@ +From 228d309db8003933868870058a16ef8d144e7074 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Sun, 8 Jul 2018 22:16:55 +0800 +Subject: f2fs: fix to do sanity check with i_extra_isize + +commit 18dd6470c2d14d10f5a2dd926925dc80dbd3abfd upstream. + +If inode.i_extra_isize was fuzzed to an abnormal value, when +calculating inline data size, the result will overflow, result +in accessing invalid memory area when operating inline data. + +Let's do sanity check with i_extra_isize during inode loading +for fixing. + +https://bugzilla.kernel.org/show_bug.cgi?id=200421 + +- Reproduce + +- POC (poc.c) + #define _GNU_SOURCE + #include + #include + #include + #include + #include + + #include + #include + #include + #include + #include + #include + #include + #include + + #include + #include + + static void activity(char *mpoint) { + + char *foo_bar_baz; + char *foo_baz; + char *xattr; + int err; + + err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint); + err = asprintf(&foo_baz, "%s/foo/baz", mpoint); + err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint); + + rename(foo_bar_baz, foo_baz); + + char buf2[113]; + memset(buf2, 0, sizeof(buf2)); + listxattr(xattr, buf2, sizeof(buf2)); + removexattr(xattr, "user.mime_type"); + + } + + int main(int argc, char *argv[]) { + activity(argv[1]); + return 0; + } + +- Kernel message +Umount the image will leave the following message +[ 2910.995489] F2FS-fs (loop0): Mounted with checkpoint version = 2 +[ 2918.416465] ================================================================== +[ 2918.416807] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0xcb9/0x1a80 +[ 2918.417009] Read of size 4 at addr ffff88018efc2068 by task a.out/1229 + +[ 2918.417311] CPU: 1 PID: 1229 Comm: a.out Not tainted 4.17.0+ #1 +[ 2918.417314] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 2918.417323] Call Trace: +[ 2918.417366] dump_stack+0x71/0xab +[ 2918.417401] print_address_description+0x6b/0x290 +[ 2918.417407] kasan_report+0x28e/0x390 +[ 2918.417411] ? f2fs_iget+0xcb9/0x1a80 +[ 2918.417415] f2fs_iget+0xcb9/0x1a80 +[ 2918.417422] ? f2fs_lookup+0x2e7/0x580 +[ 2918.417425] f2fs_lookup+0x2e7/0x580 +[ 2918.417433] ? __recover_dot_dentries+0x400/0x400 +[ 2918.417447] ? legitimize_path.isra.29+0x5a/0xa0 +[ 2918.417453] __lookup_slow+0x11c/0x220 +[ 2918.417457] ? may_delete+0x2a0/0x2a0 +[ 2918.417475] ? deref_stack_reg+0xe0/0xe0 +[ 2918.417479] ? __lookup_hash+0xb0/0xb0 +[ 2918.417483] lookup_slow+0x3e/0x60 +[ 2918.417488] walk_component+0x3ac/0x990 +[ 2918.417492] ? generic_permission+0x51/0x1e0 +[ 2918.417495] ? inode_permission+0x51/0x1d0 +[ 2918.417499] ? pick_link+0x3e0/0x3e0 +[ 2918.417502] ? link_path_walk+0x4b1/0x770 +[ 2918.417513] ? _raw_spin_lock_irqsave+0x25/0x50 +[ 2918.417518] ? walk_component+0x990/0x990 +[ 2918.417522] ? path_init+0x2e6/0x580 +[ 2918.417526] path_lookupat+0x13f/0x430 +[ 2918.417531] ? trailing_symlink+0x3a0/0x3a0 +[ 2918.417534] ? do_renameat2+0x270/0x7b0 +[ 2918.417538] ? __kasan_slab_free+0x14c/0x190 +[ 2918.417541] ? do_renameat2+0x270/0x7b0 +[ 2918.417553] ? kmem_cache_free+0x85/0x1e0 +[ 2918.417558] ? do_renameat2+0x270/0x7b0 +[ 2918.417563] filename_lookup+0x13c/0x280 +[ 2918.417567] ? filename_parentat+0x2b0/0x2b0 +[ 2918.417572] ? kasan_unpoison_shadow+0x31/0x40 +[ 2918.417575] ? kasan_kmalloc+0xa6/0xd0 +[ 2918.417593] ? strncpy_from_user+0xaa/0x1c0 +[ 2918.417598] ? getname_flags+0x101/0x2b0 +[ 2918.417614] ? path_listxattr+0x87/0x110 +[ 2918.417619] path_listxattr+0x87/0x110 +[ 2918.417623] ? listxattr+0xc0/0xc0 +[ 2918.417637] ? mm_fault_error+0x1b0/0x1b0 +[ 2918.417654] do_syscall_64+0x73/0x160 +[ 2918.417660] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 2918.417676] RIP: 0033:0x7f2f3a3480d7 +[ 2918.417677] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48 +[ 2918.417732] RSP: 002b:00007fff4095b7d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000c2 +[ 2918.417744] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2f3a3480d7 +[ 2918.417746] RDX: 0000000000000071 RSI: 00007fff4095b810 RDI: 000000000126a0c0 +[ 2918.417749] RBP: 00007fff4095b890 R08: 000000000126a010 R09: 0000000000000000 +[ 2918.417751] R10: 00000000000001ab R11: 0000000000000206 R12: 00000000004005e0 +[ 2918.417753] R13: 00007fff4095b990 R14: 0000000000000000 R15: 0000000000000000 + +[ 2918.417853] Allocated by task 329: +[ 2918.418002] kasan_kmalloc+0xa6/0xd0 +[ 2918.418007] kmem_cache_alloc+0xc8/0x1e0 +[ 2918.418023] mempool_init_node+0x194/0x230 +[ 2918.418027] mempool_init+0x12/0x20 +[ 2918.418042] bioset_init+0x2bd/0x380 +[ 2918.418052] blk_alloc_queue_node+0xe9/0x540 +[ 2918.418075] dm_create+0x2c0/0x800 +[ 2918.418080] dev_create+0xd2/0x530 +[ 2918.418083] ctl_ioctl+0x2a3/0x5b0 +[ 2918.418087] dm_ctl_ioctl+0xa/0x10 +[ 2918.418092] do_vfs_ioctl+0x13e/0x8c0 +[ 2918.418095] ksys_ioctl+0x66/0x70 +[ 2918.418098] __x64_sys_ioctl+0x3d/0x50 +[ 2918.418102] do_syscall_64+0x73/0x160 +[ 2918.418106] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 2918.418204] Freed by task 0: +[ 2918.418301] (stack is not available) + +[ 2918.418521] The buggy address belongs to the object at ffff88018efc0000 + which belongs to the cache biovec-max of size 8192 +[ 2918.418894] The buggy address is located 104 bytes to the right of + 8192-byte region [ffff88018efc0000, ffff88018efc2000) +[ 2918.419257] The buggy address belongs to the page: +[ 2918.419431] page:ffffea00063bf000 count:1 mapcount:0 mapping:ffff8801f2242540 index:0x0 compound_mapcount: 0 +[ 2918.419702] flags: 0x17fff8000008100(slab|head) +[ 2918.419879] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f2242540 +[ 2918.420101] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 +[ 2918.420322] page dumped because: kasan: bad access detected + +[ 2918.420599] Memory state around the buggy address: +[ 2918.420764] ffff88018efc1f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 2918.420975] ffff88018efc1f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 2918.421194] >ffff88018efc2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 2918.421406] ^ +[ 2918.421627] ffff88018efc2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 2918.421838] ffff88018efc2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 2918.422046] ================================================================== +[ 2918.422264] Disabling lock debugging due to kernel taint +[ 2923.901641] BUG: unable to handle kernel paging request at ffff88018f0db000 +[ 2923.901884] PGD 22226a067 P4D 22226a067 PUD 222273067 PMD 18e642063 PTE 800000018f0db061 +[ 2923.902120] Oops: 0003 [#1] SMP KASAN PTI +[ 2923.902274] CPU: 1 PID: 1231 Comm: umount Tainted: G B 4.17.0+ #1 +[ 2923.902490] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 2923.902761] RIP: 0010:__memset+0x24/0x30 +[ 2923.902906] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3 +[ 2923.903446] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206 +[ 2923.903622] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb +[ 2923.903833] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc +[ 2923.904062] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c +[ 2923.904273] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000 +[ 2923.904485] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80 +[ 2923.904693] FS: 00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000 +[ 2923.904937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2923.910080] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0 +[ 2923.914930] Call Trace: +[ 2923.919724] f2fs_truncate_inline_inode+0x114/0x170 +[ 2923.924487] f2fs_truncate_blocks+0x11b/0x7c0 +[ 2923.929178] ? f2fs_truncate_data_blocks+0x10/0x10 +[ 2923.933834] ? dqget+0x670/0x670 +[ 2923.938437] ? f2fs_destroy_extent_tree+0xd6/0x270 +[ 2923.943107] ? __radix_tree_lookup+0x2f/0x150 +[ 2923.947772] f2fs_truncate+0xd4/0x1a0 +[ 2923.952491] f2fs_evict_inode+0x5ab/0x610 +[ 2923.957204] evict+0x15f/0x280 +[ 2923.961898] __dentry_kill+0x161/0x250 +[ 2923.966634] shrink_dentry_list+0xf3/0x250 +[ 2923.971897] shrink_dcache_parent+0xa9/0x100 +[ 2923.976561] ? shrink_dcache_sb+0x1f0/0x1f0 +[ 2923.981177] ? wait_for_completion+0x8a/0x210 +[ 2923.985781] ? migrate_swap_stop+0x2d0/0x2d0 +[ 2923.990332] do_one_tree+0xe/0x40 +[ 2923.994735] shrink_dcache_for_umount+0x3a/0xa0 +[ 2923.999077] generic_shutdown_super+0x3e/0x1c0 +[ 2924.003350] kill_block_super+0x4b/0x70 +[ 2924.007619] deactivate_locked_super+0x65/0x90 +[ 2924.011812] cleanup_mnt+0x5c/0xa0 +[ 2924.015995] task_work_run+0xce/0xf0 +[ 2924.020174] exit_to_usermode_loop+0x115/0x120 +[ 2924.024293] do_syscall_64+0x12f/0x160 +[ 2924.028479] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 2924.032709] RIP: 0033:0x7fa8b2868487 +[ 2924.036888] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48 +[ 2924.045750] RSP: 002b:00007ffc39824d58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 +[ 2924.050190] RAX: 0000000000000000 RBX: 00000000008ea030 RCX: 00007fa8b2868487 +[ 2924.054604] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000008f4360 +[ 2924.058940] RBP: 00000000008f4360 R08: 0000000000000000 R09: 0000000000000014 +[ 2924.063186] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007fa8b2d7183c +[ 2924.067418] R13: 0000000000000000 R14: 00000000008ea210 R15: 00007ffc39824fe0 +[ 2924.071534] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy +[ 2924.098044] CR2: ffff88018f0db000 +[ 2924.102520] ---[ end trace a8e0d899985faf31 ]--- +[ 2924.107012] RIP: 0010:__memset+0x24/0x30 +[ 2924.111448] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3 +[ 2924.120724] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206 +[ 2924.125312] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb +[ 2924.129931] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc +[ 2924.134537] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c +[ 2924.139175] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000 +[ 2924.143825] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80 +[ 2924.148500] FS: 00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000 +[ 2924.153247] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2924.158003] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0 +[ 2924.164641] BUG: Bad rss-counter state mm:00000000fa04621e idx:0 val:4 +[ 2924.170007] BUG: Bad rss-counter +tate mm:00000000fa04621e idx:1 val:2 + +- Location +https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/f2fs/inline.c#L78 + memset(addr + from, 0, MAX_INLINE_DATA(inode) - from); +Here the length can be negative. + +Reported-by Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[bwh: Backported to 4.14: adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index aeed9943836a..9a40724dbaa6 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -183,6 +183,7 @@ void f2fs_inode_chksum_set(struct f2fs_sb_info *sbi, struct page *page) + static bool sanity_check_inode(struct inode *inode, struct page *node_page) + { + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); ++ struct f2fs_inode_info *fi = F2FS_I(inode); + unsigned long long iblocks; + + iblocks = le64_to_cpu(F2FS_INODE(node_page)->i_blocks); +@@ -215,6 +216,17 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) + return false; + } + ++ if (fi->i_extra_isize > F2FS_TOTAL_EXTRA_ATTR_SIZE || ++ fi->i_extra_isize % sizeof(__le32)) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "%s: inode (ino=%lx) has corrupted i_extra_isize: %d, " ++ "max: %zu", ++ __func__, inode->i_ino, fi->i_extra_isize, ++ F2FS_TOTAL_EXTRA_ATTR_SIZE); ++ return false; ++ } ++ + if (F2FS_I(inode)->extent_tree) { + struct extent_info *ei = &F2FS_I(inode)->extent_tree->largest; + +@@ -280,14 +292,14 @@ static int do_read_inode(struct inode *inode) + + get_inline_info(inode, ri); + ++ fi->i_extra_isize = f2fs_has_extra_attr(inode) ? ++ le16_to_cpu(ri->i_extra_isize) : 0; ++ + if (!sanity_check_inode(inode, node_page)) { + f2fs_put_page(node_page, 1); + return -EINVAL; + } + +- fi->i_extra_isize = f2fs_has_extra_attr(inode) ? +- le16_to_cpu(ri->i_extra_isize) : 0; +- + /* check data exist */ + if (f2fs_has_inline_data(inode) && !f2fs_exist_data(inode)) + __recover_inline_status(inode, node_page); +-- +2.17.1 + diff --git a/queue-4.14/f2fs-fix-to-do-sanity-check-with-node-footer-and-ibl.patch b/queue-4.14/f2fs-fix-to-do-sanity-check-with-node-footer-and-ibl.patch new file mode 100644 index 00000000000..9ce2c26bbc2 --- /dev/null +++ b/queue-4.14/f2fs-fix-to-do-sanity-check-with-node-footer-and-ibl.patch @@ -0,0 +1,243 @@ +From e823b46ea58cc739c4ae39d35e2d2f6022fbab5b Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Fri, 29 Jun 2018 13:55:22 +0800 +Subject: f2fs: fix to do sanity check with node footer and iblocks + +commit e34438c903b653daca2b2a7de95aed46226f8ed3 upstream. + +This patch adds to do sanity check with below fields of inode to +avoid reported panic. +- node footer +- iblocks + +https://bugzilla.kernel.org/show_bug.cgi?id=200223 + +- Overview +BUG() triggered in f2fs_truncate_inode_blocks() when un-mounting a mounted f2fs image after writing to it + +- Reproduce + +- POC (poc.c) + +static void activity(char *mpoint) { + + char *foo_bar_baz; + int err; + + static int buf[8192]; + memset(buf, 0, sizeof(buf)); + + err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint); + + // open / write / read + int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777); + if (fd >= 0) { + write(fd, (char *)buf, 517); + write(fd, (char *)buf, sizeof(buf)); + close(fd); + } + +} + +int main(int argc, char *argv[]) { + activity(argv[1]); + return 0; +} + +- Kernel meesage +[ 552.479723] F2FS-fs (loop0): Mounted with checkpoint version = 2 +[ 556.451891] ------------[ cut here ]------------ +[ 556.451899] kernel BUG at fs/f2fs/node.c:987! +[ 556.452920] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 556.453936] CPU: 1 PID: 1310 Comm: umount Not tainted 4.18.0-rc1+ #4 +[ 556.455213] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 556.457140] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0 +[ 556.458280] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5 +[ 556.462015] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286 +[ 556.463068] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc +[ 556.464479] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164 +[ 556.465901] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d +[ 556.467311] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64 +[ 556.468706] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801 +[ 556.470117] FS: 00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 +[ 556.471702] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 556.472838] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0 +[ 556.474265] Call Trace: +[ 556.474782] ? f2fs_alloc_nid_failed+0xf0/0xf0 +[ 556.475686] ? truncate_nodes+0x980/0x980 +[ 556.476516] ? pagecache_get_page+0x21f/0x2f0 +[ 556.477412] ? __asan_loadN+0xf/0x20 +[ 556.478153] ? __get_node_page+0x331/0x5b0 +[ 556.478992] ? reweight_entity+0x1e6/0x3b0 +[ 556.479826] f2fs_truncate_blocks+0x55e/0x740 +[ 556.480709] ? f2fs_truncate_data_blocks+0x20/0x20 +[ 556.481689] ? __radix_tree_lookup+0x34/0x160 +[ 556.482630] ? radix_tree_lookup+0xd/0x10 +[ 556.483445] f2fs_truncate+0xd4/0x1a0 +[ 556.484206] f2fs_evict_inode+0x5ce/0x630 +[ 556.485032] evict+0x16f/0x290 +[ 556.485664] iput+0x280/0x300 +[ 556.486300] dentry_unlink_inode+0x165/0x1e0 +[ 556.487169] __dentry_kill+0x16a/0x260 +[ 556.487936] dentry_kill+0x70/0x250 +[ 556.488651] shrink_dentry_list+0x125/0x260 +[ 556.489504] shrink_dcache_parent+0xc1/0x110 +[ 556.490379] ? shrink_dcache_sb+0x200/0x200 +[ 556.491231] ? bit_wait_timeout+0xc0/0xc0 +[ 556.492047] do_one_tree+0x12/0x40 +[ 556.492743] shrink_dcache_for_umount+0x3f/0xa0 +[ 556.493656] generic_shutdown_super+0x43/0x1c0 +[ 556.494561] kill_block_super+0x52/0x80 +[ 556.495341] kill_f2fs_super+0x62/0x70 +[ 556.496105] deactivate_locked_super+0x6f/0xa0 +[ 556.497004] deactivate_super+0x5e/0x80 +[ 556.497785] cleanup_mnt+0x61/0xa0 +[ 556.498492] __cleanup_mnt+0x12/0x20 +[ 556.499218] task_work_run+0xc8/0xf0 +[ 556.499949] exit_to_usermode_loop+0x125/0x130 +[ 556.500846] do_syscall_64+0x138/0x170 +[ 556.501609] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 556.502659] RIP: 0033:0x7f8028b77487 +[ 556.503384] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48 +[ 556.507137] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 +[ 556.508637] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487 +[ 556.510069] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0 +[ 556.511481] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014 +[ 556.512892] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c +[ 556.514320] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820 +[ 556.515745] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy +[ 556.529276] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 556.530340] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0 +[ 556.531513] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5 +[ 556.535330] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286 +[ 556.536395] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc +[ 556.537824] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164 +[ 556.539290] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d +[ 556.540709] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64 +[ 556.542131] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801 +[ 556.543579] FS: 00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 +[ 556.545180] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 556.546338] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0 +[ 556.547809] ================================================================== +[ 556.549248] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x52/0x170 +[ 556.550672] Write of size 8 at addr ffff8801f292fd10 by task umount/1310 + +[ 556.552338] CPU: 1 PID: 1310 Comm: umount Tainted: G D 4.18.0-rc1+ #4 +[ 556.553886] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 556.555756] Call Trace: +[ 556.556264] dump_stack+0x7b/0xb5 +[ 556.556944] print_address_description+0x70/0x290 +[ 556.557903] kasan_report+0x291/0x390 +[ 556.558649] ? arch_tlb_gather_mmu+0x52/0x170 +[ 556.559537] __asan_store8+0x57/0x90 +[ 556.560268] arch_tlb_gather_mmu+0x52/0x170 +[ 556.561110] tlb_gather_mmu+0x12/0x40 +[ 556.561862] exit_mmap+0x123/0x2a0 +[ 556.562555] ? __ia32_sys_munmap+0x50/0x50 +[ 556.563384] ? exit_aio+0x98/0x230 +[ 556.564079] ? __x32_compat_sys_io_submit+0x260/0x260 +[ 556.565099] ? taskstats_exit+0x1f4/0x640 +[ 556.565925] ? kasan_check_read+0x11/0x20 +[ 556.566739] ? mm_update_next_owner+0x322/0x380 +[ 556.567652] mmput+0x8b/0x1d0 +[ 556.568260] do_exit+0x43a/0x1390 +[ 556.568937] ? mm_update_next_owner+0x380/0x380 +[ 556.569855] ? deactivate_super+0x5e/0x80 +[ 556.570668] ? cleanup_mnt+0x61/0xa0 +[ 556.571395] ? __cleanup_mnt+0x12/0x20 +[ 556.572156] ? task_work_run+0xc8/0xf0 +[ 556.572917] ? exit_to_usermode_loop+0x125/0x130 +[ 556.573861] rewind_stack_do_exit+0x17/0x20 +[ 556.574707] RIP: 0033:0x7f8028b77487 +[ 556.575428] Code: Bad RIP value. +[ 556.576106] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 +[ 556.577599] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487 +[ 556.579020] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0 +[ 556.580422] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014 +[ 556.581833] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c +[ 556.583252] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820 + +[ 556.584983] The buggy address belongs to the page: +[ 556.585961] page:ffffea0007ca4bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 556.587540] flags: 0x2ffff0000000000() +[ 556.588296] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000 +[ 556.589822] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 556.591359] page dumped because: kasan: bad access detected + +[ 556.592786] Memory state around the buggy address: +[ 556.593753] ffff8801f292fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 556.595191] ffff8801f292fc80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 +[ 556.596613] >ffff8801f292fd00: 00 00 f3 00 00 00 00 f3 f3 00 00 00 00 f4 f4 f4 +[ 556.598044] ^ +[ 556.598797] ffff8801f292fd80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 +[ 556.600225] ffff8801f292fe00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 +[ 556.601647] ================================================================== + +- Location +https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/node.c#L987 + case NODE_DIND_BLOCK: + err = truncate_nodes(&dn, nofs, offset[1], 3); + cont = 0; + break; + + default: + BUG(); <--- + } + +Reported-by Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 428d502f23e8..be7d9773d291 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -180,9 +180,30 @@ void f2fs_inode_chksum_set(struct f2fs_sb_info *sbi, struct page *page) + ri->i_inode_checksum = cpu_to_le32(f2fs_inode_chksum(sbi, page)); + } + +-static bool sanity_check_inode(struct inode *inode) ++static bool sanity_check_inode(struct inode *inode, struct page *node_page) + { + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); ++ unsigned long long iblocks; ++ ++ iblocks = le64_to_cpu(F2FS_INODE(node_page)->i_blocks); ++ if (!iblocks) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "%s: corrupted inode i_blocks i_ino=%lx iblocks=%llu, " ++ "run fsck to fix.", ++ __func__, inode->i_ino, iblocks); ++ return false; ++ } ++ ++ if (ino_of_node(node_page) != nid_of_node(node_page)) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "%s: corrupted inode footer i_ino=%lx, ino,nid: " ++ "[%u, %u] run fsck to fix.", ++ __func__, inode->i_ino, ++ ino_of_node(node_page), nid_of_node(node_page)); ++ return false; ++ } + + if (f2fs_has_extra_attr(inode) && + !f2fs_sb_has_extra_attr(sbi->sb)) { +@@ -242,7 +263,7 @@ static int do_read_inode(struct inode *inode) + + get_inline_info(inode, ri); + +- if (!sanity_check_inode(inode)) { ++ if (!sanity_check_inode(inode, node_page)) { + f2fs_put_page(node_page, 1); + return -EINVAL; + } +-- +2.17.1 + diff --git a/queue-4.14/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch b/queue-4.14/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch new file mode 100644 index 00000000000..fc75fb1221d --- /dev/null +++ b/queue-4.14/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch @@ -0,0 +1,101 @@ +From 2d3a5dc812c7a6bc3a74431dafc1bd8e0bf721a0 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Sat, 23 Jun 2018 00:12:36 +0800 +Subject: f2fs: fix to do sanity check with secs_per_zone + +commit 42bf546c1fe3f3654bdf914e977acbc2b80a5be5 upstream. + +As Wen Xu reported in below link: + +https://bugzilla.kernel.org/show_bug.cgi?id=200183 + +- Overview +Divide zero in reset_curseg() when mounting a crafted f2fs image + +- Reproduce + +- Kernel message +[ 588.281510] divide error: 0000 [#1] SMP KASAN PTI +[ 588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4 +[ 588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 588.286178] RIP: 0010:reset_curseg+0x94/0x1a0 +[ 588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246 +[ 588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b +[ 588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64 +[ 588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000 +[ 588.306822] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 588.308456] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0 +[ 588.311085] Call Trace: +[ 588.311637] f2fs_build_segment_manager+0x103f/0x3410 +[ 588.316136] ? f2fs_commit_super+0x1b0/0x1b0 +[ 588.317031] ? set_blocksize+0x90/0x140 +[ 588.319473] f2fs_mount+0x15/0x20 +[ 588.320166] mount_fs+0x60/0x1a0 +[ 588.320847] ? alloc_vfsmnt+0x309/0x360 +[ 588.321647] vfs_kern_mount+0x6b/0x1a0 +[ 588.322432] do_mount+0x34a/0x18c0 +[ 588.323175] ? strndup_user+0x46/0x70 +[ 588.323937] ? copy_mount_string+0x20/0x20 +[ 588.324793] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 588.325702] ? kasan_check_write+0x14/0x20 +[ 588.326562] ? _copy_from_user+0x6a/0x90 +[ 588.327375] ? memdup_user+0x42/0x60 +[ 588.328118] ksys_mount+0x83/0xd0 +[ 588.328808] __x64_sys_mount+0x67/0x80 +[ 588.329607] do_syscall_64+0x78/0x170 +[ 588.330400] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 588.331461] RIP: 0033:0x7fad848e8b9a +[ 588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a +[ 588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0 +[ 588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0 +[ 588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003 +[ 588.354891] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 588.355862] RIP: 0010:reset_curseg+0x94/0x1a0 +[ 588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246 +[ 588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b +[ 588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64 +[ 588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f +[ 588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700 +[ 588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000 +[ 588.370057] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 +[ 588.372099] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0 + +- Location +https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147 + curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno); + +If secs_per_zone is corrupted due to fuzzing test, it will cause divide +zero operation when using GET_ZONE_FROM_SEG macro, so we should do more +sanity check with secs_per_zone during mount to avoid this issue. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index c3e1090e7c0a..084ff9c82a37 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1904,9 +1904,9 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, + return 1; + } + +- if (secs_per_zone > total_sections) { ++ if (secs_per_zone > total_sections || !secs_per_zone) { + f2fs_msg(sb, KERN_INFO, +- "Wrong secs_per_zone (%u > %u)", ++ "Wrong secs_per_zone / total_sections (%u, %u)", + secs_per_zone, total_sections); + return 1; + } +-- +2.17.1 + diff --git a/queue-4.14/f2fs-fix-to-do-sanity-check-with-user_block_count.patch b/queue-4.14/f2fs-fix-to-do-sanity-check-with-user_block_count.patch new file mode 100644 index 00000000000..8295254ced8 --- /dev/null +++ b/queue-4.14/f2fs-fix-to-do-sanity-check-with-user_block_count.patch @@ -0,0 +1,151 @@ +From 541ea5aaed0979a635b3552db12a4f724cd62a73 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 27 Jun 2018 18:05:54 +0800 +Subject: f2fs: fix to do sanity check with user_block_count + +commit 9dc956b2c8523aed39d1e6508438be9fea28c8fc upstream. + +This patch fixs to do sanity check with user_block_count. + +- Overview +Divide zero in utilization when mount() a corrupted f2fs image + +- Reproduce (4.18 upstream kernel) + +- Kernel message +[ 564.099503] F2FS-fs (loop0): invalid crc value +[ 564.101991] divide error: 0000 [#1] SMP KASAN PTI +[ 564.103103] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Not tainted 4.18.0-rc1+ #4 +[ 564.104584] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 564.106624] RIP: 0010:issue_discard_thread+0x248/0x5c0 +[ 564.107692] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86 +[ 564.111686] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206 +[ 564.112775] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03 +[ 564.114250] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850 +[ 564.115706] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0 +[ 564.117177] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc +[ 564.118634] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000 +[ 564.120094] FS: 0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 +[ 564.121748] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 564.122923] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0 +[ 564.124383] Call Trace: +[ 564.124924] ? __issue_discard_cmd+0x480/0x480 +[ 564.125882] ? __sched_text_start+0x8/0x8 +[ 564.126756] ? __kthread_parkme+0xcb/0x100 +[ 564.127620] ? kthread_blkcg+0x70/0x70 +[ 564.128412] kthread+0x180/0x1d0 +[ 564.129105] ? __issue_discard_cmd+0x480/0x480 +[ 564.130029] ? kthread_associate_blkcg+0x150/0x150 +[ 564.131033] ret_from_fork+0x35/0x40 +[ 564.131794] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy +[ 564.141798] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 564.142773] RIP: 0010:issue_discard_thread+0x248/0x5c0 +[ 564.143885] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86 +[ 564.147776] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206 +[ 564.148856] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03 +[ 564.150424] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850 +[ 564.151906] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0 +[ 564.153463] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc +[ 564.154915] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000 +[ 564.156405] FS: 0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 +[ 564.158070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 564.159279] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0 +[ 564.161043] ================================================================== +[ 564.162587] BUG: KASAN: stack-out-of-bounds in from_kuid_munged+0x1d/0x50 +[ 564.163994] Read of size 4 at addr ffff8801f3117c84 by task f2fs_discard-7:/1298 + +[ 564.165852] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Tainted: G D 4.18.0-rc1+ #4 +[ 564.167593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 564.169522] Call Trace: +[ 564.170057] dump_stack+0x7b/0xb5 +[ 564.170778] print_address_description+0x70/0x290 +[ 564.171765] kasan_report+0x291/0x390 +[ 564.172540] ? from_kuid_munged+0x1d/0x50 +[ 564.173408] __asan_load4+0x78/0x80 +[ 564.174148] from_kuid_munged+0x1d/0x50 +[ 564.174962] do_notify_parent+0x1f5/0x4f0 +[ 564.175808] ? send_sigqueue+0x390/0x390 +[ 564.176639] ? css_set_move_task+0x152/0x340 +[ 564.184197] do_exit+0x1290/0x1390 +[ 564.184950] ? __issue_discard_cmd+0x480/0x480 +[ 564.185884] ? mm_update_next_owner+0x380/0x380 +[ 564.186829] ? __sched_text_start+0x8/0x8 +[ 564.187672] ? __kthread_parkme+0xcb/0x100 +[ 564.188528] ? kthread_blkcg+0x70/0x70 +[ 564.189333] ? kthread+0x180/0x1d0 +[ 564.190052] ? __issue_discard_cmd+0x480/0x480 +[ 564.190983] rewind_stack_do_exit+0x17/0x20 + +[ 564.192190] The buggy address belongs to the page: +[ 564.193213] page:ffffea0007cc45c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 564.194856] flags: 0x2ffff0000000000() +[ 564.195644] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000 +[ 564.197247] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 564.198826] page dumped because: kasan: bad access detected + +[ 564.200299] Memory state around the buggy address: +[ 564.201306] ffff8801f3117b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 564.202779] ffff8801f3117c00: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 +[ 564.204252] >ffff8801f3117c80: f3 f3 f3 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 +[ 564.205742] ^ +[ 564.206424] ffff8801f3117d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 564.207908] ffff8801f3117d80: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 +[ 564.209389] ================================================================== +[ 564.231795] F2FS-fs (loop0): Mounted with checkpoint version = 2 + +- Location +https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L586 + return div_u64((u64)valid_user_blocks(sbi) * 100, + sbi->user_block_count); +Missing checks on sbi->user_block_count. + +Reported-by: Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 084ff9c82a37..9fafb1404f39 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1956,6 +1956,8 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) + unsigned int sit_segs, nat_segs; + unsigned int sit_bitmap_size, nat_bitmap_size; + unsigned int log_blocks_per_seg; ++ unsigned int segment_count_main; ++ block_t user_block_count; + int i; + + total = le32_to_cpu(raw_super->segment_count); +@@ -1980,6 +1982,16 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) + return 1; + } + ++ user_block_count = le64_to_cpu(ckpt->user_block_count); ++ segment_count_main = le32_to_cpu(raw_super->segment_count_main); ++ log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg); ++ if (!user_block_count || user_block_count >= ++ segment_count_main << log_blocks_per_seg) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Wrong user_block_count: %u", user_block_count); ++ return 1; ++ } ++ + main_segs = le32_to_cpu(raw_super->segment_count_main); + blocks_per_seg = sbi->blocks_per_seg; + +@@ -1996,7 +2008,6 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi) + + sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize); + nat_bitmap_size = le32_to_cpu(ckpt->nat_ver_bitmap_bytesize); +- log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg); + + if (sit_bitmap_size != ((sit_segs / 2) << log_blocks_per_seg) / 8 || + nat_bitmap_size != ((nat_segs / 2) << log_blocks_per_seg) / 8) { +-- +2.17.1 + diff --git a/queue-4.14/f2fs-introduce-and-spread-verify_blkaddr.patch b/queue-4.14/f2fs-introduce-and-spread-verify_blkaddr.patch new file mode 100644 index 00000000000..e0155a31bab --- /dev/null +++ b/queue-4.14/f2fs-introduce-and-spread-verify_blkaddr.patch @@ -0,0 +1,345 @@ +From ab3a3eca9f4d090652c5575a0631642dffb8b367 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 5 Jun 2018 17:44:11 +0800 +Subject: f2fs: introduce and spread verify_blkaddr + +commit e1da7872f6eda977bd812346bf588c35e4495a1e upstream. + +This patch introduces verify_blkaddr to check meta/data block address +with valid range to detect bug earlier. + +In addition, once we encounter an invalid blkaddr, notice user to run +fsck to fix, and let the kernel panic. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[bwh: Backported to 4.14: I skipped an earlier renaming of + is_valid_meta_blkaddr() to f2fs_is_valid_meta_blkaddr()] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 11 +++++++++-- + fs/f2fs/data.c | 8 ++++---- + fs/f2fs/f2fs.h | 32 +++++++++++++++++++++++++++++--- + fs/f2fs/file.c | 9 +++++---- + fs/f2fs/inode.c | 7 ++++--- + fs/f2fs/node.c | 4 ++-- + fs/f2fs/recovery.c | 6 +++--- + fs/f2fs/segment.c | 4 ++-- + fs/f2fs/segment.h | 8 +++----- + 9 files changed, 61 insertions(+), 28 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 2b951046657e..d7bd9745e883 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -118,7 +118,8 @@ struct page *get_tmp_page(struct f2fs_sb_info *sbi, pgoff_t index) + return __get_meta_page(sbi, index, false); + } + +-bool is_valid_meta_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr, int type) ++bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, ++ block_t blkaddr, int type) + { + switch (type) { + case META_NAT: +@@ -138,10 +139,16 @@ bool is_valid_meta_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr, int type) + return false; + break; + case META_POR: ++ case DATA_GENERIC: + if (unlikely(blkaddr >= MAX_BLKADDR(sbi) || + blkaddr < MAIN_BLKADDR(sbi))) + return false; + break; ++ case META_GENERIC: ++ if (unlikely(blkaddr < SEG0_BLKADDR(sbi) || ++ blkaddr >= MAIN_BLKADDR(sbi))) ++ return false; ++ break; + default: + BUG(); + } +@@ -174,7 +181,7 @@ int ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages, + blk_start_plug(&plug); + for (; nrpages-- > 0; blkno++) { + +- if (!is_valid_meta_blkaddr(sbi, blkno, type)) ++ if (!f2fs_is_valid_blkaddr(sbi, blkno, type)) + goto out; + + switch (type) { +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index f7b2909e9c5f..615878806611 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -413,7 +413,7 @@ next: + spin_unlock(&io->io_lock); + } + +- if (is_valid_blkaddr(fio->old_blkaddr)) ++ if (__is_valid_data_blkaddr(fio->old_blkaddr)) + verify_block_addr(fio, fio->old_blkaddr); + verify_block_addr(fio, fio->new_blkaddr); + +@@ -946,7 +946,7 @@ next_dnode: + next_block: + blkaddr = datablock_addr(dn.inode, dn.node_page, dn.ofs_in_node); + +- if (!is_valid_blkaddr(blkaddr)) { ++ if (!is_valid_data_blkaddr(sbi, blkaddr)) { + if (create) { + if (unlikely(f2fs_cp_error(sbi))) { + err = -EIO; +@@ -1402,7 +1402,7 @@ int do_write_data_page(struct f2fs_io_info *fio) + f2fs_lookup_extent_cache(inode, page->index, &ei)) { + fio->old_blkaddr = ei.blk + page->index - ei.fofs; + +- if (is_valid_blkaddr(fio->old_blkaddr)) { ++ if (is_valid_data_blkaddr(fio->sbi, fio->old_blkaddr)) { + ipu_force = true; + fio->need_lock = LOCK_DONE; + goto got_it; +@@ -1429,7 +1429,7 @@ got_it: + * If current allocation needs SSR, + * it had better in-place writes for updated data. + */ +- if (ipu_force || (is_valid_blkaddr(fio->old_blkaddr) && ++ if (ipu_force || (is_valid_data_blkaddr(fio->sbi, fio->old_blkaddr) && + need_inplace_update(fio))) { + err = encrypt_one_page(fio); + if (err) +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index d74c77b51b71..d15d79457f5c 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -162,7 +162,7 @@ struct cp_control { + }; + + /* +- * For CP/NAT/SIT/SSA readahead ++ * indicate meta/data type + */ + enum { + META_CP, +@@ -170,6 +170,8 @@ enum { + META_SIT, + META_SSA, + META_POR, ++ DATA_GENERIC, ++ META_GENERIC, + }; + + /* for the list of ino */ +@@ -2355,13 +2357,36 @@ static inline void f2fs_update_iostat(struct f2fs_sb_info *sbi, + spin_unlock(&sbi->iostat_lock); + } + +-static inline bool is_valid_blkaddr(block_t blkaddr) ++bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, ++ block_t blkaddr, int type); ++void f2fs_msg(struct super_block *sb, const char *level, const char *fmt, ...); ++static inline void verify_blkaddr(struct f2fs_sb_info *sbi, ++ block_t blkaddr, int type) ++{ ++ if (!f2fs_is_valid_blkaddr(sbi, blkaddr, type)) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "invalid blkaddr: %u, type: %d, run fsck to fix.", ++ blkaddr, type); ++ f2fs_bug_on(sbi, 1); ++ } ++} ++ ++static inline bool __is_valid_data_blkaddr(block_t blkaddr) + { + if (blkaddr == NEW_ADDR || blkaddr == NULL_ADDR) + return false; + return true; + } + ++static inline bool is_valid_data_blkaddr(struct f2fs_sb_info *sbi, ++ block_t blkaddr) ++{ ++ if (!__is_valid_data_blkaddr(blkaddr)) ++ return false; ++ verify_blkaddr(sbi, blkaddr, DATA_GENERIC); ++ return true; ++} ++ + /* + * file.c + */ +@@ -2572,7 +2597,8 @@ void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io); + struct page *grab_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); + struct page *get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); + struct page *get_tmp_page(struct f2fs_sb_info *sbi, pgoff_t index); +-bool is_valid_meta_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr, int type); ++bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, ++ block_t blkaddr, int type); + int ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages, + int type, bool sync); + void ra_meta_pages_cond(struct f2fs_sb_info *sbi, pgoff_t index); +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index d368eda462bb..e9c575ef70b5 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -328,13 +328,13 @@ static pgoff_t __get_first_dirty_index(struct address_space *mapping, + return pgofs; + } + +-static bool __found_offset(block_t blkaddr, pgoff_t dirty, pgoff_t pgofs, +- int whence) ++static bool __found_offset(struct f2fs_sb_info *sbi, block_t blkaddr, ++ pgoff_t dirty, pgoff_t pgofs, int whence) + { + switch (whence) { + case SEEK_DATA: + if ((blkaddr == NEW_ADDR && dirty == pgofs) || +- is_valid_blkaddr(blkaddr)) ++ is_valid_data_blkaddr(sbi, blkaddr)) + return true; + break; + case SEEK_HOLE: +@@ -397,7 +397,8 @@ static loff_t f2fs_seek_block(struct file *file, loff_t offset, int whence) + blkaddr = datablock_addr(dn.inode, + dn.node_page, dn.ofs_in_node); + +- if (__found_offset(blkaddr, dirty, pgofs, whence)) { ++ if (__found_offset(F2FS_I_SB(inode), blkaddr, dirty, ++ pgofs, whence)) { + f2fs_put_dnode(&dn); + goto found; + } +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 2bcbbf566f0c..b1c0eb433841 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -62,11 +62,12 @@ static void __get_inode_rdev(struct inode *inode, struct f2fs_inode *ri) + } + } + +-static bool __written_first_block(struct f2fs_inode *ri) ++static bool __written_first_block(struct f2fs_sb_info *sbi, ++ struct f2fs_inode *ri) + { + block_t addr = le32_to_cpu(ri->i_addr[offset_in_addr(ri)]); + +- if (is_valid_blkaddr(addr)) ++ if (is_valid_data_blkaddr(sbi, addr)) + return true; + return false; + } +@@ -235,7 +236,7 @@ static int do_read_inode(struct inode *inode) + /* get rdev by using inline_info */ + __get_inode_rdev(inode, ri); + +- if (__written_first_block(ri)) ++ if (__written_first_block(sbi, ri)) + set_inode_flag(inode, FI_FIRST_BLOCK_WRITTEN); + + if (!need_inode_block_update(sbi, inode->i_ino)) +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 5f212fb2d62b..999814c8cbea 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -334,7 +334,7 @@ static void set_node_addr(struct f2fs_sb_info *sbi, struct node_info *ni, + new_blkaddr == NULL_ADDR); + f2fs_bug_on(sbi, nat_get_blkaddr(e) == NEW_ADDR && + new_blkaddr == NEW_ADDR); +- f2fs_bug_on(sbi, is_valid_blkaddr(nat_get_blkaddr(e)) && ++ f2fs_bug_on(sbi, is_valid_data_blkaddr(sbi, nat_get_blkaddr(e)) && + new_blkaddr == NEW_ADDR); + + /* increment version no as node is removed */ +@@ -349,7 +349,7 @@ static void set_node_addr(struct f2fs_sb_info *sbi, struct node_info *ni, + + /* change address */ + nat_set_blkaddr(e, new_blkaddr); +- if (!is_valid_blkaddr(new_blkaddr)) ++ if (!is_valid_data_blkaddr(sbi, new_blkaddr)) + set_nat_flag(e, IS_CHECKPOINTED, false); + __set_nat_cache_dirty(nm_i, e); + +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index 53f41ad4cbe1..6ea445377767 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -236,7 +236,7 @@ static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head, + while (1) { + struct fsync_inode_entry *entry; + +- if (!is_valid_meta_blkaddr(sbi, blkaddr, META_POR)) ++ if (!f2fs_is_valid_blkaddr(sbi, blkaddr, META_POR)) + return 0; + + page = get_tmp_page(sbi, blkaddr); +@@ -479,7 +479,7 @@ retry_dn: + } + + /* dest is valid block, try to recover from src to dest */ +- if (is_valid_meta_blkaddr(sbi, dest, META_POR)) { ++ if (f2fs_is_valid_blkaddr(sbi, dest, META_POR)) { + + if (src == NULL_ADDR) { + err = reserve_new_block(&dn); +@@ -540,7 +540,7 @@ static int recover_data(struct f2fs_sb_info *sbi, struct list_head *inode_list, + while (1) { + struct fsync_inode_entry *entry; + +- if (!is_valid_meta_blkaddr(sbi, blkaddr, META_POR)) ++ if (!f2fs_is_valid_blkaddr(sbi, blkaddr, META_POR)) + break; + + ra_meta_pages_cond(sbi, blkaddr); +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 483d7a869679..5c698757e116 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -1758,7 +1758,7 @@ bool is_checkpointed_data(struct f2fs_sb_info *sbi, block_t blkaddr) + struct seg_entry *se; + bool is_cp = false; + +- if (!is_valid_blkaddr(blkaddr)) ++ if (!is_valid_data_blkaddr(sbi, blkaddr)) + return true; + + mutex_lock(&sit_i->sentry_lock); +@@ -2571,7 +2571,7 @@ void f2fs_wait_on_block_writeback(struct f2fs_sb_info *sbi, block_t blkaddr) + { + struct page *cpage; + +- if (!is_valid_blkaddr(blkaddr)) ++ if (!is_valid_data_blkaddr(sbi, blkaddr)) + return; + + cpage = find_lock_page(META_MAPPING(sbi), blkaddr); +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index f977774338c3..dd8f977fc273 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -85,7 +85,7 @@ + (GET_SEGOFF_FROM_SEG0(sbi, blk_addr) & ((sbi)->blocks_per_seg - 1)) + + #define GET_SEGNO(sbi, blk_addr) \ +- ((!is_valid_blkaddr(blk_addr)) ? \ ++ ((!is_valid_data_blkaddr(sbi, blk_addr)) ? \ + NULL_SEGNO : GET_L2R_SEGNO(FREE_I(sbi), \ + GET_SEGNO_FROM_SEG0(sbi, blk_addr))) + #define BLKS_PER_SEC(sbi) \ +@@ -631,11 +631,9 @@ static inline void verify_block_addr(struct f2fs_io_info *fio, block_t blk_addr) + + if (PAGE_TYPE_OF_BIO(fio->type) == META && + (!is_read_io(fio->op) || fio->is_meta)) +- BUG_ON(blk_addr < SEG0_BLKADDR(sbi) || +- blk_addr >= MAIN_BLKADDR(sbi)); ++ verify_blkaddr(sbi, blk_addr, META_GENERIC); + else +- BUG_ON(blk_addr < MAIN_BLKADDR(sbi) || +- blk_addr >= MAX_BLKADDR(sbi)); ++ verify_blkaddr(sbi, blk_addr, DATA_GENERIC); + } + + /* +-- +2.17.1 + diff --git a/queue-4.14/f2fs-sanity-check-on-sit-entry.patch b/queue-4.14/f2fs-sanity-check-on-sit-entry.patch new file mode 100644 index 00000000000..795a58c64b9 --- /dev/null +++ b/queue-4.14/f2fs-sanity-check-on-sit-entry.patch @@ -0,0 +1,107 @@ +From d4c155202fe9130693f1fb4584ba4bfe5394d0cb Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Tue, 24 Apr 2018 15:44:16 -0600 +Subject: f2fs: sanity check on sit entry + +commit b2ca374f33bd33fd822eb871876e4888cf79dc97 upstream. + +syzbot hit the following crash on upstream commit +87ef12027b9b1dd0e0b12cf311fbcb19f9d92539 (Wed Apr 18 19:48:17 2018 +0000) +Merge tag 'ceph-for-4.17-rc2' of git://github.com/ceph/ceph-client +syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=83699adeb2d13579c31e + +C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5805208181407744 +syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6005073343676416 +Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6555047731134464 +Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118 +compiler: gcc (GCC) 8.0.1 20180413 (experimental) + +IMPORTANT: if you fix the bug, please add the following tag to the commit: +Reported-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com +It will help syzbot understand when the bug is fixed. See footer for details. +If you forward the report, please keep this part and the footer. + +F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0) +F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock +F2FS-fs (loop0): invalid crc value +BUG: unable to handle kernel paging request at ffffed006b2a50c0 +PGD 21ffee067 P4D 21ffee067 PUD 21fbeb067 PMD 0 +Oops: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 0 PID: 4514 Comm: syzkaller989480 Not tainted 4.17.0-rc1+ #8 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:build_sit_entries fs/f2fs/segment.c:3653 [inline] +RIP: 0010:build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852 +RSP: 0018:ffff8801b102e5b0 EFLAGS: 00010a06 +RAX: 1ffff1006b2a50c0 RBX: 0000000000000004 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801ac74243e +RBP: ffff8801b102f410 R08: ffff8801acbd46c0 R09: fffffbfff14d9af8 +R10: fffffbfff14d9af8 R11: ffff8801acbd46c0 R12: ffff8801ac742a80 +R13: ffff8801d9519100 R14: dffffc0000000000 R15: ffff880359528600 +FS: 0000000001e04880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffed006b2a50c0 CR3: 00000001ac6ac000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + f2fs_fill_super+0x4095/0x7bf0 fs/f2fs/super.c:2803 + mount_bdev+0x30c/0x3e0 fs/super.c:1165 + f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020 + mount_fs+0xae/0x328 fs/super.c:1268 + vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037 + vfs_kern_mount fs/namespace.c:1027 [inline] + do_new_mount fs/namespace.c:2517 [inline] + do_mount+0x564/0x3070 fs/namespace.c:2847 + ksys_mount+0x12d/0x140 fs/namespace.c:3063 + __do_sys_mount fs/namespace.c:3077 [inline] + __se_sys_mount fs/namespace.c:3074 [inline] + __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074 + do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x443d6a +RSP: 002b:00007ffd312813c8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5 +RAX: ffffffffffffffda RBX: 0000000020000c00 RCX: 0000000000443d6a +RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd312813d0 +RBP: 0000000000000003 R08: 0000000020016a00 R09: 000000000000000a +R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000004 +R13: 0000000000402c60 R14: 0000000000000000 R15: 0000000000000000 +RIP: build_sit_entries fs/f2fs/segment.c:3653 [inline] RSP: ffff8801b102e5b0 +RIP: build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852 RSP: ffff8801b102e5b0 +CR2: ffffed006b2a50c0 +---[ end trace a2034989e196ff17 ]--- + +Reported-and-tested-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Ben Hutchings + +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 3c7bbbae0afa..1104a6c80251 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -3304,6 +3304,15 @@ static int build_sit_entries(struct f2fs_sb_info *sbi) + unsigned int old_valid_blocks; + + start = le32_to_cpu(segno_in_journal(journal, i)); ++ if (start >= MAIN_SEGS(sbi)) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Wrong journal entry on segno %u", ++ start); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ err = -EINVAL; ++ break; ++ } ++ + se = &sit_i->sentries[start]; + sit = sit_in_journal(journal, i); + +-- +2.17.1 + diff --git a/queue-4.14/libceph-add-authorizer-challenge.patch b/queue-4.14/libceph-add-authorizer-challenge.patch new file mode 100644 index 00000000000..451848389cb --- /dev/null +++ b/queue-4.14/libceph-add-authorizer-challenge.patch @@ -0,0 +1,349 @@ +From fc90ac4eb1eefac7eecd005a524e49b630012fc1 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Fri, 27 Jul 2018 19:18:34 +0200 +Subject: libceph: add authorizer challenge + +commit 6daca13d2e72bedaaacfc08f873114c9307d5aea upstream. + +When a client authenticates with a service, an authorizer is sent with +a nonce to the service (ceph_x_authorize_[ab]) and the service responds +with a mutation of that nonce (ceph_x_authorize_reply). This lets the +client verify the service is who it says it is but it doesn't protect +against a replay: someone can trivially capture the exchange and reuse +the same authorizer to authenticate themselves. + +Allow the service to reject an initial authorizer with a random +challenge (ceph_x_authorize_challenge). The client then has to respond +with an updated authorizer proving they are able to decrypt the +service's challenge and that the new authorizer was produced for this +specific connection instance. + +The accepting side requires this challenge and response unconditionally +if the client side advertises they have CEPHX_V2 feature bit. + +This addresses CVE-2018-1128. + +Link: http://tracker.ceph.com/issues/24836 +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/ceph/mds_client.c | 11 ++++++ + include/linux/ceph/auth.h | 8 ++++ + include/linux/ceph/messenger.h | 3 ++ + include/linux/ceph/msgr.h | 2 +- + net/ceph/auth.c | 16 ++++++++ + net/ceph/auth_x.c | 72 +++++++++++++++++++++++++++++++--- + net/ceph/auth_x_protocol.h | 7 ++++ + net/ceph/messenger.c | 17 +++++++- + net/ceph/osd_client.c | 11 ++++++ + 9 files changed, 140 insertions(+), 7 deletions(-) + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index bf378ddca4db..a48984dd6426 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -4079,6 +4079,16 @@ static struct ceph_auth_handshake *get_authorizer(struct ceph_connection *con, + return auth; + } + ++static int add_authorizer_challenge(struct ceph_connection *con, ++ void *challenge_buf, int challenge_buf_len) ++{ ++ struct ceph_mds_session *s = con->private; ++ struct ceph_mds_client *mdsc = s->s_mdsc; ++ struct ceph_auth_client *ac = mdsc->fsc->client->monc.auth; ++ ++ return ceph_auth_add_authorizer_challenge(ac, s->s_auth.authorizer, ++ challenge_buf, challenge_buf_len); ++} + + static int verify_authorizer_reply(struct ceph_connection *con) + { +@@ -4142,6 +4152,7 @@ static const struct ceph_connection_operations mds_con_ops = { + .put = con_put, + .dispatch = dispatch, + .get_authorizer = get_authorizer, ++ .add_authorizer_challenge = add_authorizer_challenge, + .verify_authorizer_reply = verify_authorizer_reply, + .invalidate_authorizer = invalidate_authorizer, + .peer_reset = peer_reset, +diff --git a/include/linux/ceph/auth.h b/include/linux/ceph/auth.h +index e931da8424a4..6728c2ee0205 100644 +--- a/include/linux/ceph/auth.h ++++ b/include/linux/ceph/auth.h +@@ -64,6 +64,10 @@ struct ceph_auth_client_ops { + /* ensure that an existing authorizer is up to date */ + int (*update_authorizer)(struct ceph_auth_client *ac, int peer_type, + struct ceph_auth_handshake *auth); ++ int (*add_authorizer_challenge)(struct ceph_auth_client *ac, ++ struct ceph_authorizer *a, ++ void *challenge_buf, ++ int challenge_buf_len); + int (*verify_authorizer_reply)(struct ceph_auth_client *ac, + struct ceph_authorizer *a); + void (*invalidate_authorizer)(struct ceph_auth_client *ac, +@@ -118,6 +122,10 @@ void ceph_auth_destroy_authorizer(struct ceph_authorizer *a); + extern int ceph_auth_update_authorizer(struct ceph_auth_client *ac, + int peer_type, + struct ceph_auth_handshake *a); ++int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac, ++ struct ceph_authorizer *a, ++ void *challenge_buf, ++ int challenge_buf_len); + extern int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac, + struct ceph_authorizer *a); + extern void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac, +diff --git a/include/linux/ceph/messenger.h b/include/linux/ceph/messenger.h +index 9056077c023f..18fbe910ed55 100644 +--- a/include/linux/ceph/messenger.h ++++ b/include/linux/ceph/messenger.h +@@ -31,6 +31,9 @@ struct ceph_connection_operations { + struct ceph_auth_handshake *(*get_authorizer) ( + struct ceph_connection *con, + int *proto, int force_new); ++ int (*add_authorizer_challenge)(struct ceph_connection *con, ++ void *challenge_buf, ++ int challenge_buf_len); + int (*verify_authorizer_reply) (struct ceph_connection *con); + int (*invalidate_authorizer)(struct ceph_connection *con); + +diff --git a/include/linux/ceph/msgr.h b/include/linux/ceph/msgr.h +index 73ae2a926548..9e50aede46c8 100644 +--- a/include/linux/ceph/msgr.h ++++ b/include/linux/ceph/msgr.h +@@ -91,7 +91,7 @@ struct ceph_entity_inst { + #define CEPH_MSGR_TAG_SEQ 13 /* 64-bit int follows with seen seq number */ + #define CEPH_MSGR_TAG_KEEPALIVE2 14 /* keepalive2 byte + ceph_timespec */ + #define CEPH_MSGR_TAG_KEEPALIVE2_ACK 15 /* keepalive2 reply */ +- ++#define CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER 16 /* cephx v2 doing server challenge */ + + /* + * connection negotiation +diff --git a/net/ceph/auth.c b/net/ceph/auth.c +index dbde2b3c3c15..fbeee068ea14 100644 +--- a/net/ceph/auth.c ++++ b/net/ceph/auth.c +@@ -315,6 +315,22 @@ int ceph_auth_update_authorizer(struct ceph_auth_client *ac, + } + EXPORT_SYMBOL(ceph_auth_update_authorizer); + ++int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac, ++ struct ceph_authorizer *a, ++ void *challenge_buf, ++ int challenge_buf_len) ++{ ++ int ret = 0; ++ ++ mutex_lock(&ac->mutex); ++ if (ac->ops && ac->ops->add_authorizer_challenge) ++ ret = ac->ops->add_authorizer_challenge(ac, a, challenge_buf, ++ challenge_buf_len); ++ mutex_unlock(&ac->mutex); ++ return ret; ++} ++EXPORT_SYMBOL(ceph_auth_add_authorizer_challenge); ++ + int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac, + struct ceph_authorizer *a) + { +diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c +index 722791f45b2a..ce28bb07d8fd 100644 +--- a/net/ceph/auth_x.c ++++ b/net/ceph/auth_x.c +@@ -295,7 +295,8 @@ bad: + * authorizer. The first part (ceph_x_authorize_a) should already be + * encoded. + */ +-static int encrypt_authorizer(struct ceph_x_authorizer *au) ++static int encrypt_authorizer(struct ceph_x_authorizer *au, ++ u64 *server_challenge) + { + struct ceph_x_authorize_a *msg_a; + struct ceph_x_authorize_b *msg_b; +@@ -308,16 +309,28 @@ static int encrypt_authorizer(struct ceph_x_authorizer *au) + end = au->buf->vec.iov_base + au->buf->vec.iov_len; + + msg_b = p + ceph_x_encrypt_offset(); +- msg_b->struct_v = 1; ++ msg_b->struct_v = 2; + msg_b->nonce = cpu_to_le64(au->nonce); ++ if (server_challenge) { ++ msg_b->have_challenge = 1; ++ msg_b->server_challenge_plus_one = ++ cpu_to_le64(*server_challenge + 1); ++ } else { ++ msg_b->have_challenge = 0; ++ msg_b->server_challenge_plus_one = 0; ++ } + + ret = ceph_x_encrypt(&au->session_key, p, end - p, sizeof(*msg_b)); + if (ret < 0) + return ret; + + p += ret; +- WARN_ON(p > end); +- au->buf->vec.iov_len = p - au->buf->vec.iov_base; ++ if (server_challenge) { ++ WARN_ON(p != end); ++ } else { ++ WARN_ON(p > end); ++ au->buf->vec.iov_len = p - au->buf->vec.iov_base; ++ } + + return 0; + } +@@ -382,7 +395,7 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac, + le64_to_cpu(msg_a->ticket_blob.secret_id)); + + get_random_bytes(&au->nonce, sizeof(au->nonce)); +- ret = encrypt_authorizer(au); ++ ret = encrypt_authorizer(au, NULL); + if (ret) { + pr_err("failed to encrypt authorizer: %d", ret); + goto out_au; +@@ -664,6 +677,54 @@ static int ceph_x_update_authorizer( + return 0; + } + ++static int decrypt_authorize_challenge(struct ceph_x_authorizer *au, ++ void *challenge_buf, ++ int challenge_buf_len, ++ u64 *server_challenge) ++{ ++ struct ceph_x_authorize_challenge *ch = ++ challenge_buf + sizeof(struct ceph_x_encrypt_header); ++ int ret; ++ ++ /* no leading len */ ++ ret = __ceph_x_decrypt(&au->session_key, challenge_buf, ++ challenge_buf_len); ++ if (ret < 0) ++ return ret; ++ if (ret < sizeof(*ch)) { ++ pr_err("bad size %d for ceph_x_authorize_challenge\n", ret); ++ return -EINVAL; ++ } ++ ++ *server_challenge = le64_to_cpu(ch->server_challenge); ++ return 0; ++} ++ ++static int ceph_x_add_authorizer_challenge(struct ceph_auth_client *ac, ++ struct ceph_authorizer *a, ++ void *challenge_buf, ++ int challenge_buf_len) ++{ ++ struct ceph_x_authorizer *au = (void *)a; ++ u64 server_challenge; ++ int ret; ++ ++ ret = decrypt_authorize_challenge(au, challenge_buf, challenge_buf_len, ++ &server_challenge); ++ if (ret) { ++ pr_err("failed to decrypt authorize challenge: %d", ret); ++ return ret; ++ } ++ ++ ret = encrypt_authorizer(au, &server_challenge); ++ if (ret) { ++ pr_err("failed to encrypt authorizer w/ challenge: %d", ret); ++ return ret; ++ } ++ ++ return 0; ++} ++ + static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac, + struct ceph_authorizer *a) + { +@@ -816,6 +877,7 @@ static const struct ceph_auth_client_ops ceph_x_ops = { + .handle_reply = ceph_x_handle_reply, + .create_authorizer = ceph_x_create_authorizer, + .update_authorizer = ceph_x_update_authorizer, ++ .add_authorizer_challenge = ceph_x_add_authorizer_challenge, + .verify_authorizer_reply = ceph_x_verify_authorizer_reply, + .invalidate_authorizer = ceph_x_invalidate_authorizer, + .reset = ceph_x_reset, +diff --git a/net/ceph/auth_x_protocol.h b/net/ceph/auth_x_protocol.h +index 32c13d763b9a..24b0b74564d0 100644 +--- a/net/ceph/auth_x_protocol.h ++++ b/net/ceph/auth_x_protocol.h +@@ -70,6 +70,13 @@ struct ceph_x_authorize_a { + struct ceph_x_authorize_b { + __u8 struct_v; + __le64 nonce; ++ __u8 have_challenge; ++ __le64 server_challenge_plus_one; ++} __attribute__ ((packed)); ++ ++struct ceph_x_authorize_challenge { ++ __u8 struct_v; ++ __le64 server_challenge; + } __attribute__ ((packed)); + + struct ceph_x_authorize_reply { +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index 0b121327d32f..ad33baa2008d 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -2052,9 +2052,24 @@ static int process_connect(struct ceph_connection *con) + if (con->auth) { + /* + * Any connection that defines ->get_authorizer() +- * should also define ->verify_authorizer_reply(). ++ * should also define ->add_authorizer_challenge() and ++ * ->verify_authorizer_reply(). ++ * + * See get_connect_authorizer(). + */ ++ if (con->in_reply.tag == CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER) { ++ ret = con->ops->add_authorizer_challenge( ++ con, con->auth->authorizer_reply_buf, ++ le32_to_cpu(con->in_reply.authorizer_len)); ++ if (ret < 0) ++ return ret; ++ ++ con_out_kvec_reset(con); ++ __prepare_write_connect(con); ++ prepare_read_connect(con); ++ return 0; ++ } ++ + ret = con->ops->verify_authorizer_reply(con); + if (ret < 0) { + con->error_msg = "bad authorize reply"; +diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c +index 2814dba5902d..53ea2d48896c 100644 +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -5292,6 +5292,16 @@ static struct ceph_auth_handshake *get_authorizer(struct ceph_connection *con, + return auth; + } + ++static int add_authorizer_challenge(struct ceph_connection *con, ++ void *challenge_buf, int challenge_buf_len) ++{ ++ struct ceph_osd *o = con->private; ++ struct ceph_osd_client *osdc = o->o_osdc; ++ struct ceph_auth_client *ac = osdc->client->monc.auth; ++ ++ return ceph_auth_add_authorizer_challenge(ac, o->o_auth.authorizer, ++ challenge_buf, challenge_buf_len); ++} + + static int verify_authorizer_reply(struct ceph_connection *con) + { +@@ -5341,6 +5351,7 @@ static const struct ceph_connection_operations osd_con_ops = { + .put = put_osd_con, + .dispatch = dispatch, + .get_authorizer = get_authorizer, ++ .add_authorizer_challenge = add_authorizer_challenge, + .verify_authorizer_reply = verify_authorizer_reply, + .invalidate_authorizer = invalidate_authorizer, + .alloc_msg = alloc_msg, +-- +2.17.1 + diff --git a/queue-4.14/libceph-factor-out-__ceph_x_decrypt.patch b/queue-4.14/libceph-factor-out-__ceph_x_decrypt.patch new file mode 100644 index 00000000000..d908e1cc809 --- /dev/null +++ b/queue-4.14/libceph-factor-out-__ceph_x_decrypt.patch @@ -0,0 +1,78 @@ +From 5bb530635eb6229ab4a63cc561974fdcda3d0616 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Thu, 26 Jul 2018 18:05:43 +0200 +Subject: libceph: factor out __ceph_x_decrypt() + +commit c571fe24d243bfe7017f0e67fe800b3cc2a1d1f7 upstream. + +Will be used for decrypting the server challenge which is only preceded +by ceph_x_encrypt_header. + +Drop struct_v check to allow for extending ceph_x_encrypt_header in the +future. + +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + net/ceph/auth_x.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c +index 2f4a1baf5f52..9cac05239346 100644 +--- a/net/ceph/auth_x.c ++++ b/net/ceph/auth_x.c +@@ -70,25 +70,40 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret, void *buf, + return sizeof(u32) + ciphertext_len; + } + ++static int __ceph_x_decrypt(struct ceph_crypto_key *secret, void *p, ++ int ciphertext_len) ++{ ++ struct ceph_x_encrypt_header *hdr = p; ++ int plaintext_len; ++ int ret; ++ ++ ret = ceph_crypt(secret, false, p, ciphertext_len, ciphertext_len, ++ &plaintext_len); ++ if (ret) ++ return ret; ++ ++ if (le64_to_cpu(hdr->magic) != CEPHX_ENC_MAGIC) { ++ pr_err("%s bad magic\n", __func__); ++ return -EINVAL; ++ } ++ ++ return plaintext_len - sizeof(*hdr); ++} ++ + static int ceph_x_decrypt(struct ceph_crypto_key *secret, void **p, void *end) + { +- struct ceph_x_encrypt_header *hdr = *p + sizeof(u32); +- int ciphertext_len, plaintext_len; ++ int ciphertext_len; + int ret; + + ceph_decode_32_safe(p, end, ciphertext_len, e_inval); + ceph_decode_need(p, end, ciphertext_len, e_inval); + +- ret = ceph_crypt(secret, false, *p, end - *p, ciphertext_len, +- &plaintext_len); +- if (ret) ++ ret = __ceph_x_decrypt(secret, *p, ciphertext_len); ++ if (ret < 0) + return ret; + +- if (hdr->struct_v != 1 || le64_to_cpu(hdr->magic) != CEPHX_ENC_MAGIC) +- return -EPERM; +- + *p += ciphertext_len; +- return plaintext_len - sizeof(struct ceph_x_encrypt_header); ++ return ret; + + e_inval: + return -EINVAL; +-- +2.17.1 + diff --git a/queue-4.14/libceph-factor-out-__prepare_write_connect.patch b/queue-4.14/libceph-factor-out-__prepare_write_connect.patch new file mode 100644 index 00000000000..30648258031 --- /dev/null +++ b/queue-4.14/libceph-factor-out-__prepare_write_connect.patch @@ -0,0 +1,60 @@ +From 55b4028d703b5184ee8cb15af858eba1da52277e Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Thu, 26 Jul 2018 17:43:47 +0200 +Subject: libceph: factor out __prepare_write_connect() + +commit c0f56b483aa09c99bfe97409a43ad786f33b8a5a upstream. + +Will be used for sending ceph_msg_connect with an updated authorizer, +after the server challenges the initial authorizer. + +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + net/ceph/messenger.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index 3a82e6d2864b..0b121327d32f 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -1446,6 +1446,17 @@ static void prepare_write_banner(struct ceph_connection *con) + con_flag_set(con, CON_FLAG_WRITE_PENDING); + } + ++static void __prepare_write_connect(struct ceph_connection *con) ++{ ++ con_out_kvec_add(con, sizeof(con->out_connect), &con->out_connect); ++ if (con->auth) ++ con_out_kvec_add(con, con->auth->authorizer_buf_len, ++ con->auth->authorizer_buf); ++ ++ con->out_more = 0; ++ con_flag_set(con, CON_FLAG_WRITE_PENDING); ++} ++ + static int prepare_write_connect(struct ceph_connection *con) + { + unsigned int global_seq = get_global_seq(con->msgr, 0); +@@ -1481,15 +1492,7 @@ static int prepare_write_connect(struct ceph_connection *con) + if (ret) + return ret; + +- con_out_kvec_add(con, sizeof (con->out_connect), +- &con->out_connect); +- if (con->auth) +- con_out_kvec_add(con, con->auth->authorizer_buf_len, +- con->auth->authorizer_buf); +- +- con->out_more = 0; +- con_flag_set(con, CON_FLAG_WRITE_PENDING); +- ++ __prepare_write_connect(con); + return 0; + } + +-- +2.17.1 + diff --git a/queue-4.14/libceph-factor-out-encrypt_authorizer.patch b/queue-4.14/libceph-factor-out-encrypt_authorizer.patch new file mode 100644 index 00000000000..a2ea29d0702 --- /dev/null +++ b/queue-4.14/libceph-factor-out-encrypt_authorizer.patch @@ -0,0 +1,97 @@ +From 007883236b05988d113f8aa20efd4a50b1ad7e91 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Fri, 27 Jul 2018 16:37:54 +0200 +Subject: libceph: factor out encrypt_authorizer() + +commit 149cac4a50b0b4081b38b2f38de6ef71c27eaa85 upstream. + +Will be used for encrypting both the initial and updated authorizers. + +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + net/ceph/auth_x.c | 49 ++++++++++++++++++++++++++++++++++------------- + 1 file changed, 36 insertions(+), 13 deletions(-) + +diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c +index 9cac05239346..722791f45b2a 100644 +--- a/net/ceph/auth_x.c ++++ b/net/ceph/auth_x.c +@@ -290,6 +290,38 @@ bad: + return -EINVAL; + } + ++/* ++ * Encode and encrypt the second part (ceph_x_authorize_b) of the ++ * authorizer. The first part (ceph_x_authorize_a) should already be ++ * encoded. ++ */ ++static int encrypt_authorizer(struct ceph_x_authorizer *au) ++{ ++ struct ceph_x_authorize_a *msg_a; ++ struct ceph_x_authorize_b *msg_b; ++ void *p, *end; ++ int ret; ++ ++ msg_a = au->buf->vec.iov_base; ++ WARN_ON(msg_a->ticket_blob.secret_id != cpu_to_le64(au->secret_id)); ++ p = (void *)(msg_a + 1) + le32_to_cpu(msg_a->ticket_blob.blob_len); ++ end = au->buf->vec.iov_base + au->buf->vec.iov_len; ++ ++ msg_b = p + ceph_x_encrypt_offset(); ++ msg_b->struct_v = 1; ++ msg_b->nonce = cpu_to_le64(au->nonce); ++ ++ ret = ceph_x_encrypt(&au->session_key, p, end - p, sizeof(*msg_b)); ++ if (ret < 0) ++ return ret; ++ ++ p += ret; ++ WARN_ON(p > end); ++ au->buf->vec.iov_len = p - au->buf->vec.iov_base; ++ ++ return 0; ++} ++ + static void ceph_x_authorizer_cleanup(struct ceph_x_authorizer *au) + { + ceph_crypto_key_destroy(&au->session_key); +@@ -306,7 +338,6 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac, + int maxlen; + struct ceph_x_authorize_a *msg_a; + struct ceph_x_authorize_b *msg_b; +- void *p, *end; + int ret; + int ticket_blob_len = + (th->ticket_blob ? th->ticket_blob->vec.iov_len : 0); +@@ -350,21 +381,13 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac, + dout(" th %p secret_id %lld %lld\n", th, th->secret_id, + le64_to_cpu(msg_a->ticket_blob.secret_id)); + +- p = msg_a + 1; +- p += ticket_blob_len; +- end = au->buf->vec.iov_base + au->buf->vec.iov_len; +- +- msg_b = p + ceph_x_encrypt_offset(); +- msg_b->struct_v = 1; + get_random_bytes(&au->nonce, sizeof(au->nonce)); +- msg_b->nonce = cpu_to_le64(au->nonce); +- ret = ceph_x_encrypt(&au->session_key, p, end - p, sizeof(*msg_b)); +- if (ret < 0) ++ ret = encrypt_authorizer(au); ++ if (ret) { ++ pr_err("failed to encrypt authorizer: %d", ret); + goto out_au; ++ } + +- p += ret; +- WARN_ON(p > end); +- au->buf->vec.iov_len = p - au->buf->vec.iov_base; + dout(" built authorizer nonce %llx len %d\n", au->nonce, + (int)au->buf->vec.iov_len); + return 0; +-- +2.17.1 + diff --git a/queue-4.14/libceph-implement-cephx_v2-calculation-mode.patch b/queue-4.14/libceph-implement-cephx_v2-calculation-mode.patch new file mode 100644 index 00000000000..f70ef4bd495 --- /dev/null +++ b/queue-4.14/libceph-implement-cephx_v2-calculation-mode.patch @@ -0,0 +1,146 @@ +From 14735e0afb6ed378becd0dedf37d1e5ddfa12084 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Fri, 27 Jul 2018 19:25:32 +0200 +Subject: libceph: implement CEPHX_V2 calculation mode + +commit cc255c76c70f7a87d97939621eae04b600d9f4a1 upstream. + +Derive the signature from the entire buffer (both AES cipher blocks) +instead of using just the first half of the first block, leaving out +data_crc entirely. + +This addresses CVE-2018-1129. + +Link: http://tracker.ceph.com/issues/24837 +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + include/linux/ceph/ceph_features.h | 7 +-- + net/ceph/auth_x.c | 73 +++++++++++++++++++++++------- + 2 files changed, 60 insertions(+), 20 deletions(-) + +diff --git a/include/linux/ceph/ceph_features.h b/include/linux/ceph/ceph_features.h +index 59042d5ac520..70f42eef813b 100644 +--- a/include/linux/ceph/ceph_features.h ++++ b/include/linux/ceph/ceph_features.h +@@ -165,9 +165,9 @@ DEFINE_CEPH_FEATURE(58, 1, FS_FILE_LAYOUT_V2) // overlap + DEFINE_CEPH_FEATURE(59, 1, FS_BTIME) + DEFINE_CEPH_FEATURE(59, 1, FS_CHANGE_ATTR) // overlap + DEFINE_CEPH_FEATURE(59, 1, MSG_ADDR2) // overlap +-DEFINE_CEPH_FEATURE(60, 1, BLKIN_TRACING) // *do not share this bit* ++DEFINE_CEPH_FEATURE(60, 1, OSD_RECOVERY_DELETES) // *do not share this bit* ++DEFINE_CEPH_FEATURE(61, 1, CEPHX_V2) // *do not share this bit* + +-DEFINE_CEPH_FEATURE(61, 1, RESERVED2) // unused, but slow down! + DEFINE_CEPH_FEATURE(62, 1, RESERVED) // do not use; used as a sentinal + DEFINE_CEPH_FEATURE_DEPRECATED(63, 1, RESERVED_BROKEN, LUMINOUS) // client-facing + +@@ -209,7 +209,8 @@ DEFINE_CEPH_FEATURE_DEPRECATED(63, 1, RESERVED_BROKEN, LUMINOUS) // client-facin + CEPH_FEATURE_SERVER_JEWEL | \ + CEPH_FEATURE_MON_STATEFUL_SUB | \ + CEPH_FEATURE_CRUSH_TUNABLES5 | \ +- CEPH_FEATURE_NEW_OSDOPREPLY_ENCODING) ++ CEPH_FEATURE_NEW_OSDOPREPLY_ENCODING | \ ++ CEPH_FEATURE_CEPHX_V2) + + #define CEPH_FEATURES_REQUIRED_DEFAULT \ + (CEPH_FEATURE_NOSRCADDR | \ +diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c +index ce28bb07d8fd..10eb759bbcb4 100644 +--- a/net/ceph/auth_x.c ++++ b/net/ceph/auth_x.c +@@ -9,6 +9,7 @@ + + #include + #include ++#include + #include + #include + +@@ -803,26 +804,64 @@ static int calc_signature(struct ceph_x_authorizer *au, struct ceph_msg *msg, + __le64 *psig) + { + void *enc_buf = au->enc_buf; +- struct { +- __le32 len; +- __le32 header_crc; +- __le32 front_crc; +- __le32 middle_crc; +- __le32 data_crc; +- } __packed *sigblock = enc_buf + ceph_x_encrypt_offset(); + int ret; + +- sigblock->len = cpu_to_le32(4*sizeof(u32)); +- sigblock->header_crc = msg->hdr.crc; +- sigblock->front_crc = msg->footer.front_crc; +- sigblock->middle_crc = msg->footer.middle_crc; +- sigblock->data_crc = msg->footer.data_crc; +- ret = ceph_x_encrypt(&au->session_key, enc_buf, CEPHX_AU_ENC_BUF_LEN, +- sizeof(*sigblock)); +- if (ret < 0) +- return ret; ++ if (!CEPH_HAVE_FEATURE(msg->con->peer_features, CEPHX_V2)) { ++ struct { ++ __le32 len; ++ __le32 header_crc; ++ __le32 front_crc; ++ __le32 middle_crc; ++ __le32 data_crc; ++ } __packed *sigblock = enc_buf + ceph_x_encrypt_offset(); ++ ++ sigblock->len = cpu_to_le32(4*sizeof(u32)); ++ sigblock->header_crc = msg->hdr.crc; ++ sigblock->front_crc = msg->footer.front_crc; ++ sigblock->middle_crc = msg->footer.middle_crc; ++ sigblock->data_crc = msg->footer.data_crc; ++ ++ ret = ceph_x_encrypt(&au->session_key, enc_buf, ++ CEPHX_AU_ENC_BUF_LEN, sizeof(*sigblock)); ++ if (ret < 0) ++ return ret; ++ ++ *psig = *(__le64 *)(enc_buf + sizeof(u32)); ++ } else { ++ struct { ++ __le32 header_crc; ++ __le32 front_crc; ++ __le32 front_len; ++ __le32 middle_crc; ++ __le32 middle_len; ++ __le32 data_crc; ++ __le32 data_len; ++ __le32 seq_lower_word; ++ } __packed *sigblock = enc_buf; ++ struct { ++ __le64 a, b, c, d; ++ } __packed *penc = enc_buf; ++ int ciphertext_len; ++ ++ sigblock->header_crc = msg->hdr.crc; ++ sigblock->front_crc = msg->footer.front_crc; ++ sigblock->front_len = msg->hdr.front_len; ++ sigblock->middle_crc = msg->footer.middle_crc; ++ sigblock->middle_len = msg->hdr.middle_len; ++ sigblock->data_crc = msg->footer.data_crc; ++ sigblock->data_len = msg->hdr.data_len; ++ sigblock->seq_lower_word = *(__le32 *)&msg->hdr.seq; ++ ++ /* no leading len, no ceph_x_encrypt_header */ ++ ret = ceph_crypt(&au->session_key, true, enc_buf, ++ CEPHX_AU_ENC_BUF_LEN, sizeof(*sigblock), ++ &ciphertext_len); ++ if (ret) ++ return ret; ++ ++ *psig = penc->a ^ penc->b ^ penc->c ^ penc->d; ++ } + +- *psig = *(__le64 *)(enc_buf + sizeof(u32)); + return 0; + } + +-- +2.17.1 + diff --git a/queue-4.14/libceph-store-ceph_auth_handshake-pointer-in-ceph_co.patch b/queue-4.14/libceph-store-ceph_auth_handshake-pointer-in-ceph_co.patch new file mode 100644 index 00000000000..f9d4a9958b9 --- /dev/null +++ b/queue-4.14/libceph-store-ceph_auth_handshake-pointer-in-ceph_co.patch @@ -0,0 +1,152 @@ +From c30cbc400acba029b39ee6098a7907f9194b149d Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Thu, 26 Jul 2018 15:17:46 +0200 +Subject: libceph: store ceph_auth_handshake pointer in ceph_connection + +commit 262614c4294d33b1f19e0d18c0091d9c329b544a upstream. + +We already copy authorizer_reply_buf and authorizer_reply_buf_len into +ceph_connection. Factoring out __prepare_write_connect() requires two +more: authorizer_buf and authorizer_buf_len. Store the pointer to the +handshake in con->auth rather than piling on. + +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + include/linux/ceph/messenger.h | 3 +- + net/ceph/messenger.c | 54 ++++++++++++++++------------------ + 2 files changed, 27 insertions(+), 30 deletions(-) + +diff --git a/include/linux/ceph/messenger.h b/include/linux/ceph/messenger.h +index ead9d85f1c11..9056077c023f 100644 +--- a/include/linux/ceph/messenger.h ++++ b/include/linux/ceph/messenger.h +@@ -203,9 +203,8 @@ struct ceph_connection { + attempt for this connection, client */ + u32 peer_global_seq; /* peer's global seq for this connection */ + ++ struct ceph_auth_handshake *auth; + int auth_retry; /* true if we need a newer authorizer */ +- void *auth_reply_buf; /* where to put the authorizer reply */ +- int auth_reply_buf_len; + + struct mutex mutex; + +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index 5281da82371a..3a82e6d2864b 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -1411,24 +1411,26 @@ static void prepare_write_keepalive(struct ceph_connection *con) + * Connection negotiation. + */ + +-static struct ceph_auth_handshake *get_connect_authorizer(struct ceph_connection *con, +- int *auth_proto) ++static int get_connect_authorizer(struct ceph_connection *con) + { + struct ceph_auth_handshake *auth; ++ int auth_proto; + + if (!con->ops->get_authorizer) { ++ con->auth = NULL; + con->out_connect.authorizer_protocol = CEPH_AUTH_UNKNOWN; + con->out_connect.authorizer_len = 0; +- return NULL; ++ return 0; + } + +- auth = con->ops->get_authorizer(con, auth_proto, con->auth_retry); ++ auth = con->ops->get_authorizer(con, &auth_proto, con->auth_retry); + if (IS_ERR(auth)) +- return auth; ++ return PTR_ERR(auth); + +- con->auth_reply_buf = auth->authorizer_reply_buf; +- con->auth_reply_buf_len = auth->authorizer_reply_buf_len; +- return auth; ++ con->auth = auth; ++ con->out_connect.authorizer_protocol = cpu_to_le32(auth_proto); ++ con->out_connect.authorizer_len = cpu_to_le32(auth->authorizer_buf_len); ++ return 0; + } + + /* +@@ -1448,8 +1450,7 @@ static int prepare_write_connect(struct ceph_connection *con) + { + unsigned int global_seq = get_global_seq(con->msgr, 0); + int proto; +- int auth_proto; +- struct ceph_auth_handshake *auth; ++ int ret; + + switch (con->peer_name.type) { + case CEPH_ENTITY_TYPE_MON: +@@ -1476,20 +1477,15 @@ static int prepare_write_connect(struct ceph_connection *con) + con->out_connect.protocol_version = cpu_to_le32(proto); + con->out_connect.flags = 0; + +- auth_proto = CEPH_AUTH_UNKNOWN; +- auth = get_connect_authorizer(con, &auth_proto); +- if (IS_ERR(auth)) +- return PTR_ERR(auth); +- +- con->out_connect.authorizer_protocol = cpu_to_le32(auth_proto); +- con->out_connect.authorizer_len = auth ? +- cpu_to_le32(auth->authorizer_buf_len) : 0; ++ ret = get_connect_authorizer(con); ++ if (ret) ++ return ret; + + con_out_kvec_add(con, sizeof (con->out_connect), + &con->out_connect); +- if (auth && auth->authorizer_buf_len) +- con_out_kvec_add(con, auth->authorizer_buf_len, +- auth->authorizer_buf); ++ if (con->auth) ++ con_out_kvec_add(con, con->auth->authorizer_buf_len, ++ con->auth->authorizer_buf); + + con->out_more = 0; + con_flag_set(con, CON_FLAG_WRITE_PENDING); +@@ -1753,11 +1749,14 @@ static int read_partial_connect(struct ceph_connection *con) + if (ret <= 0) + goto out; + +- size = le32_to_cpu(con->in_reply.authorizer_len); +- end += size; +- ret = read_partial(con, end, size, con->auth_reply_buf); +- if (ret <= 0) +- goto out; ++ if (con->auth) { ++ size = le32_to_cpu(con->in_reply.authorizer_len); ++ end += size; ++ ret = read_partial(con, end, size, ++ con->auth->authorizer_reply_buf); ++ if (ret <= 0) ++ goto out; ++ } + + dout("read_partial_connect %p tag %d, con_seq = %u, g_seq = %u\n", + con, (int)con->in_reply.tag, +@@ -1765,7 +1764,6 @@ static int read_partial_connect(struct ceph_connection *con) + le32_to_cpu(con->in_reply.global_seq)); + out: + return ret; +- + } + + /* +@@ -2048,7 +2046,7 @@ static int process_connect(struct ceph_connection *con) + + dout("process_connect on %p tag %d\n", con, (int)con->in_tag); + +- if (con->auth_reply_buf) { ++ if (con->auth) { + /* + * Any connection that defines ->get_authorizer() + * should also define ->verify_authorizer_reply(). +-- +2.17.1 + diff --git a/queue-4.14/media-em28xx-fix-use-after-free-when-disconnecting.patch b/queue-4.14/media-em28xx-fix-use-after-free-when-disconnecting.patch new file mode 100644 index 00000000000..0206285b118 --- /dev/null +++ b/queue-4.14/media-em28xx-fix-use-after-free-when-disconnecting.patch @@ -0,0 +1,91 @@ +From 3e5d52f97edee1e861bfc579bb1924c7b5e655f8 Mon Sep 17 00:00:00 2001 +From: Matthias Schwarzott +Date: Mon, 30 Oct 2017 06:07:29 -0400 +Subject: media: em28xx: Fix use-after-free when disconnecting + +[ Upstream commit 910b0797fa9e8af09c44a3fa36cb310ba7a7218d ] + +Fix bug by moving the i2c_unregister_device calls after deregistration +of dvb frontend. + +The new style i2c drivers already destroys the frontend object at +i2c_unregister_device time. +When the dvb frontend is unregistered afterwards it leads to this oops: + + [ 6058.866459] BUG: unable to handle kernel NULL pointer dereference at 00000000000001f8 + [ 6058.866578] IP: dvb_frontend_stop+0x30/0xd0 [dvb_core] + [ 6058.866644] PGD 0 + [ 6058.866646] P4D 0 + + [ 6058.866726] Oops: 0000 [#1] SMP + [ 6058.866768] Modules linked in: rc_pinnacle_pctv_hd(O) em28xx_rc(O) si2157(O) si2168(O) em28xx_dvb(O) em28xx(O) si2165(O) a8293(O) tda10071(O) tea5767(O) tuner(O) cx23885(O) tda18271(O) videobuf2_dvb(O) videobuf2_dma_sg(O) m88ds3103(O) tveeprom(O) cx2341x(O) v4l2_common(O) dvb_core(O) rc_core(O) videobuf2_memops(O) videobuf2_v4l2(O) videobuf2_core(O) videodev(O) media(O) bluetooth ecdh_generic ums_realtek uas rtl8192cu rtl_usb rtl8192c_common rtlwifi usb_storage snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic i2c_mux snd_hda_intel snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core kvm_intel kvm irqbypass [last unloaded: videobuf2_memops] + [ 6058.867497] CPU: 2 PID: 7349 Comm: kworker/2:0 Tainted: G W O 4.13.9-gentoo #1 + [ 6058.867595] Hardware name: MEDION E2050 2391/H81H3-EM2, BIOS H81EM2W08.308 08/25/2014 + [ 6058.867692] Workqueue: usb_hub_wq hub_event + [ 6058.867746] task: ffff88011a15e040 task.stack: ffffc90003074000 + [ 6058.867825] RIP: 0010:dvb_frontend_stop+0x30/0xd0 [dvb_core] + [ 6058.867896] RSP: 0018:ffffc90003077b58 EFLAGS: 00010293 + [ 6058.867964] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000010040001f + [ 6058.868056] RDX: ffff88011a15e040 RSI: ffffea000464e400 RDI: ffff88001cbe3028 + [ 6058.868150] RBP: ffffc90003077b68 R08: ffff880119390380 R09: 000000010040001f + [ 6058.868241] R10: ffffc90003077b18 R11: 000000000001e200 R12: ffff88001cbe3028 + [ 6058.868330] R13: ffff88001cbe68d0 R14: ffff8800cf734000 R15: ffff8800cf734098 + [ 6058.868419] FS: 0000000000000000(0000) GS:ffff88011fb00000(0000) knlGS:0000000000000000 + [ 6058.868511] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 6058.868578] CR2: 00000000000001f8 CR3: 00000001113c5000 CR4: 00000000001406e0 + [ 6058.868662] Call Trace: + [ 6058.868705] dvb_unregister_frontend+0x2a/0x80 [dvb_core] + [ 6058.868774] em28xx_dvb_fini+0x132/0x220 [em28xx_dvb] + [ 6058.868840] em28xx_close_extension+0x34/0x90 [em28xx] + [ 6058.868902] em28xx_usb_disconnect+0x4e/0x70 [em28xx] + [ 6058.868968] usb_unbind_interface+0x6d/0x260 + [ 6058.869025] device_release_driver_internal+0x150/0x210 + [ 6058.869094] device_release_driver+0xd/0x10 + [ 6058.869150] bus_remove_device+0xe4/0x160 + [ 6058.869204] device_del+0x1ce/0x2f0 + [ 6058.869253] usb_disable_device+0x99/0x270 + [ 6058.869306] usb_disconnect+0x8d/0x260 + [ 6058.869359] hub_event+0x93d/0x1520 + [ 6058.869408] ? dequeue_task_fair+0xae5/0xd20 + [ 6058.869467] process_one_work+0x1d9/0x3e0 + [ 6058.869522] worker_thread+0x43/0x3e0 + [ 6058.869576] kthread+0x104/0x140 + [ 6058.869602] ? trace_event_raw_event_workqueue_work+0x80/0x80 + [ 6058.869640] ? kthread_create_on_node+0x40/0x40 + [ 6058.869673] ret_from_fork+0x22/0x30 + [ 6058.869698] Code: 54 49 89 fc 53 48 8b 9f 18 03 00 00 0f 1f 44 00 00 41 83 bc 24 04 05 00 00 02 74 0c 41 c7 84 24 04 05 00 00 01 00 00 00 0f ae f0 <48> 8b bb f8 01 00 00 48 85 ff 74 5c e8 df 40 f0 e0 48 8b 93 f8 + [ 6058.869850] RIP: dvb_frontend_stop+0x30/0xd0 [dvb_core] RSP: ffffc90003077b58 + [ 6058.869894] CR2: 00000000000001f8 + [ 6058.875880] ---[ end trace 717eecf7193b3fc6 ]--- + +Signed-off-by: Matthias Schwarzott +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-dvb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c +index 4a7db623fe29..29cdaaf1ed90 100644 +--- a/drivers/media/usb/em28xx/em28xx-dvb.c ++++ b/drivers/media/usb/em28xx/em28xx-dvb.c +@@ -2105,6 +2105,8 @@ static int em28xx_dvb_fini(struct em28xx *dev) + } + } + ++ em28xx_unregister_dvb(dvb); ++ + /* remove I2C SEC */ + client = dvb->i2c_client_sec; + if (client) { +@@ -2126,7 +2128,6 @@ static int em28xx_dvb_fini(struct em28xx *dev) + i2c_unregister_device(client); + } + +- em28xx_unregister_dvb(dvb); + kfree(dvb); + dev->dvb = NULL; + kref_put(&dev->ref, em28xx_free_device); +-- +2.17.1 + diff --git a/queue-4.14/net-tls-fixed-return-value-when-tls_complete_pending.patch b/queue-4.14/net-tls-fixed-return-value-when-tls_complete_pending.patch new file mode 100644 index 00000000000..09405aba7b1 --- /dev/null +++ b/queue-4.14/net-tls-fixed-return-value-when-tls_complete_pending.patch @@ -0,0 +1,66 @@ +From 4f3a265cee9e47bdd279ed75dd9aa112a4eb7aa7 Mon Sep 17 00:00:00 2001 +From: Vakul Garg +Date: Mon, 10 Sep 2018 22:53:46 +0530 +Subject: net/tls: Fixed return value when tls_complete_pending_work() fails + +commit 150085791afb8054e11d2e080d4b9cd755dd7f69 upstream. + +In tls_sw_sendmsg() and tls_sw_sendpage(), the variable 'ret' has +been set to return value of tls_complete_pending_work(). This allows +return of proper error code if tls_complete_pending_work() fails. + +Fixes: 3c4d7559159b ("tls: kernel TLS support") +Signed-off-by: Vakul Garg +Signed-off-by: David S. Miller +[bwh: Backported to 4.14: adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 5996fb5756e1..d18d4a478e4f 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -388,7 +388,7 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + { + struct tls_context *tls_ctx = tls_get_ctx(sk); + struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx); +- int ret = 0; ++ int ret; + int required_size; + long timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); + bool eor = !(msg->msg_flags & MSG_MORE); +@@ -403,7 +403,8 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + + lock_sock(sk); + +- if (tls_complete_pending_work(sk, tls_ctx, msg->msg_flags, &timeo)) ++ ret = tls_complete_pending_work(sk, tls_ctx, msg->msg_flags, &timeo); ++ if (ret) + goto send_end; + + if (unlikely(msg->msg_controllen)) { +@@ -539,7 +540,7 @@ int tls_sw_sendpage(struct sock *sk, struct page *page, + { + struct tls_context *tls_ctx = tls_get_ctx(sk); + struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx); +- int ret = 0; ++ int ret; + long timeo = sock_sndtimeo(sk, flags & MSG_DONTWAIT); + bool eor; + size_t orig_size = size; +@@ -559,7 +560,8 @@ int tls_sw_sendpage(struct sock *sk, struct page *page, + + sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk); + +- if (tls_complete_pending_work(sk, tls_ctx, flags, &timeo)) ++ ret = tls_complete_pending_work(sk, tls_ctx, flags, &timeo); ++ if (ret) + goto sendpage_end; + + /* Call the sk_stream functions to manage the sndbuf mem. */ +-- +2.17.1 + diff --git a/queue-4.14/revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch b/queue-4.14/revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch new file mode 100644 index 00000000000..ada90bab0ce --- /dev/null +++ b/queue-4.14/revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch @@ -0,0 +1,90 @@ +From c7056af71383df8c55db643227f7012d0ce49536 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Dec 2018 10:03:24 -0500 +Subject: Revert "wlcore: Add missing PM call for + wlcore_cmd_wait_for_event_or_timeout()" + +This reverts commit e87efc44dd36ba3db59847c418354711ebad779b which was +upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1. + +From Dietmar May's report on the stable mailing list +(https://www.spinics.net/lists/stable/msg272201.html): + +> I've run into some problems which appear due to (a) recent patch(es) on +> the wlcore wifi driver. +> +> 4.4.160 - commit 3fdd34643ffc378b5924941fad40352c04610294 +> 4.9.131 - commit afeeecc764436f31d4447575bb9007732333818c +> +> Earlier versions (4.9.130 and 4.4.159 - tested back to 4.4.49) do not +> exhibit this problem. It is still present in 4.9.141. +> +> master as of 4.20.0-rc4 does not exhibit this problem. +> +> Basically, during client association when in AP mode (running hostapd), +> handshake may or may not complete following a noticeable delay. If +> successful, then the driver fails consistently in warn_slowpath_null +> during disassociation. If unsuccessful, the wifi client attempts multiple +> times, sometimes failing repeatedly. I've had clients unable to connect +> for 3-5 minutes during testing, with the syslog filled with dozens of +> backtraces. syslog details are below. +> +> I'm working on an embedded device with a TI 3352 ARM processor and a +> murata wl1271 module in sdio mode. We're running a fully patched ubuntu +> 18.04 ARM build, with a kernel built from kernel.org's stable/linux repo . +> Relevant parts of the kernel config are included below. +> +> The commit message states: +> +> > /I've only seen this few times with the runtime PM patches enabled so +> > this one is probably not needed before that. This seems to work +> > currently based on the current PM implementation timer. Let's apply +> > this separately though in case others are hitting this issue./ +> We're not doing anything explicit with power management. The device is an +> IoT edge gateway with battery backup, normally running on wall power. The +> battery is currently used solely to shut down the system cleanly to avoid +> filesystem corruption. +> +> The device tree is configured to keep power in suspend; but the device +> should never suspend, so in our case, there is no need to call +> wl1271_ps_elp_wakeup() or wl1271_ps_elp_sleep(), as occurs in the patch. + +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/cmd.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/net/wireless/ti/wlcore/cmd.c b/drivers/net/wireless/ti/wlcore/cmd.c +index f48c3f62966d..761cf8573a80 100644 +--- a/drivers/net/wireless/ti/wlcore/cmd.c ++++ b/drivers/net/wireless/ti/wlcore/cmd.c +@@ -35,7 +35,6 @@ + #include "wl12xx_80211.h" + #include "cmd.h" + #include "event.h" +-#include "ps.h" + #include "tx.h" + #include "hw_ops.h" + +@@ -192,10 +191,6 @@ int wlcore_cmd_wait_for_event_or_timeout(struct wl1271 *wl, + + timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT); + +- ret = wl1271_ps_elp_wakeup(wl); +- if (ret < 0) +- return ret; +- + do { + if (time_after(jiffies, timeout_time)) { + wl1271_debug(DEBUG_CMD, "timeout waiting for event %d", +@@ -227,7 +222,6 @@ int wlcore_cmd_wait_for_event_or_timeout(struct wl1271 *wl, + } while (!event); + + out: +- wl1271_ps_elp_sleep(wl); + kfree(events_vector); + return ret; + } +-- +2.17.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 90eec8e08f2..5f8e6e9eeaa 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -8,3 +8,51 @@ mm-khugepaged-collapse_shmem-remember-to-clear-holes.patch mm-khugepaged-minor-reorderings-in-collapse_shmem.patch mm-khugepaged-collapse_shmem-without-freezing-new_pa.patch mm-khugepaged-collapse_shmem-do-not-crash-on-compoun.patch +media-em28xx-fix-use-after-free-when-disconnecting.patch +ubi-initialize-fastmap-checkmapping-correctly.patch +libceph-store-ceph_auth_handshake-pointer-in-ceph_co.patch +libceph-factor-out-__prepare_write_connect.patch +libceph-factor-out-__ceph_x_decrypt.patch +libceph-factor-out-encrypt_authorizer.patch +libceph-add-authorizer-challenge.patch +libceph-implement-cephx_v2-calculation-mode.patch +bpf-prevent-memory-disambiguation-attack.patch +tls-add-function-to-update-the-tls-socket-configurat.patch +tls-fix-tls-ulp-context-leak-when-tls_tx-setsockopt-.patch +tls-avoid-copying-crypto_info-again-after-cipher_typ.patch +tls-don-t-override-sk_write_space-if-tls_set_sw_offl.patch +tls-use-correct-sk-sk_prot-for-ipv6.patch +net-tls-fixed-return-value-when-tls_complete_pending.patch +wil6210-missing-length-check-in-wmi_set_ie.patch +btrfs-validate-type-when-reading-a-chunk.patch +btrfs-verify-that-every-chunk-has-corresponding-bloc.patch +btrfs-refactor-check_leaf-function-for-later-expansi.patch +btrfs-check-if-item-pointer-overlaps-with-the-item-i.patch +btrfs-add-sanity-check-for-extent_data-when-reading-.patch +btrfs-add-checker-for-extent_csum.patch +btrfs-move-leaf-and-node-validation-checker-to-tree-.patch +btrfs-tree-checker-enhance-btrfs_check_node-output.patch +btrfs-tree-checker-fix-false-panic-for-sanity-test.patch +btrfs-tree-checker-add-checker-for-dir-item.patch +btrfs-tree-checker-use-zu-format-string-for-size_t.patch +btrfs-tree-check-reduce-stack-consumption-in-check_d.patch +btrfs-tree-checker-verify-block_group_item.patch +btrfs-tree-checker-detect-invalid-and-empty-essentia.patch +btrfs-check-that-each-block-group-has-corresponding-.patch +btrfs-tree-checker-check-level-for-leaves-and-nodes.patch +btrfs-tree-checker-fix-misleading-group-system-infor.patch +f2fs-check-blkaddr-more-accuratly-before-issue-a-bio.patch +f2fs-sanity-check-on-sit-entry.patch +f2fs-enhance-sanity_check_raw_super-to-avoid-potenti.patch +f2fs-clean-up-with-is_valid_blkaddr.patch +f2fs-introduce-and-spread-verify_blkaddr.patch +f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch +f2fs-add-sanity_check_inode-function.patch +f2fs-fix-to-do-sanity-check-with-extra_attr-feature.patch +f2fs-fix-to-do-sanity-check-with-user_block_count.patch +f2fs-fix-to-do-sanity-check-with-node-footer-and-ibl.patch +f2fs-fix-to-do-sanity-check-with-block-address-in-ma.patch +f2fs-fix-to-do-sanity-check-with-i_extra_isize.patch +f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch +xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch +revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch diff --git a/queue-4.14/tls-add-function-to-update-the-tls-socket-configurat.patch b/queue-4.14/tls-add-function-to-update-the-tls-socket-configurat.patch new file mode 100644 index 00000000000..e46d60d8953 --- /dev/null +++ b/queue-4.14/tls-add-function-to-update-the-tls-socket-configurat.patch @@ -0,0 +1,129 @@ +From 75c0c62057604caac55e70d89af87317db0a7169 Mon Sep 17 00:00:00 2001 +From: Ilya Lesokhin +Date: Mon, 13 Nov 2017 10:22:45 +0200 +Subject: tls: Add function to update the TLS socket configuration + +commit 6d88207fcfddc002afe3e2e4a455e5201089d5d9 upstream. + +The tx configuration is now stored in ctx->tx_conf. +And sk->sk_prot is updated trough a function +This will simplify things when we add rx +and support for different possible +tx and rx cross configurations. + +Signed-off-by: Ilya Lesokhin +Signed-off-by: David S. Miller +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 2 ++ + net/tls/tls_main.c | 46 ++++++++++++++++++++++++++++++++-------------- + 2 files changed, 34 insertions(+), 14 deletions(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index 86ed3dd80fe7..0c3ab2af74d3 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -89,6 +89,8 @@ struct tls_context { + + void *priv_ctx; + ++ u8 tx_conf:2; ++ + u16 prepend_size; + u16 tag_size; + u16 overhead_size; +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 4f2971f528db..191a8adee3ea 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -46,8 +46,18 @@ MODULE_DESCRIPTION("Transport Layer Security Support"); + MODULE_LICENSE("Dual BSD/GPL"); + MODULE_ALIAS_TCP_ULP("tls"); + +-static struct proto tls_base_prot; +-static struct proto tls_sw_prot; ++enum { ++ TLS_BASE_TX, ++ TLS_SW_TX, ++ TLS_NUM_CONFIG, ++}; ++ ++static struct proto tls_prots[TLS_NUM_CONFIG]; ++ ++static inline void update_sk_prot(struct sock *sk, struct tls_context *ctx) ++{ ++ sk->sk_prot = &tls_prots[ctx->tx_conf]; ++} + + int wait_on_pending_writer(struct sock *sk, long *timeo) + { +@@ -364,8 +374,8 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, + { + struct tls_crypto_info *crypto_info, tmp_crypto_info; + struct tls_context *ctx = tls_get_ctx(sk); +- struct proto *prot = NULL; + int rc = 0; ++ int tx_conf; + + if (!optval || (optlen < sizeof(*crypto_info))) { + rc = -EINVAL; +@@ -422,11 +432,12 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, + + /* currently SW is default, we will have ethtool in future */ + rc = tls_set_sw_offload(sk, ctx); +- prot = &tls_sw_prot; ++ tx_conf = TLS_SW_TX; + if (rc) + goto err_crypto_info; + +- sk->sk_prot = prot; ++ ctx->tx_conf = tx_conf; ++ update_sk_prot(sk, ctx); + goto out; + + err_crypto_info: +@@ -488,7 +499,9 @@ static int tls_init(struct sock *sk) + icsk->icsk_ulp_data = ctx; + ctx->setsockopt = sk->sk_prot->setsockopt; + ctx->getsockopt = sk->sk_prot->getsockopt; +- sk->sk_prot = &tls_base_prot; ++ ++ ctx->tx_conf = TLS_BASE_TX; ++ update_sk_prot(sk, ctx); + out: + return rc; + } +@@ -499,16 +512,21 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = { + .init = tls_init, + }; + ++static void build_protos(struct proto *prot, struct proto *base) ++{ ++ prot[TLS_BASE_TX] = *base; ++ prot[TLS_BASE_TX].setsockopt = tls_setsockopt; ++ prot[TLS_BASE_TX].getsockopt = tls_getsockopt; ++ ++ prot[TLS_SW_TX] = prot[TLS_BASE_TX]; ++ prot[TLS_SW_TX].close = tls_sk_proto_close; ++ prot[TLS_SW_TX].sendmsg = tls_sw_sendmsg; ++ prot[TLS_SW_TX].sendpage = tls_sw_sendpage; ++} ++ + static int __init tls_register(void) + { +- tls_base_prot = tcp_prot; +- tls_base_prot.setsockopt = tls_setsockopt; +- tls_base_prot.getsockopt = tls_getsockopt; +- +- tls_sw_prot = tls_base_prot; +- tls_sw_prot.sendmsg = tls_sw_sendmsg; +- tls_sw_prot.sendpage = tls_sw_sendpage; +- tls_sw_prot.close = tls_sk_proto_close; ++ build_protos(tls_prots, &tcp_prot); + + tcp_register_ulp(&tcp_tls_ulp_ops); + +-- +2.17.1 + diff --git a/queue-4.14/tls-avoid-copying-crypto_info-again-after-cipher_typ.patch b/queue-4.14/tls-avoid-copying-crypto_info-again-after-cipher_typ.patch new file mode 100644 index 00000000000..79ef50db60c --- /dev/null +++ b/queue-4.14/tls-avoid-copying-crypto_info-again-after-cipher_typ.patch @@ -0,0 +1,91 @@ +From 83006446cf9037a89bafe41e8c93ae3c67a91ed4 Mon Sep 17 00:00:00 2001 +From: Ilya Lesokhin +Date: Mon, 13 Nov 2017 10:22:48 +0200 +Subject: tls: Avoid copying crypto_info again after cipher_type check. + +commit 196c31b4b54474b31dee3c30352c45c2a93e9226 upstream. + +Avoid copying crypto_info again after cipher_type check +to avoid a TOCTOU exploits. +The temporary array on the stack is removed as we don't really need it + +Fixes: 3c4d7559159b ('tls: kernel TLS support') +Signed-off-by: Ilya Lesokhin +Signed-off-by: David S. Miller +[bwh: Backported to 4.14: Preserve changes made by earlier backports of + "tls: return -EBUSY if crypto_info is already set" and "tls: zero the + crypto information from tls_context before freeing"] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + net/tls/tls_main.c | 33 ++++++++++++++------------------- + 1 file changed, 14 insertions(+), 19 deletions(-) + +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index b5f9c578bcf0..f88df514ad5f 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -381,7 +381,7 @@ static int tls_getsockopt(struct sock *sk, int level, int optname, + static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, + unsigned int optlen) + { +- struct tls_crypto_info *crypto_info, tmp_crypto_info; ++ struct tls_crypto_info *crypto_info; + struct tls_context *ctx = tls_get_ctx(sk); + int rc = 0; + int tx_conf; +@@ -391,38 +391,33 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, + goto out; + } + +- rc = copy_from_user(&tmp_crypto_info, optval, sizeof(*crypto_info)); ++ crypto_info = &ctx->crypto_send.info; ++ /* Currently we don't support set crypto info more than one time */ ++ if (TLS_CRYPTO_INFO_READY(crypto_info)) { ++ rc = -EBUSY; ++ goto out; ++ } ++ ++ rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info)); + if (rc) { + rc = -EFAULT; + goto out; + } + + /* check version */ +- if (tmp_crypto_info.version != TLS_1_2_VERSION) { ++ if (crypto_info->version != TLS_1_2_VERSION) { + rc = -ENOTSUPP; +- goto out; +- } +- +- /* get user crypto info */ +- crypto_info = &ctx->crypto_send.info; +- +- /* Currently we don't support set crypto info more than one time */ +- if (TLS_CRYPTO_INFO_READY(crypto_info)) { +- rc = -EBUSY; +- goto out; ++ goto err_crypto_info; + } + +- switch (tmp_crypto_info.cipher_type) { ++ switch (crypto_info->cipher_type) { + case TLS_CIPHER_AES_GCM_128: { + if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) { + rc = -EINVAL; + goto err_crypto_info; + } +- rc = copy_from_user( +- crypto_info, +- optval, +- sizeof(struct tls12_crypto_info_aes_gcm_128)); +- ++ rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info), ++ optlen - sizeof(*crypto_info)); + if (rc) { + rc = -EFAULT; + goto err_crypto_info; +-- +2.17.1 + diff --git a/queue-4.14/tls-don-t-override-sk_write_space-if-tls_set_sw_offl.patch b/queue-4.14/tls-don-t-override-sk_write_space-if-tls_set_sw_offl.patch new file mode 100644 index 00000000000..8fca2a9be32 --- /dev/null +++ b/queue-4.14/tls-don-t-override-sk_write_space-if-tls_set_sw_offl.patch @@ -0,0 +1,45 @@ +From 65db835b5099a4be67c4b22efadf6372a6246d88 Mon Sep 17 00:00:00 2001 +From: Ilya Lesokhin +Date: Mon, 13 Nov 2017 10:22:49 +0200 +Subject: tls: don't override sk_write_space if tls_set_sw_offload fails. + +commit ee181e5201e640a4b92b217e9eab2531dab57d2c upstream. + +If we fail to enable tls in the kernel we shouldn't override +the sk_write_space callback + +Fixes: 3c4d7559159b ('tls: kernel TLS support') +Signed-off-by: Ilya Lesokhin +Signed-off-by: David S. Miller +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + net/tls/tls_main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index f88df514ad5f..33187e34599b 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -429,9 +429,6 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, + goto err_crypto_info; + } + +- ctx->sk_write_space = sk->sk_write_space; +- sk->sk_write_space = tls_write_space; +- + /* currently SW is default, we will have ethtool in future */ + rc = tls_set_sw_offload(sk, ctx); + tx_conf = TLS_SW_TX; +@@ -440,6 +437,8 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, + + ctx->tx_conf = tx_conf; + update_sk_prot(sk, ctx); ++ ctx->sk_write_space = sk->sk_write_space; ++ sk->sk_write_space = tls_write_space; + goto out; + + err_crypto_info: +-- +2.17.1 + diff --git a/queue-4.14/tls-fix-tls-ulp-context-leak-when-tls_tx-setsockopt-.patch b/queue-4.14/tls-fix-tls-ulp-context-leak-when-tls_tx-setsockopt-.patch new file mode 100644 index 00000000000..6f0fdacff72 --- /dev/null +++ b/queue-4.14/tls-fix-tls-ulp-context-leak-when-tls_tx-setsockopt-.patch @@ -0,0 +1,143 @@ +From 3f5057d9b9f89eefcd10e9aceea9e3c3b251c3e4 Mon Sep 17 00:00:00 2001 +From: Ilya Lesokhin +Date: Mon, 13 Nov 2017 10:22:46 +0200 +Subject: tls: Fix TLS ulp context leak, when TLS_TX setsockopt is not used. + +commit ff45d820a2df163957ad8ab459b6eb6976144c18 upstream. + +Previously the TLS ulp context would leak if we attached a TLS ulp +to a socket but did not use the TLS_TX setsockopt, +or did use it but it failed. +This patch solves the issue by overriding prot[TLS_BASE_TX].close +and fixing tls_sk_proto_close to work properly +when its called with ctx->tx_conf == TLS_BASE_TX. +This patch also removes ctx->free_resources as we can use ctx->tx_conf +to obtain the relevant information. + +Fixes: 3c4d7559159b ('tls: kernel TLS support') +Signed-off-by: Ilya Lesokhin +Signed-off-by: David S. Miller +[bwh: Backported to 4.14: Keep using tls_ctx_free() as introduced by + the earlier backport of "tls: zero the crypto information from + tls_context before freeing"] +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 2 +- + net/tls/tls_main.c | 24 ++++++++++++++++-------- + net/tls/tls_sw.c | 3 +-- + 3 files changed, 18 insertions(+), 11 deletions(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index 0c3ab2af74d3..604fd982da19 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -106,7 +106,6 @@ struct tls_context { + + u16 pending_open_record_frags; + int (*push_pending_record)(struct sock *sk, int flags); +- void (*free_resources)(struct sock *sk); + + void (*sk_write_space)(struct sock *sk); + void (*sk_proto_close)(struct sock *sk, long timeout); +@@ -131,6 +130,7 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size); + int tls_sw_sendpage(struct sock *sk, struct page *page, + int offset, size_t size, int flags); + void tls_sw_close(struct sock *sk, long timeout); ++void tls_sw_free_tx_resources(struct sock *sk); + + void tls_sk_destruct(struct sock *sk, struct tls_context *ctx); + void tls_icsk_clean_acked(struct sock *sk); +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 191a8adee3ea..b5f9c578bcf0 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -249,6 +249,12 @@ static void tls_sk_proto_close(struct sock *sk, long timeout) + void (*sk_proto_close)(struct sock *sk, long timeout); + + lock_sock(sk); ++ sk_proto_close = ctx->sk_proto_close; ++ ++ if (ctx->tx_conf == TLS_BASE_TX) { ++ tls_ctx_free(ctx); ++ goto skip_tx_cleanup; ++ } + + if (!tls_complete_pending_work(sk, ctx, 0, &timeo)) + tls_handle_open_record(sk, 0); +@@ -265,13 +271,16 @@ static void tls_sk_proto_close(struct sock *sk, long timeout) + sg++; + } + } +- ctx->free_resources(sk); ++ + kfree(ctx->rec_seq); + kfree(ctx->iv); + +- sk_proto_close = ctx->sk_proto_close; +- tls_ctx_free(ctx); ++ if (ctx->tx_conf == TLS_SW_TX) { ++ tls_sw_free_tx_resources(sk); ++ tls_ctx_free(ctx); ++ } + ++skip_tx_cleanup: + release_sock(sk); + sk_proto_close(sk, timeout); + } +@@ -428,8 +437,6 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, + ctx->sk_write_space = sk->sk_write_space; + sk->sk_write_space = tls_write_space; + +- ctx->sk_proto_close = sk->sk_prot->close; +- + /* currently SW is default, we will have ethtool in future */ + rc = tls_set_sw_offload(sk, ctx); + tx_conf = TLS_SW_TX; +@@ -499,6 +506,7 @@ static int tls_init(struct sock *sk) + icsk->icsk_ulp_data = ctx; + ctx->setsockopt = sk->sk_prot->setsockopt; + ctx->getsockopt = sk->sk_prot->getsockopt; ++ ctx->sk_proto_close = sk->sk_prot->close; + + ctx->tx_conf = TLS_BASE_TX; + update_sk_prot(sk, ctx); +@@ -515,11 +523,11 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = { + static void build_protos(struct proto *prot, struct proto *base) + { + prot[TLS_BASE_TX] = *base; +- prot[TLS_BASE_TX].setsockopt = tls_setsockopt; +- prot[TLS_BASE_TX].getsockopt = tls_getsockopt; ++ prot[TLS_BASE_TX].setsockopt = tls_setsockopt; ++ prot[TLS_BASE_TX].getsockopt = tls_getsockopt; ++ prot[TLS_BASE_TX].close = tls_sk_proto_close; + + prot[TLS_SW_TX] = prot[TLS_BASE_TX]; +- prot[TLS_SW_TX].close = tls_sk_proto_close; + prot[TLS_SW_TX].sendmsg = tls_sw_sendmsg; + prot[TLS_SW_TX].sendpage = tls_sw_sendpage; + } +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 6ae9ca567d6c..5996fb5756e1 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -646,7 +646,7 @@ sendpage_end: + return ret; + } + +-static void tls_sw_free_resources(struct sock *sk) ++void tls_sw_free_tx_resources(struct sock *sk) + { + struct tls_context *tls_ctx = tls_get_ctx(sk); + struct tls_sw_context *ctx = tls_sw_ctx(tls_ctx); +@@ -685,7 +685,6 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx) + } + + ctx->priv_ctx = (struct tls_offload_context *)sw_ctx; +- ctx->free_resources = tls_sw_free_resources; + + crypto_info = &ctx->crypto_send.info; + switch (crypto_info->cipher_type) { +-- +2.17.1 + diff --git a/queue-4.14/tls-use-correct-sk-sk_prot-for-ipv6.patch b/queue-4.14/tls-use-correct-sk-sk_prot-for-ipv6.patch new file mode 100644 index 00000000000..e3d9e89e303 --- /dev/null +++ b/queue-4.14/tls-use-correct-sk-sk_prot-for-ipv6.patch @@ -0,0 +1,126 @@ +From 6c45b3bbf47c28c6d290e5afd18d1df4cdbec36b Mon Sep 17 00:00:00 2001 +From: Boris Pismenny +Date: Tue, 27 Feb 2018 14:18:39 +0200 +Subject: tls: Use correct sk->sk_prot for IPV6 + +commit c113187d38ff85dc302a1bb55864b203ebb2ba10 upstream. + +The tls ulp overrides sk->prot with a new tls specific proto structs. +The tls specific structs were previously based on the ipv4 specific +tcp_prot sturct. +As a result, attaching the tls ulp to an ipv6 tcp socket replaced +some ipv6 callback with the ipv4 equivalents. + +This patch adds ipv6 tls proto structs and uses them when +attached to ipv6 sockets. + +Fixes: 3c4d7559159b ('tls: kernel TLS support') +Signed-off-by: Boris Pismenny +Signed-off-by: Ilya Lesokhin +Signed-off-by: David S. Miller +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + net/tls/tls_main.c | 52 +++++++++++++++++++++++++++++++++------------- + 1 file changed, 37 insertions(+), 15 deletions(-) + +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 33187e34599b..e903bdd39b9f 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -46,17 +46,27 @@ MODULE_DESCRIPTION("Transport Layer Security Support"); + MODULE_LICENSE("Dual BSD/GPL"); + MODULE_ALIAS_TCP_ULP("tls"); + ++enum { ++ TLSV4, ++ TLSV6, ++ TLS_NUM_PROTS, ++}; ++ + enum { + TLS_BASE_TX, + TLS_SW_TX, + TLS_NUM_CONFIG, + }; + +-static struct proto tls_prots[TLS_NUM_CONFIG]; ++static struct proto *saved_tcpv6_prot; ++static DEFINE_MUTEX(tcpv6_prot_mutex); ++static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG]; + + static inline void update_sk_prot(struct sock *sk, struct tls_context *ctx) + { +- sk->sk_prot = &tls_prots[ctx->tx_conf]; ++ int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4; ++ ++ sk->sk_prot = &tls_prots[ip_ver][ctx->tx_conf]; + } + + int wait_on_pending_writer(struct sock *sk, long *timeo) +@@ -476,8 +486,21 @@ static int tls_setsockopt(struct sock *sk, int level, int optname, + return do_tls_setsockopt(sk, optname, optval, optlen); + } + ++static void build_protos(struct proto *prot, struct proto *base) ++{ ++ prot[TLS_BASE_TX] = *base; ++ prot[TLS_BASE_TX].setsockopt = tls_setsockopt; ++ prot[TLS_BASE_TX].getsockopt = tls_getsockopt; ++ prot[TLS_BASE_TX].close = tls_sk_proto_close; ++ ++ prot[TLS_SW_TX] = prot[TLS_BASE_TX]; ++ prot[TLS_SW_TX].sendmsg = tls_sw_sendmsg; ++ prot[TLS_SW_TX].sendpage = tls_sw_sendpage; ++} ++ + static int tls_init(struct sock *sk) + { ++ int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4; + struct inet_connection_sock *icsk = inet_csk(sk); + struct tls_context *ctx; + int rc = 0; +@@ -502,6 +525,17 @@ static int tls_init(struct sock *sk) + ctx->getsockopt = sk->sk_prot->getsockopt; + ctx->sk_proto_close = sk->sk_prot->close; + ++ /* Build IPv6 TLS whenever the address of tcpv6_prot changes */ ++ if (ip_ver == TLSV6 && ++ unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) { ++ mutex_lock(&tcpv6_prot_mutex); ++ if (likely(sk->sk_prot != saved_tcpv6_prot)) { ++ build_protos(tls_prots[TLSV6], sk->sk_prot); ++ smp_store_release(&saved_tcpv6_prot, sk->sk_prot); ++ } ++ mutex_unlock(&tcpv6_prot_mutex); ++ } ++ + ctx->tx_conf = TLS_BASE_TX; + update_sk_prot(sk, ctx); + out: +@@ -514,21 +548,9 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = { + .init = tls_init, + }; + +-static void build_protos(struct proto *prot, struct proto *base) +-{ +- prot[TLS_BASE_TX] = *base; +- prot[TLS_BASE_TX].setsockopt = tls_setsockopt; +- prot[TLS_BASE_TX].getsockopt = tls_getsockopt; +- prot[TLS_BASE_TX].close = tls_sk_proto_close; +- +- prot[TLS_SW_TX] = prot[TLS_BASE_TX]; +- prot[TLS_SW_TX].sendmsg = tls_sw_sendmsg; +- prot[TLS_SW_TX].sendpage = tls_sw_sendpage; +-} +- + static int __init tls_register(void) + { +- build_protos(tls_prots, &tcp_prot); ++ build_protos(tls_prots[TLSV4], &tcp_prot); + + tcp_register_ulp(&tcp_tls_ulp_ops); + +-- +2.17.1 + diff --git a/queue-4.14/ubi-initialize-fastmap-checkmapping-correctly.patch b/queue-4.14/ubi-initialize-fastmap-checkmapping-correctly.patch new file mode 100644 index 00000000000..83776499082 --- /dev/null +++ b/queue-4.14/ubi-initialize-fastmap-checkmapping-correctly.patch @@ -0,0 +1,60 @@ +From 6c2f1c1731c9c25b48882f64f5762d4e981cd306 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 12 Jun 2018 09:33:16 +0200 +Subject: ubi: Initialize Fastmap checkmapping correctly + +commit 25677478474a91fa1b46f19a4a591a9848bca6fb upstream + +We cannot do it last, otherwithse it will be skipped for dynamic +volumes. + +Reported-by: Lachmann, Juergen +Fixes: 34653fd8c46e ("ubi: fastmap: Check each mapping only once") +Signed-off-by: Richard Weinberger +Signed-off-by: Sudip Mukherjee +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/vtbl.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/mtd/ubi/vtbl.c b/drivers/mtd/ubi/vtbl.c +index 94d7a865b135..7504f430c011 100644 +--- a/drivers/mtd/ubi/vtbl.c ++++ b/drivers/mtd/ubi/vtbl.c +@@ -578,6 +578,16 @@ static int init_volumes(struct ubi_device *ubi, + vol->ubi = ubi; + reserved_pebs += vol->reserved_pebs; + ++ /* ++ * We use ubi->peb_count and not vol->reserved_pebs because ++ * we want to keep the code simple. Otherwise we'd have to ++ * resize/check the bitmap upon volume resize too. ++ * Allocating a few bytes more does not hurt. ++ */ ++ err = ubi_fastmap_init_checkmap(vol, ubi->peb_count); ++ if (err) ++ return err; ++ + /* + * In case of dynamic volume UBI knows nothing about how many + * data is stored there. So assume the whole volume is used. +@@ -620,16 +630,6 @@ static int init_volumes(struct ubi_device *ubi, + (long long)(vol->used_ebs - 1) * vol->usable_leb_size; + vol->used_bytes += av->last_data_size; + vol->last_eb_bytes = av->last_data_size; +- +- /* +- * We use ubi->peb_count and not vol->reserved_pebs because +- * we want to keep the code simple. Otherwise we'd have to +- * resize/check the bitmap upon volume resize too. +- * Allocating a few bytes more does not hurt. +- */ +- err = ubi_fastmap_init_checkmap(vol, ubi->peb_count); +- if (err) +- return err; + } + + /* And add the layout volume */ +-- +2.17.1 + diff --git a/queue-4.14/wil6210-missing-length-check-in-wmi_set_ie.patch b/queue-4.14/wil6210-missing-length-check-in-wmi_set_ie.patch new file mode 100644 index 00000000000..64e56cc7d9f --- /dev/null +++ b/queue-4.14/wil6210-missing-length-check-in-wmi_set_ie.patch @@ -0,0 +1,42 @@ +From 78e34acd58faa8ea15c5e282676e5f188f2432ac Mon Sep 17 00:00:00 2001 +From: Lior David +Date: Tue, 14 Nov 2017 15:25:39 +0200 +Subject: wil6210: missing length check in wmi_set_ie + +commit b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a upstream. + +Add a length check in wmi_set_ie to detect unsigned integer +overflow. + +Signed-off-by: Lior David +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/wmi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c +index ffdd2fa401b1..d63d7c326801 100644 +--- a/drivers/net/wireless/ath/wil6210/wmi.c ++++ b/drivers/net/wireless/ath/wil6210/wmi.c +@@ -1380,8 +1380,14 @@ int wmi_set_ie(struct wil6210_priv *wil, u8 type, u16 ie_len, const void *ie) + }; + int rc; + u16 len = sizeof(struct wmi_set_appie_cmd) + ie_len; +- struct wmi_set_appie_cmd *cmd = kzalloc(len, GFP_KERNEL); ++ struct wmi_set_appie_cmd *cmd; + ++ if (len < ie_len) { ++ rc = -EINVAL; ++ goto out; ++ } ++ ++ cmd = kzalloc(len, GFP_KERNEL); + if (!cmd) { + rc = -ENOMEM; + goto out; +-- +2.17.1 + diff --git a/queue-4.14/xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch b/queue-4.14/xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch new file mode 100644 index 00000000000..d557276f4a3 --- /dev/null +++ b/queue-4.14/xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch @@ -0,0 +1,51 @@ +From e51c18bdd2550bd3456a374755ceb5879cfb025c Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Tue, 17 Apr 2018 19:10:15 -0700 +Subject: xfs: don't fail when converting shortform attr to long form during + ATTR_REPLACE + +commit 7b38460dc8e4eafba06c78f8e37099d3b34d473c upstream. + +Kanda Motohiro reported that expanding a tiny xattr into a large xattr +fails on XFS because we remove the tiny xattr from a shortform fork and +then try to re-add it after converting the fork to extents format having +not removed the ATTR_REPLACE flag. This fails because the attr is no +longer present, causing a fs shutdown. + +This is derived from the patch in his bug report, but we really +shouldn't ignore a nonzero retval from the remove call. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199119 +Reported-by: kanda.motohiro@gmail.com +Reviewed-by: Dave Chinner +Reviewed-by: Christoph Hellwig +Signed-off-by: Darrick J. Wong +Signed-off-by: Ben Hutchings +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_attr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c +index 6249c92671de..ea66f04f46f7 100644 +--- a/fs/xfs/libxfs/xfs_attr.c ++++ b/fs/xfs/libxfs/xfs_attr.c +@@ -501,7 +501,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args) + if (args->flags & ATTR_CREATE) + return retval; + retval = xfs_attr_shortform_remove(args); +- ASSERT(retval == 0); ++ if (retval) ++ return retval; ++ /* ++ * Since we have removed the old attr, clear ATTR_REPLACE so ++ * that the leaf format add routine won't trip over the attr ++ * not being around. ++ */ ++ args->flags &= ~ATTR_REPLACE; + } + + if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX || +-- +2.17.1 +