From c3780ad4a78e38304dc2df15403f21e8f714404b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 6 Jun 2022 13:15:29 +0200
Subject: [PATCH] 5.17-stable patches

added patches:
f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch
f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch
---
 ...-f2fs_bug_on-in-dec_valid_node_count.patch | 68 +++++++++++++++++
 ...-block-address-in-f2fs_do_zero_range.patch | 73 +++++++++++++++++++
 queue-5.17/series | 2 +
 3 files changed, 143 insertions(+)
 create mode 100644 queue-5.17/f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch
 create mode 100644 queue-5.17/f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch

diff --git a/queue-5.17/f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch b/queue-5.17/f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch
new file mode 100644
index 00000000000..3a7e1fbc3f4
--- /dev/null
+++ b/queue-5.17/f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch
@@ -0,0 +1,68 @@
+From 4d17e6fe9293d57081ffdc11e1cf313e25e8fd9e Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Wed, 27 Apr 2022 01:06:02 +0800
+Subject: f2fs: fix to avoid f2fs_bug_on() in dec_valid_node_count()
+
+From: Chao Yu
+
+commit 4d17e6fe9293d57081ffdc11e1cf313e25e8fd9e upstream.
+
+As Yanming reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215897
+
+I have encountered a bug in F2FS file system in kernel v5.17.
+
+The kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can
+reproduce the bug by running the following commands:
+
+The kernel message is shown below:
+
+kernel BUG at fs/f2fs/f2fs.h:2511!
+Call Trace:
+ f2fs_remove_inode_page+0x2a2/0x830
+ f2fs_evict_inode+0x9b7/0x1510
+ evict+0x282/0x4e0
+ do_unlinkat+0x33a/0x540
+ __x64_sys_unlinkat+0x8e/0xd0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is: .total_valid_block_count or .total_valid_node_count
+could fuzzed to zero, then once dec_valid_node_count() was called, it
+will cause BUG_ON(), this patch fixes to print warning info and set
+SBI_NEED_FSCK into CP instead of panic.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ming Yan
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/f2fs.h | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -2509,11 +2509,17 @@ static inline void dec_valid_node_count(
+ {
+ spin_lock(&sbi->stat_lock);
+
+- f2fs_bug_on(sbi, !sbi->total_valid_block_count);
+- f2fs_bug_on(sbi, !sbi->total_valid_node_count);
++ if (unlikely(!sbi->total_valid_block_count ||
++ !sbi->total_valid_node_count)) {
++ f2fs_warn(sbi, "dec_valid_node_count: inconsistent block counts, total_valid_block:%u, total_valid_node:%u",
++ sbi->total_valid_block_count,
++ sbi->total_valid_node_count);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ } else {
++ sbi->total_valid_block_count--;
++ sbi->total_valid_node_count--;
++ }
+
+- sbi->total_valid_node_count--;
+- sbi->total_valid_block_count--;
+ if (sbi->reserved_blocks &&
+ sbi->current_reserved_blocks < sbi->reserved_blocks)
+ sbi->current_reserved_blocks++;
diff --git a/queue-5.17/f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch b/queue-5.17/f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch
new file mode 100644
index 00000000000..3bb7604f109
--- /dev/null
+++ b/queue-5.17/f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch
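Review bot: The reserved-block accounting that follows the new if/else in dec_valid_node_count() (`if (sbi->reserved_blocks && sbi->current_reserved_blocks < sbi->reserved_blocks) sbi->current_reserved_blocks++;`) still executes on the warning path, so on a corrupted image the function bumps `current_reserved_blocks` even though it decremented nothing, letting that counter drift further from the already-inconsistent totals. Moving that `if` into the `else` branch, directly after the two decrements, keeps the SBI_NEED_FSCK path purely diagnostic; whether the drift is observable depends on how current_reserved_blocks is consumed, which is not visible here. A short comment above the branch, `/* counters already corrupted: record for fsck instead of BUG_ON() */`, would make the deliberate downgrade from panic to warning clear to the next reader. dec_valid_node_count()'s signature precedes this hunk and the spin_unlock and rest of its body follow it.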
@@ -0,0 +1,73 @@
+From 25f8236213a91efdf708b9d77e9e51b6fc3e141c Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Wed, 27 Apr 2022 17:51:40 +0800
+Subject: f2fs: fix to do sanity check on block address in f2fs_do_zero_range()
+
+From: Chao Yu
+
+commit 25f8236213a91efdf708b9d77e9e51b6fc3e141c upstream.
+
+As Yanming reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215894
+
+I have encountered a bug in F2FS file system in kernel v5.17.
+
+I have uploaded the system call sequence as case.c, and a fuzzed image can
+be found in google net disk
+
+The kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can
+reproduce the bug by running the following commands:
+
+kernel BUG at fs/f2fs/segment.c:2291!
+Call Trace:
+ f2fs_invalidate_blocks+0x193/0x2d0
+ f2fs_fallocate+0x2593/0x4a70
+ vfs_fallocate+0x2a5/0xac0
+ ksys_fallocate+0x35/0x70
+ __x64_sys_fallocate+0x8e/0xf0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is, after image was fuzzed, block mapping info in inode
+will be inconsistent with SIT table, so in f2fs_fallocate(), it will cause
+panic when updating SIT with invalid blkaddr.
+
+Let's fix the issue by adding sanity check on block address before updating
+SIT table with it.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ming Yan
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/file.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1437,11 +1437,19 @@ static int f2fs_do_zero_range(struct dno
+ ret = -ENOSPC;
+ break;
+ }
+- if (dn->data_blkaddr != NEW_ADDR) {
+- f2fs_invalidate_blocks(sbi, dn->data_blkaddr);
+- dn->data_blkaddr = NEW_ADDR;
+- f2fs_set_data_blkaddr(dn);
++
++ if (dn->data_blkaddr == NEW_ADDR)
++ continue;
++
++ if (!f2fs_is_valid_blkaddr(sbi, dn->data_blkaddr,
++ DATA_GENERIC_ENHANCE)) {
++ ret = -EFSCORRUPTED;
++ break;
+ }
++
++ f2fs_invalidate_blocks(sbi, dn->data_blkaddr);
++ dn->data_blkaddr = NEW_ADDR;
++ f2fs_set_data_blkaddr(dn);
+ }
+
+ f2fs_update_extent_cache_range(dn, start, 0, index - start);
diff --git a/queue-5.17/series b/queue-5.17/series
index 167c00f30a6..3907e5facfb 100644
--- a/queue-5.17/series
+++ b/queue-5.17/series
@@ -607,3 +607,5 @@ video-fbdev-vesafb-fix-a-use-after-free-due-early-fb.patch
 nfsv4-fix-free-of-uninitialized-nfs4_label-on-referr.patch
 nfs-convert-gfp_nofs-to-gfp_kernel.patch
 nfsv4.1-mark-qualified-async-operations-as-moveable-.patch
+f2fs-fix-to-avoid-f2fs_bug_on-in-dec_valid_node_count.patch
+f2fs-fix-to-do-sanity-check-on-block-address-in-f2fs_do_zero_range.patch
--
2.47.3
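Review bot: The new `-EFSCORRUPTED` exit in f2fs_do_zero_range() only hands an errno back to the fallocate caller; unlike the companion dec_valid_node_count() fix in this series it does not itself record the corruption with `set_sbi_flag(sbi, SBI_NEED_FSCK);`, so if f2fs_is_valid_blkaddr() does not already do that for DATA_GENERIC_ENHANCE (its body is not visible here) the inode-mapping/SIT mismatch found on a crafted image would never be flagged for fsck, and adding that line before the `break` would close the gap. A failure part-way through the range also leaves the blocks before `index` already invalidated and set to NEW_ADDR while the remainder of [start, end) is untouched; the context line `f2fs_update_extent_cache_range(dn, start, 0, index - start)` still covers exactly that prefix, which looks consistent, but the partial-zeroing outcome deserves a comment on the break such as `/* blocks before index are already zeroed; caller sees -EFSCORRUPTED */`. f2fs_do_zero_range() begins before this hunk (the NULL_ADDR counting pass and the f2fs_reserve_new_blocks() call are not shown) and its return statement follows it.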