[thirdparty/kernel/stable-queue.git] / releases / 4.19.51 / f2fs-fix-to-do-sanity-check-on-free-nid.patch
From bac313e6b450a98b85dfb9a276268cb996e482ce Mon Sep 17 00:00:00 2001
From: Chao Yu <yuchao0@huawei.com>
Date: Mon, 15 Apr 2019 15:28:36 +0800
Subject: f2fs: fix to do sanity check on free nid

[ Upstream commit 626bcf2b7ce87211dba565f2bfa7842ba5be5c1b ]

As Jungyeon reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=203225

- Overview
When mounting the attached crafted image and unmounting it, the following errors are reported.
Additionally, it hangs on sync after unmounting.

The image is intentionally fuzzed from a normal f2fs image for testing.
Compile options for F2FS are as follows.
CONFIG_F2FS_FS=y
CONFIG_F2FS_STAT_FS=y
CONFIG_F2FS_FS_XATTR=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_F2FS_CHECK_FS=y

- Reproduces
mkdir test
mount -t f2fs tmp.img test
touch test/t
umount test
sync

- Messages
kernel BUG at fs/f2fs/node.c:3073!
RIP: 0010:f2fs_destroy_node_manager+0x2f0/0x300
Call Trace:
f2fs_put_super+0xf4/0x270
generic_shutdown_super+0x62/0x110
kill_block_super+0x1c/0x50
kill_f2fs_super+0xad/0xd0
deactivate_locked_super+0x35/0x60
cleanup_mnt+0x36/0x70
task_work_run+0x75/0x90
exit_to_usermode_loop+0x93/0xa0
do_syscall_64+0xba/0xf0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0010:f2fs_destroy_node_manager+0x2f0/0x300

The NAT table is corrupted, so reserved meta/node inode ids were added into
the free list incorrectly. During file creation, since the reserved id is cached
in the inode hash, the creation fails and the preallocated nid cannot be
released later, resulting in a kernel panic.

To fix this issue, let's do a nid boundary check during free nid loading.

Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/node.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 807a77518a49..34c3f732601c 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -2079,6 +2079,9 @@ static bool add_free_nid(struct f2fs_sb_info *sbi,
if (unlikely(nid == 0))
return false;

+ if (unlikely(f2fs_check_nid_range(sbi, nid)))
+ return false;
+
i = f2fs_kmem_cache_alloc(free_nid_slab, GFP_NOFS);
i->nid = nid;
i->state = FREE_NID;
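Review bot: the new `f2fs_check_nid_range(sbi, nid)` test is used for its return value only, so an out-of-range nid leaves add_free_nid() through the same `return false` that an already-listed or zero nid takes, and the caller cannot tell a corrupted NAT entry from a benign duplicate. Whether the corruption is surfaced at all therefore depends on the helper warning and flagging the superblock for fsck internally, which this hunk does not show; that should be confirmed and stated in the commit message, otherwise a crafted NAT page is dropped silently at this level. Also, if the helper already rejects every nid below the root inode, the preceding `if (unlikely(nid == 0))` is subsumed by it, and either dropping that check or leaving a one-line comment on why both are kept would make the ordering clearer.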
--
2.20.1

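The mechanism the commit message describes (a fuzzed NAT table marking reserved and out-of-range nids as unused, and a boundary check during free-nid loading filtering them out) as an added user-space model. This is example code written for this page, not f2fs code: the reserved ids 1/2/3, the NAT capacity of 16, the flat NAT array and the check_nid_range/add_free_nid/scan_nat_page functions are simplified assumptions modelled on the kernel's names, not its on-disk format or its real implementation.

```c
/* Added example, not f2fs code: models free-nid loading from a
 * constructed, deliberately corrupted NAT page with and without the
 * range check the patch adds.  All constants are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t nid_t;

/* Assumed reserved inode numbers (mkfs.f2fs conventionally uses 1..3). */
#define NODE_INO  1
#define META_INO  2
#define ROOT_INO  3
#define MAX_NID   16      /* assumed NAT capacity for the model */
#define NULL_ADDR 0       /* block address meaning "nid is unused" */

struct nat_entry { nid_t nid; uint32_t blkaddr; };

struct sb_model {
    nid_t max_nid;
    bool  need_fsck;      /* set when corruption is detected */
    nid_t free[MAX_NID];  /* free-nid list (kernel uses a cache + list) */
    int   nfree;
};

/* Model of f2fs_check_nid_range(): reserved ids below the root inode and
 * ids at or past max_nid can never be legitimate free nids.  Returns
 * nonzero on a bad nid and flags the filesystem for fsck (assumption). */
static int check_nid_range(struct sb_model *sbi, nid_t nid)
{
    if (nid < ROOT_INO || nid >= sbi->max_nid) {
        sbi->need_fsck = true;
        fprintf(stderr, "invalid nid: %u\n", nid);
        return -1;
    }
    return 0;
}

/* Model of add_free_nid(); 'checked' toggles the patch's new test. */
static bool add_free_nid(struct sb_model *sbi, nid_t nid, bool checked)
{
    if (nid == 0)
        return false;
    if (checked && check_nid_range(sbi, nid))
        return false;
    for (int i = 0; i < sbi->nfree; i++)
        if (sbi->free[i] == nid)
            return false;          /* already on the free list */
    sbi->free[sbi->nfree++] = nid;
    return true;
}

/* Model of scanning one NAT page: every entry whose block address is
 * NULL_ADDR is offered to add_free_nid() as a candidate. */
static int scan_nat_page(struct sb_model *sbi, const struct nat_entry *nat,
                         int n, bool checked)
{
    int added = 0;
    for (int i = 0; i < n; i++)
        if (nat[i].blkaddr == NULL_ADDR &&
            add_free_nid(sbi, nat[i].nid, checked))
            added++;
    return added;
}

/* Constructed "fuzzed" NAT page: the reserved node/meta inodes and a nid
 * beyond max_nid are marked unused, as a crafted image might do. */
static const struct nat_entry fuzzed_nat[] = {
    { 0, 0 }, { NODE_INO, 0 }, { META_INO, 0 }, { ROOT_INO, 0x100 },
    { 4, 0x101 }, { 5, 0 }, { 6, 0 }, { 7, 0x102 }, { 40, 0 },
};

static void run_scan(struct sb_model *sbi, bool checked)
{
    memset(sbi, 0, sizeof *sbi);
    sbi->max_nid = MAX_NID;
    scan_nat_page(sbi, fuzzed_nat,
                  (int)(sizeof fuzzed_nat / sizeof fuzzed_nat[0]), checked);
}

/* Helpers exposing the outcome of a scan. */
static int free_nids_after_scan(bool checked)
{
    struct sb_model s; run_scan(&s, checked); return s.nfree;
}
/* Count reserved or out-of-range nids that reached the free list. */
static int bad_free_nids_after_scan(bool checked)
{
    struct sb_model s; int bad = 0;
    run_scan(&s, checked);
    for (int i = 0; i < s.nfree; i++)
        if (s.free[i] < ROOT_INO || s.free[i] >= s.max_nid)
            bad++;
    return bad;
}
static bool need_fsck_after_scan(bool checked)
{
    struct sb_model s; run_scan(&s, checked); return s.need_fsck;
}

int main(void)
{
    for (int c = 0; c < 2; c++)
        printf("%s: %d free nids, %d bad, need_fsck=%d\n",
               c ? "checked  " : "unchecked", free_nids_after_scan(c),
               bad_free_nids_after_scan(c), need_fsck_after_scan(c));
    return 0;
}
```

Without the check, the unchecked scan puts nids 1, 2 and 40 on the free list alongside the genuinely free 5 and 6; a later allocation would hand out a reserved id that is already cached in the inode hash, which is the path the report describes. With the check, only 5 and 6 survive and the model flags the filesystem for fsck, so the corruption is both contained and visible.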