--- /dev/null
+From d8189834d4348ae608083e1f1f53792cfcc2a9bc Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Tue, 23 May 2023 14:17:25 +0800
+Subject: f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()
+
+From: Chao Yu <chao@kernel.org>
+
+commit d8189834d4348ae608083e1f1f53792cfcc2a9bc upstream.
+
+butt3rflyh4ck reports a bug as below:
+
+When a thread always calls F2FS_IOC_RESIZE_FS to resize fs, if resize fs is
+failed, f2fs kernel thread would invoke callback function to update f2fs io
+info, it would call f2fs_write_end_io and may trigger null-ptr-deref in
+NODE_MAPPING.
+
+general protection fault, probably for non-canonical address
+KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:1972 [inline]
+RIP: 0010:f2fs_write_end_io+0x727/0x1050 fs/f2fs/data.c:370
+ <TASK>
+ bio_endio+0x5af/0x6c0 block/bio.c:1608
+ req_bio_endio block/blk-mq.c:761 [inline]
+ blk_update_request+0x5cc/0x1690 block/blk-mq.c:906
+ blk_mq_end_request+0x59/0x4c0 block/blk-mq.c:1023
+ lo_complete_rq+0x1c6/0x280 drivers/block/loop.c:370
+ blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1101
+ __do_softirq+0x1d4/0x8ef kernel/softirq.c:571
+ run_ksoftirqd kernel/softirq.c:939 [inline]
+ run_ksoftirqd+0x31/0x60 kernel/softirq.c:931
+ smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164
+ kthread+0x33e/0x440 kernel/kthread.c:379
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+The root cause is below race case can cause leaving dirty metadata
+in f2fs after filesystem is remount as ro:
+
+Thread A Thread B
+- f2fs_ioc_resize_fs
+ - f2fs_readonly --- return false
+ - f2fs_resize_fs
+ - f2fs_remount
+ - write_checkpoint
+ - set f2fs as ro
+ - free_segment_range
+ - update meta_inode's data
+
+Then, if f2fs_put_super() fails to write_checkpoint due to readonly
+status, and meta_inode's dirty data will be writebacked after node_inode
+is put, finally, f2fs_write_end_io will access NULL pointer on
+sbi->node_inode.
+
+Thread A IRQ context
+- f2fs_put_super
+ - write_checkpoint fails
+ - iput(node_inode)
+ - node_inode = NULL
+ - iput(meta_inode)
+ - write_inode_now
+ - f2fs_write_meta_page
+ - f2fs_write_end_io
+ - NODE_MAPPING(sbi)
+ : access NULL pointer on node_inode
+
+Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress")
+Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Closes: https://lore.kernel.org/r/1684480657-2375-1-git-send-email-yangtiezhu@loongson.cn
+Tested-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ fs/f2fs/file.c | 2 +-
+ fs/f2fs/gc.c | 21 ++++++++++++++++++---
+ 3 files changed, 20 insertions(+), 5 deletions(-)
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -3483,7 +3483,7 @@ block_t f2fs_start_bidx_of_node(unsigned
+ int f2fs_gc(struct f2fs_sb_info *sbi, bool sync, bool background, bool force,
+ unsigned int segno);
+ void f2fs_build_gc_manager(struct f2fs_sb_info *sbi);
+-int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count);
++int f2fs_resize_fs(struct file *filp, __u64 block_count);
+ int __init f2fs_create_garbage_collection_cache(void);
+ void f2fs_destroy_garbage_collection_cache(void);
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -3356,7 +3356,7 @@ static int f2fs_ioc_resize_fs(struct fil
+ sizeof(block_count)))
+ return -EFAULT;
+
+- return f2fs_resize_fs(sbi, block_count);
++ return f2fs_resize_fs(filp, block_count);
+ }
+
+ static int f2fs_ioc_enable_verity(struct file *filp, unsigned long arg)
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1976,8 +1976,9 @@ static void update_fs_metadata(struct f2
+ }
+ }
+
+-int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count)
++int f2fs_resize_fs(struct file *filp, __u64 block_count)
+ {
++ struct f2fs_sb_info *sbi = F2FS_I_SB(file_inode(filp));
+ __u64 old_block_count, shrunk_blocks;
+ struct cp_control cpc = { CP_RESIZE, 0, 0, 0 };
+ unsigned int secs;
+@@ -2015,12 +2016,18 @@ int f2fs_resize_fs(struct f2fs_sb_info *
+ return -EINVAL;
+ }
+
++ err = mnt_want_write_file(filp);
++ if (err)
++ return err;
++
+ shrunk_blocks = old_block_count - block_count;
+ secs = div_u64(shrunk_blocks, BLKS_PER_SEC(sbi));
+
+ /* stop other GC */
+- if (!down_write_trylock(&sbi->gc_lock))
+- return -EAGAIN;
++ if (!down_write_trylock(&sbi->gc_lock)) {
++ err = -EAGAIN;
++ goto out_drop_write;
++ }
+
+ /* stop CP to protect MAIN_SEC in free_segment_range */
+ f2fs_lock_op(sbi);
+@@ -2040,10 +2047,18 @@ int f2fs_resize_fs(struct f2fs_sb_info *
+ out_unlock:
+ f2fs_unlock_op(sbi);
+ up_write(&sbi->gc_lock);
++out_drop_write:
++ mnt_drop_write_file(filp);
+ if (err)
+ return err;
+
+ freeze_super(sbi->sb);
++
++ if (f2fs_readonly(sbi->sb)) {
++ thaw_super(sbi->sb);
++ return -EROFS;
++ }
++
+ down_write(&sbi->gc_lock);
+ mutex_lock(&sbi->cp_mutex);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
