From a2902514d76c80d256ee7829168229fd9c7654ab Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 20 Jul 2023 20:28:03 +0200 Subject: [PATCH] 5.10-stable patches added patches: f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch --- ...ointer-dereference-f2fs_write_end_io.patch | 153 ++++++++++++++++++ queue-5.10/series | 1 + 2 files changed, 154 insertions(+) create mode 100644 queue-5.10/f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch diff --git a/queue-5.10/f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch b/queue-5.10/f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch new file mode 100644 index 00000000000..d481a521d83 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch @@ -0,0 +1,153 @@ +From d8189834d4348ae608083e1f1f53792cfcc2a9bc Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 23 May 2023 14:17:25 +0800 +Subject: f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() + +From: Chao Yu + +commit d8189834d4348ae608083e1f1f53792cfcc2a9bc upstream. + +butt3rflyh4ck reports a bug as below: + +When a thread always calls F2FS_IOC_RESIZE_FS to resize fs, if resize fs is +failed, f2fs kernel thread would invoke callback function to update f2fs io +info, it would call f2fs_write_end_io and may trigger null-ptr-deref in +NODE_MAPPING. + +general protection fault, probably for non-canonical address +KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] +RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:1972 [inline] +RIP: 0010:f2fs_write_end_io+0x727/0x1050 fs/f2fs/data.c:370 + + bio_endio+0x5af/0x6c0 block/bio.c:1608 + req_bio_endio block/blk-mq.c:761 [inline] + blk_update_request+0x5cc/0x1690 block/blk-mq.c:906 + blk_mq_end_request+0x59/0x4c0 block/blk-mq.c:1023 + lo_complete_rq+0x1c6/0x280 drivers/block/loop.c:370 + blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1101 + __do_softirq+0x1d4/0x8ef kernel/softirq.c:571 + run_ksoftirqd kernel/softirq.c:939 [inline] + run_ksoftirqd+0x31/0x60 kernel/softirq.c:931 + smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164 + kthread+0x33e/0x440 kernel/kthread.c:379 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +The root cause is below race case can cause leaving dirty metadata +in f2fs after filesystem is remount as ro: + +Thread A Thread B +- f2fs_ioc_resize_fs + - f2fs_readonly --- return false + - f2fs_resize_fs + - f2fs_remount + - write_checkpoint + - set f2fs as ro + - free_segment_range + - update meta_inode's data + +Then, if f2fs_put_super() fails to write_checkpoint due to readonly +status, and meta_inode's dirty data will be writebacked after node_inode +is put, finally, f2fs_write_end_io will access NULL pointer on +sbi->node_inode. + +Thread A IRQ context +- f2fs_put_super + - write_checkpoint fails + - iput(node_inode) + - node_inode = NULL + - iput(meta_inode) + - write_inode_now + - f2fs_write_meta_page + - f2fs_write_end_io + - NODE_MAPPING(sbi) + : access NULL pointer on node_inode + +Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress") +Reported-by: butt3rflyh4ck +Closes: https://lore.kernel.org/r/1684480657-2375-1-git-send-email-yangtiezhu@loongson.cn +Tested-by: butt3rflyh4ck +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Stefan Ghinea +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/file.c | 2 +- + fs/f2fs/gc.c | 21 ++++++++++++++++++--- + 3 files changed, 20 insertions(+), 5 deletions(-) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3483,7 +3483,7 @@ block_t f2fs_start_bidx_of_node(unsigned + int f2fs_gc(struct f2fs_sb_info *sbi, bool sync, bool background, bool force, + unsigned int segno); + void f2fs_build_gc_manager(struct f2fs_sb_info *sbi); +-int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count); ++int f2fs_resize_fs(struct file *filp, __u64 block_count); + int __init f2fs_create_garbage_collection_cache(void); + void f2fs_destroy_garbage_collection_cache(void); + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -3356,7 +3356,7 @@ static int f2fs_ioc_resize_fs(struct fil + sizeof(block_count))) + return -EFAULT; + +- return f2fs_resize_fs(sbi, block_count); ++ return f2fs_resize_fs(filp, block_count); + } + + static int f2fs_ioc_enable_verity(struct file *filp, unsigned long arg) +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1976,8 +1976,9 @@ static void update_fs_metadata(struct f2 + } + } + +-int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) ++int f2fs_resize_fs(struct file *filp, __u64 block_count) + { ++ struct f2fs_sb_info *sbi = F2FS_I_SB(file_inode(filp)); + __u64 old_block_count, shrunk_blocks; + struct cp_control cpc = { CP_RESIZE, 0, 0, 0 }; + unsigned int secs; +@@ -2015,12 +2016,18 @@ int f2fs_resize_fs(struct f2fs_sb_info * + return -EINVAL; + } + ++ err = mnt_want_write_file(filp); ++ if (err) ++ return err; ++ + shrunk_blocks = old_block_count - block_count; + secs = div_u64(shrunk_blocks, BLKS_PER_SEC(sbi)); + + /* stop other GC */ +- if (!down_write_trylock(&sbi->gc_lock)) +- return -EAGAIN; ++ if (!down_write_trylock(&sbi->gc_lock)) { ++ err = -EAGAIN; ++ goto out_drop_write; ++ } + + /* stop CP to protect MAIN_SEC in free_segment_range */ + f2fs_lock_op(sbi); +@@ -2040,10 +2047,18 @@ int f2fs_resize_fs(struct f2fs_sb_info * + out_unlock: + f2fs_unlock_op(sbi); + up_write(&sbi->gc_lock); ++out_drop_write: ++ mnt_drop_write_file(filp); + if (err) + return err; + + freeze_super(sbi->sb); ++ ++ if (f2fs_readonly(sbi->sb)) { ++ thaw_super(sbi->sb); ++ return -EROFS; ++ } ++ + down_write(&sbi->gc_lock); + mutex_lock(&sbi->cp_mutex); + diff --git a/queue-5.10/series b/queue-5.10/series index de091c344cf..5222fd258d7 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -374,3 +374,4 @@ net-sched-make-psched_mtu-rtnl-less-safe.patch net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch +f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch -- 2.47.3