From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH 5.10 5.15] nilfs2: reject devices with insufficient block count
Date: Mon, 19 Jun 2023 09:49:05 +0200 [thread overview]
Message-ID: <2023061957-unsigned-antirust-a017@gregkh> (raw)
In-Reply-To: <20230618183519.2411-1-konishi.ryusuke@gmail.com>
On Mon, Jun 19, 2023 at 03:35:19AM +0900, Ryusuke Konishi wrote:
> commit 92c5d1b860e9581d64baca76779576c0ab0d943d upstream.
>
> The current sanity check for nilfs2 geometry information lacks checks for
> the number of segments stored in superblocks, so even for device images
> that have been destructively truncated or have an unusually high number of
> segments, the mount operation may succeed.
>
> This causes out-of-bounds block I/O on file system block reads or log
> writes to the segments, the latter in particular causing
> "a_ops->writepages" to repeatedly fail, resulting in sync_inodes_sb() to
> hang.
>
> Fix this issue by checking the number of segments stored in the superblock
> and avoiding mounting devices that can cause out-of-bounds accesses. To
> eliminate the possibility of overflow when calculating the number of
> blocks required for the device from the number of segments, this also adds
> a helper function to calculate the upper bound on the number of segments
> and inserts a check using it.
>
> Link: https://lkml.kernel.org/r/20230526021332.3431-1-konishi.ryusuke@gmail.com
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Reported-by: syzbot+7d50f1e54a12ba3aeae2@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=7d50f1e54a12ba3aeae2
> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
> Please apply this patch to the above stable trees instead of the patch
> that could not be applied to them. The hang issue reported by syzbot was
> confirmed to reproduce on these stable kernels using its reproducer.
> This fixes it.
>
> In this patch, "sb_bdev_nr_blocks()" is replaced with its equivalent since
> it doesn't yet exist in these kernels. With this tweak, this patch is
> applicable from v5.9 to v5.15. Also, this patch has been tested against
> the title stable trees.
>
Now queued up, thanks.
greg k-h
prev parent reply other threads:[~2023-06-19 7:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-18 18:35 [PATCH 5.10 5.15] nilfs2: reject devices with insufficient block count Ryusuke Konishi
2023-06-19 7:49 ` Greg Kroah-Hartman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2023061957-unsigned-antirust-a017@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=konishi.ryusuke@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.