* [f2fs-dev] [PATCH AUTOSEL 5.10 5/8] f2fs: fix to do sanity check on curseg->alloc_type
[not found] <20220328194322.1586401-1-sashal@kernel.org>
@ 2022-03-28 19:43 ` Sasha Levin
2022-03-28 19:43 ` [f2fs-dev] [PATCH AUTOSEL 5.10 7/8] f2fs: compress: fix to print raw data size in error path of lz4 decompression Sasha Levin
1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2022-03-28 19:43 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sasha Levin, Jaegeuk Kim, yuchao0, linux-f2fs-devel
From: Chao Yu <chao@kernel.org>
[ Upstream commit f41ee8b91c00770d718be2ff4852a80017ae9ab3 ]
As Wenqing Liu reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=215657
- Overview
UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image
- Reproduce
tested on kernel 5.17-rc4, 5.17-rc6
1. mkdir test_crash
2. cd test_crash
3. unzip tmp2.zip
4. mkdir mnt
5. ./single_test.sh f2fs 2
- Kernel dump
[ 46.434454] loop0: detected capacity change from 0 to 131072
[ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[ 46.738319] ================================================================================
[ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[ 46.738475] index 231 is out of range for type 'unsigned int [2]'
[ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 46.738551] Call Trace:
[ 46.738556] <TASK>
[ 46.738563] dump_stack_lvl+0x47/0x5c
[ 46.738581] ubsan_epilogue+0x5/0x50
[ 46.738592] __ubsan_handle_out_of_bounds+0x68/0x80
[ 46.738604] f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[ 46.738819] do_write_page+0xef/0x210 [f2fs]
[ 46.738934] f2fs_do_write_node_page+0x3f/0x80 [f2fs]
[ 46.739038] __write_node_page+0x2b7/0x920 [f2fs]
[ 46.739162] f2fs_sync_node_pages+0x943/0xb00 [f2fs]
[ 46.739293] f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]
[ 46.739405] kill_f2fs_super+0x125/0x150 [f2fs]
[ 46.739507] deactivate_locked_super+0x60/0xc0
[ 46.739517] deactivate_super+0x70/0xb0
[ 46.739524] cleanup_mnt+0x11a/0x200
[ 46.739532] __cleanup_mnt+0x16/0x20
[ 46.739538] task_work_run+0x67/0xa0
[ 46.739547] exit_to_user_mode_prepare+0x18c/0x1a0
[ 46.739559] syscall_exit_to_user_mode+0x26/0x40
[ 46.739568] do_syscall_64+0x46/0xb0
[ 46.739584] entry_SYSCALL_64_after_hwframe+0x44/0xae
The root cause is we missed to do sanity check on curseg->alloc_type,
result in out-of-bound accessing on sbi->block_count[] array, fix it.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/segment.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index d04b449978aa..49f5cb532738 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -4650,6 +4650,13 @@ static int sanity_check_curseg(struct f2fs_sb_info *sbi)
sanity_check_seg_type(sbi, curseg->seg_type);
+ if (curseg->alloc_type != LFS && curseg->alloc_type != SSR) {
+ f2fs_err(sbi,
+ "Current segment has invalid alloc_type:%d",
+ curseg->alloc_type);
+ return -EFSCORRUPTED;
+ }
+
if (f2fs_test_bit(blkofs, se->cur_valid_map))
goto out;
--
2.34.1
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [f2fs-dev] [PATCH AUTOSEL 5.10 7/8] f2fs: compress: fix to print raw data size in error path of lz4 decompression
[not found] <20220328194322.1586401-1-sashal@kernel.org>
2022-03-28 19:43 ` [f2fs-dev] [PATCH AUTOSEL 5.10 5/8] f2fs: fix to do sanity check on curseg->alloc_type Sasha Levin
@ 2022-03-28 19:43 ` Sasha Levin
1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2022-03-28 19:43 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sasha Levin, yuchao0, linux-f2fs-devel, Jaegeuk Kim
From: Chao Yu <chao@kernel.org>
[ Upstream commit d284af43f703760e261b1601378a0c13a19d5f1f ]
In lz4_decompress_pages(), if size of decompressed data is not equal to
expected one, we should print the size rather than size of target buffer
for decompressed data, fix it.
Signed-off-by: Chao Yu <chao.yu@oppo.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/compress.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
index ec542e8c46cc..1541da5ace85 100644
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -286,10 +286,9 @@ static int lz4_decompress_pages(struct decompress_io_ctx *dic)
}
if (ret != PAGE_SIZE << dic->log_cluster_size) {
- printk_ratelimited("%sF2FS-fs (%s): lz4 invalid rlen:%zu, "
+ printk_ratelimited("%sF2FS-fs (%s): lz4 invalid ret:%d, "
"expected:%lu\n", KERN_ERR,
- F2FS_I_SB(dic->inode)->sb->s_id,
- dic->rlen,
+ F2FS_I_SB(dic->inode)->sb->s_id, ret,
PAGE_SIZE << dic->log_cluster_size);
return -EIO;
}
--
2.34.1
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-03-28 19:43 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20220328194322.1586401-1-sashal@kernel.org>
2022-03-28 19:43 ` [f2fs-dev] [PATCH AUTOSEL 5.10 5/8] f2fs: fix to do sanity check on curseg->alloc_type Sasha Levin
2022-03-28 19:43 ` [f2fs-dev] [PATCH AUTOSEL 5.10 7/8] f2fs: compress: fix to print raw data size in error path of lz4 decompression Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).