From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Chao Yu <yuchao0@huawei.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
Sasha Levin <sashal@kernel.org>,
linux-f2fs-devel@lists.sourceforge.net
Subject: [PATCH AUTOSEL 5.0 052/173] f2fs: fix to do checksum even if inode page is uptodate
Date: Sat, 1 Jun 2019 09:17:24 -0400 [thread overview]
Message-ID: <20190601131934.25053-52-sashal@kernel.org> (raw)
In-Reply-To: <20190601131934.25053-1-sashal@kernel.org>
From: Chao Yu <yuchao0@huawei.com>
[ Upstream commit b42b179bda9ff11075a6fc2bac4d9e400513679a ]
As Jungyeon reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=203221
- Overview
When mounting the attached crafted image and running program, this error is reported.
The image is intentionally fuzzed from a normal f2fs image for testing and I enabled option CONFIG_F2FS_CHECK_FS on.
- Reproduces
cc poc_07.c
mkdir test
mount -t f2fs tmp.img test
cp a.out test
cd test
sudo ./a.out
- Messages
kernel BUG at fs/f2fs/node.c:1279!
RIP: 0010:read_node_page+0xcf/0xf0
Call Trace:
__get_node_page+0x6b/0x2f0
f2fs_iget+0x8f/0xdf0
f2fs_lookup+0x136/0x320
__lookup_slow+0x92/0x140
lookup_slow+0x30/0x50
walk_component+0x1c1/0x350
path_lookupat+0x62/0x200
filename_lookup+0xb3/0x1a0
do_fchmodat+0x3e/0xa0
__x64_sys_chmod+0x12/0x20
do_syscall_64+0x43/0xf0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
On below paths, we can have opportunity to readahead inode page
- gc_node_segment -> f2fs_ra_node_page
- gc_data_segment -> f2fs_ra_node_page
- f2fs_fill_dentries -> f2fs_ra_node_page
Unlike synchronized read, on readahead path, we can set page uptodate
before verifying page's checksum, then read_node_page() will trigger
kernel panic once it encounters a uptodated page w/ incorrect checksum.
So considering readahead scenario, we have to do checksum each time
when loading inode page even if it is uptodated.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/inode.c | 4 ++--
fs/f2fs/node.c | 7 ++++---
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 8c8d40e07ebaf..24c81703ec56f 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -176,8 +176,8 @@ bool f2fs_inode_chksum_verify(struct f2fs_sb_info *sbi, struct page *page)
if (provided != calculated)
f2fs_msg(sbi->sb, KERN_WARNING,
- "checksum invalid, ino = %x, %x vs. %x",
- ino_of_node(page), provided, calculated);
+ "checksum invalid, nid = %lu, ino_of_node = %x, %x vs. %x",
+ page->index, ino_of_node(page), provided, calculated);
return provided == calculated;
}
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 63bb6134d39ae..e29d5f6735ae9 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1281,9 +1281,10 @@ static int read_node_page(struct page *page, int op_flags)
int err;
if (PageUptodate(page)) {
-#ifdef CONFIG_F2FS_CHECK_FS
- f2fs_bug_on(sbi, !f2fs_inode_chksum_verify(sbi, page));
-#endif
+ if (!f2fs_inode_chksum_verify(sbi, page)) {
+ ClearPageUptodate(page);
+ return -EBADMSG;
+ }
return LOCKED_PAGE;
}
--
2.20.1
next prev parent reply other threads:[~2019-06-01 13:38 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-01 13:16 [PATCH AUTOSEL 5.0 001/173] media: rockchip/vpu: Fix/re-order probe-error/remove path Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 002/173] media: rockchip/vpu: Add missing dont_use_autosuspend() calls Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 003/173] rapidio: fix a NULL pointer dereference when create_workqueue() fails Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 004/173] fs/fat/file.c: issue flush after the writeback of FAT Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 005/173] sysctl: return -EINVAL if val violates minmax Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 006/173] ipc: prevent lockup on alloc_msg and free_msg Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 007/173] drm/msm: correct attempted NULL pointer dereference in debugfs Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 008/173] drm/pl111: Initialize clock spinlock early Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 009/173] ARM: prevent tracing IPI_CPU_BACKTRACE Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 010/173] mm/hmm: select mmu notifier when selecting HMM Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 011/173] hugetlbfs: on restore reserve error path retain subpool reservation Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 012/173] mm/memory_hotplug: release memory resource after arch_remove_memory() Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 013/173] mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 014/173] mm/cma.c: fix crash on CMA allocation if bitmap allocation fails Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 015/173] initramfs: free initrd memory if opening /initrd.image fails Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 016/173] mm/memory_hotplug.c: fix the wrong usage of N_HIGH_MEMORY Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 017/173] mm/cma.c: fix the bitmap status to show failed allocation reason Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 018/173] mm: page_mkclean vs MADV_DONTNEED race Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 019/173] mm/cma_debug.c: fix the break condition in cma_maxchunk_get() Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 020/173] mm/slab.c: fix an infinite loop in leaks_show() Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 021/173] kernel/sys.c: prctl: fix false positive in validate_prctl_map() Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 022/173] thermal: rcar_gen3_thermal: disable interrupt in .remove Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 023/173] drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 024/173] mfd: tps65912-spi: Add missing of table registration Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 025/173] mfd: intel-lpss: Set the device in reset state when init Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 026/173] drm/nouveau/disp/dp: respect sink limits when selecting failsafe link configuration Sasha Levin
2019-06-01 13:16 ` [PATCH AUTOSEL 5.0 027/173] mfd: twl6040: Fix device init errors for ACCCTL register Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 028/173] perf/x86/intel: Allow PEBS multi-entry in watermark mode Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 029/173] drm/nouveau/kms/gf119-gp10x: push HeadSetControlOutputResource() mthd when encoders change Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 030/173] drm/bridge: adv7511: Fix low refresh rate selection Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 031/173] objtool: Don't use ignore flag for fake jumps Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 032/173] drm/nouveau/kms/gv100-: fix spurious window immediate interlocks Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 033/173] bpf: fix undefined behavior in narrow load handling Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 034/173] gcc-plugins: arm_ssp_per_task_plugin: Fix for older GCC < 6 Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 035/173] EDAC/mpc85xx: Prevent building as a module Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 036/173] NFS4: Fix v4.0 client state corruption when mount Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 037/173] pwm: meson: Use the spin-lock only to protect register modifications Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 038/173] mailbox: stm32-ipcc: check invalid irq Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 039/173] ntp: Allow TAI-UTC offset to be set to zero Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 040/173] f2fs: fix to avoid panic in do_recover_data() Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 041/173] f2fs: fix to avoid panic in f2fs_inplace_write_data() Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 042/173] f2fs: fix error path of recovery Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 043/173] f2fs: fix to avoid panic in f2fs_remove_inode_page() Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 044/173] f2fs: fix to do sanity check on free nid Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 045/173] f2fs: fix to clear dirty inode in error path of f2fs_iget() Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 046/173] f2fs: fix to avoid panic in dec_valid_block_count() Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 047/173] f2fs: fix to use inline space only if inline_xattr is enable Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 048/173] f2fs: fix to avoid panic in dec_valid_node_count() Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 049/173] f2fs: fix to do sanity check on valid block count of segment Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 050/173] f2fs: fix to avoid deadloop in foreground GC Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 051/173] f2fs: fix to retrieve inline xattr space Sasha Levin
2019-06-01 13:17 ` Sasha Levin [this message]
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 053/173] media: atmel: atmel-isc: fix asd memory allocation Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 054/173] percpu: remove spurious lock dependency between percpu and sched Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 055/173] tracing: probeevent: Fix to make the type of $comm string Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 056/173] tracing: Fix partial reading of trace event's id file Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 057/173] configfs: fix possible use-after-free in configfs_register_group Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 058/173] uml: fix a boot splat wrt use of cpu_all_mask Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 059/173] PCI: dwc: Free MSI in dw_pcie_host_init() error path Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 060/173] PCI: dwc: Free MSI IRQ page in dw_pcie_free_msi() Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 061/173] netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 062/173] ovl: do not generate duplicate fsnotify events for "fake" path Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 063/173] mmc: mmci: Prevent polling for busy detection in IRQ context Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 064/173] netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 065/173] netfilter: nf_conntrack_h323: restore boundary check correctness Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 066/173] mips: Make sure dt memory regions are valid Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 067/173] netfilter: nf_tables: fix base chain stat rcu_dereference usage Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 068/173] watchdog: Use depends instead of select for pretimeout governors Sasha Levin
2019-06-01 13:17 ` [PATCH AUTOSEL 5.0 069/173] watchdog: imx2_wdt: Fix set_timeout for big timeout values Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190601131934.25053-52-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yuchao0@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).