From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Chao Yu <yuchao0@huawei.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
Sasha Levin <sashal@kernel.org>,
linux-f2fs-devel@lists.sourceforge.net
Subject: [PATCH AUTOSEL 4.19 035/141] f2fs: fix to avoid panic in f2fs_inplace_write_data()
Date: Sat, 1 Jun 2019 09:20:11 -0400 [thread overview]
Message-ID: <20190601132158.25821-35-sashal@kernel.org> (raw)
In-Reply-To: <20190601132158.25821-1-sashal@kernel.org>
From: Chao Yu <yuchao0@huawei.com>
[ Upstream commit 05573d6ccf702df549a7bdeabef31e4753df1a90 ]
As Jungyeon reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=203239
- Overview
When mounting the attached crafted image and running program, following errors are reported.
Additionally, it hangs on sync after running program.
The image is intentionally fuzzed from a normal f2fs image for testing.
Compile options for F2FS are as follows.
CONFIG_F2FS_FS=y
CONFIG_F2FS_STAT_FS=y
CONFIG_F2FS_FS_XATTR=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_F2FS_CHECK_FS=y
- Reproduces
cc poc_15.c
./run.sh f2fs
sync
- Kernel messages
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:3162!
RIP: 0010:f2fs_inplace_write_data+0x12d/0x160
Call Trace:
f2fs_do_write_data_page+0x3c1/0x820
__write_data_page+0x156/0x720
f2fs_write_cache_pages+0x20d/0x460
f2fs_write_data_pages+0x1b4/0x300
do_writepages+0x15/0x60
__filemap_fdatawrite_range+0x7c/0xb0
file_write_and_wait_range+0x2c/0x80
f2fs_do_sync_file+0x102/0x810
do_fsync+0x33/0x60
__x64_sys_fsync+0xb/0x10
do_syscall_64+0x43/0xf0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The reason is f2fs_inplace_write_data() will trigger kernel panic due
to data block locates in node type segment.
To avoid panic, let's just return error code and set SBI_NEED_FSCK to
give a hint to fsck for latter repairing.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/segment.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index ac038563273de..4c6406bbe01e8 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -3068,13 +3068,18 @@ int f2fs_inplace_write_data(struct f2fs_io_info *fio)
{
int err;
struct f2fs_sb_info *sbi = fio->sbi;
+ unsigned int segno;
fio->new_blkaddr = fio->old_blkaddr;
/* i/o temperature is needed for passing down write hints */
__get_segment_type(fio);
- f2fs_bug_on(sbi, !IS_DATASEG(get_seg_entry(sbi,
- GET_SEGNO(sbi, fio->new_blkaddr))->type));
+ segno = GET_SEGNO(sbi, fio->new_blkaddr);
+
+ if (!IS_DATASEG(get_seg_entry(sbi, segno)->type)) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ return -EFAULT;
+ }
stat_inc_inplace_blocks(fio->sbi);
--
2.20.1
next prev parent reply other threads:[~2019-06-01 13:35 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-01 13:19 [PATCH AUTOSEL 4.19 001/141] rapidio: fix a NULL pointer dereference when create_workqueue() fails Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 002/141] fs/fat/file.c: issue flush after the writeback of FAT Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 003/141] sysctl: return -EINVAL if val violates minmax Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 004/141] ipc: prevent lockup on alloc_msg and free_msg Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 005/141] drm/pl111: Initialize clock spinlock early Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 006/141] ARM: prevent tracing IPI_CPU_BACKTRACE Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 007/141] mm/hmm: select mmu notifier when selecting HMM Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 008/141] hugetlbfs: on restore reserve error path retain subpool reservation Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 009/141] mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 010/141] mm/cma.c: fix crash on CMA allocation if bitmap allocation fails Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 011/141] initramfs: free initrd memory if opening /initrd.image fails Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 012/141] mm/cma.c: fix the bitmap status to show failed allocation reason Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 013/141] mm: page_mkclean vs MADV_DONTNEED race Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 014/141] mm/cma_debug.c: fix the break condition in cma_maxchunk_get() Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 015/141] mm/slab.c: fix an infinite loop in leaks_show() Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 016/141] kernel/sys.c: prctl: fix false positive in validate_prctl_map() Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 017/141] thermal: rcar_gen3_thermal: disable interrupt in .remove Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 018/141] drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 019/141] mfd: tps65912-spi: Add missing of table registration Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 020/141] mfd: intel-lpss: Set the device in reset state when init Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 021/141] drm/nouveau/disp/dp: respect sink limits when selecting failsafe link configuration Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 022/141] mfd: twl6040: Fix device init errors for ACCCTL register Sasha Levin
2019-06-01 13:19 ` [PATCH AUTOSEL 4.19 023/141] perf/x86/intel: Allow PEBS multi-entry in watermark mode Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 024/141] drm/nouveau/kms/gf119-gp10x: push HeadSetControlOutputResource() mthd when encoders change Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 025/141] drm/bridge: adv7511: Fix low refresh rate selection Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 026/141] objtool: Don't use ignore flag for fake jumps Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 027/141] drm/nouveau/kms/gv100-: fix spurious window immediate interlocks Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 028/141] bpf: fix undefined behavior in narrow load handling Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 029/141] EDAC/mpc85xx: Prevent building as a module Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 030/141] NFS4: Fix v4.0 client state corruption when mount Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 031/141] pwm: meson: Use the spin-lock only to protect register modifications Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 032/141] mailbox: stm32-ipcc: check invalid irq Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 033/141] ntp: Allow TAI-UTC offset to be set to zero Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 034/141] f2fs: fix to avoid panic in do_recover_data() Sasha Levin
2019-06-01 13:20 ` Sasha Levin [this message]
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 036/141] f2fs: fix to avoid panic in f2fs_remove_inode_page() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 037/141] f2fs: fix to do sanity check on free nid Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 038/141] f2fs: fix to clear dirty inode in error path of f2fs_iget() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 039/141] f2fs: fix to avoid panic in dec_valid_block_count() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 040/141] f2fs: fix to use inline space only if inline_xattr is enable Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 041/141] f2fs: fix to do sanity check on valid block count of segment Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 042/141] f2fs: fix to do checksum even if inode page is uptodate Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 043/141] percpu: remove spurious lock dependency between percpu and sched Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 044/141] tracing: Fix partial reading of trace event's id file Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 045/141] configfs: fix possible use-after-free in configfs_register_group Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 046/141] uml: fix a boot splat wrt use of cpu_all_mask Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 047/141] PCI: dwc: Free MSI in dw_pcie_host_init() error path Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 048/141] PCI: dwc: Free MSI IRQ page in dw_pcie_free_msi() Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 049/141] ovl: do not generate duplicate fsnotify events for "fake" path Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 050/141] mmc: mmci: Prevent polling for busy detection in IRQ context Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 051/141] netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 052/141] netfilter: nf_conntrack_h323: restore boundary check correctness Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 053/141] mips: Make sure dt memory regions are valid Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 054/141] netfilter: nf_tables: fix base chain stat rcu_dereference usage Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 055/141] watchdog: Use depends instead of select for pretimeout governors Sasha Levin
2019-06-01 13:20 ` [PATCH AUTOSEL 4.19 056/141] watchdog: imx2_wdt: Fix set_timeout for big timeout values Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190601132158.25821-35-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yuchao0@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).