* Re: Patch "nilfs2: fix missing error check for sb_set_blocksize call" has been added to the 5.4-stable tree
[not found] ` <CAKFNMokAa1hUUL95wxCZRXzLMuOPiQ6Cu0yOrcdbKvW=zT1z0g@mail.gmail.com>
@ 2023-12-10 2:47 ` Ryusuke Konishi
2023-12-10 7:26 ` [PATCH 4.14 4.19 5.4] nilfs2: fix missing error check for sb_set_blocksize call Ryusuke Konishi
1 sibling, 0 replies; 3+ messages in thread
From: Ryusuke Konishi @ 2023-12-10 2:47 UTC
To: stable, gregkh; +Cc: akpm

Forward to the stable mailing list.

Ryusuke Konishi

On Sun, Dec 10, 2023 at 11:37 AM Ryusuke Konishi wrote:
>
> Hi Greg,
>
> Please drop this patch from the 5.4-stable, 4.19-stable, and 4.14-stable queues.
>
> This patch uses nilfs_error() instead of nilfs_err(), which does not
> yet exist in these versions, but these are different routines and
> nilfs_error() should not be used as an alternative for init_nilfs(),
> as it can cause deadlock.
>
> I'll try to post a separate patch to replace it for these versions.
>
> Thanks,
> Ryusuke Konishi
>
> On Sat, Dec 9, 2023 at 9:32 PM wrote:
> >
> >
> > This is a note to let you know that I've just added the patch titled
> >
> > nilfs2: fix missing error check for sb_set_blocksize call
> >
> > to the 5.4-stable tree which can be found at:
> > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >
> > The filename of the patch is:
> > nilfs2-fix-missing-error-check-for-sb_set_blocksize-call.patch
> > and it can be found in the queue-5.4 subdirectory.
> >
> > If you, or anyone else, feels it should not be added to the stable tree,
> > please let <stable@vger.kernel.org> know about it.
> >
> >
> > From d61d0ab573649789bf9eb909c89a1a193b2e3d10 Mon Sep 17 00:00:00 2001
> > From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> > Date: Wed, 29 Nov 2023 23:15:47 +0900
> > Subject: nilfs2: fix missing error check for sb_set_blocksize call
> >
> > From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> >
> > commit d61d0ab573649789bf9eb909c89a1a193b2e3d10 upstream.
> >
> > When mounting a filesystem image with a block size larger than the page
> > size, nilfs2 repeatedly outputs long error messages with stack traces to
> > the kernel log, such as the following:
> >
> > getblk(): invalid block size 8192 requested
> > logical block size: 512
> > ...
> > Call Trace:
> > dump_stack_lvl+0x92/0xd4
> > dump_stack+0xd/0x10
> > bdev_getblk+0x33a/0x354
> > __breadahead+0x11/0x80
> > nilfs_search_super_root+0xe2/0x704 [nilfs2]
> > load_nilfs+0x72/0x504 [nilfs2]
> > nilfs_mount+0x30f/0x518 [nilfs2]
> > legacy_get_tree+0x1b/0x40
> > vfs_get_tree+0x18/0xc4
> > path_mount+0x786/0xa88
> > __ia32_sys_mount+0x147/0x1a8
> > __do_fast_syscall_32+0x56/0xc8
> > do_fast_syscall_32+0x29/0x58
> > do_SYSENTER_32+0x15/0x18
> > entry_SYSENTER_32+0x98/0xf1
> > ...
> >
> > This overloads the system logger. And to make matters worse, it sometimes
> > crashes the kernel with a memory access violation.
> >
> > This is because the return value of the sb_set_blocksize() call, which
> > should be checked for errors, is not checked.
> >
> > The latter issue is due to out-of-buffer memory being accessed based on a
> > large block size that caused sb_set_blocksize() to fail for buffers read
> > with the initial minimum block size that remained unupdated in the
> > super_block structure.
> >
> > Since nilfs2 mkfs tool does not accept block sizes larger than the system
> > page size, this has been overlooked. However, it is possible to create
> > this situation by intentionally modifying the tool or by passing a
> > filesystem image created on a system with a large page size to a system
> > with a smaller page size and mounting it.
> >
> > Fix this issue by inserting the expected error handling for the call to
> > sb_set_blocksize().
> >
> > Link: https://lkml.kernel.org/r/20231129141547.4726-1-konishi.ryusuke@gmail.com
> > Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> > Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > fs/nilfs2/the_nilfs.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > --- a/fs/nilfs2/the_nilfs.c
> > +++ b/fs/nilfs2/the_nilfs.c
> > @@ -688,7 +688,11 @@ int init_nilfs(struct the_nilfs *nilfs,
> > goto failed_sbh;
> > }
> > nilfs_release_super_block(nilfs);
> > - sb_set_blocksize(sb, blocksize);
> > + if (!sb_set_blocksize(sb, blocksize)) {
> > + nilfs_error(sb, "bad blocksize %d", blocksize);
> > + err = -EINVAL;
> > + goto out;
> > + }
> >
> > err = nilfs_load_super_block(nilfs, sb, blocksize, &sbp);
> > if (err)
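Review bot: the added line nilfs_error(sb, "bad blocksize %d", blocksize); in the new failure branch uses the wrong reporting routine for init_nilfs(). As the reply quoted above this patch states, nilfs_error() is a different routine from nilfs_err() and can cause deadlock when used in init_nilfs(), so this backport should log through a plain message helper instead (the replacement posted later in this thread uses nilfs_msg(sb, KERN_ERR, ...)) while keeping err = -EINVAL and goto out unchanged.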
> >
> >
> > Patches currently in stable-queue which might be from konishi.ryusuke@gmail.com are
> >
> > queue-5.4/nilfs2-prevent-warning-in-nilfs_sufile_set_segment_usage.patch
> > queue-5.4/nilfs2-fix-missing-error-check-for-sb_set_blocksize-call.patch
* [PATCH 4.14 4.19 5.4] nilfs2: fix missing error check for sb_set_blocksize call
From: Ryusuke Konishi @ 2023-12-10 7:26 UTC
To: stable, Greg Kroah-Hartman; +Cc: Andrew Morton

commit d61d0ab573649789bf9eb909c89a1a193b2e3d10 upstream.

When mounting a filesystem image with a block size larger than the page
size, nilfs2 repeatedly outputs long error messages with stack traces to
the kernel log, such as the following:

getblk(): invalid block size 8192 requested
logical block size: 512
...
Call Trace:
dump_stack_lvl+0x92/0xd4
dump_stack+0xd/0x10
bdev_getblk+0x33a/0x354
__breadahead+0x11/0x80
nilfs_search_super_root+0xe2/0x704 [nilfs2]
load_nilfs+0x72/0x504 [nilfs2]
nilfs_mount+0x30f/0x518 [nilfs2]
legacy_get_tree+0x1b/0x40
vfs_get_tree+0x18/0xc4
path_mount+0x786/0xa88
__ia32_sys_mount+0x147/0x1a8
__do_fast_syscall_32+0x56/0xc8
do_fast_syscall_32+0x29/0x58
do_SYSENTER_32+0x15/0x18
entry_SYSENTER_32+0x98/0xf1
...

This overloads the system logger. And to make matters worse, it sometimes
crashes the kernel with a memory access violation.

This is because the return value of the sb_set_blocksize() call, which
should be checked for errors, is not checked.

The latter issue is due to out-of-buffer memory being accessed based on a
large block size that caused sb_set_blocksize() to fail for buffers read
with the initial minimum block size that remained unupdated in the
super_block structure.

Since nilfs2 mkfs tool does not accept block sizes larger than the system
page size, this has been overlooked. However, it is possible to create
this situation by intentionally modifying the tool or by passing a
filesystem image created on a system with a large page size to a system
with a smaller page size and mounting it.

Fix this issue by inserting the expected error handling for the call to
sb_set_blocksize().

Link: https://lkml.kernel.org/r/20231129141547.4726-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
Please apply this patch to the stable trees indicated by the subject line
prefix, instead of the patch I asked you to drop earlier.

In this patch, "nilfs_err()" is replaced with its equivalent since it
doesn't yet exist in these kernels. With this tweak, this patch is
applicable from v4.8 to v5.8. Also this patch has been tested against
these three stable trees.

Thanks,
Ryusuke Konishi

fs/nilfs2/the_nilfs.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
index d550a564645e..c8d869bc25b0 100644
--- a/fs/nilfs2/the_nilfs.c
+++ b/fs/nilfs2/the_nilfs.c
@@ -688,7 +688,11 @@ int init_nilfs(struct the_nilfs *nilfs, struct super_block *sb, char *data)
goto failed_sbh;
}
nilfs_release_super_block(nilfs);
- sb_set_blocksize(sb, blocksize);
+ if (!sb_set_blocksize(sb, blocksize)) {
+ nilfs_msg(sb, KERN_ERR, "bad blocksize %d", blocksize);
+ err = -EINVAL;
+ goto out;
+ }
err = nilfs_load_super_block(nilfs, sb, blocksize, &sbp);
if (err)
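Review bot: the message in the new failure branch, "bad blocksize %d", reports only the rejected value and not why it was rejected. The commit message says the failure comes from an on-disk block size larger than the page size, so consider naming that limit in the message, and add a one-line comment that sb_set_blocksize() returns 0 on failure so the reason for the negated test, and for leaving via out rather than failed_sbh after nilfs_release_super_block(nilfs) has already run, is clear to the next reader.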
--
2.39.3
* Re: [PATCH 4.14 4.19 5.4] nilfs2: fix missing error check for sb_set_blocksize call
From: Greg Kroah-Hartman @ 2023-12-11 13:21 UTC
To: Ryusuke Konishi; +Cc: stable, Andrew Morton
On Sun, Dec 10, 2023 at 04:26:48PM +0900, Ryusuke Konishi wrote:
> commit d61d0ab573649789bf9eb909c89a1a193b2e3d10 upstream.
>
> When mounting a filesystem image with a block size larger than the page
> size, nilfs2 repeatedly outputs long error messages with stack traces to
> the kernel log, such as the following:
>
> getblk(): invalid block size 8192 requested
> logical block size: 512
> ...
> Call Trace:
> dump_stack_lvl+0x92/0xd4
> dump_stack+0xd/0x10
> bdev_getblk+0x33a/0x354
> __breadahead+0x11/0x80
> nilfs_search_super_root+0xe2/0x704 [nilfs2]
> load_nilfs+0x72/0x504 [nilfs2]
> nilfs_mount+0x30f/0x518 [nilfs2]
> legacy_get_tree+0x1b/0x40
> vfs_get_tree+0x18/0xc4
> path_mount+0x786/0xa88
> __ia32_sys_mount+0x147/0x1a8
> __do_fast_syscall_32+0x56/0xc8
> do_fast_syscall_32+0x29/0x58
> do_SYSENTER_32+0x15/0x18
> entry_SYSENTER_32+0x98/0xf1
> ...
>
> This overloads the system logger. And to make matters worse, it sometimes
> crashes the kernel with a memory access violation.
>
> This is because the return value of the sb_set_blocksize() call, which
> should be checked for errors, is not checked.
>
> The latter issue is due to out-of-buffer memory being accessed based on a
> large block size that caused sb_set_blocksize() to fail for buffers read
> with the initial minimum block size that remained unupdated in the
> super_block structure.
>
> Since nilfs2 mkfs tool does not accept block sizes larger than the system
> page size, this has been overlooked. However, it is possible to create
> this situation by intentionally modifying the tool or by passing a
> filesystem image created on a system with a large page size to a system
> with a smaller page size and mounting it.
>
> Fix this issue by inserting the expected error handling for the call to
> sb_set_blocksize().
>
> Link: https://lkml.kernel.org/r/20231129141547.4726-1-konishi.ryusuke@gmail.com
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
> Please apply this patch to the stable trees indicated by the subject line
> prefix, instead of the patch I asked you to drop earlier.
>
> In this patch, "nilfs_err()" is replaced with its equivalent since it
> doesn't yet exist in these kernels. With this tweak, this patch is
> applicable from v4.8 to v5.8. Also this patch has been tested against
> these three stable trees.

Now replaced with this version, thanks for catching this!

greg k-h