From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+74ebe2104433e9dc610d@syzkaller.appspotmail.com,
Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.6 55/67] f2fs: fix to cover read extent cache access with lock
Date: Thu, 15 Aug 2024 15:26:09 +0200 [thread overview]
Message-ID: <20240815131840.420051071@linuxfoundation.org> (raw)
In-Reply-To: <20240815131838.311442229@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit d7409b05a64f212735f0d33f5f1602051a886eab ]
syzbot reports a f2fs bug as below:
BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097
CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
do_read_inode fs/f2fs/inode.c:509 [inline]
f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560
f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237
generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413
exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444
exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584
do_handle_to_path fs/fhandle.c:155 [inline]
handle_to_path fs/fhandle.c:210 [inline]
do_handle_open+0x495/0x650 fs/fhandle.c:226
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
We missed to cover sanity_check_extent_cache() w/ extent cache lock,
so, below race case may happen, result in use after free issue.
- f2fs_iget
- do_read_inode
- f2fs_init_read_extent_tree
: add largest extent entry in to cache
- shrink
- f2fs_shrink_read_extent_tree
- __shrink_extent_tree
- __detach_extent_node
: drop largest extent entry
- sanity_check_extent_cache
: access et->largest w/o lock
let's refactor sanity_check_extent_cache() to avoid extent cache access
and call it before f2fs_init_read_extent_tree() to fix this issue.
Reported-by: syzbot+74ebe2104433e9dc610d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/00000000000009beea061740a531@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/extent_cache.c | 48 +++++++++++++++++-------------------------
fs/f2fs/f2fs.h | 2 +-
fs/f2fs/inode.c | 10 ++++-----
3 files changed, 25 insertions(+), 35 deletions(-)
diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
index ad8dfac73bd44..6a9a470345bfc 100644
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -19,34 +19,24 @@
#include "node.h"
#include <trace/events/f2fs.h>
-bool sanity_check_extent_cache(struct inode *inode)
+bool sanity_check_extent_cache(struct inode *inode, struct page *ipage)
{
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
- struct f2fs_inode_info *fi = F2FS_I(inode);
- struct extent_tree *et = fi->extent_tree[EX_READ];
- struct extent_info *ei;
-
- if (!et)
- return true;
+ struct f2fs_extent *i_ext = &F2FS_INODE(ipage)->i_ext;
+ struct extent_info ei;
- ei = &et->largest;
- if (!ei->len)
- return true;
+ get_read_extent_info(&ei, i_ext);
- /* Let's drop, if checkpoint got corrupted. */
- if (is_set_ckpt_flags(sbi, CP_ERROR_FLAG)) {
- ei->len = 0;
- et->largest_updated = true;
+ if (!ei.len)
return true;
- }
- if (!f2fs_is_valid_blkaddr(sbi, ei->blk, DATA_GENERIC_ENHANCE) ||
- !f2fs_is_valid_blkaddr(sbi, ei->blk + ei->len - 1,
+ if (!f2fs_is_valid_blkaddr(sbi, ei.blk, DATA_GENERIC_ENHANCE) ||
+ !f2fs_is_valid_blkaddr(sbi, ei.blk + ei.len - 1,
DATA_GENERIC_ENHANCE)) {
set_sbi_flag(sbi, SBI_NEED_FSCK);
f2fs_warn(sbi, "%s: inode (ino=%lx) extent info [%u, %u, %u] is incorrect, run fsck to fix",
__func__, inode->i_ino,
- ei->blk, ei->fofs, ei->len);
+ ei.blk, ei.fofs, ei.len);
return false;
}
return true;
@@ -395,24 +385,22 @@ void f2fs_init_read_extent_tree(struct inode *inode, struct page *ipage)
if (!__may_extent_tree(inode, EX_READ)) {
/* drop largest read extent */
- if (i_ext && i_ext->len) {
+ if (i_ext->len) {
f2fs_wait_on_page_writeback(ipage, NODE, true, true);
i_ext->len = 0;
set_page_dirty(ipage);
}
- goto out;
+ set_inode_flag(inode, FI_NO_EXTENT);
+ return;
}
et = __grab_extent_tree(inode, EX_READ);
- if (!i_ext || !i_ext->len)
- goto out;
-
get_read_extent_info(&ei, i_ext);
write_lock(&et->lock);
- if (atomic_read(&et->node_cnt))
- goto unlock_out;
+ if (atomic_read(&et->node_cnt) || !ei.len)
+ goto skip;
en = __attach_extent_node(sbi, et, &ei, NULL,
&et->root.rb_root.rb_node, true);
@@ -424,11 +412,13 @@ void f2fs_init_read_extent_tree(struct inode *inode, struct page *ipage)
list_add_tail(&en->list, &eti->extent_list);
spin_unlock(&eti->extent_lock);
}
-unlock_out:
+skip:
+ /* Let's drop, if checkpoint got corrupted. */
+ if (f2fs_cp_error(sbi)) {
+ et->largest.len = 0;
+ et->largest_updated = true;
+ }
write_unlock(&et->lock);
-out:
- if (!F2FS_I(inode)->extent_tree[EX_READ])
- set_inode_flag(inode, FI_NO_EXTENT);
}
void f2fs_init_age_extent_tree(struct inode *inode)
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 19490dd832194..00eff023cd9d6 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -4189,7 +4189,7 @@ void f2fs_leave_shrinker(struct f2fs_sb_info *sbi);
/*
* extent_cache.c
*/
-bool sanity_check_extent_cache(struct inode *inode);
+bool sanity_check_extent_cache(struct inode *inode, struct page *ipage);
void f2fs_init_extent_tree(struct inode *inode);
void f2fs_drop_extent_tree(struct inode *inode);
void f2fs_destroy_extent_node(struct inode *inode);
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 0172f4e503061..26e857fee631d 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -511,16 +511,16 @@ static int do_read_inode(struct inode *inode)
init_idisk_time(inode);
- /* Need all the flag bits */
- f2fs_init_read_extent_tree(inode, node_page);
- f2fs_init_age_extent_tree(inode);
-
- if (!sanity_check_extent_cache(inode)) {
+ if (!sanity_check_extent_cache(inode, node_page)) {
f2fs_put_page(node_page, 1);
f2fs_handle_error(sbi, ERROR_CORRUPTED_INODE);
return -EFSCORRUPTED;
}
+ /* Need all the flag bits */
+ f2fs_init_read_extent_tree(inode, node_page);
+ f2fs_init_age_extent_tree(inode);
+
f2fs_put_page(node_page, 1);
stat_inc_inline_xattr(inode);
--
2.43.0
next prev parent reply other threads:[~2024-08-15 14:10 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-15 13:25 [PATCH 6.6 00/67] 6.6.47-rc1 review Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 01/67] exec: Fix ToCToU between perm check and set-uid/gid usage Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 02/67] ASoC: topology: Clean up route loading Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 03/67] ASoC: topology: Fix route memory corruption Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 04/67] LoongArch: Define __ARCH_WANT_NEW_STAT in unistd.h Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 05/67] NFSD: Rewrite synopsis of nfsd_percpu_counters_init() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 06/67] NFSD: Fix frame size warning in svc_export_parse() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 07/67] sunrpc: dont change ->sv_stats if it doesnt exist Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 08/67] nfsd: stop setting ->pg_stats for unused stats Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 09/67] sunrpc: pass in the sv_stats struct through svc_create_pooled Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 10/67] sunrpc: remove ->pg_stats from svc_program Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 11/67] sunrpc: use the struct net as the svc proc private Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 12/67] nfsd: rename NFSD_NET_* to NFSD_STATS_* Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 13/67] nfsd: expose /proc/net/sunrpc/nfsd in net namespaces Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 14/67] nfsd: make all of the nfsd stats per-network namespace Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 15/67] nfsd: remove nfsd_stats, make th_cnt a global counter Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 16/67] nfsd: make svc_stat per-network namespace instead of global Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 17/67] mm: gup: stop abusing try_grab_folio Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 18/67] nvme/pci: Add APST quirk for Lenovo N60z laptop Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 19/67] genirq/cpuhotplug: Skip suspended interrupts when restoring affinity Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 20/67] genirq/cpuhotplug: Retry with cpu_online_mask when migration fails Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 21/67] cgroup: Make operations on the cgroup root_list RCU safe Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 22/67] tcp_metrics: optimize tcp_metrics_flush_all() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 23/67] wifi: mac80211: take wiphy lock for MAC addr change Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 24/67] wifi: mac80211: fix change_address deadlock during unregister Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 25/67] fs: Convert to bdev_open_by_dev() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 26/67] jfs: " Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 27/67] jfs: fix log->bdev_handle null ptr deref in lbmStartIO Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 28/67] net: dont dump stack on queue timeout Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 29/67] jfs: fix shift-out-of-bounds in dbJoin Greg Kroah-Hartman
2024-08-15 14:13 ` Dave Kleikamp
2024-08-15 14:19 ` Greg Kroah-Hartman
2024-08-15 16:24 ` Dave Kleikamp
2024-08-15 13:25 ` [PATCH 6.6 30/67] squashfs: squashfs_read_data need to check if the length is 0 Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 31/67] Squashfs: fix variable overflow triggered by sysbot Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 32/67] reiserfs: fix uninit-value in comp_keys Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 33/67] erofs: avoid debugging output for (de)compressed data Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 34/67] net: tls, add test to capture error on large splice Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 35/67] Input: bcm5974 - check endpoint type before starting traffic Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 36/67] quota: Detect loops in quota tree Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 37/67] net:rds: Fix possible deadlock in rds_message_put Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 38/67] net: sctp: fix skb leak in sctp_inq_free() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 39/67] pppoe: Fix memory leak in pppoe_sendmsg() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 40/67] bpf: Replace bpf_lpm_trie_key 0-length array with flexible array Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 41/67] bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 42/67] fs: Annotate struct file_handle with __counted_by() and use struct_size() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 43/67] mISDN: fix MISDN_TIME_STAMP handling Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 44/67] net: add copy_safe_from_sockptr() helper Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.6 45/67] nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 46/67] Bluetooth: RFCOMM: Fix not validating setsockopt user input Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 47/67] ext4: fold quota accounting into ext4_xattr_inode_lookup_create() Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 48/67] ext4: do not create EA inode under buffer lock Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 49/67] mm/page_table_check: support userfault wr-protect entries Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 50/67] wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 51/67] ext4: convert ext4_da_do_write_end() to take a folio Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 52/67] ext4: sanity check for NULL pointer after ext4_force_shutdown Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 53/67] bpf, net: Use DEV_STAT_INC() Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 54/67] f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC Greg Kroah-Hartman
2024-08-15 13:26 ` Greg Kroah-Hartman [this message]
2024-08-15 13:26 ` [PATCH 6.6 56/67] fou: remove warn in gue_gro_receive on unsupported protocol Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 57/67] jfs: fix null ptr deref in dtInsertEntry Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 58/67] jfs: Fix shift-out-of-bounds in dbDiscardAG Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 59/67] fs/ntfs3: Do copy_to_user out of run_lock Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 60/67] ALSA: usb: Fix UBSAN warning in parse_audio_unit() Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 61/67] binfmt_flat: Fix corruption when not offsetting data start Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 62/67] Revert "jfs: fix shift-out-of-bounds in dbJoin" Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 63/67] Revert "Input: bcm5974 - check endpoint type before starting traffic" Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 64/67] mm/debug_vm_pgtable: drop RANDOM_ORVALUE trick Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 65/67] cgroup: Move rcu_head up near the top of cgroup_root Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 66/67] KVM: arm64: Dont defer TLB invalidation when zapping table entries Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.6 67/67] KVM: arm64: Dont pass a TLBI level hint " Greg Kroah-Hartman
2024-08-15 19:35 ` [PATCH 6.6 00/67] 6.6.47-rc1 review ChromeOS Kernel Stable Merge
2024-08-15 19:46 ` Peter Schneider
2024-08-15 21:59 ` Florian Fainelli
2024-08-16 8:47 ` Anders Roxell
2024-08-16 11:24 ` Mark Brown
2024-08-16 11:56 ` Takeshi Ogasawara
2024-08-16 19:47 ` Jon Hunter
2024-08-16 20:40 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240815131840.420051071@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chao@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+74ebe2104433e9dc610d@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox