From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, stable@kernel.org,
syzbot+b9c7ffd609c3f09416ab@syzkaller.appspotmail.com,
Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org>
Subject: [PATCH 6.17 25/26] f2fs: fix to do sanity check on node footer for non inode dnode
Date: Fri, 10 Oct 2025 15:16:20 +0200 [thread overview]
Message-ID: <20251010131332.120480940@linuxfoundation.org> (raw)
In-Reply-To: <20251010131331.204964167@linuxfoundation.org>
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit c18ecd99e0c707ef8f83cace861cbc3162f4fdf1 upstream.
As syzbot reported below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/file.c:1243!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full)
RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243
Call Trace:
<TASK>
f2fs_punch_hole+0x2db/0x330 fs/f2fs/file.c:1306
f2fs_fallocate+0x546/0x990 fs/f2fs/file.c:2018
vfs_fallocate+0x666/0x7e0 fs/open.c:342
ksys_fallocate fs/open.c:366 [inline]
__do_sys_fallocate fs/open.c:371 [inline]
__se_sys_fallocate fs/open.c:369 [inline]
__x64_sys_fallocate+0xc0/0x110 fs/open.c:369
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1e65f8ebe9
w/ a fuzzed image, f2fs may encounter panic due to it detects inconsistent
truncation range in direct node in f2fs_truncate_hole().
The root cause is: a non-inode dnode may has the same footer.ino and
footer.nid, so the dnode will be parsed as an inode, then ADDRS_PER_PAGE()
may return wrong blkaddr count which may be 923 typically, by chance,
dn.ofs_in_node is equal to 923, then count can be calculated to 0 in below
statement, later it will trigger panic w/ f2fs_bug_on(, count == 0 || ...).
count = min(end_offset - dn.ofs_in_node, pg_end - pg_start);
This patch introduces a new node_type NODE_TYPE_NON_INODE, then allowing
passing the new_type to sanity_check_node_footer in f2fs_get_node_folio()
to detect corruption that a non-inode dnode has the same footer.ino and
footer.nid.
Scripts to reproduce:
mkfs.f2fs -f /dev/vdb
mount /dev/vdb /mnt/f2fs
touch /mnt/f2fs/foo
touch /mnt/f2fs/bar
dd if=/dev/zero of=/mnt/f2fs/foo bs=1M count=8
umount /mnt/f2fs
inject.f2fs --node --mb i_nid --nid 4 --idx 0 --val 5 /dev/vdb
mount /dev/vdb /mnt/f2fs
xfs_io /mnt/f2fs/foo -c "fpunch 6984k 4k"
Cc: stable@kernel.org
Reported-by: syzbot+b9c7ffd609c3f09416ab@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/68a68e27.050a0220.1a3988.0002.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 4 ++-
fs/f2fs/gc.c | 4 +--
fs/f2fs/node.c | 58 +++++++++++++++++++++++++++++++++++------------------
fs/f2fs/node.h | 1
fs/f2fs/recovery.c | 2 -
5 files changed, 46 insertions(+), 23 deletions(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -3764,6 +3764,7 @@ void f2fs_hash_filename(const struct ino
* node.c
*/
struct node_info;
+enum node_type;
int f2fs_check_nid_range(struct f2fs_sb_info *sbi, nid_t nid);
bool f2fs_available_free_memory(struct f2fs_sb_info *sbi, int type);
@@ -3786,7 +3787,8 @@ int f2fs_remove_inode_page(struct inode
struct folio *f2fs_new_inode_folio(struct inode *inode);
struct folio *f2fs_new_node_folio(struct dnode_of_data *dn, unsigned int ofs);
void f2fs_ra_node_page(struct f2fs_sb_info *sbi, nid_t nid);
-struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid);
+struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
+ enum node_type node_type);
struct folio *f2fs_get_inode_folio(struct f2fs_sb_info *sbi, pgoff_t ino);
struct folio *f2fs_get_xnode_folio(struct f2fs_sb_info *sbi, pgoff_t xnid);
int f2fs_move_node_folio(struct folio *node_folio, int gc_type);
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1071,7 +1071,7 @@ next_step:
}
/* phase == 2 */
- node_folio = f2fs_get_node_folio(sbi, nid);
+ node_folio = f2fs_get_node_folio(sbi, nid, NODE_TYPE_REGULAR);
if (IS_ERR(node_folio))
continue;
@@ -1145,7 +1145,7 @@ static bool is_alive(struct f2fs_sb_info
nid = le32_to_cpu(sum->nid);
ofs_in_node = le16_to_cpu(sum->ofs_in_node);
- node_folio = f2fs_get_node_folio(sbi, nid);
+ node_folio = f2fs_get_node_folio(sbi, nid, NODE_TYPE_REGULAR);
if (IS_ERR(node_folio))
return false;
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -871,7 +871,8 @@ int f2fs_get_dnode_of_data(struct dnode_
}
if (!done) {
- nfolio[i] = f2fs_get_node_folio(sbi, nids[i]);
+ nfolio[i] = f2fs_get_node_folio(sbi, nids[i],
+ NODE_TYPE_NON_INODE);
if (IS_ERR(nfolio[i])) {
err = PTR_ERR(nfolio[i]);
f2fs_folio_put(nfolio[0], false);
@@ -989,7 +990,7 @@ static int truncate_dnode(struct dnode_o
return 1;
/* get direct node */
- folio = f2fs_get_node_folio(sbi, dn->nid);
+ folio = f2fs_get_node_folio(sbi, dn->nid, NODE_TYPE_NON_INODE);
if (PTR_ERR(folio) == -ENOENT)
return 1;
else if (IS_ERR(folio))
@@ -1033,7 +1034,8 @@ static int truncate_nodes(struct dnode_o
trace_f2fs_truncate_nodes_enter(dn->inode, dn->nid, dn->data_blkaddr);
- folio = f2fs_get_node_folio(F2FS_I_SB(dn->inode), dn->nid);
+ folio = f2fs_get_node_folio(F2FS_I_SB(dn->inode), dn->nid,
+ NODE_TYPE_NON_INODE);
if (IS_ERR(folio)) {
trace_f2fs_truncate_nodes_exit(dn->inode, PTR_ERR(folio));
return PTR_ERR(folio);
@@ -1111,7 +1113,8 @@ static int truncate_partial_nodes(struct
/* get indirect nodes in the path */
for (i = 0; i < idx + 1; i++) {
/* reference count'll be increased */
- folios[i] = f2fs_get_node_folio(F2FS_I_SB(dn->inode), nid[i]);
+ folios[i] = f2fs_get_node_folio(F2FS_I_SB(dn->inode), nid[i],
+ NODE_TYPE_NON_INODE);
if (IS_ERR(folios[i])) {
err = PTR_ERR(folios[i]);
idx = i - 1;
@@ -1496,21 +1499,37 @@ static int sanity_check_node_footer(stru
struct folio *folio, pgoff_t nid,
enum node_type ntype)
{
- if (unlikely(nid != nid_of_node(folio) ||
- (ntype == NODE_TYPE_INODE && !IS_INODE(folio)) ||
- (ntype == NODE_TYPE_XATTR &&
- !f2fs_has_xattr_block(ofs_of_node(folio))) ||
- time_to_inject(sbi, FAULT_INCONSISTENT_FOOTER))) {
- f2fs_warn(sbi, "inconsistent node block, node_type:%d, nid:%lu, "
- "node_footer[nid:%u,ino:%u,ofs:%u,cpver:%llu,blkaddr:%u]",
- ntype, nid, nid_of_node(folio), ino_of_node(folio),
- ofs_of_node(folio), cpver_of_node(folio),
- next_blkaddr_of_node(folio));
- set_sbi_flag(sbi, SBI_NEED_FSCK);
- f2fs_handle_error(sbi, ERROR_INCONSISTENT_FOOTER);
- return -EFSCORRUPTED;
+ if (unlikely(nid != nid_of_node(folio)))
+ goto out_err;
+
+ switch (ntype) {
+ case NODE_TYPE_INODE:
+ if (!IS_INODE(folio))
+ goto out_err;
+ break;
+ case NODE_TYPE_XATTR:
+ if (!f2fs_has_xattr_block(ofs_of_node(folio)))
+ goto out_err;
+ break;
+ case NODE_TYPE_NON_INODE:
+ if (IS_INODE(folio))
+ goto out_err;
+ break;
+ default:
+ break;
}
+ if (time_to_inject(sbi, FAULT_INCONSISTENT_FOOTER))
+ goto out_err;
return 0;
+out_err:
+ f2fs_warn(sbi, "inconsistent node block, node_type:%d, nid:%lu, "
+ "node_footer[nid:%u,ino:%u,ofs:%u,cpver:%llu,blkaddr:%u]",
+ ntype, nid, nid_of_node(folio), ino_of_node(folio),
+ ofs_of_node(folio), cpver_of_node(folio),
+ next_blkaddr_of_node(folio));
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ f2fs_handle_error(sbi, ERROR_INCONSISTENT_FOOTER);
+ return -EFSCORRUPTED;
}
static struct folio *__get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
@@ -1567,9 +1586,10 @@ out_put_err:
return ERR_PTR(err);
}
-struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid)
+struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
+ enum node_type node_type)
{
- return __get_node_folio(sbi, nid, NULL, 0, NODE_TYPE_REGULAR);
+ return __get_node_folio(sbi, nid, NULL, 0, node_type);
}
struct folio *f2fs_get_inode_folio(struct f2fs_sb_info *sbi, pgoff_t ino)
--- a/fs/f2fs/node.h
+++ b/fs/f2fs/node.h
@@ -57,6 +57,7 @@ enum node_type {
NODE_TYPE_REGULAR,
NODE_TYPE_INODE,
NODE_TYPE_XATTR,
+ NODE_TYPE_NON_INODE,
};
/*
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -548,7 +548,7 @@ got_it:
}
/* Get the node page */
- node_folio = f2fs_get_node_folio(sbi, nid);
+ node_folio = f2fs_get_node_folio(sbi, nid, NODE_TYPE_REGULAR);
if (IS_ERR(node_folio))
return PTR_ERR(node_folio);
next prev parent reply other threads:[~2025-10-10 13:17 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-10 13:15 [PATCH 6.17 00/26] 6.17.2-rc1 review Greg Kroah-Hartman
2025-10-10 13:15 ` [PATCH 6.17 01/26] drm/amdgpu: Enable MES lr_compute_wa by default Greg Kroah-Hartman
2025-10-10 13:15 ` [PATCH 6.17 02/26] USB: serial: option: add SIMCom 8230C compositions Greg Kroah-Hartman
2025-10-10 13:15 ` [PATCH 6.17 03/26] Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 Greg Kroah-Hartman
2025-10-10 13:15 ` [PATCH 6.17 04/26] wifi: rtlwifi: rtl8192cu: Dont claim USB ID 07b8:8188 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 05/26] wifi: rtl8xxxu: " Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 06/26] rust: drm: fix `srctree/` links Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 07/26] rust: block: " Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 08/26] rust: pci: fix incorrect platform reference in PCI driver probe doc comment Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 09/26] rust: pci: fix incorrect platform reference in PCI driver unbind " Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 10/26] serial: qcom-geni: Fix blocked task Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 11/26] nvmem: layouts: fix automatic module loading Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 12/26] drivers/misc/amd-sbi/Kconfig: select REGMAP_I2C Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 13/26] binder: fix double-free in dbitmap Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 14/26] serial: stm32: allow selecting console when the driver is module Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 15/26] staging: axis-fifo: fix maximum TX packet length check Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 16/26] staging: axis-fifo: fix TX handling on copy_from_user() failure Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 17/26] staging: axis-fifo: flush RX FIFO on read errors Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 18/26] driver core: faux: Set power.no_pm for faux devices Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 19/26] driver core/PM: Set power.no_callbacks along with power.no_pm Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 20/26] Revert "crypto: testmgr - desupport SHA-1 for FIPS 140" Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 21/26] crypto: zstd - Fix compression bug caused by truncation Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 22/26] crypto: rng - Ensure set_ent is always present Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 23/26] net/9p: fix double req put in p9_fd_cancelled Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.17 24/26] KVM: x86: Dont (re)check L1 intercepts when completing userspace I/O Greg Kroah-Hartman
2025-10-10 13:16 ` Greg Kroah-Hartman [this message]
2025-10-10 13:16 ` [PATCH 6.17 26/26] ring buffer: Propagate __rb_map_vma return value to caller Greg Kroah-Hartman
2025-10-10 15:14 ` [PATCH 6.17 00/26] 6.17.2-rc1 review Ronald Warsow
2025-10-10 17:15 ` Jon Hunter
2025-10-10 19:51 ` Justin Forbes
2025-10-10 22:20 ` Shuah Khan
2025-10-11 8:39 ` Naresh Kamboju
2025-10-11 10:49 ` Mark Brown
2025-10-11 11:31 ` Ron Economos
2025-10-11 12:26 ` Takeshi Ogasawara
2025-10-11 16:55 ` Brett A C Sheffield
2025-10-11 21:59 ` Peter Schneider
2025-10-12 9:42 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251010131332.120480940@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chao@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+b9c7ffd609c3f09416ab@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox