diff mbox series

[4.19,026/239] f2fs: fix to do sanity check in is_alive()

Message ID	20220124183943.957395248@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org> Subject: [PATCH 4.19 026/239] f2fs: fix to do sanity check in is_alive() Date: Mon, 24 Jan 2022 19:41:04 +0100 Message-Id: <20220124183943.957395248@linuxfoundation.org> In-Reply-To: <20220124183943.102762895@linuxfoundation.org> References: <20220124183943.102762895@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [4.19,006/239] mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe() [4.19,009/239] random: fix data race on crng_node_pool [4.19,014/239] orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc() [4.19,015/239] KVM: s390: Clarify SIGP orders versus STOP/RESTART [4.19,017/239] rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts e... [4.19,018/239] firmware: qemu_fw_cfg: fix sysfs information leak [4.19,019/239] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries [4.19,020/239] firmware: qemu_fw_cfg: fix kobject leak in probe error path [4.19,024/239] HID: wacom: Ignore the confidence flag when a touch is removed [4.19,026/239] f2fs: fix to do sanity check in is_alive() [4.19,029/239] x86/gpu: Reserve stolen memory for first integrated Intel GPU [4.19,032/239] media: mceusb: fix control-message timeouts [4.19,033/239] media: em28xx: fix control-message timeouts [4.19,036/239] media: dib0700: fix undefined behavior in tuner shutdown [4.19,038/239] media: pvrusb2: fix control-message timeouts [4.19,042/239] PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller [4.19,045/239] Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails [4.19,047/239] clk: bcm-2835: Remove rounding up the dividers [4.19,051/239] media: em28xx: fix memory leak in em28xx_init_dev [4.19,052/239] arm64: dts: meson-gxbb-wetek: fix missing GPIO binding [4.19,054/239] tee: fix put order in teedev_close_context() [4.19,055/239] media: dmxdev: fix UAF when dvb_register_device() fails [4.19,059/239] media: rcar-csi2: Correct the selection of hsfreqrange [4.19,061/239] media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released [4.19,062/239] netfilter: bridge: add support for pppoe filtering [4.19,063/239] arm64: dts: qcom: msm8916: fix MMC controller aliases [4.19,064/239] drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode() [4.19,066/239] tty: serial: uartlite: allow 64 bit address [4.19,067/239] serial: amba-pl011: do not request memory region twice [4.19,069/239] media: dib8000: Fix a memleak in dib8000_init() [4.19,071/239] media: si2157: Fix "warm" tuner state detection [4.19,072/239] sched/rt: Try to restart rt period timer when rt runtime exceeded [4.19,073/239] xfrm: fix a small bug in xfrm_sa_len() [4.19,074/239] crypto: stm32/cryp - fix double pm exit [4.19,075/239] media: dw2102: Fix use after free [4.19,076/239] media: msi001: fix possible null-ptr-deref in msi001_probe() [4.19,077/239] media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes [4.19,079/239] xfrm: interface with if_id 0 should return error [4.19,082/239] ARM: dts: armada-38x: Add generic compatible to UART nodes [4.19,084/239] x86/mce/inject: Avoid out-of-bounds write when setting flags [4.19,085/239] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_regi... [4.19,088/239] ppp: ensure minimum packet size in ppp_write() [4.19,090/239] fsl/fman: Check for null pointer after calling devm_ioremap [4.19,095/239] can: xilinx_can: xcan_probe(): check for error irq [4.19,096/239] pcmcia: fix setting of kthread task states [4.19,100/239] ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls [4.19,101/239] ALSA: hda: Add missing rwsem around snd_ctl_remove() calls [4.19,103/239] powerpc/prom_init: Fix improper check of prom_getprop() [4.19,105/239] ALSA: oss: fix compile error when OSS_DEBUG is enabled [4.19,110/239] RDMA/core: Let ib_find_gid() continue search even after empty entry [4.19,112/239] dmaengine: pxa/mmp: stop referencing config->slave_id [4.19,115/239] ASoC: samsung: idma: Check of ioremap return value [4.19,116/239] misc: lattice-ecp3-config: Fix task hung when firmware load failed [4.19,120/239] Bluetooth: Fix debugfs entry leak in hci_register_dev() [4.19,123/239] drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR [4.19,126/239] media: b2c2: Add missing check in flexcop_pci_isr: [4.19,127/239] ARM: imx: rename DEBUG_IMX21_IMX27_UART to DEBUG_IMX27_UART [4.19,132/239] mwifiex: Fix skb_over_panic in mwifiex_usb_recv() [4.19,133/239] rsi: Fix out-of-bounds read in rsi_read_pkt() [4.19,137/239] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() [4.19,138/239] media: m920x: dont use stack on USB reads [4.19,140/239] ath10k: Fix tx hanging [4.19,143/239] x86/mce: Mark mce_end() noinstr [4.19,144/239] x86/mce: Mark mce_read_aux() noinstr [4.19,147/239] HID: quirks: Allow inverting the absolute X/Y values [4.19,151/239] audit: ensure userspace is penalized the same as the kernel when under pressure [4.19,152/239] arm64: tegra: Adjust length of CCPLEX cluster MMIO region [4.19,154/239] ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream [4.19,155/239] iwlwifi: fix leaks/bad data after failed firmware load [4.19,156/239] iwlwifi: remove module loading failure message [4.19,157/239] iwlwifi: mvm: Fix calculation of frame length [4.19,159/239] jffs2: GC deadlock reading a page that is used in jffs2_write_begin() [4.19,163/239] ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 [4.19,164/239] drm/amdgpu: fixup bad vram size on gmc v8 [4.19,166/239] btrfs: remove BUG_ON() in find_parent_nodes() [4.19,167/239] btrfs: remove BUG_ON(!eie) in find_parent_nodes [4.19,176/239] serial: core: Keep mctrl register state and cached copy in sync [4.19,178/239] powerpc/6xx: add missing of_node_put [4.19,179/239] powerpc/powernv: add missing of_node_put [4.19,181/239] powerpc/btext: add missing of_node_put [4.19,184/239] powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING [4.19,185/239] i2c: mpc: Correct I2C reset procedure [4.19,190/239] i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters [4.19,194/239] power: bq25890: Enable continuous conversion for ADC at charging [4.19,196/239] ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers [4.19,197/239] serial: Fix incorrect rs485 polarity on uart open [4.19,199/239] iwlwifi: mvm: Increase the scan timeout guard to 30 seconds [4.19,200/239] s390/mm: fix 2KB pgtable release race [4.19,203/239] ext4: make sure quota gets properly shutdown on error [4.19,204/239] ext4: set csum seed in tmp inode while migrating to extents [4.19,206/239] ext4: dont use the orphan list when migrating an inode [4.19,207/239] crypto: stm32/crc32 - Fix kernel BUG triggered in probe() [4.19,208/239] ASoC: dpcm: prevent snd_soc_dpcm use after free [4.19,215/239] RDMA/hns: Modify the mapping attribute of doorbell to device [4.19,217/239] dmaengine: stm32-mdma: fix STM32_MDMA_CTBR_TSEL_MASK [4.19,219/239] powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses [4.19,220/239] net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module [4.19,221/239] parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries [4.19,224/239] net: axienet: fix number of TX ring slots for available check [4.19,225/239] rtc: pxa: fix null pointer dereference [4.19,229/239] dmaengine: at_xdmac: Print debug message after realeasing the lock [4.19,230/239] dmaengine: at_xdmac: Fix lld view setting [4.19,233/239] bcmgenet: add WOL IRQ check [4.19,238/239] fuse: fix bad inode

Commit Message

Greg KH Jan. 24, 2022, 6:41 p.m. UTC

From: Chao Yu <chao@kernel.org>

commit 77900c45ee5cd5da63bd4d818a41dbdf367e81cd upstream.

In fuzzed image, SSA table may indicate that a data block belongs to
invalid node, which node ID is out-of-range (0, 1, 2 or max_nid), in
order to avoid migrating inconsistent data in such corrupted image,
let's do sanity check anyway before data block migration.

Cc: stable@vger.kernel.org
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/gc.c |    3 +++
 1 file changed, 3 insertions(+)

Comments

Pavel Machek Feb. 1, 2022, 7:18 p.m. UTC | #1

Hi!

> Oops, you're right, my bad.
> 
> > 
> > > +++ b/fs/f2fs/gc.c
> > > @@ -589,6 +589,9 @@ static bool is_alive(struct f2fs_sb_info
> > >   		set_sbi_flag(sbi, SBI_NEED_FSCK);
> > >   	}
> > > +	if (f2fs_check_nid_range(sbi, dni->ino))
> > > +		return false;
> > > +
> > >   	*nofs = ofs_of_node(node_page);
> > >   	source_blkaddr = datablock_addr(NULL, node_page, ofs_in_node);
> > >   	f2fs_put_page(node_page, 1);
> > 
> > AFAICT f2fs_put_page() needs to be done in the error path, too.
> > 
> > (Problem seems to exist in mainline, too).
> > 
> > Something like this?
> 
> Could you please send a formal patch to f2fs mailing list for better review?
> 
> Anyway, thanks a lot for the report and the patch!

I'm quite busy with other reviews at the moment. If you could submit a
patch, it would be great, otherwise I'll get to it .. sometime.

Best regards,
									Pavel

Chao Yu Feb. 3, 2022, 2:51 p.m. UTC | #2

On 2022/2/2 3:18, Pavel Machek wrote:
> Hi!
> 
>> Oops, you're right, my bad.
>>
>>>
>>>> +++ b/fs/f2fs/gc.c
>>>> @@ -589,6 +589,9 @@ static bool is_alive(struct f2fs_sb_info
>>>>    		set_sbi_flag(sbi, SBI_NEED_FSCK);
>>>>    	}
>>>> +	if (f2fs_check_nid_range(sbi, dni->ino))
>>>> +		return false;
>>>> +
>>>>    	*nofs = ofs_of_node(node_page);
>>>>    	source_blkaddr = datablock_addr(NULL, node_page, ofs_in_node);
>>>>    	f2fs_put_page(node_page, 1);
>>>
>>> AFAICT f2fs_put_page() needs to be done in the error path, too.
>>>
>>> (Problem seems to exist in mainline, too).
>>>
>>> Something like this?
>>
>> Could you please send a formal patch to f2fs mailing list for better review?
>>
>> Anyway, thanks a lot for the report and the patch!
> 
> I'm quite busy with other reviews at the moment. If you could submit a
> patch, it would be great, otherwise I'll get to it .. sometime.

I've submitted a patch, could you please take a look?

Thanks,

> 
> Best regards,
> 									Pavel
>

diff mbox series

Patch

--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -589,6 +589,9 @@  static bool is_alive(struct f2fs_sb_info
 		set_sbi_flag(sbi, SBI_NEED_FSCK);
 	}
 
+	if (f2fs_check_nid_range(sbi, dni->ino))
+		return false;
+
 	*nofs = ofs_of_node(node_page);
 	source_blkaddr = datablock_addr(NULL, node_page, ofs_in_node);
 	f2fs_put_page(node_page, 1);