linux-stable/fs/f2fs
Chao Yu a481db81e7 f2fs: fix to do sanity check on inode type during garbage collection
commit 9056d6489f upstream.

As reported by Wenqing Liu in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=215231

- Overview
kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image

- Reproduce
tested on kernel 5.16-rc3, 5.15.X under root

1. mkdir mnt
2. mount -t f2fs tmp1.img mnt
3. touch tmp
4. cp tmp mnt

F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix.
BUG: kernel NULL pointer dereference, address: 0000000000000000
 folio_mark_dirty+0x33/0x50
 move_data_page+0x2dd/0x460 [f2fs]
 do_garbage_collect+0xc18/0x16a0 [f2fs]
 f2fs_gc+0x1d3/0xd90 [f2fs]
 f2fs_balance_fs+0x13a/0x570 [f2fs]
 f2fs_create+0x285/0x840 [f2fs]
 path_openat+0xe6d/0x1040
 do_filp_open+0xc5/0x140
 do_sys_openat2+0x23a/0x310
 do_sys_open+0x57/0x80

The root cause is that for special files (e.g. character, block, fifo or socket files),
f2fs doesn't assign an address space operations pointer array to the mapping->a_ops field,
so, in a fuzzed image where the SSA table indicates a data block belongs to a special file,
when f2fs tries to migrate that block, it causes a NULL pointer access once move_data_page()
calls a_ops->set_dirty_page().

Cc: stable@vger.kernel.org
Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Kazunori Kobayashi <kazunori.kobayashi@miraclelinux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-11-08 11:21:07 +01:00
Kconfig
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
acl.c f2fs: fix wrong return value of f2fs_acl_create 2019-02-12 19:46:00 +01:00
acl.h
checkpoint.c f2fs: fix to check segment boundary during SIT page readahead 2020-11-05 11:06:53 +01:00
data.c f2fs: fix potential overflow 2020-01-17 19:45:52 +01:00
debug.c
dir.c f2fs: check if file namelen exceeds max value 2020-08-05 10:06:49 +02:00
extent_cache.c f2fs: let's avoid panic if extent_tree is not created 2023-01-24 07:05:18 +01:00
f2fs.h f2fs: use generic EFSBADCRC/EFSCORRUPTED 2019-10-05 12:47:39 +02:00
file.c f2fs: fix out-of-repair __setattr_copy() 2021-03-03 18:22:55 +01:00
gc.c f2fs: fix to do sanity check on inode type during garbage collection 2023-11-08 11:21:07 +01:00
gc.h f2fs: fix potential overflow when adjusting GC cycle 2017-08-15 10:40:14 -07:00
hash.c
inline.c f2fs: fix information leak in f2fs_move_inline_dirents() 2023-03-11 16:26:44 +01:00
inode.c f2fs: use generic EFSBADCRC/EFSCORRUPTED 2019-10-05 12:47:39 +02:00
namei.c fscrypt: return -EXDEV for incompatible rename or link into encrypted dir 2020-11-05 11:06:52 +01:00
node.c f2fs: fix indefinite loop scanning for free nid 2020-09-23 10:46:34 +02:00
node.h f2fs: simplify the way of calulating next nat address 2017-07-04 02:11:34 -07:00
recovery.c f2fs: mark inode dirty explicitly in recover_inode() 2019-11-20 18:00:45 +01:00
segment.c f2fs: fix potential overflow 2021-09-22 11:45:15 +02:00
segment.h f2fs: handle unallocated section and zone on pinned/atgc 2021-03-07 11:27:45 +01:00
shrinker.c f2fs: fix sbi->extent_list corruption issue 2019-02-12 19:46:08 +01:00
super.c f2fs: add MODULE_SOFTDEP to ensure crc32 is included in the initramfs 2021-07-20 16:17:53 +02:00
sysfs.c f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info 2020-10-29 09:07:10 +01:00
trace.c f2fs: do not use mutex lock in atomic context 2019-04-05 22:31:27 +02:00
trace.h
xattr.c f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr() 2021-12-29 12:17:36 +01:00
xattr.h f2fs: fix to avoid accessing xattr across the boundary 2020-05-20 08:17:04 +02:00