Darrick J. Wong 0e98a97f77 xfs: verify buffer contents when we skip log replay
commit 22ed903eee upstream.

syzbot detected a crash during log recovery:

XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791
XFS (loop0): Torn write (CRC failure) detected at log block 0x180. Truncating head block from 0x200.
XFS (loop0): Starting recovery (logdev: internal)
==================================================================
BUG: KASAN: slab-out-of-bounds in xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813
Read of size 8 at addr ffff88807e89f258 by task syz-executor132/5074

CPU: 0 PID: 5074 Comm: syz-executor132 Not tainted 6.2.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:306
 print_report+0x107/0x1f0 mm/kasan/report.c:417
 kasan_report+0xcd/0x100 mm/kasan/report.c:517
 xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813
 xfs_btree_lookup+0x346/0x12c0 fs/xfs/libxfs/xfs_btree.c:1913
 xfs_btree_simple_query_range+0xde/0x6a0 fs/xfs/libxfs/xfs_btree.c:4713
 xfs_btree_query_range+0x2db/0x380 fs/xfs/libxfs/xfs_btree.c:4953
 xfs_refcount_recover_cow_leftovers+0x2d1/0xa60 fs/xfs/libxfs/xfs_refcount.c:1946
 xfs_reflink_recover_cow+0xab/0x1b0 fs/xfs/xfs_reflink.c:930
 xlog_recover_finish+0x824/0x920 fs/xfs/xfs_log_recover.c:3493
 xfs_log_mount_finish+0x1ec/0x3d0 fs/xfs/xfs_log.c:829
 xfs_mountfs+0x146a/0x1ef0 fs/xfs/xfs_mount.c:933
 xfs_fs_fill_super+0xf95/0x11f0 fs/xfs/xfs_super.c:1666
 get_tree_bdev+0x400/0x620 fs/super.c:1282
 vfs_get_tree+0x88/0x270 fs/super.c:1489
 do_new_mount+0x289/0xad0 fs/namespace.c:3145
 do_mount fs/namespace.c:3488 [inline]
 __do_sys_mount fs/namespace.c:3697 [inline]
 __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f89fa3f4aca
Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffd5fb5ef8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00646975756f6e2c RCX: 00007f89fa3f4aca
RDX: 0000000020000100 RSI: 0000000020009640 RDI: 00007fffd5fb5f10
RBP: 00007fffd5fb5f10 R08: 00007fffd5fb5f50 R09: 000000000000970d
R10: 0000000000200800 R11: 0000000000000206 R12: 0000000000000004
R13: 0000555556c6b2c0 R14: 0000000000200800 R15: 00007fffd5fb5f50
 </TASK>

The fuzzed image contains an AGF with an obviously garbage
agf_refcount_level value of 32, and a dirty log with a buffer log item
for that AGF.  The ondisk AGF has a higher LSN than the recovered log
item.  xlog_recover_buf_commit_pass2 reads the buffer, compares the
LSNs, and decides to skip replay because the ondisk buffer appears to be
newer.

Unfortunately, the ondisk buffer is corrupt, but recovery just read the
buffer with no buffer ops specified:

	error = xfs_buf_read(mp->m_ddev_targp, buf_f->blf_blkno,
			buf_f->blf_len, buf_flags, &bp, NULL);

Skipping the buffer leaves its contents in memory unverified.  This sets
us up for a kernel crash because xfs_refcount_recover_cow_leftovers
reads the buffer (which is still around in XBF_DONE state, so no read
verification) and creates a refcountbt cursor of height 32.  This is
impossible so we run off the end of the cursor object and crash.

Fix this by invoking the verifier on all skipped buffers and aborting
log recovery if the ondisk buffer is corrupt.  It might be smarter to
force replay the log item atop the buffer and then see if it'll pass the
write verifier (like ext4 does) but for now let's go with the
conservative option where we stop immediately.

Link: https://syzkaller.appspot.com/bug?extid=7e9494b8b399902e994e
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-06-14 11:09:59 +02:00
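The skip-on-newer-LSN decision described in the commit message, modelled in C as an added example (not the kernel's code): the on-disk AGF was read without verifier ops, so a refcount level of 32 passes the pre-fix path untouched, while the post-fix path runs a verifier over the skipped buffer and aborts recovery. `struct model_agf`, `decide_old`, `decide_new` and the level bound of 9 are constructed stand-ins, and the LSN comparison is simplified to an integer `>=`.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not XFS code: names, struct layout and the level bound are stand-ins. */
#define MODEL_AGF_MAGIC        0x58414746u  /* "XAGF", the bytes of the on-disk AGF magic */
#define MODEL_MAX_BTREE_LEVELS 9u           /* assumed sane bound for a btree height */

struct model_agf {
	uint32_t magic;
	uint32_t refcount_level;   /* the field the fuzzed image set to 32 */
	uint64_t lsn;              /* LSN stamped into the on-disk buffer */
};

enum replay_outcome {
	REPLAY_ITEM,     /* log item is newer: replay it over the buffer */
	SKIP_REPLAY,     /* on-disk buffer is newer: keep it as is */
	ABORT_CORRUPT,   /* on-disk buffer failed verification: stop recovery */
};

/* Read-verifier stand-in: reject a level that would build an impossible cursor. */
bool model_agf_verify(const struct model_agf *agf)
{
	if (agf->magic != MODEL_AGF_MAGIC)
		return false;
	if (agf->refcount_level < 1 || agf->refcount_level > MODEL_MAX_BTREE_LEVELS)
		return false;
	return true;
}

/* Pre-fix logic: the buffer was read with no ops, so the LSN alone decides. */
enum replay_outcome decide_old(uint32_t ondisk_level, uint64_t ondisk_lsn, uint64_t item_lsn)
{
	struct model_agf agf = { MODEL_AGF_MAGIC, ondisk_level, ondisk_lsn };
	if (agf.lsn >= item_lsn)
		return SKIP_REPLAY;   /* contents stay in memory unverified */
	return REPLAY_ITEM;
}

/* Post-fix logic: a buffer that is skipped must still pass the verifier. */
enum replay_outcome decide_new(uint32_t ondisk_level, uint64_t ondisk_lsn, uint64_t item_lsn)
{
	struct model_agf agf = { MODEL_AGF_MAGIC, ondisk_level, ondisk_lsn };
	if (agf.lsn >= item_lsn) {
		if (!model_agf_verify(&agf))
			return ABORT_CORRUPT;   /* corrupt on-disk buffer: abort recovery */
		return SKIP_REPLAY;
	}
	return REPLAY_ITEM;
}
```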