linux-stable/fs/f2fs
Chao Yu af0f716ad3 f2fs: fix to do sanity check on direct node in truncate_dnode()
commit a6ec83786a upstream.

syzbot reports below bug:

BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574
Read of size 4 at addr ffff88802a25c000 by task syz-executor148/5000

CPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:572
 f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574
 truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944
 f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154
 f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721
 f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749
 f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799
 f2fs_truncate include/linux/fs.h:825 [inline]
 f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006
 notify_change+0xb2c/0x1180 fs/attr.c:483
 do_truncate+0x143/0x200 fs/open.c:66
 handle_truncate fs/namei.c:3295 [inline]
 do_open fs/namei.c:3640 [inline]
 path_openat+0x2083/0x2750 fs/namei.c:3791
 do_filp_open+0x1ba/0x410 fs/namei.c:3818
 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_creat fs/open.c:1448 [inline]
 __se_sys_creat fs/open.c:1442 [inline]
 __x64_sys_creat+0xcd/0x120 fs/open.c:1442
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is that inodeA references inodeB via inodeB's ino; once inodeA
is truncated, it calls truncate_dnode() to truncate data blocks in inodeB's
node page, which traverses mapping data from node->i.i_addr[0] to
node->i.i_addr[ADDRS_PER_BLOCK() - 1], resulting in an out-of-bounds access.

This patch adds a sanity check on the dnode page in truncate_dnode(),
so that it can avoid triggering such an issue, and once it encounters
such an issue, it records the newly introduced ERROR_INVALID_NODE_REFERENCE
error in the superblock, so that fsck can later detect the issue and try to repair it.

Also, it removes f2fs_truncate_data_blocks() as a cleanup, since the
function has only one caller, and uses f2fs_truncate_data_blocks_range()
instead.

Reported-and-tested-by: syzbot+12cb4425b22169b52036@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000f3038a05fef867f8@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-11 12:14:26 +02:00
Kconfig f2fs: introduce F2FS_UNFAIR_RWSEM to support unfair rwsem 2022-03-04 09:15:53 -08:00
Makefile f2fs: separate out iostat feature 2021-08-23 10:25:51 -07:00
acl.c fs: port i_{g,u}id_into_vfs{g,u}id() to mnt_idmap 2023-01-19 09:24:29 +01:00
acl.h fs: port ->set_acl() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
checkpoint.c f2fs: support errors=remount-ro|continue|panic mountoption 2023-07-19 16:36:35 +02:00
compress.c f2fs: flush error flags in workqueue 2023-07-19 16:36:35 +02:00
data.c f2fs: support errors=remount-ro|continue|panic mountoption 2023-07-19 16:36:35 +02:00
debug.c f2fs: fix to recover quota data correctly 2023-04-12 20:00:36 -07:00
dir.c f2fs: fix deadlock in i_xattr_sem and inode page lock 2023-07-23 13:53:50 +02:00
extent_cache.c f2fs: remove unnessary comment in __may_age_extent_tree 2023-04-24 11:03:10 -07:00
f2fs.h f2fs: fix to do sanity check on direct node in truncate_dnode() 2023-08-11 12:14:26 +02:00
file.c f2fs: fix to do sanity check on direct node in truncate_dnode() 2023-08-11 12:14:26 +02:00
gc.c f2fs: check return value of freeze_super() 2023-07-19 16:36:41 +02:00
gc.h f2fs: Fix system crash due to lack of free space in LFS 2023-04-10 10:58:45 -07:00
hash.c f2fs: don't use casefolded comparison for "." and ".." 2022-05-17 11:19:23 -07:00
inline.c f2fs: use common implementation of file type 2023-04-10 10:58:45 -07:00
inode.c f2fs: remove unneeded in-memory i_crtime copy 2023-04-10 11:00:58 -07:00
iostat.c f2fs: use iostat_lat_type directly as a parameter in the iostat_update_and_unbind_ctx() 2023-02-07 10:39:28 -08:00
iostat.h f2fs: use iostat_lat_type directly as a parameter in the iostat_update_and_unbind_ctx() 2023-02-07 10:39:28 -08:00
namei.c Revert "f2fs: fix potential corruption when moving a directory" 2023-07-19 16:36:55 +02:00
node.c f2fs: fix to do sanity check on direct node in truncate_dnode() 2023-08-11 12:14:26 +02:00
node.h f2fs: convert to use bitmap API 2023-03-29 15:17:37 -07:00
recovery.c f2fs: fix to recover quota data correctly 2023-04-12 20:00:36 -07:00
segment.c f2fs: allocate node blocks for atomic write block replacement 2023-04-24 11:03:10 -07:00
segment.h f2fs: add has_enough_free_secs() 2023-04-18 09:05:54 -07:00
shrinker.c f2fs: add block_age-based extent cache 2022-12-12 14:53:56 -08:00
super.c f2fs: don't reset unchangable mount option in f2fs_remount() 2023-07-23 13:53:50 +02:00
sysfs.c f2fs: remove bulk remove_proc_entry() and unnecessary kobject_del() 2023-04-17 14:49:30 -07:00
verity.c f2fs-for-6.3-rc1 2023-02-27 16:18:51 -08:00
xattr.c f2fs: fix deadlock in i_xattr_sem and inode page lock 2023-07-23 13:53:50 +02:00
xattr.h f2fs: code cleanup by removing ifdef macro surrounding 2020-05-26 18:56:10 -07:00