From: Chao Yu
CC: Chao Yu
Subject: [PATCH 10/13] f2fs: fix to do sanity check on valid block count of segment
Date: Mon, 15 Apr 2019 15:30:51 +0800
Message-ID: <20190415073054.2577-2-yuchao0@huawei.com>
In-Reply-To: <20190415073054.2577-1-yuchao0@huawei.com>
References: <20190415073054.2577-1-yuchao0@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

As Jungyeon reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=203233

- Overview
When mounting the attached crafted image and running program, following errors are reported.
Additionally, it hangs on sync after running program.

The image is intentionally fuzzed from a normal f2fs image for testing.
Compile options for F2FS are as follows.
CONFIG_F2FS_FS=y
CONFIG_F2FS_STAT_FS=y
CONFIG_F2FS_FS_XATTR=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_F2FS_CHECK_FS=y

- Reproduces
cc poc_13.c
mkdir test
mount -t f2fs tmp.img test
cp a.out test
cd test
sudo ./a.out
sync

- Kernel messages
 F2FS-fs (sdb): Bitmap was wrongly set, blk:4608
 kernel BUG at fs/f2fs/segment.c:2102!
 RIP: 0010:update_sit_entry+0x394/0x410
 Call Trace:
  f2fs_allocate_data_block+0x16f/0x660
  do_write_page+0x62/0x170
  f2fs_do_write_node_page+0x33/0xa0
  __write_node_page+0x270/0x4e0
  f2fs_sync_node_pages+0x5df/0x670
  f2fs_write_checkpoint+0x372/0x1400
  f2fs_sync_fs+0xa3/0x130
  f2fs_do_sync_file+0x1a6/0x810
  do_fsync+0x33/0x60
  __x64_sys_fsync+0xb/0x10
  do_syscall_64+0x43/0xf0
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

sit.vblocks and sum valid block count in sit.valid_map may be
inconsistent, segment w/ zero vblocks will be treated as free
segment, while allocating in free segment, we may allocate a
free block, if its bitmap is valid previously, it can cause
kernel crash due to bitmap verification failure.

Anyway, to avoid further serious metadata inconsistence and
corruption, it is necessary and worthwhile to detect SIT
inconsistence. So let's enable check_block_count() to verify
vblocks and valid_map all the time rather than doing it only
when CONFIG_F2FS_CHECK_FS is enabled.

Signed-off-by: Chao Yu

--- fs/f2fs/segment.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h index b333ecca6ed6..429007b8036e 100644 --- a/fs/f2fs/segment.h +++ b/fs/f2fs/segment.h @@ -673,7 +673,6 @@ static inline void verify_fio_blkaddr(struct f2fs_io_info *fio) static inline int check_block_count(struct f2fs_sb_info *sbi, int segno, struct f2fs_sit_entry *raw_sit) { -#ifdef CONFIG_F2FS_CHECK_FS bool is_valid = test_bit_le(0, raw_sit->valid_map) ? true : false; int valid_blocks = 0; int cur_pos = 0, next_pos; @@ -700,7 +699,7 @@ static inline int check_block_count(struct f2fs_sb_info *sbi, set_sbi_flag(sbi, SBI_NEED_FSCK); return -EINVAL; } -#endif + /* check segment usage, and check boundary of a given segment number */ if (unlikely(GET_SIT_VBLOCKS(raw_sit) > sbi->blocks_per_seg || segno > TOTAL_SEGS(sbi) - 1)) { -- 2.18.0.rc1
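
Review bot: the commit message does not say what the now-unconditional scan costs or where it runs, and that matters for the first hunk (@@ -673,7 +673,6 @@), where `#ifdef CONFIG_F2FS_CHECK_FS` is dropped at the top of check_block_count(). The function is a static inline in segment.h, so every caller on every build now walks raw_sit->valid_map. The call sites are not part of this diff; please name them in the changelog and state that the extra per-segment walk is acceptable on those paths.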
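
Review bot: in the second hunk (@@ -700,7 +699,7 @@) the cheap range test `GET_SIT_VBLOCKS(raw_sit) > sbi->blocks_per_seg || segno > TOTAL_SEGS(sbi) - 1` still comes after the bitmap comparison, which now always runs. Consider moving it ahead of the scan so an out-of-range segno or vblocks value is rejected before any bitmap work. The body of that branch is cut off in the context; it should set SBI_NEED_FSCK and return an error the same way the `return -EINVAL` path just above it does.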
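
The consistency rule the commit message describes (vblocks must equal the number of bits set in valid_map), as an added userspace example that is neither the kernel's check_block_count() nor code from this patch. `check_sit_entry`, `count_valid_bits`, the simplified host-endian struct and the sample entries are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* On-disk f2fs SIT entry constants (values as in include/linux/f2fs_fs.h). */
#define SIT_VBLOCK_MAP_SIZE 64      /* 512 blocks per segment, 1 bit each */
#define SIT_VBLOCKS_MASK    0x03ff  /* low 10 bits of vblocks = valid count */
#define BLOCKS_PER_SEG      512

/* Simplified host-endian copy of a SIT entry; mtime omitted (assumption). */
struct sit_entry {
    uint16_t vblocks;
    uint8_t  valid_map[SIT_VBLOCK_MAP_SIZE];
};

enum sit_status { SIT_OK = 0, SIT_RANGE = -1, SIT_MISMATCH = -2 };

/* Count set bits in the bitmap; bit order inside a byte does not matter. */
static unsigned int count_valid_bits(const uint8_t *map)
{
    unsigned int n = 0;
    for (int i = 0; i < SIT_VBLOCK_MAP_SIZE; i++)
        for (uint8_t b = map[i]; b; b &= (uint8_t)(b - 1))
            n++;
    return n;
}

/* Hypothetical checker: cheap range tests first, then the bitmap comparison. */
static enum sit_status check_sit_entry(const struct sit_entry *e,
                                       unsigned int segno, unsigned int total_segs)
{
    unsigned int vblocks = e->vblocks & SIT_VBLOCKS_MASK;
    if (segno >= total_segs || vblocks > BLOCKS_PER_SEG)
        return SIT_RANGE;
    if (count_valid_bits(e->valid_map) != vblocks)
        return SIT_MISMATCH;
    return SIT_OK;
}

int main(void)
{
    /* Constructed samples: a consistent entry, and an entry whose vblocks is
     * zero (so the segment looks free) while a bitmap bit is still set. */
    struct sit_entry good = { .vblocks = 2, .valid_map = { 0x81 } };
    struct sit_entry fuzzed = { .vblocks = 0, .valid_map = { [9] = 0x01 } };
    printf("good=%d fuzzed=%d out_of_range=%d\n",
           check_sit_entry(&good, 3, 16), check_sit_entry(&fuzzed, 5, 16),
           check_sit_entry(&good, 16, 16));
    return 0;
}
```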