Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1910680yba;
        Mon, 15 Apr 2019 00:33:00 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzAw56++NHAr+BeD7gIPlkdWAU1aA6jTpDaLRXmFo40XnvYbTLRTZ9XAGmLtMlWQbDPt3+L
X-Received: by 2002:a63:ac12:: with SMTP id v18mr65215754pge.111.1555313580796;
        Mon, 15 Apr 2019 00:33:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1555313580; cv=none;
        d=google.com; s=arc-20160816;
        b=vxVIaY/95qfMYbaAv4+2XpsGR7v7UFeTOY1sSAD16pjdbz/BsWc/y1cP0FaoJeFch2
         UBvnP1r9vZ+O6APBbyrHR6h06F79zZR7JS3M7mF8LCRpPlEXQ1+vrOWSkS2+Hr2nNkH/
         eib11/n5dqmjDmn1NR6VSuSWqikM/qNum3g6hVeP2HKemHfARrqOx/e7hSdT9OLP+nq6
         s/w2t/r8/SZ6O6Z7KUiVWjad8eH5uZjVlh5OwLIJ8Q8QqSr/VpMtDU/qyScooA6CID5v
         pW3T4XtzZR3HpC+4vAAyuKqjS8dSrnGhSGGFWZkb+0xFFuuzLQykLq6G39/He+5xR0Mr
         UFNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from;
        bh=ZFJrELASGvrAPVBgJblZetmM9NdujM3BlICwUA1sXhk=;
        b=D7hDxEKB5f0nOjhPuZDGoQ2NV/pFWEricLbtpucJQrKp9gmt4gGPptmhMwdTjyRIGP
         WFbvdXzoEqo/xWCoGQmdSZ3FLFtQ1puGLCL1DmW4reuxzM30VmvFjUOXsSIiB/jQYd3q
         4Tv0uuS2VQLOq1ePYhegONxYJvwa0cNNxybX+gS6lkWE/OP3uMO2zXpm8TZwfFerssun
         IN/vhy2LlMmitMf0gMxSkhGPQTdZEKQsymn/FBiNqIXClxgdpmQpRX+iiRtqLMwZ8mbO
         4v0ix0uWOeA7tho9EVGGZZZPoqEi60qLVDoJf8wiR0dsBk2OpstBOdVZbon4VNf1shRe
         Fozw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g1si35415879pgd.269.2019.04.15.00.32.44;
        Mon, 15 Apr 2019 00:33:00 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726476AbfDOHbF (ORCPT <rfc822;tluu11sec@gmail.com> + 99 others);
        Mon, 15 Apr 2019 03:31:05 -0400
Received: from szxga03-in.huawei.com ([45.249.212.189]:2550 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726034AbfDOHbF (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Apr 2019 03:31:05 -0400
Received: from DGGEMM403-HUB.china.huawei.com (unknown [172.30.72.55])
        by Forcepoint Email with ESMTP id 21B70E263F8BA418CF45;
        Mon, 15 Apr 2019 15:31:03 +0800 (CST)
Received: from dggeme763-chm.china.huawei.com (10.3.19.109) by
 DGGEMM403-HUB.china.huawei.com (10.3.20.211) with Microsoft SMTP Server (TLS)
 id 14.3.408.0; Mon, 15 Apr 2019 15:31:02 +0800
Received: from szvp000201624.huawei.com (10.120.216.130) by
 dggeme763-chm.china.huawei.com (10.3.19.109) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1591.10; Mon, 15 Apr 2019 15:31:02 +0800
From:   Chao Yu <yuchao0@huawei.com>
To:     <jaegeuk@kernel.org>
CC:     <linux-f2fs-devel@lists.sourceforge.net>,
        <linux-kernel@vger.kernel.org>, <chao@kernel.org>,
        Chao Yu <yuchao0@huawei.com>
Subject: [PATCH 10/13] f2fs: fix to do sanity check on valid block count of segment
Date:   Mon, 15 Apr 2019 15:30:51 +0800
Message-ID: <20190415073054.2577-2-yuchao0@huawei.com>
X-Mailer: git-send-email 2.18.0.rc1
In-Reply-To: <20190415073054.2577-1-yuchao0@huawei.com>
References: <20190415073054.2577-1-yuchao0@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.120.216.130]
X-ClientProxiedBy: dggeme710-chm.china.huawei.com (10.1.199.106) To
 dggeme763-chm.china.huawei.com (10.3.19.109)
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

As Jungyeon reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=203233

- Overview
When mounting the attached crafted image and running program, following errors are reported.
Additionally, it hangs on sync after running program.

The image is intentionally fuzzed from a normal f2fs image for testing.
Compile options for F2FS are as follows.
CONFIG_F2FS_FS=y
CONFIG_F2FS_STAT_FS=y
CONFIG_F2FS_FS_XATTR=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_F2FS_CHECK_FS=y

- Reproduces
cc poc_13.c
mkdir test
mount -t f2fs tmp.img test
cp a.out test
cd test
sudo ./a.out
sync

- Kernel messages
 F2FS-fs (sdb): Bitmap was wrongly set, blk:4608
 kernel BUG at fs/f2fs/segment.c:2102!
 RIP: 0010:update_sit_entry+0x394/0x410
 Call Trace:
  f2fs_allocate_data_block+0x16f/0x660
  do_write_page+0x62/0x170
  f2fs_do_write_node_page+0x33/0xa0
  __write_node_page+0x270/0x4e0
  f2fs_sync_node_pages+0x5df/0x670
  f2fs_write_checkpoint+0x372/0x1400
  f2fs_sync_fs+0xa3/0x130
  f2fs_do_sync_file+0x1a6/0x810
  do_fsync+0x33/0x60
  __x64_sys_fsync+0xb/0x10
  do_syscall_64+0x43/0xf0
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

sit.vblocks and sum valid block count in sit.valid_map may be
inconsistent, segment w/ zero vblocks will be treated as free
segment, while allocating in free segment, we may allocate a
free block, if its bitmap is valid previously, it can cause
kernel crash due to bitmap verification failure.

Anyway, to avoid further serious metadata inconsistence and
corruption, it is necessary and worth to detect SIT
inconsistence. So let's enable check_block_count() to verify
vblocks and valid_map all the time rather than do it only
CONFIG_F2FS_CHECK_FS is enabled.

Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
 fs/f2fs/segment.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
index b333ecca6ed6..429007b8036e 100644
--- a/fs/f2fs/segment.h
+++ b/fs/f2fs/segment.h
@@ -673,7 +673,6 @@ static inline void verify_fio_blkaddr(struct f2fs_io_info *fio)
 static inline int check_block_count(struct f2fs_sb_info *sbi,
 		int segno, struct f2fs_sit_entry *raw_sit)
 {
-#ifdef CONFIG_F2FS_CHECK_FS
 	bool is_valid  = test_bit_le(0, raw_sit->valid_map) ? true : false;
 	int valid_blocks = 0;
 	int cur_pos = 0, next_pos;
@@ -700,7 +699,7 @@ static inline int check_block_count(struct f2fs_sb_info *sbi,
 		set_sbi_flag(sbi, SBI_NEED_FSCK);
 		return -EINVAL;
 	}
-#endif
+
 	/* check segment usage, and check boundary of a given segment number */
 	if (unlikely(GET_SIT_VBLOCKS(raw_sit) > sbi->blocks_per_seg
 					|| segno > TOTAL_SEGS(sbi) - 1)) {
-- 
2.18.0.rc1