From: Chao Yu
Subject: [PATCH v2] f2fs: fix to check segment boundary during SIT page readahead
Date: Tue, 29 Sep 2020 09:23:12 +0800
Message-ID: <20200929012312.109617-1-yuchao0@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

As syzbot reported:

kernel BUG at fs/f2fs/segment.h:657!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 16220 Comm: syz-executor.0 Not tainted 5.9.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:f2fs_ra_meta_pages+0xa51/0xdc0 fs/f2fs/segment.h:657
Call Trace:
 build_sit_entries fs/f2fs/segment.c:4195 [inline]
 f2fs_build_segment_manager+0x4b8a/0xa3c0 fs/f2fs/segment.c:4779
 f2fs_fill_super+0x377d/0x6b80 fs/f2fs/super.c:3633
 mount_bdev+0x32e/0x3f0 fs/super.c:1417
 legacy_get_tree+0x105/0x220 fs/fs_context.c:592
 vfs_get_tree+0x89/0x2f0 fs/super.c:1547
 do_new_mount fs/namespace.c:2875 [inline]
 path_mount+0x1387/0x2070 fs/namespace.c:3192
 do_mount fs/namespace.c:3205 [inline]
 __do_sys_mount fs/namespace.c:3413 [inline]
 __se_sys_mount fs/namespace.c:3390 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

@blkno in f2fs_ra_meta_pages could exceed max segment count, causing panic
in following sanity check in current_sit_addr(), add check condition to
avoid this issue.

Reported-by: syzbot+3698081bcf0bb2d12174@syzkaller.appspotmail.com
Signed-off-by: Chao Yu
---
v2:
- add reported-by tag.
 fs/f2fs/checkpoint.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c index 3c6fd7a2a819..f18386d30f03 100644 --- a/fs/f2fs/checkpoint.c +++ b/fs/f2fs/checkpoint.c
@@ -243,6 +243,8 @@ int f2fs_ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages, blkno * NAT_ENTRY_PER_BLOCK); break; case META_SIT: + if (unlikely(blkno >= TOTAL_SEGS(sbi))) + goto out; /* get sit block addr */ fio.new_blkaddr = current_sit_addr(sbi, blkno * SIT_ENTRY_PER_BLOCK); -- 2.26.2
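
Review bot: In the META_SIT case, the new guard compares blkno against TOTAL_SEGS(sbi), but the value passed to current_sit_addr() directly below it is blkno * SIT_ENTRY_PER_BLOCK, so the bound and the argument are in different units. If the sanity check in current_sit_addr() that the commit message refers to is applied to the argument it receives, a blkno below TOTAL_SEGS(sbi) can still produce a product past the segment count whenever SIT_ENTRY_PER_BLOCK is greater than 1. Consider testing the value that is actually passed, for example "blkno * SIT_ENTRY_PER_BLOCK >= TOTAL_SEGS(sbi)", or add a comment explaining why the bound on blkno alone is sufficient here. The early "goto out" is also silent; a short comment on what the caller observes when readahead stops at this point would help, given that the call trace shows this path is reached during mount.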