Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp680181pxb; Tue, 5 Apr 2022 18:30:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwWMu891zY6lUceahJE9d6xta7Lcg+Muu+lkoKmZ9EOhhBaTruTOOf2m647KMIZkUsdufhy X-Received: by 2002:a17:907:c02:b0:6df:fb64:2770 with SMTP id ga2-20020a1709070c0200b006dffb642770mr6257179ejc.221.1649208618734; Tue, 05 Apr 2022 18:30:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649208618; cv=none; d=google.com; s=arc-20160816; b=MH8yS0P2LrCdg+MquPn4mx6o669h2AzNa3zb7xIH+9iNexIHMOIMXniBrHxw7uAKKP Ybc3O+qstuB/hthvNK63fQUcAWL/mEw0lnLrEiGGJ3pWtvCFL7agfMCHemBOSiUnA2E7 LYtOczv1B2CcTbDypjOe1t6ggfAMIDh9eZh9Ft04i3q57dmWr4HhBJBAy39Eh1F5cKnT sED6Pj0KMXCncRj74mQCzluPA5OglXfb6y96CP7je2Xgzozf59irb6D95cViUE5VKslq 16ILx/s6EPoTjVPo3wJjxajwB4idbULFFYA7kAqkm19mtbpDpExyb7wDCkl6YSyYbJ4j i3wA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=NMQvbLtUd3jwaY9MgMBRnOQ1g6PWFul9E45oacRVvSM=; b=ZfYFXZ9yiZbr5bdF1AfShwd4tI2b5EmAvCkKtXvqpwsfbPvvKNgVKJWfupOjyxtYpd MXi1eHi14gRhN3wdlc3WaC7L/0jxHwWGFFjNgWnfRvDydCALYxNWPN2fhRu1S+4fZRoS owLg2g48J25u/4ukhcU1L+QAjy33KlJFB8fQz53VkXt3mVJDi8BxZVZWIPtH6FYca8+l rQXx8iFFk6JwA/NxSfkCTVt45/aqnBOUyCP6ocn0yYiejI2EcRyTZvKswARCFDtZJ1qS sE9VKHg+Le7CKJ1BV/eK1tuGGAiRZysbHP5EdnDr/498gPOsBNXrqa3uXGKA8S+Jdzpm VkWg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=z696SO4J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z23-20020a17090674d700b006dfa07788cfsi8143968ejl.452.2022.04.05.18.29.53; Tue, 05 Apr 2022 18:30:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=z696SO4J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235504AbiDEH7s (ORCPT + 99 others); Tue, 5 Apr 2022 03:59:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34126 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232881AbiDEHrN (ORCPT ); Tue, 5 Apr 2022 03:47:13 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC45C9BBAB; Tue, 5 Apr 2022 00:43:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 7ED70B81B18; Tue, 5 Apr 2022 07:43:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D5ADBC340EE; Tue, 5 Apr 2022 07:43:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649144590; bh=KrpoqmBm+9RVRU5wmQ0UoegreTFKV0nEgPTZhJMf3uw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=z696SO4J8y5zA4q8hpxm/m1C5D5lHSdG5v2q+wEH7jTFcAWbanlHCPAaIWmfubIc/ 6mPNouekrLvEjLG93CvgERn1uvJCuErE+6JP5GXbbGWOBl5zyYpZ2fCylhtng8iIHI /dWFrdnVKsXnkDYnWZ0Dt8gBeVx/Y5HdUCsmaHuc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Chao Yu , Jaegeuk Kim Subject: [PATCH 5.17 0061/1126] f2fs: fix to do sanity check on .cp_pack_total_block_count Date: Tue, 5 Apr 2022 09:13:28 +0200 Message-Id: <20220405070409.361282307@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220405070407.513532867@linuxfoundation.org> References: <20220405070407.513532867@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Chao Yu commit 5b5b4f85b01604389f7a0f11ef180a725bf0e2d4 upstream. As bughunter reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215709 f2fs may hang when mounting a fuzzed image, the dmesg shows as below: __filemap_get_folio+0x3a9/0x590 pagecache_get_page+0x18/0x60 __get_meta_page+0x95/0x460 [f2fs] get_checkpoint_version+0x2a/0x1e0 [f2fs] validate_checkpoint+0x8e/0x2a0 [f2fs] f2fs_get_valid_checkpoint+0xd0/0x620 [f2fs] f2fs_fill_super+0xc01/0x1d40 [f2fs] mount_bdev+0x18a/0x1c0 f2fs_mount+0x15/0x20 [f2fs] legacy_get_tree+0x28/0x50 vfs_get_tree+0x27/0xc0 path_mount+0x480/0xaa0 do_mount+0x7c/0xa0 __x64_sys_mount+0x8b/0xe0 do_syscall_64+0x38/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is cp_pack_total_block_count field in checkpoint was fuzzed to one, as calcuated, two cp pack block locates in the same block address, so then read latter cp pack block, it will block on the page lock due to the lock has already held when reading previous cp pack block, fix it by adding sanity check for cp_pack_total_block_count. Cc: stable@vger.kernel.org Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman --- fs/f2fs/checkpoint.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/fs/f2fs/checkpoint.c +++ b/fs/f2fs/checkpoint.c @@ -864,6 +864,7 @@ static struct page *validate_checkpoint( struct page *cp_page_1 = NULL, *cp_page_2 = NULL; struct f2fs_checkpoint *cp_block = NULL; unsigned long long cur_version = 0, pre_version = 0; + unsigned int cp_blocks; int err; err = get_checkpoint_version(sbi, cp_addr, &cp_block, @@ -871,15 +872,16 @@ static struct page *validate_checkpoint( if (err) return NULL; - if (le32_to_cpu(cp_block->cp_pack_total_block_count) > - sbi->blocks_per_seg) { + cp_blocks = le32_to_cpu(cp_block->cp_pack_total_block_count); + + if (cp_blocks > sbi->blocks_per_seg || cp_blocks <= F2FS_CP_PACKS) { f2fs_warn(sbi, "invalid cp_pack_total_block_count:%u", le32_to_cpu(cp_block->cp_pack_total_block_count)); goto invalid_cp; } pre_version = *version; - cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1; + cp_addr += cp_blocks - 1; err = get_checkpoint_version(sbi, cp_addr, &cp_block, &cp_page_2, version); if (err)