From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Chao Yu, Jaegeuk Kim
Subject: [PATCH 5.10 050/599] f2fs: fix to do sanity check on .cp_pack_total_block_count
Date: Tue, 5 Apr 2022 09:25:44 +0200
Message-Id: <20220405070300.317859746@linuxfoundation.org>
In-Reply-To: <20220405070258.802373272@linuxfoundation.org>
References: <20220405070258.802373272@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Chao Yu

commit 5b5b4f85b01604389f7a0f11ef180a725bf0e2d4 upstream.

As bughunter reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=215709

f2fs may hang when mounting a fuzzed image, the dmesg shows as below:

__filemap_get_folio+0x3a9/0x590
pagecache_get_page+0x18/0x60
__get_meta_page+0x95/0x460 [f2fs]
get_checkpoint_version+0x2a/0x1e0 [f2fs]
validate_checkpoint+0x8e/0x2a0 [f2fs]
f2fs_get_valid_checkpoint+0xd0/0x620 [f2fs]
f2fs_fill_super+0xc01/0x1d40 [f2fs]
mount_bdev+0x18a/0x1c0
f2fs_mount+0x15/0x20 [f2fs]
legacy_get_tree+0x28/0x50
vfs_get_tree+0x27/0xc0
path_mount+0x480/0xaa0
do_mount+0x7c/0xa0
__x64_sys_mount+0x8b/0xe0
do_syscall_64+0x38/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae

The root cause is that the cp_pack_total_block_count field in the checkpoint was fuzzed to one; as calculated, the two cp pack blocks are located at the same block address, so when reading the latter cp pack block, it blocks on the page lock, because the lock is already held from reading the previous cp pack block. Fix it by adding a sanity check for cp_pack_total_block_count.

Cc: stable@vger.kernel.org
Signed-off-by: Chao Yu
Signed-off-by: Jaegeuk Kim
Signed-off-by: Greg Kroah-Hartman
---
 fs/f2fs/checkpoint.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/fs/f2fs/checkpoint.c +++ b/fs/f2fs/checkpoint.c @@ -851,6 +851,7 @@ static struct page *validate_checkpoint( struct page *cp_page_1 = NULL, *cp_page_2 = NULL; struct f2fs_checkpoint *cp_block = NULL; unsigned long long cur_version = 0, pre_version = 0; + unsigned int cp_blocks; int err; err = get_checkpoint_version(sbi, cp_addr, &cp_block, 
@@ -858,15 +859,16 @@ static struct page *validate_checkpoint( if (err) return NULL; - if (le32_to_cpu(cp_block->cp_pack_total_block_count) > - sbi->blocks_per_seg) { + cp_blocks = le32_to_cpu(cp_block->cp_pack_total_block_count); + + if (cp_blocks > sbi->blocks_per_seg || cp_blocks <= F2FS_CP_PACKS) { f2fs_warn(sbi, "invalid cp_pack_total_block_count:%u", le32_to_cpu(cp_block->cp_pack_total_block_count)); goto invalid_cp; } pre_version = *version; - cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1; + cp_addr += cp_blocks - 1; err = get_checkpoint_version(sbi, cp_addr, &cp_block, &cp_page_2, version); if (err)
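Review bot: in the second hunk the `f2fs_warn()` argument still re-reads `le32_to_cpu(cp_block->cp_pack_total_block_count)` although the value was just stored in `cp_blocks`; pass `cp_blocks` there, so the logged count is the same value the check rejected and the endian conversion is written once. Separately, the new lower bound `cp_blocks <= F2FS_CP_PACKS` rejects more than the `cp_pack_total_block_count == 1` case the commit message describes (header and footer resolving to the same block address); a sentence in the message on why a count of exactly F2FS_CP_PACKS is also invalid would make the bound easier to audit.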
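The collision the commit message describes, as an added example that is not kernel code and not part of this patch: a userland model of validate_checkpoint() in which a toy lock table stands in for the page cache, so a second lock on a block this path already holds is reported as a result code instead of hanging the mount. F2FS_CP_PACKS is assumed to be 2, the segment size is assumed to be 512 blocks, and the cp pack start address and the checkpoint header are constructed. The model also shows what a count of 0 does to the footer address (it points one block before the pack start), a case the commit message does not discuss but the same lower bound rejects.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the on-disk checkpoint header: only the field the
 * patch validates is modelled, stored little-endian as it is on disk. */
struct cp_header {
    uint8_t cp_pack_total_block_count_le[4];
};

static struct cp_header make_header(uint32_t count) {
    struct cp_header h;
    h.cp_pack_total_block_count_le[0] = (uint8_t)(count & 0xff);
    h.cp_pack_total_block_count_le[1] = (uint8_t)((count >> 8) & 0xff);
    h.cp_pack_total_block_count_le[2] = (uint8_t)((count >> 16) & 0xff);
    h.cp_pack_total_block_count_le[3] = (uint8_t)((count >> 24) & 0xff);
    return h;
}

/* Explicit little-endian decode, the role le32_to_cpu() plays in the patch. */
static uint32_t le32_to_host(const uint8_t b[4]) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Assumed values: F2FS_CP_PACKS is the kernel macro the patch compares against,
 * taken as 2 here; 512 blocks per segment matches a 2 MiB segment of 4 KiB blocks. */
#define F2FS_CP_PACKS 2
#define BLOCKS_PER_SEG 512u

/* Toy page cache: one lock flag per block address. Where the kernel's
 * lock_page() would sleep forever on a page this path already holds, the toy
 * returns CP_WOULD_DEADLOCK instead of hanging. */
#define NR_BLOCKS 1024u
static bool page_locked[NR_BLOCKS];

enum cp_result { CP_OK = 0, CP_INVALID = -1, CP_WOULD_DEADLOCK = -2 };

static int get_meta_page(uint32_t blkaddr) {
    if (blkaddr >= NR_BLOCKS)
        return CP_INVALID;
    if (page_locked[blkaddr])
        return CP_WOULD_DEADLOCK;
    page_locked[blkaddr] = true;
    return CP_OK;
}

static void put_meta_page(uint32_t blkaddr) {
    page_locked[blkaddr] = false;
}

/* Shared tail of validate_checkpoint(): lock the header block, then the footer
 * at cp_addr + cp_blocks - 1 while the header page is still held. */
static int read_cp_pack(uint32_t cp_addr, uint32_t cp_blocks) {
    uint32_t footer = cp_addr + cp_blocks - 1;
    int r = get_meta_page(cp_addr);
    if (r != CP_OK)
        return r;
    r = get_meta_page(footer);
    if (r == CP_OK)
        put_meta_page(footer);
    put_meta_page(cp_addr);
    return r;
}

/* Before the patch: only the upper bound is checked, so a count of 1 reaches
 * read_cp_pack() with header and footer at the same address. */
static int validate_cp_before(struct cp_header hdr, uint32_t cp_addr) {
    uint32_t cp_blocks = le32_to_host(hdr.cp_pack_total_block_count_le);
    if (cp_blocks > BLOCKS_PER_SEG)
        return CP_INVALID;
    return read_cp_pack(cp_addr, cp_blocks);
}

/* After the patch: counts too small to place header and footer on distinct
 * blocks inside the pack are rejected before any page is locked. */
static int validate_cp_after(struct cp_header hdr, uint32_t cp_addr) {
    uint32_t cp_blocks = le32_to_host(hdr.cp_pack_total_block_count_le);
    if (cp_blocks > BLOCKS_PER_SEG || cp_blocks <= F2FS_CP_PACKS)
        return CP_INVALID;
    return read_cp_pack(cp_addr, cp_blocks);
}

int main(void) {
    const uint32_t cp_addr = 100; /* constructed cp pack start address */
    const uint32_t counts[] = { 0, 1, 2, 64, 600 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        printf("count=%u before=%d after=%d\n", counts[i],
               validate_cp_before(make_header(counts[i]), cp_addr),
               validate_cp_after(make_header(counts[i]), cp_addr));
    }
    return 0;
}
```

The unpatched path returns CP_WOULD_DEADLOCK for a count of 1 and silently accepts 0 (footer read from block 99, before the pack) and 2; the patched path rejects all three before the first lock is taken, while a plausible count such as 64 passes both.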