Date: Mon, 24 Oct 2022 19:30:12 +0200
From: Pavel Machek
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Wenqing Liu, Chao Yu, Jaegeuk Kim
Subject: Re: [PATCH 5.10 052/390] f2fs: fix to do sanity check on summary info
Message-ID: <20221024173012.GA25198@duo.ucw.cz>

Hi!

> From: Chao Yu
>
> commit c6ad7fd16657ebd34a87a97d9588195aae87597d upstream.
>
> As Wenqing Liu reported in bugzilla:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=216456
>
> BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
> Read of size 4 at addr ffff8881464dcd80 by task mount/1013

I believe this is missing put_page on the error path:

> +++ b/fs/f2fs/gc.c
> @@ -1003,6 +1003,14 @@ static bool is_alive(struct f2fs_sb_info > return false; > } > =20 > + max_addrs =3D IS_INODE(node_page) ? DEF_ADDRS_PER_INODE : > + DEF_ADDRS_PER_BLOCK; > + if (ofs_in_node >=3D max_addrs) { > + f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u,= max:%u", > + ofs_in_node, dni->ino, dni->nid, max_addrs); > + return false; > + } > + > *nofs =3D ofs_of_node(node_page); > source_blkaddr =3D data_blkaddr(NULL, node_page, ofs_in_node); > f2fs_put_page(node_page, 1); So something like this is needed. (Feel free to test/adapt/apply). Signed-off-by: Pavel Machek Best regards, Pavel diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 4546e01b2ee0..dab794225cce 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1110,6 +1110,7 @@ static bool is_alive(struct f2fs_sb_info *sbi, struct= f2fs_summary *sum, if (ofs_in_node >=3D max_addrs) { f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, m= ax:%u", ofs_in_node, dni->ino, dni->nid, max_addrs); + f2fs_put_page(node_page, 1); return false; } =20 --=20 DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany --8t9RHnE3ZwKMSgU+ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCY1bLpAAKCRAw5/Bqldv6 8hmyAKC7ZXIcPf5MpyZ9AMln+rmaOqzJugCgohM0HFz47LHNFd++QYjLSHMYJeU= =cm9e -----END PGP SIGNATURE----- --8t9RHnE3ZwKMSgU+--
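
Review bot: In the quoted 5.10 hunk, the new `if (ofs_in_node >= max_addrs)` branch in is_alive() does `return false` without releasing node_page, while the success path a few lines later calls `f2fs_put_page(node_page, 1)` right after data_blkaddr(). The early return needs the same release before it, otherwise every summary entry that trips this sanity check leaves the node page held. Placing the release ahead of the f2fs_err() call would also work, since the message only uses ofs_in_node, dni->ino, dni->nid and max_addrs.

Review bot: The follow-up hunk is generated at `@@ -1110,6 +1110,7 @@` while the quoted 5.10 backport touches is_alive() at `@@ -1003,6 +1003,14 @@`, so the fix appears to be cut against a different tree than the one under review and should be regenerated against the branch it is meant for. As posted it is also quoted-printable damaged (the wrapped `struct= f2fs_summary` in the hunk header and `m= ax:%u` in the format string), so it will not apply without being resent as plain text. It carries a Signed-off-by but no changelog or Fixes: line; a reference to c6ad7fd16657ebd34a87a97d9588195aae87597d would let the one-line `f2fs_put_page(node_page, 1);` addition follow the original commit into every tree that picked it up.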