Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1071761iob; Fri, 13 May 2022 22:01:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxroMol09R4jx6DFGxpwso0O9R/aE36YhLJPHtjaMhMa75wW6PY4K3DU0V8A8DaY1BVJ0k0 X-Received: by 2002:adf:f543:0:b0:20a:e059:2f80 with SMTP id j3-20020adff543000000b0020ae0592f80mr6441841wrp.495.1652504476270; Fri, 13 May 2022 22:01:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652504476; cv=none; d=google.com; s=arc-20160816; b=JVIM0ThU7I01j3vGyK22vIHlskkMi6Yh9x2X2UjiBaFpqcoJJ/Ph3tnOLdZDPsfDEE WPYqATh+aYRtqNeS7tBZ2kToD2xYFM2iDrSkQOt8jQ93Ay+zk21le93FCkFJgr7xw8ty jFYZR7puxRyUbwj2W6bELPWhMi9bu112nivbRb6iEVLDiSUkECZskXzewB2mKjMRK0Bi WKTJUPz0OIszzBLFIFgVZR+Jgva9izQVBUamJf1fXe+PccNmGJyV/ubs1E4Gj/scPNDo r7gEOBCe+pru3GOw78HPGmegkd4G2hTD4rYwU6DE5h1caGxogmMSIvsQeeCknwZjBGaK 51fA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=9r9Oag9qMJS5d8Wu2qxoPjfVImpOuyYcCj1VUaDcA0k=; b=GIyc2VJsKu3vsCSriVdSDtEUuvmNVZMNsJ7m2Mult3yCyLIIJ8VNywMpPGcJON2Hiq OtvQroNy9DMnPEAOpEx3PN3JmJu7Ulv7/wv6rKaG7bnjHuCW6S02eAtAq8CEYchArJAd pw+UIPiWA6/A6y8Cr7LK0wKgnCTaLy0zxlQSqWnzV5Jc02RjeMoiGZFfouHSgkcemFoi xlzkEYYsfJWNk26Z4iW7ISoERFeRrU8E4Ffvgz/xZ9Iu7vfIu/7YlI1NjpZMJGcs7lFT ceXc8TiaZzs0cWcSztlrh9SjAWUwRH7aesJKsWu+TuwE/EDrgIbSklMXhZQeuqS3lT27 6Dew== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@mit.edu header.s=outgoing header.b="BEkc/XPI"; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id f5-20020adfc985000000b00207acda6936si4427508wrh.600.2022.05.13.22.01.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 May 2022 22:01:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=fail header.i=@mit.edu header.s=outgoing header.b="BEkc/XPI"; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id B15D8B2253; Fri, 13 May 2022 20:37:51 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231569AbiENDht (ORCPT + 99 others); Fri, 13 May 2022 23:37:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59490 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231400AbiENDhs (ORCPT ); Fri, 13 May 2022 23:37:48 -0400 Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9D46057995 for ; Fri, 13 May 2022 20:37:46 -0700 (PDT) Received: from cwcc.thunk.org (pool-108-7-220-252.bstnma.fios.verizon.net [108.7.220.252]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 24E3be03031120 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 13 May 2022 23:37:41 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1652499462; bh=9r9Oag9qMJS5d8Wu2qxoPjfVImpOuyYcCj1VUaDcA0k=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=BEkc/XPI0wdUF/xDZweHc+avlXjVjBjcdiwlw+djDsfXtPNgm1LTqCDarK1AHFKjH 7vjwGDXrD6akSZai/f3/zc6T8XzCiY971xxljly6zvwa8TtrBf6iuLXmtmVRmHG0Jf PpIKQAVs5gjFidBAh+d+IG+GXfWh8X+cpv8MDbwPN4N397pT6ic+D0hSN8QzwKN3a/ eK8W9uiapIMitNZlMuAeOcwsKPYZnrHnVjWpBJ6LhW/Mdn323I4cBsW0rTySMI5hIF cXGe9JwpU0b3UDbXiS46ByFL81tcYkskKb/gWg7LqwSoVAnZorYpF5M3jpZhJRtfGi DEfOm9IRl4cYg== Received: by cwcc.thunk.org (Postfix, from userid 15806) id 3457F15C3F2A; Fri, 13 May 2022 23:37:40 -0400 (EDT) Date: Fri, 13 May 2022 23:37:40 -0400 From: "Theodore Ts'o" To: Nguyen Dinh Phi Cc: Andreas Dilger , syzbot+c7358a3cd05ee786eb31@syzkaller.appspotmail.com, linux-ext4@vger.kernel.org, harshadshirwadkar@gmail.com Subject: Re: [PATCH] ext4: Fix block validation on non-journal fs in __ext4_iget() Message-ID: References: <20220420192312.1655305-1-phind.uet@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220420192312.1655305-1-phind.uet@gmail.com> X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Thu, Apr 21, 2022 at 03:23:12AM +0800, Nguyen Dinh Phi wrote: > Syzbot report following KERNEL BUG: > kernel BUG at fs/ext4/extents_status.c:899! > .... > > The reason is fast commit recovery path will skip block validation in > __ext4_iget(), it allows syzbot be able to mount a corrupted non-journal > filesystem and cause kernel BUG when accessing it. > > Fix it by adding a condition checking. > diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c > index 560e56b42829..66c86d85081e 100644 > --- a/fs/ext4/inode.c > +++ b/fs/ext4/inode.c > @@ -4951,7 +4951,7 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, > goto bad_inode; > } else if (!ext4_has_inline_data(inode)) { > /* validate the block references in the inode */ > - if (!(EXT4_SB(sb)->s_mount_state & EXT4_FC_REPLAY) && > + if (!(journal && EXT4_SB(sb)->s_mount_state & EXT4_FC_REPLAY) && This isn't the right fix. It papers over the problem and fixes the specific syzkaller fuzzed image, but there are other corrupted file system images which will cause problems. What the syzkaller fuzzed file system image did was to set the EXT4_FC_REPLAY_BIT bit the on_disk superblock field s_state, which then gets copied to sbi->s_mount_state: sbi->s_mount_state = le16_to_cpu(es->s_state); ... and then hilarity ensues. The root cause is that we are using EXT4_FC_REPLAY bit in sbi->s_mount_state to indicate whether we are in the middle of a fast commit replay. This *should* have been done using a bit in s_mount_flags (e.g., EXT4_MF_FC_REPLAY) via the ext4_{set,clear,test}_mount_flag() inline functions. The previous paragraph describes the correct long-term fix, but the trivial/hacky fix which is easy to backport to LTS stable kernels is something like this: diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 4b0ea8df1f5c..f7ae53d986f1 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -4889,7 +4889,7 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) sbi->s_inodes_per_block; sbi->s_desc_per_block = blocksize / EXT4_DESC_SIZE(sb); sbi->s_sbh = bh; - sbi->s_mount_state = le16_to_cpu(es->s_state); + sbi->s_mount_state = le16_to_cpu(es->s_state) & ~EXT4_FC_REPLAY; sbi->s_addr_per_block_bits = ilog2(EXT4_ADDR_PER_BLOCK(sb)); sbi->s_desc_per_block_bits = ilog2(EXT4_DESC_PER_BLOCK(sb)); @@ -6452,7 +6452,8 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb) if (err) goto restore_opts; } - sbi->s_mount_state = le16_to_cpu(es->s_state); + sbi->s_mount_state = (le16_to_cpu(es->s_state) & + ~EXT4_FC_REPLAY); err = ext4_setup_super(sb, es, 0); if (err) (The first hunk is sufficient to suppress the syzkaller failure, but for completeness sake we need catch the case where the journal contains a maliciously modified superblock, which then is copied to the active superblock, after which hilarity once again ensues.) - Ted