1. 05 Dec, 2018 40 commits
    • Chao Yu's avatar
      f2fs: fix to do sanity check with i_extra_isize · d7d9d29a
      Chao Yu authored
      commit 18dd6470 upstream.
      
      If inode.i_extra_isize was fuzzed to an abnormal value, when
      calculating inline data size, the result will overflow, result
      in accessing invalid memory area when operating inline data.
      
      Let's do sanity check with i_extra_isize during inode loading
      for fixing.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200421
      
      - Reproduce
      
      - POC (poc.c)
          #define _GNU_SOURCE
          #include <sys/types.h>
          #include <sys/mount.h>
          #include <sys/mman.h>
          #include <sys/stat.h>
          #include <sys/xattr.h>
      
          #include <dirent.h>
          #include <errno.h>
          #include <error.h>
          #include <fcntl.h>
          #include <stdio.h>
          #include <stdlib.h>
          #include <string.h>
          #include <unistd.h>
      
          #include <linux/falloc.h>
          #include <linux/loop.h>
      
          static void activity(char *mpoint) {
      
            char *foo_bar_baz;
            char *foo_baz;
            char *xattr;
            int err;
      
            err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
            err = asprintf(&foo_baz, "%s/foo/baz", mpoint);
            err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
      
            rename(foo_bar_baz, foo_baz);
      
            char buf2[113];
            memset(buf2, 0, sizeof(buf2));
            listxattr(xattr, buf2, sizeof(buf2));
            removexattr(xattr, "user.mime_type");
      
          }
      
          int main(int argc, char *argv[]) {
            activity(argv[1]);
            return 0;
          }
      
      - Kernel message
      Umount the image will leave the following message
      [ 2910.995489] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [ 2918.416465] ==================================================================
      [ 2918.416807] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0xcb9/0x1a80
      [ 2918.417009] Read of size 4 at addr ffff88018efc2068 by task a.out/1229
      
      [ 2918.417311] CPU: 1 PID: 1229 Comm: a.out Not tainted 4.17.0+ #1
      [ 2918.417314] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 2918.417323] Call Trace:
      [ 2918.417366]  dump_stack+0x71/0xab
      [ 2918.417401]  print_address_description+0x6b/0x290
      [ 2918.417407]  kasan_report+0x28e/0x390
      [ 2918.417411]  ? f2fs_iget+0xcb9/0x1a80
      [ 2918.417415]  f2fs_iget+0xcb9/0x1a80
      [ 2918.417422]  ? f2fs_lookup+0x2e7/0x580
      [ 2918.417425]  f2fs_lookup+0x2e7/0x580
      [ 2918.417433]  ? __recover_dot_dentries+0x400/0x400
      [ 2918.417447]  ? legitimize_path.isra.29+0x5a/0xa0
      [ 2918.417453]  __lookup_slow+0x11c/0x220
      [ 2918.417457]  ? may_delete+0x2a0/0x2a0
      [ 2918.417475]  ? deref_stack_reg+0xe0/0xe0
      [ 2918.417479]  ? __lookup_hash+0xb0/0xb0
      [ 2918.417483]  lookup_slow+0x3e/0x60
      [ 2918.417488]  walk_component+0x3ac/0x990
      [ 2918.417492]  ? generic_permission+0x51/0x1e0
      [ 2918.417495]  ? inode_permission+0x51/0x1d0
      [ 2918.417499]  ? pick_link+0x3e0/0x3e0
      [ 2918.417502]  ? link_path_walk+0x4b1/0x770
      [ 2918.417513]  ? _raw_spin_lock_irqsave+0x25/0x50
      [ 2918.417518]  ? walk_component+0x990/0x990
      [ 2918.417522]  ? path_init+0x2e6/0x580
      [ 2918.417526]  path_lookupat+0x13f/0x430
      [ 2918.417531]  ? trailing_symlink+0x3a0/0x3a0
      [ 2918.417534]  ? do_renameat2+0x270/0x7b0
      [ 2918.417538]  ? __kasan_slab_free+0x14c/0x190
      [ 2918.417541]  ? do_renameat2+0x270/0x7b0
      [ 2918.417553]  ? kmem_cache_free+0x85/0x1e0
      [ 2918.417558]  ? do_renameat2+0x270/0x7b0
      [ 2918.417563]  filename_lookup+0x13c/0x280
      [ 2918.417567]  ? filename_parentat+0x2b0/0x2b0
      [ 2918.417572]  ? kasan_unpoison_shadow+0x31/0x40
      [ 2918.417575]  ? kasan_kmalloc+0xa6/0xd0
      [ 2918.417593]  ? strncpy_from_user+0xaa/0x1c0
      [ 2918.417598]  ? getname_flags+0x101/0x2b0
      [ 2918.417614]  ? path_listxattr+0x87/0x110
      [ 2918.417619]  path_listxattr+0x87/0x110
      [ 2918.417623]  ? listxattr+0xc0/0xc0
      [ 2918.417637]  ? mm_fault_error+0x1b0/0x1b0
      [ 2918.417654]  do_syscall_64+0x73/0x160
      [ 2918.417660]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 2918.417676] RIP: 0033:0x7f2f3a3480d7
      [ 2918.417677] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [ 2918.417732] RSP: 002b:00007fff4095b7d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000c2
      [ 2918.417744] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2f3a3480d7
      [ 2918.417746] RDX: 0000000000000071 RSI: 00007fff4095b810 RDI: 000000000126a0c0
      [ 2918.417749] RBP: 00007fff4095b890 R08: 000000000126a010 R09: 0000000000000000
      [ 2918.417751] R10: 00000000000001ab R11: 0000000000000206 R12: 00000000004005e0
      [ 2918.417753] R13: 00007fff4095b990 R14: 0000000000000000 R15: 0000000000000000
      
      [ 2918.417853] Allocated by task 329:
      [ 2918.418002]  kasan_kmalloc+0xa6/0xd0
      [ 2918.418007]  kmem_cache_alloc+0xc8/0x1e0
      [ 2918.418023]  mempool_init_node+0x194/0x230
      [ 2918.418027]  mempool_init+0x12/0x20
      [ 2918.418042]  bioset_init+0x2bd/0x380
      [ 2918.418052]  blk_alloc_queue_node+0xe9/0x540
      [ 2918.418075]  dm_create+0x2c0/0x800
      [ 2918.418080]  dev_create+0xd2/0x530
      [ 2918.418083]  ctl_ioctl+0x2a3/0x5b0
      [ 2918.418087]  dm_ctl_ioctl+0xa/0x10
      [ 2918.418092]  do_vfs_ioctl+0x13e/0x8c0
      [ 2918.418095]  ksys_ioctl+0x66/0x70
      [ 2918.418098]  __x64_sys_ioctl+0x3d/0x50
      [ 2918.418102]  do_syscall_64+0x73/0x160
      [ 2918.418106]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [ 2918.418204] Freed by task 0:
      [ 2918.418301] (stack is not available)
      
      [ 2918.418521] The buggy address belongs to the object at ffff88018efc0000
                      which belongs to the cache biovec-max of size 8192
      [ 2918.418894] The buggy address is located 104 bytes to the right of
                      8192-byte region [ffff88018efc0000, ffff88018efc2000)
      [ 2918.419257] The buggy address belongs to the page:
      [ 2918.419431] page:ffffea00063bf000 count:1 mapcount:0 mapping:ffff8801f2242540 index:0x0 compound_mapcount: 0
      [ 2918.419702] flags: 0x17fff8000008100(slab|head)
      [ 2918.419879] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f2242540
      [ 2918.420101] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000
      [ 2918.420322] page dumped because: kasan: bad access detected
      
      [ 2918.420599] Memory state around the buggy address:
      [ 2918.420764]  ffff88018efc1f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.420975]  ffff88018efc1f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.421194] >ffff88018efc2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 2918.421406]                                                           ^
      [ 2918.421627]  ffff88018efc2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 2918.421838]  ffff88018efc2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.422046] ==================================================================
      [ 2918.422264] Disabling lock debugging due to kernel taint
      [ 2923.901641] BUG: unable to handle kernel paging request at ffff88018f0db000
      [ 2923.901884] PGD 22226a067 P4D 22226a067 PUD 222273067 PMD 18e642063 PTE 800000018f0db061
      [ 2923.902120] Oops: 0003 [#1] SMP KASAN PTI
      [ 2923.902274] CPU: 1 PID: 1231 Comm: umount Tainted: G    B             4.17.0+ #1
      [ 2923.902490] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 2923.902761] RIP: 0010:__memset+0x24/0x30
      [ 2923.902906] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
      [ 2923.903446] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206
      [ 2923.903622] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb
      [ 2923.903833] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc
      [ 2923.904062] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c
      [ 2923.904273] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000
      [ 2923.904485] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80
      [ 2923.904693] FS:  00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 2923.904937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2923.910080] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0
      [ 2923.914930] Call Trace:
      [ 2923.919724]  f2fs_truncate_inline_inode+0x114/0x170
      [ 2923.924487]  f2fs_truncate_blocks+0x11b/0x7c0
      [ 2923.929178]  ? f2fs_truncate_data_blocks+0x10/0x10
      [ 2923.933834]  ? dqget+0x670/0x670
      [ 2923.938437]  ? f2fs_destroy_extent_tree+0xd6/0x270
      [ 2923.943107]  ? __radix_tree_lookup+0x2f/0x150
      [ 2923.947772]  f2fs_truncate+0xd4/0x1a0
      [ 2923.952491]  f2fs_evict_inode+0x5ab/0x610
      [ 2923.957204]  evict+0x15f/0x280
      [ 2923.961898]  __dentry_kill+0x161/0x250
      [ 2923.966634]  shrink_dentry_list+0xf3/0x250
      [ 2923.971897]  shrink_dcache_parent+0xa9/0x100
      [ 2923.976561]  ? shrink_dcache_sb+0x1f0/0x1f0
      [ 2923.981177]  ? wait_for_completion+0x8a/0x210
      [ 2923.985781]  ? migrate_swap_stop+0x2d0/0x2d0
      [ 2923.990332]  do_one_tree+0xe/0x40
      [ 2923.994735]  shrink_dcache_for_umount+0x3a/0xa0
      [ 2923.999077]  generic_shutdown_super+0x3e/0x1c0
      [ 2924.003350]  kill_block_super+0x4b/0x70
      [ 2924.007619]  deactivate_locked_super+0x65/0x90
      [ 2924.011812]  cleanup_mnt+0x5c/0xa0
      [ 2924.015995]  task_work_run+0xce/0xf0
      [ 2924.020174]  exit_to_usermode_loop+0x115/0x120
      [ 2924.024293]  do_syscall_64+0x12f/0x160
      [ 2924.028479]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 2924.032709] RIP: 0033:0x7fa8b2868487
      [ 2924.036888] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
      [ 2924.045750] RSP: 002b:00007ffc39824d58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [ 2924.050190] RAX: 0000000000000000 RBX: 00000000008ea030 RCX: 00007fa8b2868487
      [ 2924.054604] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000008f4360
      [ 2924.058940] RBP: 00000000008f4360 R08: 0000000000000000 R09: 0000000000000014
      [ 2924.063186] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007fa8b2d7183c
      [ 2924.067418] R13: 0000000000000000 R14: 00000000008ea210 R15: 00007ffc39824fe0
      [ 2924.071534] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
      [ 2924.098044] CR2: ffff88018f0db000
      [ 2924.102520] ---[ end trace a8e0d899985faf31 ]---
      [ 2924.107012] RIP: 0010:__memset+0x24/0x30
      [ 2924.111448] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
      [ 2924.120724] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206
      [ 2924.125312] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb
      [ 2924.129931] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc
      [ 2924.134537] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c
      [ 2924.139175] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000
      [ 2924.143825] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80
      [ 2924.148500] FS:  00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 2924.153247] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2924.158003] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0
      [ 2924.164641] BUG: Bad rss-counter state mm:00000000fa04621e idx:0 val:4
      [ 2924.170007] BUG: Bad rss-counter
      tate mm:00000000fa04621e idx:1 val:2
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/f2fs/inline.c#L78
      	memset(addr + from, 0, MAX_INLINE_DATA(inode) - from);
      Here the length can be negative.
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d7d9d29a
    • Chao Yu's avatar
      f2fs: fix to do sanity check with block address in main area · ad19d1e7
      Chao Yu authored
      commit c9b60788 upstream.
      
      This patch add to do sanity check with below field:
      - cp_pack_total_block_count
      - blkaddr of data/node
      - extent info
      
      - Overview
      BUG() in verify_block_addr() when writing to a corrupted f2fs image
      
      - Reproduce (4.18 upstream kernel)
      
      - POC (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
      
        int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
        if (fd >= 0) {
          write(fd, (char *)buf, sizeof(buf));
          fdatasync(fd);
          close(fd);
        }
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      - Kernel message
      [  689.349473] F2FS-fs (loop0): Mounted with checkpoint version = 3
      [  699.728662] WARNING: CPU: 0 PID: 1309 at fs/f2fs/segment.c:2860 f2fs_inplace_write_data+0x232/0x240
      [  699.728670] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  699.729056] CPU: 0 PID: 1309 Comm: a.out Not tainted 4.18.0-rc1+ #4
      [  699.729064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.729074] RIP: 0010:f2fs_inplace_write_data+0x232/0x240
      [  699.729076] Code: ff e9 cf fe ff ff 49 8d 7d 10 e8 39 45 ad ff 4d 8b 7d 10 be 04 00 00 00 49 8d 7f 48 e8 07 49 ad ff 45 8b 7f 48 e9 fb fe ff ff <0f> 0b f0 41 80 4d 48 04 e9 65 fe ff ff 90 66 66 66 66 90 55 48 8d
      [  699.729130] RSP: 0018:ffff8801f43af568 EFLAGS: 00010202
      [  699.729139] RAX: 000000000000003f RBX: ffff8801f43af7b8 RCX: ffffffffb88c9113
      [  699.729142] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8802024e5540
      [  699.729144] RBP: ffff8801f43af590 R08: 0000000000000009 R09: ffffffffffffffe8
      [  699.729147] R10: 0000000000000001 R11: ffffed0039b0596a R12: ffff8802024e5540
      [  699.729149] R13: ffff8801f0335500 R14: ffff8801e3e7a700 R15: ffff8801e1ee4450
      [  699.729154] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.729156] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.729159] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.729171] Call Trace:
      [  699.729192]  f2fs_do_write_data_page+0x2e2/0xe00
      [  699.729203]  ? f2fs_should_update_outplace+0xd0/0xd0
      [  699.729238]  ? memcg_drain_all_list_lrus+0x280/0x280
      [  699.729269]  ? __radix_tree_replace+0xa3/0x120
      [  699.729276]  __write_data_page+0x5c7/0xe30
      [  699.729291]  ? kasan_check_read+0x11/0x20
      [  699.729310]  ? page_mapped+0x8a/0x110
      [  699.729321]  ? page_mkclean+0xe9/0x160
      [  699.729327]  ? f2fs_do_write_data_page+0xe00/0xe00
      [  699.729331]  ? invalid_page_referenced_vma+0x130/0x130
      [  699.729345]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.729351]  f2fs_write_cache_pages+0x4ca/0x860
      [  699.729358]  ? __write_data_page+0xe30/0xe30
      [  699.729374]  ? percpu_counter_add_batch+0x22/0xa0
      [  699.729380]  ? kasan_check_write+0x14/0x20
      [  699.729391]  ? _raw_spin_lock+0x17/0x40
      [  699.729403]  ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30
      [  699.729413]  ? iov_iter_advance+0x113/0x640
      [  699.729418]  ? f2fs_write_end+0x133/0x2e0
      [  699.729423]  ? balance_dirty_pages_ratelimited+0x239/0x640
      [  699.729428]  f2fs_write_data_pages+0x329/0x520
      [  699.729433]  ? generic_perform_write+0x250/0x320
      [  699.729438]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.729454]  ? current_time+0x110/0x110
      [  699.729459]  ? f2fs_preallocate_blocks+0x1ef/0x370
      [  699.729464]  do_writepages+0x37/0xb0
      [  699.729468]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.729472]  ? do_writepages+0x37/0xb0
      [  699.729478]  __filemap_fdatawrite_range+0x19a/0x1f0
      [  699.729483]  ? delete_from_page_cache_batch+0x4e0/0x4e0
      [  699.729496]  ? __vfs_write+0x2b2/0x410
      [  699.729501]  file_write_and_wait_range+0x66/0xb0
      [  699.729506]  f2fs_do_sync_file+0x1f9/0xd90
      [  699.729511]  ? truncate_partial_data_page+0x290/0x290
      [  699.729521]  ? __sb_end_write+0x30/0x50
      [  699.729526]  ? vfs_write+0x20f/0x260
      [  699.729530]  f2fs_sync_file+0x9a/0xb0
      [  699.729534]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.729548]  vfs_fsync_range+0x68/0x100
      [  699.729554]  ? __fget_light+0xc9/0xe0
      [  699.729558]  do_fsync+0x3d/0x70
      [  699.729562]  __x64_sys_fdatasync+0x24/0x30
      [  699.729585]  do_syscall_64+0x78/0x170
      [  699.729595]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  699.729613] RIP: 0033:0x7f9bf930d800
      [  699.729615] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24
      [  699.729668] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.729673] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.729675] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.729678] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.729680] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.729683] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      [  699.729687] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  699.729782] ------------[ cut here ]------------
      [  699.729785] kernel BUG at fs/f2fs/segment.h:654!
      [  699.731055] invalid opcode: 0000 [#1] SMP KASAN PTI
      [  699.732104] CPU: 0 PID: 1309 Comm: a.out Tainted: G        W         4.18.0-rc1+ #4
      [  699.733684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.735611] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730
      [  699.736649] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0
      [  699.740524] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283
      [  699.741573] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef
      [  699.743006] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c
      [  699.744426] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55
      [  699.745833] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940
      [  699.747256] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001
      [  699.748683] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.750293] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.751462] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.752874] Call Trace:
      [  699.753386]  ? f2fs_inplace_write_data+0x93/0x240
      [  699.754341]  f2fs_inplace_write_data+0xd2/0x240
      [  699.755271]  f2fs_do_write_data_page+0x2e2/0xe00
      [  699.756214]  ? f2fs_should_update_outplace+0xd0/0xd0
      [  699.757215]  ? memcg_drain_all_list_lrus+0x280/0x280
      [  699.758209]  ? __radix_tree_replace+0xa3/0x120
      [  699.759164]  __write_data_page+0x5c7/0xe30
      [  699.760002]  ? kasan_check_read+0x11/0x20
      [  699.760823]  ? page_mapped+0x8a/0x110
      [  699.761573]  ? page_mkclean+0xe9/0x160
      [  699.762345]  ? f2fs_do_write_data_page+0xe00/0xe00
      [  699.763332]  ? invalid_page_referenced_vma+0x130/0x130
      [  699.764374]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.765347]  f2fs_write_cache_pages+0x4ca/0x860
      [  699.766276]  ? __write_data_page+0xe30/0xe30
      [  699.767161]  ? percpu_counter_add_batch+0x22/0xa0
      [  699.768112]  ? kasan_check_write+0x14/0x20
      [  699.768951]  ? _raw_spin_lock+0x17/0x40
      [  699.769739]  ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30
      [  699.770885]  ? iov_iter_advance+0x113/0x640
      [  699.771743]  ? f2fs_write_end+0x133/0x2e0
      [  699.772569]  ? balance_dirty_pages_ratelimited+0x239/0x640
      [  699.773680]  f2fs_write_data_pages+0x329/0x520
      [  699.774603]  ? generic_perform_write+0x250/0x320
      [  699.775544]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.776510]  ? current_time+0x110/0x110
      [  699.777299]  ? f2fs_preallocate_blocks+0x1ef/0x370
      [  699.778279]  do_writepages+0x37/0xb0
      [  699.779026]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.779978]  ? do_writepages+0x37/0xb0
      [  699.780755]  __filemap_fdatawrite_range+0x19a/0x1f0
      [  699.781746]  ? delete_from_page_cache_batch+0x4e0/0x4e0
      [  699.782820]  ? __vfs_write+0x2b2/0x410
      [  699.783597]  file_write_and_wait_range+0x66/0xb0
      [  699.784540]  f2fs_do_sync_file+0x1f9/0xd90
      [  699.785381]  ? truncate_partial_data_page+0x290/0x290
      [  699.786415]  ? __sb_end_write+0x30/0x50
      [  699.787204]  ? vfs_write+0x20f/0x260
      [  699.787941]  f2fs_sync_file+0x9a/0xb0
      [  699.788694]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.789572]  vfs_fsync_range+0x68/0x100
      [  699.790360]  ? __fget_light+0xc9/0xe0
      [  699.791128]  do_fsync+0x3d/0x70
      [  699.791779]  __x64_sys_fdatasync+0x24/0x30
      [  699.792614]  do_syscall_64+0x78/0x170
      [  699.793371]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  699.794406] RIP: 0033:0x7f9bf930d800
      [  699.795134] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24
      [  699.798960] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.800483] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.801923] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.803373] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.804798] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.806233] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      [  699.807667] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  699.817079] ---[ end trace 4ce02f25ff7d3df6 ]---
      [  699.818068] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730
      [  699.819114] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0
      [  699.822919] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283
      [  699.823977] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef
      [  699.825436] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c
      [  699.826881] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55
      [  699.828292] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940
      [  699.829750] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001
      [  699.831192] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.832793] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.833981] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.835556] ==================================================================
      [  699.837029] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
      [  699.838462] Read of size 8 at addr ffff8801f43af970 by task a.out/1309
      
      [  699.840086] CPU: 0 PID: 1309 Comm: a.out Tainted: G      D W         4.18.0-rc1+ #4
      [  699.841603] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.843475] Call Trace:
      [  699.843982]  dump_stack+0x7b/0xb5
      [  699.844661]  print_address_description+0x70/0x290
      [  699.845607]  kasan_report+0x291/0x390
      [  699.846351]  ? update_stack_state+0x38c/0x3e0
      [  699.853831]  __asan_load8+0x54/0x90
      [  699.854569]  update_stack_state+0x38c/0x3e0
      [  699.855428]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
      [  699.856601]  ? __save_stack_trace+0x5e/0x100
      [  699.857476]  unwind_next_frame.part.5+0x18e/0x490
      [  699.858448]  ? unwind_dump+0x290/0x290
      [  699.859217]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.860185]  __unwind_start+0x106/0x190
      [  699.860974]  __save_stack_trace+0x5e/0x100
      [  699.861808]  ? __save_stack_trace+0x5e/0x100
      [  699.862691]  ? unlink_anon_vmas+0xba/0x2c0
      [  699.863525]  save_stack_trace+0x1f/0x30
      [  699.864312]  save_stack+0x46/0xd0
      [  699.864993]  ? __alloc_pages_slowpath+0x1420/0x1420
      [  699.865990]  ? flush_tlb_mm_range+0x15e/0x220
      [  699.866889]  ? kasan_check_write+0x14/0x20
      [  699.867724]  ? __dec_node_state+0x92/0xb0
      [  699.868543]  ? lock_page_memcg+0x85/0xf0
      [  699.869350]  ? unlock_page_memcg+0x16/0x80
      [  699.870185]  ? page_remove_rmap+0x198/0x520
      [  699.871048]  ? mark_page_accessed+0x133/0x200
      [  699.871930]  ? _cond_resched+0x1a/0x50
      [  699.872700]  ? unmap_page_range+0xcd4/0xe50
      [  699.873551]  ? rb_next+0x58/0x80
      [  699.874217]  ? rb_next+0x58/0x80
      [  699.874895]  __kasan_slab_free+0x13c/0x1a0
      [  699.875734]  ? unlink_anon_vmas+0xba/0x2c0
      [  699.876563]  kasan_slab_free+0xe/0x10
      [  699.877315]  kmem_cache_free+0x89/0x1e0
      [  699.878095]  unlink_anon_vmas+0xba/0x2c0
      [  699.878913]  free_pgtables+0x101/0x1b0
      [  699.879677]  exit_mmap+0x146/0x2a0
      [  699.880378]  ? __ia32_sys_munmap+0x50/0x50
      [  699.881214]  ? kasan_check_read+0x11/0x20
      [  699.882052]  ? mm_update_next_owner+0x322/0x380
      [  699.882985]  mmput+0x8b/0x1d0
      [  699.883602]  do_exit+0x43a/0x1390
      [  699.884288]  ? mm_update_next_owner+0x380/0x380
      [  699.885212]  ? f2fs_sync_file+0x9a/0xb0
      [  699.885995]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.886877]  ? vfs_fsync_range+0x68/0x100
      [  699.887694]  ? __fget_light+0xc9/0xe0
      [  699.888442]  ? do_fsync+0x3d/0x70
      [  699.889118]  ? __x64_sys_fdatasync+0x24/0x30
      [  699.889996]  rewind_stack_do_exit+0x17/0x20
      [  699.890860] RIP: 0033:0x7f9bf930d800
      [  699.891585] Code: Bad RIP value.
      [  699.892268] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.893781] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.895220] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.896643] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.898069] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.899505] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      
      [  699.901241] The buggy address belongs to the page:
      [  699.902215] page:ffffea0007d0ebc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  699.903811] flags: 0x2ffff0000000000()
      [  699.904585] raw: 02ffff0000000000 0000000000000000 ffffffff07d00101 0000000000000000
      [  699.906125] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000
      [  699.907673] page dumped because: kasan: bad access detected
      
      [  699.909108] Memory state around the buggy address:
      [  699.910077]  ffff8801f43af800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
      [  699.911528]  ffff8801f43af880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  699.912953] >ffff8801f43af900: 00 00 00 00 00 00 00 00 f1 01 f4 f4 f4 f2 f2 f2
      [  699.914392]                                                              ^
      [  699.915758]  ffff8801f43af980: f2 00 f4 f4 00 00 00 00 f2 00 00 00 00 00 00 00
      [  699.917193]  ffff8801f43afa00: 00 00 00 00 00 00 00 00 00 f3 f3 f3 00 00 00 00
      [  699.918634] ==================================================================
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L644
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14:
       - Error label is different in validate_checkpoint() due to the earlier
         backport of "f2fs: fix invalid memory access"
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ad19d1e7
    • Chao Yu's avatar
      f2fs: fix to do sanity check with node footer and iblocks · b8321ccd
      Chao Yu authored
      commit e34438c9 upstream.
      
      This patch adds to do sanity check with below fields of inode to
      avoid reported panic.
      - node footer
      - iblocks
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200223
      
      - Overview
      BUG() triggered in f2fs_truncate_inode_blocks() when un-mounting a mounted f2fs image after writing to it
      
      - Reproduce
      
      - POC (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
      
        // open / write / read
        int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
        if (fd >= 0) {
          write(fd, (char *)buf, 517);
          write(fd, (char *)buf, sizeof(buf));
          close(fd);
        }
      
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      - Kernel meesage
      [  552.479723] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [  556.451891] ------------[ cut here ]------------
      [  556.451899] kernel BUG at fs/f2fs/node.c:987!
      [  556.452920] invalid opcode: 0000 [#1] SMP KASAN PTI
      [  556.453936] CPU: 1 PID: 1310 Comm: umount Not tainted 4.18.0-rc1+ #4
      [  556.455213] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  556.457140] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
      [  556.458280] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
      [  556.462015] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286
      [  556.463068] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc
      [  556.464479] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164
      [  556.465901] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d
      [  556.467311] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64
      [  556.468706] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801
      [  556.470117] FS:  00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  556.471702] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  556.472838] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0
      [  556.474265] Call Trace:
      [  556.474782]  ? f2fs_alloc_nid_failed+0xf0/0xf0
      [  556.475686]  ? truncate_nodes+0x980/0x980
      [  556.476516]  ? pagecache_get_page+0x21f/0x2f0
      [  556.477412]  ? __asan_loadN+0xf/0x20
      [  556.478153]  ? __get_node_page+0x331/0x5b0
      [  556.478992]  ? reweight_entity+0x1e6/0x3b0
      [  556.479826]  f2fs_truncate_blocks+0x55e/0x740
      [  556.480709]  ? f2fs_truncate_data_blocks+0x20/0x20
      [  556.481689]  ? __radix_tree_lookup+0x34/0x160
      [  556.482630]  ? radix_tree_lookup+0xd/0x10
      [  556.483445]  f2fs_truncate+0xd4/0x1a0
      [  556.484206]  f2fs_evict_inode+0x5ce/0x630
      [  556.485032]  evict+0x16f/0x290
      [  556.485664]  iput+0x280/0x300
      [  556.486300]  dentry_unlink_inode+0x165/0x1e0
      [  556.487169]  __dentry_kill+0x16a/0x260
      [  556.487936]  dentry_kill+0x70/0x250
      [  556.488651]  shrink_dentry_list+0x125/0x260
      [  556.489504]  shrink_dcache_parent+0xc1/0x110
      [  556.490379]  ? shrink_dcache_sb+0x200/0x200
      [  556.491231]  ? bit_wait_timeout+0xc0/0xc0
      [  556.492047]  do_one_tree+0x12/0x40
      [  556.492743]  shrink_dcache_for_umount+0x3f/0xa0
      [  556.493656]  generic_shutdown_super+0x43/0x1c0
      [  556.494561]  kill_block_super+0x52/0x80
      [  556.495341]  kill_f2fs_super+0x62/0x70
      [  556.496105]  deactivate_locked_super+0x6f/0xa0
      [  556.497004]  deactivate_super+0x5e/0x80
      [  556.497785]  cleanup_mnt+0x61/0xa0
      [  556.498492]  __cleanup_mnt+0x12/0x20
      [  556.499218]  task_work_run+0xc8/0xf0
      [  556.499949]  exit_to_usermode_loop+0x125/0x130
      [  556.500846]  do_syscall_64+0x138/0x170
      [  556.501609]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  556.502659] RIP: 0033:0x7f8028b77487
      [  556.503384] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
      [  556.507137] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  556.508637] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487
      [  556.510069] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0
      [  556.511481] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014
      [  556.512892] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c
      [  556.514320] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820
      [  556.515745] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  556.529276] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  556.530340] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
      [  556.531513] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
      [  556.535330] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286
      [  556.536395] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc
      [  556.537824] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164
      [  556.539290] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d
      [  556.540709] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64
      [  556.542131] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801
      [  556.543579] FS:  00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  556.545180] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  556.546338] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0
      [  556.547809] ==================================================================
      [  556.549248] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x52/0x170
      [  556.550672] Write of size 8 at addr ffff8801f292fd10 by task umount/1310
      
      [  556.552338] CPU: 1 PID: 1310 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
      [  556.553886] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  556.555756] Call Trace:
      [  556.556264]  dump_stack+0x7b/0xb5
      [  556.556944]  print_address_description+0x70/0x290
      [  556.557903]  kasan_report+0x291/0x390
      [  556.558649]  ? arch_tlb_gather_mmu+0x52/0x170
      [  556.559537]  __asan_store8+0x57/0x90
      [  556.560268]  arch_tlb_gather_mmu+0x52/0x170
      [  556.561110]  tlb_gather_mmu+0x12/0x40
      [  556.561862]  exit_mmap+0x123/0x2a0
      [  556.562555]  ? __ia32_sys_munmap+0x50/0x50
      [  556.563384]  ? exit_aio+0x98/0x230
      [  556.564079]  ? __x32_compat_sys_io_submit+0x260/0x260
      [  556.565099]  ? taskstats_exit+0x1f4/0x640
      [  556.565925]  ? kasan_check_read+0x11/0x20
      [  556.566739]  ? mm_update_next_owner+0x322/0x380
      [  556.567652]  mmput+0x8b/0x1d0
      [  556.568260]  do_exit+0x43a/0x1390
      [  556.568937]  ? mm_update_next_owner+0x380/0x380
      [  556.569855]  ? deactivate_super+0x5e/0x80
      [  556.570668]  ? cleanup_mnt+0x61/0xa0
      [  556.571395]  ? __cleanup_mnt+0x12/0x20
      [  556.572156]  ? task_work_run+0xc8/0xf0
      [  556.572917]  ? exit_to_usermode_loop+0x125/0x130
      [  556.573861]  rewind_stack_do_exit+0x17/0x20
      [  556.574707] RIP: 0033:0x7f8028b77487
      [  556.575428] Code: Bad RIP value.
      [  556.576106] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  556.577599] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487
      [  556.579020] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0
      [  556.580422] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014
      [  556.581833] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c
      [  556.583252] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820
      
      [  556.584983] The buggy address belongs to the page:
      [  556.585961] page:ffffea0007ca4bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  556.587540] flags: 0x2ffff0000000000()
      [  556.588296] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
      [  556.589822] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  556.591359] page dumped because: kasan: bad access detected
      
      [  556.592786] Memory state around the buggy address:
      [  556.593753]  ffff8801f292fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  556.595191]  ffff8801f292fc80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
      [  556.596613] >ffff8801f292fd00: 00 00 f3 00 00 00 00 f3 f3 00 00 00 00 f4 f4 f4
      [  556.598044]                          ^
      [  556.598797]  ffff8801f292fd80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      [  556.600225]  ffff8801f292fe00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4
      [  556.601647] ==================================================================
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/node.c#L987
      		case NODE_DIND_BLOCK:
      			err = truncate_nodes(&dn, nofs, offset[1], 3);
      			cont = 0;
      			break;
      
      		default:
      			BUG(); <---
      		}
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b8321ccd
    • Chao Yu's avatar
      f2fs: fix to do sanity check with user_block_count · f9cf5462
      Chao Yu authored
      commit 9dc956b2 upstream.
      
      This patch fixs to do sanity check with user_block_count.
      
      - Overview
      Divide zero in utilization when mount() a corrupted f2fs image
      
      - Reproduce (4.18 upstream kernel)
      
      - Kernel message
      [  564.099503] F2FS-fs (loop0): invalid crc value
      [  564.101991] divide error: 0000 [#1] SMP KASAN PTI
      [  564.103103] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Not tainted 4.18.0-rc1+ #4
      [  564.104584] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  564.106624] RIP: 0010:issue_discard_thread+0x248/0x5c0
      [  564.107692] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
      [  564.111686] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
      [  564.112775] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
      [  564.114250] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
      [  564.115706] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
      [  564.117177] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
      [  564.118634] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
      [  564.120094] FS:  0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  564.121748] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  564.122923] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
      [  564.124383] Call Trace:
      [  564.124924]  ? __issue_discard_cmd+0x480/0x480
      [  564.125882]  ? __sched_text_start+0x8/0x8
      [  564.126756]  ? __kthread_parkme+0xcb/0x100
      [  564.127620]  ? kthread_blkcg+0x70/0x70
      [  564.128412]  kthread+0x180/0x1d0
      [  564.129105]  ? __issue_discard_cmd+0x480/0x480
      [  564.130029]  ? kthread_associate_blkcg+0x150/0x150
      [  564.131033]  ret_from_fork+0x35/0x40
      [  564.131794] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  564.141798] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  564.142773] RIP: 0010:issue_discard_thread+0x248/0x5c0
      [  564.143885] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
      [  564.147776] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
      [  564.148856] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
      [  564.150424] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
      [  564.151906] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
      [  564.153463] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
      [  564.154915] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
      [  564.156405] FS:  0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  564.158070] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  564.159279] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
      [  564.161043] ==================================================================
      [  564.162587] BUG: KASAN: stack-out-of-bounds in from_kuid_munged+0x1d/0x50
      [  564.163994] Read of size 4 at addr ffff8801f3117c84 by task f2fs_discard-7:/1298
      
      [  564.165852] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Tainted: G      D           4.18.0-rc1+ #4
      [  564.167593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  564.169522] Call Trace:
      [  564.170057]  dump_stack+0x7b/0xb5
      [  564.170778]  print_address_description+0x70/0x290
      [  564.171765]  kasan_report+0x291/0x390
      [  564.172540]  ? from_kuid_munged+0x1d/0x50
      [  564.173408]  __asan_load4+0x78/0x80
      [  564.174148]  from_kuid_munged+0x1d/0x50
      [  564.174962]  do_notify_parent+0x1f5/0x4f0
      [  564.175808]  ? send_sigqueue+0x390/0x390
      [  564.176639]  ? css_set_move_task+0x152/0x340
      [  564.184197]  do_exit+0x1290/0x1390
      [  564.184950]  ? __issue_discard_cmd+0x480/0x480
      [  564.185884]  ? mm_update_next_owner+0x380/0x380
      [  564.186829]  ? __sched_text_start+0x8/0x8
      [  564.187672]  ? __kthread_parkme+0xcb/0x100
      [  564.188528]  ? kthread_blkcg+0x70/0x70
      [  564.189333]  ? kthread+0x180/0x1d0
      [  564.190052]  ? __issue_discard_cmd+0x480/0x480
      [  564.190983]  rewind_stack_do_exit+0x17/0x20
      
      [  564.192190] The buggy address belongs to the page:
      [  564.193213] page:ffffea0007cc45c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  564.194856] flags: 0x2ffff0000000000()
      [  564.195644] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
      [  564.197247] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  564.198826] page dumped because: kasan: bad access detected
      
      [  564.200299] Memory state around the buggy address:
      [  564.201306]  ffff8801f3117b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  564.202779]  ffff8801f3117c00: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
      [  564.204252] >ffff8801f3117c80: f3 f3 f3 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      [  564.205742]                    ^
      [  564.206424]  ffff8801f3117d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  564.207908]  ffff8801f3117d80: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      [  564.209389] ==================================================================
      [  564.231795] F2FS-fs (loop0): Mounted with checkpoint version = 2
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L586
      	return div_u64((u64)valid_user_blocks(sbi) * 100,
      					sbi->user_block_count);
      Missing checks on sbi->user_block_count.
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f9cf5462
    • Chao Yu's avatar
      f2fs: fix to do sanity check with extra_attr feature · 0081c90e
      Chao Yu authored
      commit 76d56d4a upstream.
      
      If FI_EXTRA_ATTR is set in inode by fuzzing, inode.i_addr[0] will be
      parsed as inode.i_extra_isize, then in __recover_inline_status, inline
      data address will beyond boundary of page, result in accessing invalid
      memory.
      
      So in this condition, during reading inode page, let's do sanity check
      with EXTRA_ATTR feature of fs and extra_attr bit of inode, if they're
      inconsistent, deny to load this inode.
      
      - Overview
      Out-of-bound access in f2fs_iget() when mounting a corrupted f2fs image
      
      - Reproduce
      
      The following message will be got in KASAN build of 4.18 upstream kernel.
      [  819.392227] ==================================================================
      [  819.393901] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x736/0x1530
      [  819.395329] Read of size 4 at addr ffff8801f099c968 by task mount/1292
      
      [  819.397079] CPU: 1 PID: 1292 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  819.397082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  819.397088] Call Trace:
      [  819.397124]  dump_stack+0x7b/0xb5
      [  819.397154]  print_address_description+0x70/0x290
      [  819.397159]  kasan_report+0x291/0x390
      [  819.397163]  ? f2fs_iget+0x736/0x1530
      [  819.397176]  check_memory_region+0x139/0x190
      [  819.397182]  __asan_loadN+0xf/0x20
      [  819.397185]  f2fs_iget+0x736/0x1530
      [  819.397197]  f2fs_fill_super+0x1b4f/0x2b40
      [  819.397202]  ? f2fs_fill_super+0x1b4f/0x2b40
      [  819.397208]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397227]  ? set_blocksize+0x90/0x140
      [  819.397241]  mount_bdev+0x1c5/0x210
      [  819.397245]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397252]  f2fs_mount+0x15/0x20
      [  819.397256]  mount_fs+0x60/0x1a0
      [  819.397267]  ? alloc_vfsmnt+0x309/0x360
      [  819.397272]  vfs_kern_mount+0x6b/0x1a0
      [  819.397282]  do_mount+0x34a/0x18c0
      [  819.397300]  ? lockref_put_or_lock+0xcf/0x160
      [  819.397306]  ? copy_mount_string+0x20/0x20
      [  819.397318]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  819.397324]  ? kasan_check_write+0x14/0x20
      [  819.397334]  ? _copy_from_user+0x6a/0x90
      [  819.397353]  ? memdup_user+0x42/0x60
      [  819.397359]  ksys_mount+0x83/0xd0
      [  819.397365]  __x64_sys_mount+0x67/0x80
      [  819.397388]  do_syscall_64+0x78/0x170
      [  819.397403]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  819.397422] RIP: 0033:0x7f54c667cb9a
      [  819.397424] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  819.397483] RSP: 002b:00007ffd8f46cd08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
      [  819.397496] RAX: ffffffffffffffda RBX: 0000000000dfa030 RCX: 00007f54c667cb9a
      [  819.397498] RDX: 0000000000dfa210 RSI: 0000000000dfbf30 RDI: 0000000000e02ec0
      [  819.397501] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  819.397503] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000e02ec0
      [  819.397505] R13: 0000000000dfa210 R14: 0000000000000000 R15: 0000000000000003
      
      [  819.397866] Allocated by task 139:
      [  819.398702]  save_stack+0x46/0xd0
      [  819.398705]  kasan_kmalloc+0xad/0xe0
      [  819.398709]  kasan_slab_alloc+0x11/0x20
      [  819.398713]  kmem_cache_alloc+0xd1/0x1e0
      [  819.398717]  dup_fd+0x50/0x4c0
      [  819.398740]  copy_process.part.37+0xbed/0x32e0
      [  819.398744]  _do_fork+0x16e/0x590
      [  819.398748]  __x64_sys_clone+0x69/0x80
      [  819.398752]  do_syscall_64+0x78/0x170
      [  819.398756]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.399097] Freed by task 159:
      [  819.399743]  save_stack+0x46/0xd0
      [  819.399747]  __kasan_slab_free+0x13c/0x1a0
      [  819.399750]  kasan_slab_free+0xe/0x10
      [  819.399754]  kmem_cache_free+0x89/0x1e0
      [  819.399757]  put_files_struct+0x132/0x150
      [  819.399761]  exit_files+0x62/0x70
      [  819.399766]  do_exit+0x47b/0x1390
      [  819.399770]  do_group_exit+0x86/0x130
      [  819.399774]  __x64_sys_exit_group+0x2c/0x30
      [  819.399778]  do_syscall_64+0x78/0x170
      [  819.399782]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.400115] The buggy address belongs to the object at ffff8801f099c680
                      which belongs to the cache files_cache of size 704
      [  819.403234] The buggy address is located 40 bytes to the right of
                      704-byte region [ffff8801f099c680, ffff8801f099c940)
      [  819.405689] The buggy address belongs to the page:
      [  819.406709] page:ffffea0007c26700 count:1 mapcount:0 mapping:ffff8801f69a3340 index:0xffff8801f099d380 compound_mapcount: 0
      [  819.408984] flags: 0x2ffff0000008100(slab|head)
      [  819.409932] raw: 02ffff0000008100 ffffea00077fb600 0000000200000002 ffff8801f69a3340
      [  819.411514] raw: ffff8801f099d380 0000000080130000 00000001ffffffff 0000000000000000
      [  819.413073] page dumped because: kasan: bad access detected
      
      [  819.414539] Memory state around the buggy address:
      [  819.415521]  ffff8801f099c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.416981]  ffff8801f099c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.418454] >ffff8801f099c900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [  819.419921]                                                           ^
      [  819.421265]  ffff8801f099c980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
      [  819.422745]  ffff8801f099ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.424206] ==================================================================
      [  819.425668] Disabling lock debugging due to kernel taint
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      
      The kernel still mounts the image. If you run the following program on the mounted folder mnt,
      
      (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
          int fd = open(foo_bar_baz, O_RDONLY, 0);
        if (fd >= 0) {
            read(fd, (char *)buf, 11);
            close(fd);
        }
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      You can get kernel crash:
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      [  918.028501] BUG: unable to handle kernel paging request at ffffed0048000d82
      [  918.044020] PGD 23ffee067 P4D 23ffee067 PUD 23fbef067 PMD 0
      [  918.045207] Oops: 0000 [#1] SMP KASAN PTI
      [  918.046048] CPU: 0 PID: 1309 Comm: poc Tainted: G    B             4.18.0-rc1+ #4
      [  918.047573] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  918.049552] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.050565] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.054322] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.055400] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.056832] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.058253] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.059717] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.061159] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.062614] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.064246] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.065412] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      [  918.066882] Call Trace:
      [  918.067410]  __asan_loadN+0xf/0x20
      [  918.068149]  f2fs_find_target_dentry+0xf4/0x270
      [  918.069083]  ? __get_node_page+0x331/0x5b0
      [  918.069925]  f2fs_find_in_inline_dir+0x24b/0x310
      [  918.070881]  ? f2fs_recover_inline_data+0x4c0/0x4c0
      [  918.071905]  ? unwind_next_frame.part.5+0x34f/0x490
      [  918.072901]  ? unwind_dump+0x290/0x290
      [  918.073695]  ? is_bpf_text_address+0xe/0x20
      [  918.074566]  __f2fs_find_entry+0x599/0x670
      [  918.075408]  ? kasan_unpoison_shadow+0x36/0x50
      [  918.076315]  ? kasan_kmalloc+0xad/0xe0
      [  918.077100]  ? memcg_kmem_put_cache+0x55/0xa0
      [  918.077998]  ? f2fs_find_target_dentry+0x270/0x270
      [  918.079006]  ? d_set_d_op+0x30/0x100
      [  918.079749]  ? __d_lookup_rcu+0x69/0x2e0
      [  918.080556]  ? __d_alloc+0x275/0x450
      [  918.081297]  ? kasan_check_write+0x14/0x20
      [  918.082135]  ? memset+0x31/0x40
      [  918.082820]  ? fscrypt_setup_filename+0x1ec/0x4c0
      [  918.083782]  ? d_alloc_parallel+0x5bb/0x8c0
      [  918.084640]  f2fs_find_entry+0xe9/0x110
      [  918.085432]  ? __f2fs_find_entry+0x670/0x670
      [  918.086308]  ? kasan_check_write+0x14/0x20
      [  918.087163]  f2fs_lookup+0x297/0x590
      [  918.087902]  ? f2fs_link+0x2b0/0x2b0
      [  918.088646]  ? legitimize_path.isra.29+0x61/0xa0
      [  918.089589]  __lookup_slow+0x12e/0x240
      [  918.090371]  ? may_delete+0x2b0/0x2b0
      [  918.091123]  ? __nd_alloc_stack+0xa0/0xa0
      [  918.091944]  lookup_slow+0x44/0x60
      [  918.092642]  walk_component+0x3ee/0xa40
      [  918.093428]  ? is_bpf_text_address+0xe/0x20
      [  918.094283]  ? pick_link+0x3e0/0x3e0
      [  918.095047]  ? in_group_p+0xa5/0xe0
      [  918.095771]  ? generic_permission+0x53/0x1e0
      [  918.096666]  ? security_inode_permission+0x1d/0x70
      [  918.097646]  ? inode_permission+0x7a/0x1f0
      [  918.098497]  link_path_walk+0x2a2/0x7b0
      [  918.099298]  ? apparmor_capget+0x3d0/0x3d0
      [  918.100140]  ? walk_component+0xa40/0xa40
      [  918.100958]  ? path_init+0x2e6/0x580
      [  918.101695]  path_openat+0x1bb/0x2160
      [  918.102471]  ? __save_stack_trace+0x92/0x100
      [  918.103352]  ? save_stack+0xb5/0xd0
      [  918.104070]  ? vfs_unlink+0x250/0x250
      [  918.104822]  ? save_stack+0x46/0xd0
      [  918.105538]  ? kasan_slab_alloc+0x11/0x20
      [  918.106370]  ? kmem_cache_alloc+0xd1/0x1e0
      [  918.107213]  ? getname_flags+0x76/0x2c0
      [  918.107997]  ? getname+0x12/0x20
      [  918.108677]  ? do_sys_open+0x14b/0x2c0
      [  918.109450]  ? __x64_sys_open+0x4c/0x60
      [  918.110255]  ? do_syscall_64+0x78/0x170
      [  918.111083]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.112148]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.113204]  ? f2fs_empty_inline_dir+0x1e0/0x1e0
      [  918.114150]  ? timespec64_trunc+0x5c/0x90
      [  918.114993]  ? wb_io_lists_depopulated+0x1a/0xc0
      [  918.115937]  ? inode_io_list_move_locked+0x102/0x110
      [  918.116949]  do_filp_open+0x12b/0x1d0
      [  918.117709]  ? may_open_dev+0x50/0x50
      [  918.118475]  ? kasan_kmalloc+0xad/0xe0
      [  918.119246]  do_sys_open+0x17c/0x2c0
      [  918.119983]  ? do_sys_open+0x17c/0x2c0
      [  918.120751]  ? filp_open+0x60/0x60
      [  918.121463]  ? task_work_run+0x4d/0xf0
      [  918.122237]  __x64_sys_open+0x4c/0x60
      [  918.123001]  do_syscall_64+0x78/0x170
      [  918.123759]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.124802] RIP: 0033:0x7fac96e3e040
      [  918.125537] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24
      [  918.129341] RSP: 002b:00007fff1b37f848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
      [  918.130870] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fac96e3e040
      [  918.132295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000122d080
      [  918.133748] RBP: 00007fff1b37f9b0 R08: 00007fac9710bbd8 R09: 0000000000000001
      [  918.135209] R10: 000000000000069d R11: 0000000000000246 R12: 0000000000400c20
      [  918.136650] R13: 00007fff1b37fab0 R14: 0000000000000000 R15: 0000000000000000
      [  918.138093] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  918.147924] CR2: ffffed0048000d82
      [  918.148619] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  918.149563] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.150576] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.154360] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.155411] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.156833] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.158257] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.159722] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.161149] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.162587] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.164203] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.165356] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0081c90e
    • Ben Hutchings's avatar
      f2fs: Add sanity_check_inode() function · 2598fc56
      Ben Hutchings authored
      This was done as part of commit 5d64600d "f2fs: avoid bug_on on
      corrupted inode" upstream, but the specific check that commit added is
      not applicable to 4.14.
      
      Cc: Jaegeuk Kim <jaegeuk@kernel.org>
      Cc: Chao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2598fc56
    • Chao Yu's avatar
      f2fs: fix to do sanity check with secs_per_zone · f3d6361a
      Chao Yu authored
      commit 42bf546c upstream.
      
      As Wen Xu reported in below link:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200183
      
      - Overview
      Divide zero in reset_curseg() when mounting a crafted f2fs image
      
      - Reproduce
      
      - Kernel message
      [  588.281510] divide error: 0000 [#1] SMP KASAN PTI
      [  588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  588.286178] RIP: 0010:reset_curseg+0x94/0x1a0
      [  588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
      [  588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
      [  588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
      [  588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
      [  588.306822] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  588.308456] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
      [  588.311085] Call Trace:
      [  588.311637]  f2fs_build_segment_manager+0x103f/0x3410
      [  588.316136]  ? f2fs_commit_super+0x1b0/0x1b0
      [  588.317031]  ? set_blocksize+0x90/0x140
      [  588.319473]  f2fs_mount+0x15/0x20
      [  588.320166]  mount_fs+0x60/0x1a0
      [  588.320847]  ? alloc_vfsmnt+0x309/0x360
      [  588.321647]  vfs_kern_mount+0x6b/0x1a0
      [  588.322432]  do_mount+0x34a/0x18c0
      [  588.323175]  ? strndup_user+0x46/0x70
      [  588.323937]  ? copy_mount_string+0x20/0x20
      [  588.324793]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  588.325702]  ? kasan_check_write+0x14/0x20
      [  588.326562]  ? _copy_from_user+0x6a/0x90
      [  588.327375]  ? memdup_user+0x42/0x60
      [  588.328118]  ksys_mount+0x83/0xd0
      [  588.328808]  __x64_sys_mount+0x67/0x80
      [  588.329607]  do_syscall_64+0x78/0x170
      [  588.330400]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  588.331461] RIP: 0033:0x7fad848e8b9a
      [  588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a
      [  588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0
      [  588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0
      [  588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003
      [  588.354891] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  588.355862] RIP: 0010:reset_curseg+0x94/0x1a0
      [  588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
      [  588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
      [  588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
      [  588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f
      [  588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700
      [  588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
      [  588.370057] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  588.372099] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
      
      - Location
      https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147
              curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno);
      
      If secs_per_zone is corrupted due to fuzzing test, it will cause divide
      zero operation when using GET_ZONE_FROM_SEG macro, so we should do more
      sanity check with secs_per_zone during mount to avoid this issue.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f3d6361a
    • Chao Yu's avatar
      f2fs: introduce and spread verify_blkaddr · eea71570
      Chao Yu authored
      commit e1da7872 upstream.
      
      This patch introduces verify_blkaddr to check meta/data block address
      with valid range to detect bug earlier.
      
      In addition, once we encounter an invalid blkaddr, notice user to run
      fsck to fix, and let the kernel panic.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14: I skipped an earlier renaming of
       is_valid_meta_blkaddr() to f2fs_is_valid_meta_blkaddr()]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      eea71570
    • Chao Yu's avatar
      f2fs: clean up with is_valid_blkaddr() · 9e6c4a85
      Chao Yu authored
      commit 7b525dd0 upstream.
      
      - rename is_valid_blkaddr() to is_valid_meta_blkaddr() for readability.
      - introduce is_valid_blkaddr() for cleanup.
      
      No logic change in this patch.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9e6c4a85
    • Jaegeuk Kim's avatar
      f2fs: enhance sanity_check_raw_super() to avoid potential overflow · e60b9723
      Jaegeuk Kim authored
      commit 0cfe75c5 upstream.
      
      In order to avoid the below overflow issue, we should have checked the
      boundaries in superblock before reaching out to allocation. As Linus suggested,
      the right place should be sanity_check_raw_super().
      
      Dr Silvio Cesare of InfoSect reported:
      
      There are integer overflows with using the cp_payload superblock field in the
      f2fs filesystem potentially leading to memory corruption.
      
      include/linux/f2fs_fs.h
      
      struct f2fs_super_block {
      ...
              __le32 cp_payload;
      
      fs/f2fs/f2fs.h
      
      typedef u32 block_t;    /*
                               * should not change u32, since it is the on-disk block
                               * address format, __le32.
                               */
      ...
      
      static inline block_t __cp_payload(struct f2fs_sb_info *sbi)
      {
              return le32_to_cpu(F2FS_RAW_SUPER(sbi)->cp_payload);
      }
      
      fs/f2fs/checkpoint.c
      
              block_t start_blk, orphan_blocks, i, j;
      ...
              start_blk = __start_cp_addr(sbi) + 1 + __cp_payload(sbi);
              orphan_blocks = __start_sum_addr(sbi) - 1 - __cp_payload(sbi);
      
      +++ integer overflows
      
      ...
              unsigned int cp_blks = 1 + __cp_payload(sbi);
      ...
              sbi->ckpt = kzalloc(cp_blks * blk_size, GFP_KERNEL);
      
      +++ integer overflow leading to incorrect heap allocation.
      
              int cp_payload_blks = __cp_payload(sbi);
      ...
              ckpt->cp_pack_start_sum = cpu_to_le32(1 + cp_payload_blks +
                              orphan_blocks);
      
      +++ sign bug and integer overflow
      
      ...
              for (i = 1; i < 1 + cp_payload_blks; i++)
      
      +++ integer overflow
      
      ...
      
            sbi->max_orphans = (sbi->blocks_per_seg - F2FS_CP_PACKS -
                              NR_CURSEG_TYPE - __cp_payload(sbi)) *
                                      F2FS_ORPHANS_PER_BLOCK;
      
      +++ integer overflow
      Reported-by: default avatarGreg KH <greg@kroah.com>
      Reported-by: default avatarSilvio Cesare <silvio.cesare@gmail.com>
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14: No hot file extension support]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e60b9723
    • Jaegeuk Kim's avatar
      f2fs: sanity check on sit entry · a8f40be6
      Jaegeuk Kim authored
      commit b2ca374f upstream.
      
      syzbot hit the following crash on upstream commit
      87ef1202 (Wed Apr 18 19:48:17 2018 +0000)
      Merge tag 'ceph-for-4.17-rc2' of git://github.com/ceph/ceph-client
      syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=83699adeb2d13579c31e
      
      C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5805208181407744
      syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6005073343676416
      Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6555047731134464
      Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
      compiler: gcc (GCC) 8.0.1 20180413 (experimental)
      
      IMPORTANT: if you fix the bug, please add the following tag to the commit:
      Reported-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
      It will help syzbot understand when the bug is fixed. See footer for details.
      If you forward the report, please keep this part and the footer.
      
      F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
      F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
      F2FS-fs (loop0): invalid crc value
      BUG: unable to handle kernel paging request at ffffed006b2a50c0
      PGD 21ffee067 P4D 21ffee067 PUD 21fbeb067 PMD 0
      Oops: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 4514 Comm: syzkaller989480 Not tainted 4.17.0-rc1+ #8
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:build_sit_entries fs/f2fs/segment.c:3653 [inline]
      RIP: 0010:build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852
      RSP: 0018:ffff8801b102e5b0 EFLAGS: 00010a06
      RAX: 1ffff1006b2a50c0 RBX: 0000000000000004 RCX: 0000000000000001
      RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801ac74243e
      RBP: ffff8801b102f410 R08: ffff8801acbd46c0 R09: fffffbfff14d9af8
      R10: fffffbfff14d9af8 R11: ffff8801acbd46c0 R12: ffff8801ac742a80
      R13: ffff8801d9519100 R14: dffffc0000000000 R15: ffff880359528600
      FS:  0000000001e04880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffed006b2a50c0 CR3: 00000001ac6ac000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       f2fs_fill_super+0x4095/0x7bf0 fs/f2fs/super.c:2803
       mount_bdev+0x30c/0x3e0 fs/super.c:1165
       f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
       mount_fs+0xae/0x328 fs/super.c:1268
       vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
       vfs_kern_mount fs/namespace.c:1027 [inline]
       do_new_mount fs/namespace.c:2517 [inline]
       do_mount+0x564/0x3070 fs/namespace.c:2847
       ksys_mount+0x12d/0x140 fs/namespace.c:3063
       __do_sys_mount fs/namespace.c:3077 [inline]
       __se_sys_mount fs/namespace.c:3074 [inline]
       __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x443d6a
      RSP: 002b:00007ffd312813c8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
      RAX: ffffffffffffffda RBX: 0000000020000c00 RCX: 0000000000443d6a
      RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd312813d0
      RBP: 0000000000000003 R08: 0000000020016a00 R09: 000000000000000a
      R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000004
      R13: 0000000000402c60 R14: 0000000000000000 R15: 0000000000000000
      RIP: build_sit_entries fs/f2fs/segment.c:3653 [inline] RSP: ffff8801b102e5b0
      RIP: build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852 RSP: ffff8801b102e5b0
      CR2: ffffed006b2a50c0
      ---[ end trace a2034989e196ff17 ]---
      
      Reported-and-tested-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a8f40be6
    • Yunlei He's avatar
      f2fs: check blkaddr more accuratly before issue a bio · aec6ccb3
      Yunlei He authored
      commit 0833721e upstream.
      
      This patch check blkaddr more accuratly before issue a
      write or read bio.
      Signed-off-by: default avatarYunlei He <heyunlei@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      aec6ccb3
    • Shaokun Zhang's avatar
      btrfs: tree-checker: Fix misleading group system information · 4b356df1
      Shaokun Zhang authored
      commit 761333f2 upstream.
      
      block_group_err shows the group system as a decimal value with a '0x'
      prefix, which is somewhat misleading.
      
      Fix it to print hexadecimal, as was intended.
      
      Fixes: fce466ea ("btrfs: tree-checker: Verify block_group_item")
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarQu Wenruo <wqu@suse.com>
      Signed-off-by: default avatarShaokun Zhang <zhangshaokun@hisilicon.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4b356df1
    • Qu Wenruo's avatar
      btrfs: tree-checker: Check level for leaves and nodes · cf968bbc
      Qu Wenruo authored
      commit f556faa4 upstream.
      
      Although we have tree level check at tree read runtime, it's completely
      based on its parent level.
      We still need to do accurate level check to avoid invalid tree blocks
      sneak into kernel space.
      
      The check itself is simple, for leaf its level should always be 0.
      For nodes its level should be in range [1, BTRFS_MAX_LEVEL - 1].
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarSu Yue <suy.fnst@cn.fujitsu.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      [bwh: Backported to 4.14:
       - Pass root instead of fs_info to generic_err()
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cf968bbc
    • Qu Wenruo's avatar
      btrfs: Check that each block group has corresponding chunk at mount time · 34407a17
      Qu Wenruo authored
      commit 514c7dca upstream.
      
      A crafted btrfs image with incorrect chunk<->block group mapping will
      trigger a lot of unexpected things as the mapping is essential.
      
      Although the problem can be caught by block group item checker
      added in "btrfs: tree-checker: Verify block_group_item", it's still not
      sufficient.  A sufficiently valid block group item can pass the check
      added by the mentioned patch but could fail to match the existing chunk.
      
      This patch will add extra block group -> chunk mapping check, to ensure
      we have a completely matching (start, len, flags) chunk for each block
      group at mount time.
      
      Here we reuse the original helper find_first_block_group(), which is
      already doing the basic bg -> chunk checks, adding further checks of the
      start/len and type flags.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=199837Reported-by: default avatarXu Wen <wen.xu@gatech.edu>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarSu Yue <suy.fnst@cn.fujitsu.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      34407a17
    • Qu Wenruo's avatar
      btrfs: tree-checker: Detect invalid and empty essential trees · c0dfb998
      Qu Wenruo authored
      commit ba480dd4 upstream.
      
      A crafted image has empty root tree block, which will later cause NULL
      pointer dereference.
      
      The following trees should never be empty:
      1) Tree root
         Must contain at least root items for extent tree, device tree and fs
         tree
      
      2) Chunk tree
         Or we can't even bootstrap as it contains the mapping.
      
      3) Fs tree
         At least inode item for top level inode (.).
      
      4) Device tree
         Dev extents for chunks
      
      5) Extent tree
         Must have corresponding extent for each chunk.
      
      If any of them is empty, we are sure the fs is corrupted and no need to
      mount it.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=199847Reported-by: default avatarXu Wen <wen.xu@gatech.edu>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Tested-by: default avatarGu Jinxiang <gujx@cn.fujitsu.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      [bwh: Backported to 4.14: Pass root instead of fs_info to generic_err()]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c0dfb998
    • Qu Wenruo's avatar
      btrfs: tree-checker: Verify block_group_item · 9f268b5c
      Qu Wenruo authored
      commit fce466ea upstream.
      
      A crafted image with invalid block group items could make free space cache
      code to cause panic.
      
      We could detect such invalid block group item by checking:
      1) Item size
         Known fixed value.
      2) Block group size (key.offset)
         We have an upper limit on block group item (10G)
      3) Chunk objectid
         Known fixed value.
      4) Type
         Only 4 valid type values, DATA, METADATA, SYSTEM and DATA|METADATA.
         No more than 1 bit set for profile type.
      5) Used space
         No more than the block group size.
      
      This should allow btrfs to detect and refuse to mount the crafted image.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=199849Reported-by: default avatarXu Wen <wen.xu@gatech.edu>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarGu Jinxiang <gujx@cn.fujitsu.com>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Tested-by: default avatarGu Jinxiang <gujx@cn.fujitsu.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      [bwh: Backported to 4.14:
       - In check_leaf_item(), pass root->fs_info to check_block_group_item()
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9f268b5c
    • David Sterba's avatar
      btrfs: tree-check: reduce stack consumption in check_dir_item · e07e1c75
      David Sterba authored
      commit e2683fc9 upstream.
      
      I've noticed that the updated item checker stack consumption increased
      dramatically in 542f5385e20cf97447 ("btrfs: tree-checker: Add checker
      for dir item")
      
      tree-checker.c:check_leaf                    +552 (176 -> 728)
      
      The array is 255 bytes long, dynamic allocation would slow down the
      sanity checks so it's more reasonable to keep it on-stack. Moving the
      variable to the scope of use reduces the stack usage again
      
      tree-checker.c:check_leaf                    -264 (728 -> 464)
      Reviewed-by: default avatarJosef Bacik <jbacik@fb.com>
      Reviewed-by: default avatarQu Wenruo <wqu@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e07e1c75
    • Arnd Bergmann's avatar
      btrfs: tree-checker: use %zu format string for size_t · 52ea1665
      Arnd Bergmann authored
      commit 7cfad652 upstream.
      
      The return value of sizeof() is of type size_t, so we must print it
      using the %z format modifier rather than %l to avoid this warning
      on some architectures:
      
      fs/btrfs/tree-checker.c: In function 'check_dir_item':
      fs/btrfs/tree-checker.c:273:50: error: format '%lu' expects argument of type 'long unsigned int', but argument 5 has type 'u32' {aka 'unsigned int'} [-Werror=format=]
      
      Fixes: 005887f2e3e0 ("btrfs: tree-checker: Add checker for dir item")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      52ea1665
    • Qu Wenruo's avatar
      btrfs: tree-checker: Add checker for dir item · fe09fe21
      Qu Wenruo authored
      commit ad7b0368 upstream.
      
      Add checker for dir item, for key types DIR_ITEM, DIR_INDEX and
      XATTR_ITEM.
      
      This checker does comprehensive checks for:
      
      1) dir_item header and its data size
         Against item boundary and maximum name/xattr length.
         This part is mostly the same as old verify_dir_item().
      
      2) dir_type
         Against maximum file types, and against key type.
         Since XATTR key should only have FT_XATTR dir item, and normal dir
         item type should not have XATTR key.
      
         The check between key->type and dir_type is newly introduced by this
         patch.
      
      3) name hash
         For XATTR and DIR_ITEM key, key->offset is name hash (crc32c).
         Check the hash of the name against the key to ensure it's correct.
      
         The name hash check is only found in btrfs-progs before this patch.
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarSu Yue <suy.fnst@cn.fujitsu.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fe09fe21
    • Qu Wenruo's avatar
      btrfs: tree-checker: Fix false panic for sanity test · b6a07f90
      Qu Wenruo authored
      commit 69fc6cbb upstream.
      
      [BUG]
      If we run btrfs with CONFIG_BTRFS_FS_RUN_SANITY_TESTS=y, it will
      instantly cause kernel panic like:
      
      ------
      ...
      assertion failed: 0, file: fs/btrfs/disk-io.c, line: 3853
      ...
      Call Trace:
       btrfs_mark_buffer_dirty+0x187/0x1f0 [btrfs]
       setup_items_for_insert+0x385/0x650 [btrfs]
       __btrfs_drop_extents+0x129a/0x1870 [btrfs]
      ...
      -----
      
      [Cause]
      Btrfs will call btrfs_check_leaf() in btrfs_mark_buffer_dirty() to check
      if the leaf is valid with CONFIG_BTRFS_FS_RUN_SANITY_TESTS=y.
      
      However quite some btrfs_mark_buffer_dirty() callers(*) don't really
      initialize its item data but only initialize its item pointers, leaving
      item data uninitialized.
      
      This makes tree-checker catch uninitialized data as error, causing
      such panic.
      
      *: These callers include but not limited to
      setup_items_for_insert()
      btrfs_split_item()
      btrfs_expand_item()
      
      [Fix]
      Add a new parameter @check_item_data to btrfs_check_leaf().
      With @check_item_data set to false, item data check will be skipped and
      fallback to old btrfs_check_leaf() behavior.
      
      So we can still get early warning if we screw up item pointers, and
      avoid false panic.
      
      Cc: Filipe Manana <fdmanana@gmail.com>
      Reported-by: default avatarLakshmipathi.G <lakshmipathi.g@gmail.com>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b6a07f90
    • Qu Wenruo's avatar
      btrfs: tree-checker: Enhance btrfs_check_node output · b3032dc2
      Qu Wenruo authored
      commit bba4f298 upstream.
      
      Use inline function to replace macro since we don't need
      stringification.
      (Macro still exists until all callers get updated)
      
      And add more info about the error, and replace EIO with EUCLEAN.
      
      For nr_items error, report if it's too large or too small, and output
      the valid value range.
      
      For node block pointer, added a new alignment checker.
      
      For key order, also output the next key to make the problem more
      obvious.
      Signed-off-by: default avatarQu Wenruo <quwenruo.btrfs@gmx.com>
      [ wording adjustments, unindented long strings ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b3032dc2
    • Qu Wenruo's avatar
      btrfs: Move leaf and node validation checker to tree-checker.c · eb3493e2
      Qu Wenruo authored
      commit 557ea5dd upstream.
      
      It's no doubt the comprehensive tree block checker will become larger,
      so moving them into their own files is quite reasonable.
      Signed-off-by: default avatarQu Wenruo <quwenruo.btrfs@gmx.com>
      [ wording adjustments ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      eb3493e2
    • Qu Wenruo's avatar
      btrfs: Add checker for EXTENT_CSUM · 64948fd6
      Qu Wenruo authored
      commit 4b865cab upstream.
      
      EXTENT_CSUM checker is a relatively easy one, only needs to check:
      
      1) Objectid
         Fixed to BTRFS_EXTENT_CSUM_OBJECTID
      
      2) Key offset alignment
         Must be aligned to sectorsize
      
      3) Item size alignedment
         Must be aligned to csum size
      Signed-off-by: default avatarQu Wenruo <quwenruo.btrfs@gmx.com>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      64948fd6
    • Qu Wenruo's avatar
      btrfs: Add sanity check for EXTENT_DATA when reading out leaf · fa5d29e6
      Qu Wenruo authored
      commit 40c3c409 upstream.
      
      Add extra checks for item with EXTENT_DATA type.  This checks the
      following thing:
      
      0) Key offset
         All key offsets must be aligned to sectorsize.
         Inline extent must have 0 for key offset.
      
      1) Item size
         Uncompressed inline file extent size must match item size.
         (Compressed inline file extent has no information about its on-disk size.)
         Regular/preallocated file extent size must be a fixed value.
      
      2) Every member of regular file extent item
         Including alignment for bytenr and offset, possible value for
         compression/encryption/type.
      
      3) Type/compression/encode must be one of the valid values.
      
      This should be the most comprehensive and strict check in the context
      of btrfs_item for EXTENT_DATA.
      Signed-off-by: default avatarQu Wenruo <quwenruo.btrfs@gmx.com>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      [ switch to BTRFS_FILE_EXTENT_TYPES, similar to what
        BTRFS_COMPRESS_TYPES does ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fa5d29e6
    • Qu Wenruo's avatar
      btrfs: Check if item pointer overlaps with the item itself · ac6ea50b
      Qu Wenruo authored
      commit 7f43d4af upstream.
      
      Function check_leaf() checks if any item pointer points outside of the
      leaf, but it doesn't check if the pointer overlaps with the item itself.
      
      Normally only the last item may be the victim, but adding such check is
      never a bad idea anyway.
      Signed-off-by: default avatarQu Wenruo <quwenruo.btrfs@gmx.com>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ac6ea50b
    • Qu Wenruo's avatar
      btrfs: Refactor check_leaf function for later expansion · a5cc85fe
      Qu Wenruo authored
      commit c3267bba upstream.
      
      Current check_leaf() function does a good job checking key order and
      item offset/size.
      
      However it only checks from slot 0 to the last but one slot, this is
      good but makes later expansion hard.
      
      So this refactoring iterates from slot 0 to the last slot.
      For key comparison, it uses a key with all 0 as initial key, so all
      valid keys should be larger than that.
      
      And for item size/offset checks, it compares current item end with
      previous item offset.
      For slot 0, use leaf end as a special case.
      
      This makes later item/key offset checks and item size checks easier to
      be implemented.
      
      Also, makes check_leaf() to return -EUCLEAN other than -EIO to indicate
      error.
      Signed-off-by: default avatarQu Wenruo <quwenruo.btrfs@gmx.com>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a5cc85fe
    • Qu Wenruo's avatar
      btrfs: Verify that every chunk has corresponding block group at mount time · 895586ec
      Qu Wenruo authored
      commit 7ef49515 upstream.
      
      If a crafted image has missing block group items, it could cause
      unexpected behavior and breaks the assumption of 1:1 chunk<->block group
      mapping.
      
      Although we have the block group -> chunk mapping check, we still need
      chunk -> block group mapping check.
      
      This patch will do extra check to ensure each chunk has its
      corresponding block group.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=199847Reported-by: default avatarXu Wen <wen.xu@gatech.edu>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarGu Jinxiang <gujx@cn.fujitsu.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      895586ec
    • Gu Jinxiang's avatar
      btrfs: validate type when reading a chunk · f7eef132
      Gu Jinxiang authored
      commit 315409b0 upstream.
      
      Reported in https://bugzilla.kernel.org/show_bug.cgi?id=199839, with an
      image that has an invalid chunk type but does not return an error.
      
      Add chunk type check in btrfs_check_chunk_valid, to detect the wrong
      type combinations.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=199839Reported-by: default avatarXu Wen <wen.xu@gatech.edu>
      Reviewed-by: default avatarQu Wenruo <wqu@suse.com>
      Signed-off-by: default avatarGu Jinxiang <gujx@cn.fujitsu.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f7eef132
    • Lior David's avatar
      wil6210: missing length check in wmi_set_ie · 107b02c8
      Lior David authored
      commit b5a8ffca upstream.
      
      Add a length check in wmi_set_ie to detect unsigned integer
      overflow.
      Signed-off-by: default avatarLior David <qca_liord@qca.qualcomm.com>
      Signed-off-by: default avatarMaya Erez <qca_merez@qca.qualcomm.com>
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      107b02c8
    • Vakul Garg's avatar
      net/tls: Fixed return value when tls_complete_pending_work() fails · 39d9e1c6
      Vakul Garg authored
      commit 15008579 upstream.
      
      In tls_sw_sendmsg() and tls_sw_sendpage(), the variable 'ret' has
      been set to return value of tls_complete_pending_work(). This allows
      return of proper error code if tls_complete_pending_work() fails.
      
      Fixes: 3c4d7559 ("tls: kernel TLS support")
      Signed-off-by: default avatarVakul Garg <vakul.garg@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 4.14: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      39d9e1c6
    • Boris Pismenny's avatar
      tls: Use correct sk->sk_prot for IPV6 · 2a0f5919
      Boris Pismenny authored
      commit c113187d upstream.
      
      The tls ulp overrides sk->prot with a new tls specific proto structs.
      The tls specific structs were previously based on the ipv4 specific
      tcp_prot sturct.
      As a result, attaching the tls ulp to an ipv6 tcp socket replaced
      some ipv6 callback with the ipv4 equivalents.
      
      This patch adds ipv6 tls proto structs and uses them when
      attached to ipv6 sockets.
      
      Fixes: 3c4d7559 ('tls: kernel TLS support')
      Signed-off-by: default avatarBoris Pismenny <borisp@mellanox.com>
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2a0f5919
    • Ilya Lesokhin's avatar
      tls: don't override sk_write_space if tls_set_sw_offload fails. · 2b8b2e76
      Ilya Lesokhin authored
      commit ee181e52 upstream.
      
      If we fail to enable tls in the kernel we shouldn't override
      the sk_write_space callback
      
      Fixes: 3c4d7559 ('tls: kernel TLS support')
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2b8b2e76
    • Ilya Lesokhin's avatar
      tls: Avoid copying crypto_info again after cipher_type check. · 93f16446
      Ilya Lesokhin authored
      commit 196c31b4 upstream.
      
      Avoid copying crypto_info again after cipher_type check
      to avoid a TOCTOU exploits.
      The temporary array on the stack is removed as we don't really need it
      
      Fixes: 3c4d7559 ('tls: kernel TLS support')
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 4.14: Preserve changes made by earlier backports of
       "tls: return -EBUSY if crypto_info is already set" and "tls: zero the
       crypto information from tls_context before freeing"]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      93f16446
    • Ilya Lesokhin's avatar
      tls: Fix TLS ulp context leak, when TLS_TX setsockopt is not used. · 797b8bb4
      Ilya Lesokhin authored
      commit ff45d820 upstream.
      
      Previously the TLS ulp context would leak if we attached a TLS ulp
      to a socket but did not use the TLS_TX setsockopt,
      or did use it but it failed.
      This patch solves the issue by overriding prot[TLS_BASE_TX].close
      and fixing tls_sk_proto_close to work properly
      when its called with ctx->tx_conf == TLS_BASE_TX.
      This patch also removes ctx->free_resources as we can use ctx->tx_conf
      to obtain the relevant information.
      
      Fixes: 3c4d7559 ('tls: kernel TLS support')
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 4.14: Keep using tls_ctx_free() as introduced by
       the earlier backport of "tls: zero the crypto information from
       tls_context before freeing"]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      797b8bb4
    • Ilya Lesokhin's avatar
      tls: Add function to update the TLS socket configuration · 25f03991
      Ilya Lesokhin authored
      commit 6d88207f upstream.
      
      The tx configuration is now stored in ctx->tx_conf.
      And sk->sk_prot is updated trough a function
      This will simplify things when we add rx
      and support for different possible
      tx and rx cross configurations.
      Signed-off-by: default avatarIlya Lesokhin <ilyal@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      25f03991
    • Alexei Starovoitov's avatar
      bpf: Prevent memory disambiguation attack · 83b570c0
      Alexei Starovoitov authored
      commit af86ca4e upstream.
      
      Detect code patterns where malicious 'speculative store bypass' can be used
      and sanitize such patterns.
      
       39: (bf) r3 = r10
       40: (07) r3 += -216
       41: (79) r8 = *(u64 *)(r7 +0)   // slow read
       42: (7a) *(u64 *)(r10 -72) = 0  // verifier inserts this instruction
       43: (7b) *(u64 *)(r8 +0) = r3   // this store becomes slow due to r8
       44: (79) r1 = *(u64 *)(r6 +0)   // cpu speculatively executes this load
       45: (71) r2 = *(u8 *)(r1 +0)    // speculatively arbitrary 'load byte'
                                       // is now sanitized
      
      Above code after x86 JIT becomes:
       e5: mov    %rbp,%rdx
       e8: add    $0xffffffffffffff28,%rdx
       ef: mov    0x0(%r13),%r14
       f3: movq   $0x0,-0x48(%rbp)
       fb: mov    %rdx,0x0(%r14)
       ff: mov    0x0(%rbx),%rdi
      103: movzbq 0x0(%rdi),%rsi
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: Backported to 4.14:
       - Add bpf_verifier_env parameter to check_stack_write()
       - Look up stack slot_types with state->stack_slot_type[] rather than
         state->stack[].slot_type[]
       - Drop bpf_verifier_env argument to verbose()
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      83b570c0
    • Ilya Dryomov's avatar
      libceph: implement CEPHX_V2 calculation mode · b16d0c5d
      Ilya Dryomov authored
      commit cc255c76 upstream.
      
      Derive the signature from the entire buffer (both AES cipher blocks)
      instead of using just the first half of the first block, leaving out
      data_crc entirely.
      
      This addresses CVE-2018-1129.
      
      Link: http://tracker.ceph.com/issues/24837Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b16d0c5d
    • Ilya Dryomov's avatar
      libceph: add authorizer challenge · 3fd73c8a
      Ilya Dryomov authored
      commit 6daca13d upstream.
      
      When a client authenticates with a service, an authorizer is sent with
      a nonce to the service (ceph_x_authorize_[ab]) and the service responds
      with a mutation of that nonce (ceph_x_authorize_reply).  This lets the
      client verify the service is who it says it is but it doesn't protect
      against a replay: someone can trivially capture the exchange and reuse
      the same authorizer to authenticate themselves.
      
      Allow the service to reject an initial authorizer with a random
      challenge (ceph_x_authorize_challenge).  The client then has to respond
      with an updated authorizer proving they are able to decrypt the
      service's challenge and that the new authorizer was produced for this
      specific connection instance.
      
      The accepting side requires this challenge and response unconditionally
      if the client side advertises they have CEPHX_V2 feature bit.
      
      This addresses CVE-2018-1128.
      
      Link: http://tracker.ceph.com/issues/24836Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3fd73c8a
    • Ilya Dryomov's avatar
      libceph: factor out encrypt_authorizer() · a55056e1
      Ilya Dryomov authored
      commit 149cac4a upstream.
      
      Will be used for encrypting both the initial and updated authorizers.
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a55056e1