linux/fs/f2fs
Chao Yu 263df78166 f2fs: fix to cover read extent cache access with lock
[ Upstream commit d7409b05a6 ]

syzbot reports an f2fs bug as below:

BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097

CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
 do_read_inode fs/f2fs/inode.c:509 [inline]
 f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560
 f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237
 generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413
 exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444
 exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584
 do_handle_to_path fs/fhandle.c:155 [inline]
 handle_to_path fs/fhandle.c:210 [inline]
 do_handle_open+0x495/0x650 fs/fhandle.c:226
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

We missed covering sanity_check_extent_cache() w/ the extent cache lock,
so the race case below may happen, resulting in a use-after-free issue.

- f2fs_iget
 - do_read_inode
  - f2fs_init_read_extent_tree
  : add largest extent entry in to cache
					- shrink
					 - f2fs_shrink_read_extent_tree
					  - __shrink_extent_tree
					   - __detach_extent_node
					   : drop largest extent entry
  - sanity_check_extent_cache
  : access et->largest w/o lock

Let's refactor sanity_check_extent_cache() to avoid extent cache access
and call it before f2fs_init_read_extent_tree() to fix this issue.

Reported-by: syzbot+74ebe2104433e9dc610d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/00000000000009beea061740a531@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-08-19 06:04:29 +02:00
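The race the commit message describes, modelled as an added userspace example; this is not f2fs code and not part of the commit. The struct layouts, the lock stand-in, the quarantine allocator that marks freed nodes instead of releasing them, the block geometry and the validity rule in extent_valid() are all assumptions made so the ordering bug can be observed deterministically. The pre-fix check reads the cache pointer without the lock and dereferences it after a modelled shrinker run; the post-fix check validates the on-disk extent before the cache is populated at all.

```c
/* Added userspace model of the race in the commit message above; not f2fs
 * code. Struct layouts, the lock shape, extent_valid()'s rule and the
 * quarantine allocator are assumptions made to expose the ordering bug. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct f2fs_extent { uint32_t fofs, blk, len; }; /* on-disk (assumed) */
struct extent_info { uint32_t fofs, blk, len; }; /* in-cache (assumed) */

/* KASAN-style poison bit: node_free() keeps the memory and marks it, so a
 * read after free is reported instead of being undefined behaviour. */
struct extent_node { struct extent_info ei; bool freed; };

struct extent_tree {
	bool locked;                 /* stand-in for the extent tree lock */
	struct extent_node *largest; /* et->largest in the commit message */
};

/* Constructed geometry of the toy filesystem. */
enum { MAIN_BLKADDR = 1024, TOTAL_BLOCKS = 1u << 20, MAX_FILE_BLOCKS = 1u << 16 };
static bool uaf_detected;

static void et_lock(struct extent_tree *et) { if (et->locked) abort(); et->locked = true; }
static void et_unlock(struct extent_tree *et) { et->locked = false; }

static struct extent_node *node_alloc(struct extent_info ei)
{
	struct extent_node *en = calloc(1, sizeof(*en)); /* never freed: quarantine */
	if (!en) abort();
	en->ei = ei;
	return en;
}
static void node_free(struct extent_node *en) { en->freed = true; }
static struct extent_info node_read(struct extent_node *en)
{
	if (en->freed) uaf_detected = true; /* what KASAN caught in the real bug */
	return en->ei;
}

/* Shared validity rule (assumed, not f2fs's exact check): an empty extent is
 * fine; otherwise the blocks must lie in the main area and fofs+len must not
 * exceed the file size limit. len is bounded first so the subtractions below
 * cannot wrap. */
static bool extent_valid(struct extent_info ei)
{
	if (ei.len == 0) return true;
	if (ei.len > MAX_FILE_BLOCKS) return false;
	if (ei.blk < MAIN_BLKADDR || ei.blk > TOTAL_BLOCKS - ei.len) return false;
	return ei.fofs <= MAX_FILE_BLOCKS - ei.len;
}

/* f2fs_init_read_extent_tree analogue: publish the inode's largest extent. */
static void init_read_extent_tree(struct extent_tree *et, const struct f2fs_extent *x)
{
	struct extent_info ei = { x->fofs, x->blk, x->len };
	et_lock(et);
	et->largest = node_alloc(ei);
	et_unlock(et);
}

/* __shrink_extent_tree / __detach_extent_node analogue: drop the largest entry. */
static void shrink_read_extent_tree(struct extent_tree *et)
{
	et_lock(et);
	if (et->largest) { node_free(et->largest); et->largest = NULL; }
	et_unlock(et);
}

/* Pre-fix check: reads the cache without the lock. 'racer' models the shrinker
 * being scheduled between taking the pointer and dereferencing it. */
static bool sanity_check_old(struct extent_tree *et, void (*racer)(struct extent_tree *))
{
	struct extent_node *en = et->largest; /* unlocked read: the bug */
	if (racer) racer(et);
	return en ? extent_valid(node_read(en)) : true;
}

/* Post-fix check: validates the on-disk copy and never touches the cache. */
static bool sanity_check_new(const struct f2fs_extent *x)
{
	struct extent_info ei = { x->fofs, x->blk, x->len };
	return extent_valid(ei);
}

/* Old do_read_inode order: fill the cache, then check it, with the shrinker
 * scheduled inside the unlocked window. Returns whether a freed node was read. */
static bool old_order_hits_uaf(const struct f2fs_extent *x)
{
	struct extent_tree et = { false, NULL };
	uaf_detected = false;
	init_read_extent_tree(&et, x);
	(void)sanity_check_old(&et, shrink_read_extent_tree);
	return uaf_detected;
}

/* Fixed order: check the on-disk copy first, then fill; the shrinker runs
 * right afterwards and nothing observes the freed node. */
static bool new_order_hits_uaf(const struct f2fs_extent *x)
{
	struct extent_tree et = { false, NULL };
	uaf_detected = false;
	if (sanity_check_new(x)) {
		init_read_extent_tree(&et, x);
		shrink_read_extent_tree(&et);
	}
	return uaf_detected;
}
```

The old path trips the poison because it dereferences a pointer obtained from the cache without holding the lock across the use; the fixed path decides from the on-disk copy it already holds, so there is nothing for the shrinker to free underneath it. The other extent cache accesses still need the lock; the point of the reorder is that the sanity check no longer needs one.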
acl.c fs: port i_{g,u}id_into_vfs{g,u}id() to mnt_idmap 2023-01-19 09:24:29 +01:00
acl.h fs: port ->set_acl() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
checkpoint.c f2fs: fix to update user block counts in block_operations() 2024-08-03 08:54:36 +02:00
compress.c f2fs: use f2fs_{err,info}_ratelimited() for cleanup 2024-06-12 11:13:03 +02:00
data.c f2fs: use meta inode for GC of COW file 2024-08-03 08:54:23 +02:00
debug.c f2fs: use BLKS_PER_SEG, BLKS_PER_SEC, and SEGS_PER_SEC 2024-06-12 11:12:28 +02:00
dir.c f2fs: support printk_ratelimited() in f2fs_printk() 2024-06-12 11:12:27 +02:00
extent_cache.c f2fs: fix to cover read extent cache access with lock 2024-08-19 06:04:29 +02:00
f2fs.h f2fs: fix to cover read extent cache access with lock 2024-08-19 06:04:29 +02:00
file.c f2fs: fix to truncate preallocated blocks in f2fs_file_open() 2024-08-03 08:54:34 +02:00
gc.c f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC 2024-08-19 06:04:29 +02:00
gc.h f2fs: Fix system crash due to lack of free space in LFS 2023-04-10 10:58:45 -07:00
hash.c f2fs: don't use casefolded comparison for "." and ".." 2022-05-17 11:19:23 -07:00
inline.c f2fs: use meta inode for GC of COW file 2024-08-03 08:54:23 +02:00
inode.c f2fs: fix to cover read extent cache access with lock 2024-08-19 06:04:29 +02:00
iostat.c f2fs: add async reset zone command support 2023-06-12 13:04:09 -07:00
iostat.h f2fs: use iostat_lat_type directly as a parameter in the iostat_update_and_unbind_ctx() 2023-02-07 10:39:28 -08:00
Kconfig fs: add CONFIG_BUFFER_HEAD 2023-08-02 09:13:09 -06:00
Makefile f2fs: separate out iostat feature 2021-08-23 10:25:51 -07:00
namei.c f2fs: fix to create selinux label during whiteout initialization 2024-03-26 18:20:01 -04:00
node.c f2fs: fix to release node block count in error path of f2fs_new_node_page() 2024-06-12 11:12:30 +02:00
node.h f2fs: use BLKS_PER_SEG, BLKS_PER_SEC, and SEGS_PER_SEC 2024-06-12 11:12:28 +02:00
recovery.c f2fs: use BLKS_PER_SEG, BLKS_PER_SEC, and SEGS_PER_SEC 2024-06-12 11:12:28 +02:00
segment.c f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid 2024-08-11 12:47:16 +02:00
segment.h f2fs: fix start segno of large section 2024-08-03 08:54:35 +02:00
shrinker.c f2fs: add block_age-based extent cache 2022-12-12 14:53:56 -08:00
super.c f2fs: check validation of fault attrs in f2fs_build_fault_attr() 2024-07-11 12:49:09 +02:00
sysfs.c f2fs: check validation of fault attrs in f2fs_build_fault_attr() 2024-07-11 12:49:09 +02:00
verity.c f2fs-for-6.3-rc1 2023-02-27 16:18:51 -08:00
xattr.c f2fs: fix to check return value of f2fs_recover_xattr_data 2024-01-25 15:35:37 -08:00
xattr.h f2fs: cleanup MIN_INLINE_XATTR_SIZE 2023-06-26 06:07:10 -07:00