| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z64zcac0_dw1_rML@google.com>
Date: Thu, 13 Feb 2025 18:01:21 +0000
From: Jaegeuk Kim <jaegeuk@...nel.org>
To: Chao Yu <chao@...nel.org>
Cc: linux-f2fs-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
syzbot+b6b347b7a4ea1b2e29b6@...kaller.appspotmail.com
Subject: Re: [PATCH] f2fs: fix to avoid accessing uninitialized curseg
On 02/12, Chao Yu wrote:
> syzbot reports a f2fs bug as below:
>
> F2FS-fs (loop3): Stopped filesystem due to reason: 7
> kworker/u8:7: attempt to access beyond end of device
> BUG: unable to handle page fault for address: ffffed1604ea3dfa
> RIP: 0010:get_ckpt_valid_blocks fs/f2fs/segment.h:361 [inline]
> RIP: 0010:has_curseg_enough_space fs/f2fs/segment.h:570 [inline]
> RIP: 0010:__get_secs_required fs/f2fs/segment.h:620 [inline]
> RIP: 0010:has_not_enough_free_secs fs/f2fs/segment.h:633 [inline]
> RIP: 0010:has_enough_free_secs+0x575/0x1660 fs/f2fs/segment.h:649
> <TASK>
> f2fs_is_checkpoint_ready fs/f2fs/segment.h:671 [inline]
> f2fs_write_inode+0x425/0x540 fs/f2fs/inode.c:791
> write_inode fs/fs-writeback.c:1525 [inline]
> __writeback_single_inode+0x708/0x10d0 fs/fs-writeback.c:1745
> writeback_sb_inodes+0x820/0x1360 fs/fs-writeback.c:1976
> wb_writeback+0x413/0xb80 fs/fs-writeback.c:2156
> wb_do_writeback fs/fs-writeback.c:2303 [inline]
> wb_workfn+0x410/0x1080 fs/fs-writeback.c:2343
> process_one_work kernel/workqueue.c:3236 [inline]
> process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
> worker_thread+0x870/0xd30 kernel/workqueue.c:3398
> kthread+0x7a9/0x920 kernel/kthread.c:464
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> Commit 8b10d3653735 ("f2fs: introduce FAULT_NO_SEGMENT") allows to trigger
> no free segment fault in allocator, then it will update curseg->segno to
> NULL_SEGNO, though, CP_ERROR_FLAG has been set, f2fs_write_inode() missed
> to check the flag, and access invalid curseg->segno directly in below call
> path, then resulting in panic:
>
> - f2fs_write_inode
> - f2fs_is_checkpoint_ready
> - has_enough_free_secs
> - has_not_enough_free_secs
> - __get_secs_required
> - has_curseg_enough_space
> - get_ckpt_valid_blocks
> : access invalid curseg->segno
>
> To avoid this issue, let's:
> - check CP_ERROR_FLAG flag in prior to f2fs_is_checkpoint_ready() in
> f2fs_write_inode().
> - in has_curseg_enough_space(), a) verify status of curseg before accessing
> its field, and b) grab curseg_mutex lock to avoid race condition.
>
> Fixes: 8b10d3653735 ("f2fs: introduce FAULT_NO_SEGMENT")
> Reported-by: syzbot+b6b347b7a4ea1b2e29b6@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/all/67973c2b.050a0220.11b1bb.0089.GAE@google.com
> Signed-off-by: Chao Yu <chao@...nel.org>
> ---
> fs/f2fs/inode.c | 7 +++++++
> fs/f2fs/segment.h | 27 ++++++++++++++++++++++-----
> 2 files changed, 29 insertions(+), 5 deletions(-)
>
> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> index 02f1b69d03d8..5c1b515eab36 100644
> --- a/fs/f2fs/inode.c
> +++ b/fs/f2fs/inode.c
> @@ -799,6 +799,13 @@ int f2fs_write_inode(struct inode *inode, struct writeback_control *wbc)
> !is_inode_flag_set(inode, FI_DIRTY_INODE))
> return 0;
>
> + /*
> + * no need to update inode page, ultimately f2fs_evict_inode() will
> + * clear dirty status of inode.
> + */
> + if (f2fs_cp_error(sbi))
> + return -EIO;
> +
> if (!f2fs_is_checkpoint_ready(sbi)) {
> f2fs_mark_inode_dirty_sync(inode, true);
> return -ENOSPC;
> diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
> index 943be4f1d6d2..e9fcf2b85b76 100644
> --- a/fs/f2fs/segment.h
> +++ b/fs/f2fs/segment.h
> @@ -559,15 +559,23 @@ static inline bool has_curseg_enough_space(struct f2fs_sb_info *sbi,
> unsigned int node_blocks, unsigned int data_blocks,
> unsigned int dent_blocks)
> {
> -
> + struct curseg_info *curseg;
> unsigned int segno, left_blocks, blocks;
> int i;
>
> /* check current data/node sections in the worst case. */
> for (i = CURSEG_HOT_DATA; i < NR_PERSISTENT_LOG; i++) {
> - segno = CURSEG_I(sbi, i)->segno;
> - left_blocks = CAP_BLKS_PER_SEC(sbi) -
> + curseg = CURSEG_I(sbi, i);
> +
> + mutex_lock(&curseg->curseg_mutex);
> + if (!curseg->inited || curseg->segno == NULL_SEGNO) {
> + left_blocks = 0;
> + } else {
> + segno = curseg->segno;
> + left_blocks = CAP_BLKS_PER_SEC(sbi) -
> get_ckpt_valid_blocks(sbi, segno, true);
> + }
> + mutex_unlock(&curseg->curseg_mutex);
This looks a bit worrisome, as it'll block user-facing allocation. Can we
have another way to prevent the issue?
>
> blocks = i <= CURSEG_COLD_DATA ? data_blocks : node_blocks;
> if (blocks > left_blocks)
> @@ -575,9 +583,18 @@ static inline bool has_curseg_enough_space(struct f2fs_sb_info *sbi,
> }
>
> /* check current data section for dentry blocks. */
> - segno = CURSEG_I(sbi, CURSEG_HOT_DATA)->segno;
> - left_blocks = CAP_BLKS_PER_SEC(sbi) -
> + curseg = CURSEG_I(sbi, CURSEG_HOT_DATA);
> +
> + mutex_lock(&curseg->curseg_mutex);
> + if (!curseg->inited || curseg->segno == NULL_SEGNO) {
> + left_blocks = 0;
> + } else {
> + segno = curseg->segno;
> + left_blocks = CAP_BLKS_PER_SEC(sbi) -
> get_ckpt_valid_blocks(sbi, segno, true);
> + }
> + mutex_unlock(&curseg->curseg_mutex);
> +
> if (dent_blocks > left_blocks)
> return false;
> return true;
> --
> 2.48.1.502.g6dc24dfdaf-goog
Powered by blists - more mailing lists