OrgACRN
/
acrn-kernel
mirror of https://github.com/projectacrn/acrn-kernel.git
1
0
Fork 0
Code Issues Releases Wiki Activity
acrn-kernel/fs
History
Chao Yu ebe83e9bb8 f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() 
[ Upstream commit d8189834d4 ]

butt3rflyh4ck reports a bug as below:

When a thread always calls F2FS_IOC_RESIZE_FS to resize fs, if resize fs is
failed, f2fs kernel thread would invoke callback function to update f2fs io
info, it would call  f2fs_write_end_io and may trigger null-ptr-deref in
NODE_MAPPING.

general protection fault, probably for non-canonical address
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:1972 [inline]
RIP: 0010:f2fs_write_end_io+0x727/0x1050 fs/f2fs/data.c:370
 <TASK>
 bio_endio+0x5af/0x6c0 block/bio.c:1608
 req_bio_endio block/blk-mq.c:761 [inline]
 blk_update_request+0x5cc/0x1690 block/blk-mq.c:906
 blk_mq_end_request+0x59/0x4c0 block/blk-mq.c:1023
 lo_complete_rq+0x1c6/0x280 drivers/block/loop.c:370
 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1101
 __do_softirq+0x1d4/0x8ef kernel/softirq.c:571
 run_ksoftirqd kernel/softirq.c:939 [inline]
 run_ksoftirqd+0x31/0x60 kernel/softirq.c:931
 smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164
 kthread+0x33e/0x440 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The root cause is below race case can cause leaving dirty metadata
in f2fs after filesystem is remount as ro:

Thread A				Thread B
- f2fs_ioc_resize_fs
 - f2fs_readonly   --- return false
 - f2fs_resize_fs
					- f2fs_remount
					 - write_checkpoint
					 - set f2fs as ro
  - free_segment_range
   - update meta_inode's data

Then, if f2fs_put_super()  fails to write_checkpoint due to readonly
status, and meta_inode's dirty data will be writebacked after node_inode
is put, finally, f2fs_write_end_io will access NULL pointer on
sbi->node_inode.

Thread A				IRQ context
- f2fs_put_super
 - write_checkpoint fails
 - iput(node_inode)
 - node_inode = NULL
 - iput(meta_inode)
  - write_inode_now
   - f2fs_write_meta_page
					- f2fs_write_end_io
					 - NODE_MAPPING(sbi)
					 : access NULL pointer on node_inode

Fixes: b4b10061ef ("f2fs: refactor resize_fs to avoid meta updates in progress")
Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Closes: https://lore.kernel.org/r/1684480657-2375-1-git-send-email-yangtiezhu@loongson.cn
Tested-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2023-07-19 16:21:55 +02:00
..
9p
adfs
affs
afs afs: Fix vlserver probe RTT handling 2023-06-21 16:01:02 +02:00
autofs
befs
bfs
btrfs btrfs: fix race when deleting free space root from the dirty cow roots list 2023-07-19 16:21:47 +02:00
cachefiles
ceph ceph: fix use-after-free bug for inodes when flushing capsnaps 2023-06-14 11:15:27 +02:00
coda
configfs
cramfs
crypto blk-crypto: add a blk_crypto_config_supported_natively helper 2023-05-11 23:03:00 +09:00
debugfs
devpts
dlm fs: dlm: fix race setting stop tx flag 2023-03-17 08:50:19 +01:00
ecryptfs
efivarfs
efs
erofs erofs: fix compact 4B support for 16k block size 2023-07-19 16:20:59 +02:00
exfat
exportfs
ext2 ext2: Check block size validity during mount 2023-05-24 17:32:36 +01:00
ext4 ext4: drop the call to ext4_error() from ext4_get_group_info() 2023-06-21 16:01:01 +02:00
f2fs f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() 2023-07-19 16:21:55 +02:00
fat
freevxfs
fscache
fuse fuse: always revalidate rename target dentry 2023-04-26 14:28:42 +02:00
gfs2 gfs2: Fix duplicate should_fault_in_pages() call 2023-07-19 16:21:54 +02:00
hfs
hfsplus fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() 2023-05-24 17:32:34 +01:00
hostfs
hpfs
hugetlbfs
iomap
isofs
jbd2 jdb2: Don't refuse invalidation of already invalidated buffers 2023-05-11 23:03:23 +09:00
jffs2 jffs2: correct logic when creating a hole in jffs2_write_begin 2023-03-22 13:33:53 +01:00
jfs fs/jfs: fix shift exponent db_agl2size negative 2023-03-11 13:55:16 +01:00
kernfs kernfs: fix missing kernfs_idr_lock to remove an ID from the IDR 2023-07-19 16:21:53 +02:00
lockd lockd: drop inappropriate svc_get() from locked_get() 2023-07-19 16:20:56 +02:00
minix
netfs
nfs NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION 2023-07-19 16:21:43 +02:00
nfs_common
nfsd nfsd: fix double fget() bug in __write_ports_addfd() 2023-06-09 10:34:04 +02:00
nilfs2 nilfs2: prevent general protection fault in nilfs_clear_dirty_page() 2023-06-28 11:12:27 +02:00
nls
notify inotify: Avoid reporting event with invalid wd 2023-05-17 11:53:44 +02:00
ntfs
ntfs3 fs/ntfs3: Validate MFT flags before replaying logs 2023-06-09 10:34:28 +02:00
ocfs2 ocfs2: Fix use of slab data with sendpage 2023-07-19 16:21:13 +02:00
omfs
openpromfs
orangefs
overlayfs ovl: update of dentry revalidate flags after copy up 2023-07-19 16:21:33 +02:00
proc sysctl: clarify register_sysctl_init() base directory order 2023-05-17 11:53:46 +02:00
pstore pstore/ram: Add check for kstrdup 2023-07-19 16:21:03 +02:00
qnx4
qnx6
quota
ramfs
reiserfs reiserfs: Add security prefix to xattr name in reiserfs_security_write() 2023-05-11 23:03:02 +09:00
romfs
smb ksmbd: avoid field overflow warning 2023-07-19 16:21:44 +02:00
squashfs
sysfs
sysv
tracefs
ubifs ubifs: Fix memory leak in do_rename 2023-05-11 23:03:05 +09:00
udf udf: Fix off-by-one error when discarding preallocation 2023-03-17 08:50:19 +01:00
ufs
unicode
vboxsf
verity fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY 2023-04-06 12:10:34 +02:00
xfs xfs: verify buffer contents when we skip log replay 2023-06-09 10:34:29 +02:00
zonefs zonefs: Always invalidate last cached page on append write 2023-04-06 12:10:52 +02:00
Kconfig smb: move client and server files to common directory fs/smb 2023-06-28 11:12:40 +02:00
Kconfig.binfmt
Makefile smb: move client and server files to common directory fs/smb 2023-06-28 11:12:40 +02:00
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_elf.c mm: always expand the stack with the mmap write lock held 2023-07-01 13:16:25 +02:00
binfmt_elf_fdpic.c
binfmt_elf_test.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
buffer.c
char_dev.c
compat_binfmt_elf.c
coredump.c
d_path.c
dax.c
dcache.c
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c epoll: ep_autoremove_wake_function should use list_del_init_careful 2023-06-21 16:00:54 +02:00
exec.c mm: always expand the stack with the mmap write lock held 2023-07-01 13:16:25 +02:00
fcntl.c
fhandle.c
file.c fs: prevent out-of-bounds array speculation when closing a file descriptor 2023-03-17 08:50:13 +01:00
file_table.c
filesystems.c
fs-writeback.c writeback: fix call of incorrect macro 2023-05-17 11:53:33 +02:00
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c
init.c
inode.c
internal.h
ioctl.c
kernel_read_file.c
libfs.c
locks.c filelocks: use mount idmapping for setlease permission check 2023-03-17 08:50:32 +01:00
mbcache.c
mount.h
mpage.c
namei.c
namespace.c fs: drop peer group ids under namespace lock 2023-04-13 16:55:33 +02:00
no-block.c
nsfs.c
open.c open: return EINVAL for O_DIRECTORY | O_CREAT 2023-05-24 17:32:34 +01:00
pipe.c
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c
remap_range.c
select.c
seq_file.c
signalfd.c
splice.c
stack.c
stat.c
statfs.c statfs: enforce statfs[64] structure initialization 2023-05-24 17:32:51 +01:00
super.c fscrypt: destroy keyring after security_sb_delete() 2023-03-30 12:49:23 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c Revert "userfaultfd: don't fail on unrecognized features" 2023-04-26 14:28:37 +02:00
utimes.c
xattr.c