shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-06 10:58:48 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
229b2b992bfbb6330deb5c7296e13e02cab9df50
linux/fs
History
Chao Yu 229b2b992b f2fs: fix to do sanity check on curseg->alloc_type 
As Wenqing Liu reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=215657

- Overview
UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image

- Reproduce
tested on kernel 5.17-rc4, 5.17-rc6

1. mkdir test_crash
2. cd test_crash
3. unzip tmp2.zip
4. mkdir mnt
5. ./single_test.sh f2fs 2

- Kernel dump
[   46.434454] loop0: detected capacity change from 0 to 131072
[   46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9
[   46.738319] ================================================================================
[   46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2
[   46.738475] index 231 is out of range for type 'unsigned int [2]'
[   46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1
[   46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   46.738551] Call Trace:
[   46.738556]  <TASK>
[   46.738563]  dump_stack_lvl+0x47/0x5c
[   46.738581]  ubsan_epilogue+0x5/0x50
[   46.738592]  __ubsan_handle_out_of_bounds+0x68/0x80
[   46.738604]  f2fs_allocate_data_block+0xdff/0xe60 [f2fs]
[   46.738819]  do_write_page+0xef/0x210 [f2fs]
[   46.738934]  f2fs_do_write_node_page+0x3f/0x80 [f2fs]
[   46.739038]  __write_node_page+0x2b7/0x920 [f2fs]
[   46.739162]  f2fs_sync_node_pages+0x943/0xb00 [f2fs]
[   46.739293]  f2fs_write_checkpoint+0x7bb/0x1030 [f2fs]
[   46.739405]  kill_f2fs_super+0x125/0x150 [f2fs]
[   46.739507]  deactivate_locked_super+0x60/0xc0
[   46.739517]  deactivate_super+0x70/0xb0
[   46.739524]  cleanup_mnt+0x11a/0x200
[   46.739532]  __cleanup_mnt+0x16/0x20
[   46.739538]  task_work_run+0x67/0xa0
[   46.739547]  exit_to_user_mode_prepare+0x18c/0x1a0
[   46.739559]  syscall_exit_to_user_mode+0x26/0x40
[   46.739568]  do_syscall_64+0x46/0xb0
[   46.739584]  entry_SYSCALL_64_after_hwframe+0x44/0xae

The root cause is we missed to do sanity check on curseg->alloc_type,
result in out-of-bound accessing on sbi->block_count[] array, fix it.

Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2022-03-03 18:23:29 -08:00
..
9p
9p: Fix a bunch of kerneldoc warnings shown up by W=1
2021-10-04 22:07:46 +01:00
adfs
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
affs
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
afs
Merge tag 'misc-fixes-20211007' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
2021-10-07 11:20:08 -07:00
autofs
autofs: fix wait name hash calculation in autofs_wait()
2021-10-20 21:09:02 -04:00
befs
isystem: ship and use stdarg.h
2021-08-19 09:02:55 +09:00
bfs
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
btrfs
iomap: Add done_before argument to iomap_dio_rw
2021-12-06 10:51:33 -08:00
cachefiles
cachefiles: Change %p in format strings to something else
2021-08-27 13:34:02 +01:00
ceph
ceph: fix handling of "meta" errors
2021-10-19 09:36:06 +02:00
cifs
cifs: fix incorrect check for null pointer in header_assemble
2021-09-23 21:12:53 -05:00
coda
coda: fix reference counting in coda_file_mmap error path
2021-04-23 14:42:39 -07:00
configfs
configfs: fix a race in configfs_lookup()
2021-08-25 07:58:49 +02:00
cramfs
crypto
fscrypt: improve a few comments
2021-11-16 13:58:03 -08:00
debugfs
debugfs: debugfs_create_file_size(): use IS_ERR to check for error
2021-09-21 09:09:06 +02:00
devpts
dlm
fs: dlm: avoid comms shutdown delay in release_lockspace
2021-09-01 11:29:14 -05:00
ecryptfs
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
efivarfs
efivars: convert to fileattr
2021-04-12 15:04:29 +02:00
efs
erofs
iomap: Add done_before argument to iomap_dio_rw
2021-12-06 10:51:33 -08:00
exfat
Merge tag 'exfat-for-5.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat
2021-07-06 11:06:04 -07:00
exportfs
ext2
ext2: fix sleeping in atomic bugs on error
2021-09-22 13:05:23 +02:00
ext4
iomap: Add done_before argument to iomap_dio_rw
2021-12-06 10:51:33 -08:00
f2fs
f2fs: fix to do sanity check on curseg->alloc_type
2022-03-03 18:23:29 -08:00
fat
Merge tag 'linux-kselftest-kunit-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
2021-09-02 12:32:12 -07:00
freevxfs
fscache
fscache: Remove an unused static variable
2021-10-04 22:13:12 +01:00
fuse
fuse: clean up error exits in fuse_fill_super()
2021-10-21 10:01:39 +02:00
gfs2
iomap: Add done_before argument to iomap_dio_rw
2021-12-06 10:51:33 -08:00
hfs
hfs: add lock nesting notation to hfs_find_init
2021-07-15 10:13:49 -07:00
hfsplus
hfsplus: report create_date to kstat.btime
2021-07-01 11:06:06 -07:00
hostfs
hostfs: support splice_write
2021-08-26 22:28:02 +02:00
hpfs
hpfs: use iomap_fiemap to implement ->fiemap
2021-07-27 11:00:36 +02:00
hugetlbfs
hugetlbfs: fix mount mode command line processing
2021-07-23 17:43:28 -07:00
iomap
iomap: Add done_before argument to iomap_dio_rw
2021-12-06 10:51:33 -08:00
isofs
isofs: Fix out of bound access for corrupted isofs image
2021-11-12 15:05:50 +01:00
jbd2
jbd2: add sparse annotations for add_transaction_credits()
2021-08-30 23:36:50 -04:00
jffs2
vfs: add rcu argument to ->get_acl() callback
2021-08-18 22:08:24 +02:00
jfs
vfs: add rcu argument to ->get_acl() callback
2021-08-18 22:08:24 +02:00
kernfs
kernfs: don't create a negative dentry if inactive node exists
2021-10-04 10:27:18 +02:00
ksmbd
ksmbd: add buffer validation in session setup
2021-10-20 00:07:10 -05:00
lockd
Merge tag 'nfsd-5.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
2021-09-22 09:21:02 -07:00
minix
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
netfs
netfs: Fix READ/WRITE confusion when calling iov_iter_xarray()
2021-10-05 11:22:06 +01:00
nfs
Merge tag 'nfs-for-5.15-1' of git://git.linux-nfs.org/projects/anna/linux-nfs
2021-09-04 10:25:26 -07:00
nfs_common
nfs: Fix kerneldoc warning shown up by W=1
2021-10-04 22:02:17 +01:00
nfsd
Merge tag 'nfsd-5.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
2021-10-07 14:11:40 -07:00
nilfs2
Merge branch 'akpm' (patches from Andrew)
2021-09-08 12:55:35 -07:00
nls
notify
fsnotify: fix sb_connectors leak
2021-09-10 09:46:48 -07:00
ntfs
Merge branch 'work.iov_iter' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2021-07-03 11:30:04 -07:00
ntfs3
Merge tag 'ntfs3_for_5.15' of git://github.com/Paragon-Software-Group/linux-ntfs3
2021-10-15 09:58:11 -04:00
ocfs2
ocfs2: fix race between searching chunks and release journal_head from buffer_head
2021-10-28 17:18:55 -07:00
omfs
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
openpromfs
orangefs
vfs: add rcu argument to ->get_acl() callback
2021-08-18 22:08:24 +02:00
overlayfs
ovl: fix IOCB_DIRECT if underlying fs doesn't support direct IO
2021-09-28 09:16:12 +02:00
proc
Revert "proc/wchan: use printk format instead of lookup_symbol_name()"
2021-11-12 15:05:48 +01:00
pstore
Merge tag 'for-5.14/drivers-2021-06-29' of git://git.kernel.dk/linux-block
2021-06-30 12:21:16 -07:00
qnx4
qnx4: work around gcc false positive warning bug
2021-09-21 08:36:48 -07:00
qnx6
quota
quota: remove unnecessary oom message
2021-06-22 10:40:52 +02:00
ramfs
fs: move ramfs_aops to libfs
2021-06-29 10:53:48 -07:00
reiserfs
Merge tag 'kbuild-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
2021-09-03 15:33:47 -07:00
romfs
smbfs_common
cifs: remove pathname for file from SPDX header
2021-09-13 14:51:10 -05:00
squashfs
squashfs: use bvec_virt
2021-08-16 10:50:32 -06:00
sysfs
Merge tag 'sysfs_defferred_iomem_get_mapping-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core driver-core-next
2021-08-06 13:05:28 +02:00
sysv
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
tracefs
tracing: Fix various typos in comments
2021-03-23 14:08:18 -04:00
ubifs
fscrypt: remove fscrypt_operations::max_namelen
2021-11-16 13:58:02 -08:00
udf
udf_get_extendedattr() had no boundary checks.
2021-08-23 13:35:19 +02:00
ufs
isystem: ship and use stdarg.h
2021-08-19 09:02:55 +09:00
unicode
.gitignore: prefix local generated files with a slash
2021-05-02 00:43:35 +09:00
vboxsf
vboxfs: fix broken legacy mount signature checking
2021-09-27 11:26:21 -07:00
verity
fs-verity: fix signed integer overflow with i_size near S64_MAX
2021-09-22 10:56:34 -07:00
xfs
iomap: Add done_before argument to iomap_dio_rw
2021-12-06 10:51:33 -08:00
zonefs
iomap: Add done_before argument to iomap_dio_rw
2021-12-06 10:51:33 -08:00
aio.c
eventfd: Make signal recursion protection a task bit
2021-08-28 01:33:02 +02:00
anon_inodes.c
attr.c
fs: handle circular mappings correctly
2022-02-15 13:42:55 -08:00
bad_inode.c
vfs: add rcu argument to ->get_acl() callback
2021-08-18 22:08:24 +02:00
binfmt_aout.c
binfmt: a.out: Fix bogus semicolon
2021-09-05 10:15:05 -07:00
binfmt_elf_fdpic.c
binfmt: remove in-tree usage of MAP_DENYWRITE
2021-09-03 18:42:01 +02:00
binfmt_elf.c
elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
2021-10-03 14:02:58 -07:00
binfmt_flat.c
binfmt: remove in-tree usage of MAP_EXECUTABLE
2021-06-29 10:53:50 -07:00
binfmt_misc.c
binfmt_script.c
buffer.c
mm: fs: invalidate bh_lrus for only cold path
2021-09-24 16:13:35 -07:00
char_dev.c
compat_binfmt_elf.c
coredump.c
coredump: fix memleak in dump_vma_snapshot()
2021-09-08 11:50:27 -07:00
d_path.c
d_path: make 'prepend()' fill up the buffer exactly on overflow
2021-09-02 10:07:29 -07:00
dax.c
Merge tag 'iomap-5.15-merge-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
2021-08-31 11:13:35 -07:00
dcache.c
useful constants: struct qstr for ".."
2021-04-15 22:36:45 -04:00
direct-io.c
fs: direct-io: fix missing sdio->boundary
2021-04-09 14:54:23 -07:00
drop_caches.c
fs: drop_caches: fix skipping over shadow cache inodes
2021-09-03 09:58:10 -07:00
eventfd.c
eventfd: Export eventfd_wake_count to modules
2021-09-06 07:20:56 -04:00
eventpoll.c
Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm
2021-09-09 13:25:49 -07:00
exec.c
Merge tag 'denywrite-for-5.15' of git://github.com/davidhildenbrand/linux
2021-09-04 11:35:47 -07:00
fcntl.c
Merge branch 'akpm' (patches from Andrew)
2021-09-03 10:08:28 -07:00
fhandle.c
switch file_open_root() to struct path
2021-04-07 13:56:43 -04:00
file_table.c
file.c
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
2021-09-11 14:48:42 -07:00
filesystems.c
fs: simplify get_filesystem_list / get_all_fs_names
2021-08-23 01:25:40 -04:00
fs_context.c
memcg: charge fs_context and legacy_fs_context
2021-09-03 09:58:12 -07:00
fs_parser.c
namei: Standardize callers of filename_lookup()
2021-09-07 16:07:47 -04:00
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c
Merge branch 'akpm' (patches from Andrew)
2021-09-03 10:08:28 -07:00
fsopen.c
init.c
inode.c
mm: Fully initialize invalidate_lock, amend lock class later
2021-09-17 13:39:23 +02:00
internal.h
block: move fs/block_dev.c to block/bdev.c
2021-09-07 08:39:40 -06:00
io_uring.c
io_uring: apply worker limits to previous users
2021-10-21 11:19:38 -06:00
io-wq.c
io-wq: max_worker fixes
2021-10-19 17:09:34 -06:00
io-wq.h
io-wq: provide a way to limit max number of workers
2021-08-29 07:55:55 -06:00
ioctl.c
Merge tag 'vfs-5.15-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
2021-08-31 11:06:32 -07:00
Kconfig
Merge tag '5.15-rc-cifs-part2' of git://git.samba.org/sfrench/cifs-2.6
2021-09-12 10:10:21 -07:00
Kconfig.binfmt
binfmt: remove support for em86 (alpha only)
2021-07-25 22:33:03 -07:00
kernel_read_file.c
vfs: check fd has read access in kernel_read_file_from_fd()
2021-10-18 20:22:03 -10:00
libfs.c
fs: remove noop_set_page_dirty()
2021-06-29 10:53:48 -07:00
locks.c
Revert "memcg: enable accounting for file lock caches"
2021-09-07 11:21:48 -07:00
Makefile
Merge tag '5.15-rc-cifs-part2' of git://git.samba.org/sfrench/cifs-2.6
2021-09-12 10:10:21 -07:00
mbcache.c
mount.h
mpage.c
namei.c
putname(): IS_ERR_OR_NULL() is wrong here
2021-09-07 16:14:05 -04:00
namespace.c
Merge branch 'akpm' (patches from Andrew)
2021-09-03 10:08:28 -07:00
no-block.c
nsfs.c
open.c
fs: remove mandatory file locking support
2021-08-23 06:15:36 -04:00
pipe.c
Revert "mm/gup: remove try_get_page(), call try_get_compound_head() directly"
2021-09-07 11:03:45 -07:00
pnode.c
pnode.h
posix_acl.c
ovl: enable RCU'd ->get_acl()
2021-08-18 22:08:24 +02:00
proc_namespace.c
read_write.c
fs: clean up after mandatory file locking support removal
2021-08-24 07:52:45 -04:00
readdir.c
readdir: make sure to verify directory entry for legacy interfaces too
2021-04-17 11:39:49 -07:00
remap_range.c
fs: remove mandatory file locking support
2021-08-23 06:15:36 -04:00
select.c
Revert "memcg: enable accounting for pollfd and select bits arrays"
2021-09-07 11:26:23 -07:00
seq_file.c
seq_file: disallow extremely large seq buffer allocations
2021-07-19 17:18:48 -07:00
signalfd.c
signal: Rename SIL_PERF_EVENT SIL_FAULT_PERF_EVENT for consistency
2021-07-23 13:16:43 -05:00
splice.c
stack.c
stat.c
fs: add generic helper for filling statx attribute flags
2021-08-17 11:47:43 +02:00
statfs.c
super.c
block: remove the bd_bdi in struct block_device
2021-08-09 11:53:26 -06:00
sync.c
timerfd.c
timerfd: Provide timerfd_resume()
2021-08-10 17:57:22 +02:00
userfaultfd.c
userfaultfd: fix a race between writeprotect and exit_mmap()
2021-10-18 20:22:02 -10:00
utimes.c
xattr.c
xattr: fix kernel-doc for mnt_userns and vfs xattr helpers
2021-03-23 11:20:26 +01:00