From patchwork Wed Aug 2 14:22:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1816017 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=ZTSe5ijd; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4RGDhX1rKXz1ydk for ; Thu, 3 Aug 2023 00:22:35 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1qRCk5-0006c7-OU; Wed, 02 Aug 2023 14:22:25 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1qRCk2-0006ba-Cr for kernel-team@lists.ubuntu.com; Wed, 02 Aug 2023 14:22:22 +0000 Received: from mail-qk1-f198.google.com (mail-qk1-f198.google.com [209.85.222.198]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 94D933F077 for ; Wed, 2 Aug 2023 14:22:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1690986141; bh=zx5qHXwHsbI1KBHowqw6ZknnksZUCKWUBTyhuJqhIeM=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=ZTSe5ijdBsJtcYmYalsniSX+MkCo6wIovrpGr6RrEPTd8ONkK0JcNWeaq47psVOMr jM3Gkiv+3/5Jy2NK1weRKX/Lm2Tf8hJsVlUkc76y3WPkgW8UpQCJcbM3CkFxerHkkB wmhpj0aPIJW/nxfMhfXG1eWQMAFqUl845uApgCBt4VIGmM2zIheB0VL2IdNkXPAtgD VQTH7ui0aJ4nLUnbRAKtxNyuL06NXzdYHHqjd9+guxljC29A71+3OQWV+umirscDpR CW3lSxZgDBqqGBE6JEHVlBJFU1XKvG6LzZVA2Vr9nqGHbQTLXtvRDs6pekxl1jot0f lgpW3lCD02nnQ== Received: by mail-qk1-f198.google.com with SMTP id af79cd13be357-76c973b8973so444064885a.1 for ; Wed, 02 Aug 2023 07:22:21 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690986139; x=1691590939; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zx5qHXwHsbI1KBHowqw6ZknnksZUCKWUBTyhuJqhIeM=; b=Gp41n7AjW3blVIdfpkYu5bJ0ODjRr9JKG9xNnNO8hSFt6m/lbeBLrxlAVlt3k5NynF ZxOpWC+IaV61EIkGyvn7DHYFlxMFpvJET1qnjMZx8N7o1wLhpNt/A2T9p9IjTNHsvYG0 Z1NQbxybrBYCSxzpsd2vZeIzr5I5vcdav80u4OPqv0hr6pYSwRJGXmPxwZnY6eNMIJBx kRsARpGG6mBzMGmkHP0CsRwpR4Tfp8Fs4V5z5nHJMzemX49rbPZ4LcDs/ECuBI27sICy rkUOr5GCRC69heGTH83o8m24PaVXvPcP/Vfk/btL+/833ceGXhD/Y7P/89AqeAY6g5Cu e2xg== X-Gm-Message-State: ABy/qLZrNVM1A8H1T4OX1H+w7Mk0gMx8IZO6CiJ3Q4xfhWDvxFJTmmCe xCku6f70go/7q+ucxr8yuwhGjFLhO88OF+6rnPBI8pWpBXsHIPKjD1s9KvOBS8lPXfJOVXxPyXP svDlSmpcAQS/fWs1I87lMU0o21CCjvo1tU7YXIL/bUIBrLTBOoOMA X-Received: by 2002:a05:620a:479c:b0:76c:a996:bc45 with SMTP id dt28-20020a05620a479c00b0076ca996bc45mr8974806qkb.33.1690986138896; Wed, 02 Aug 2023 07:22:18 -0700 (PDT) X-Google-Smtp-Source: APBJJlElAxL/RIJLh14bIXCi7CzFaUiBSizIJ35UG0kn4HB8A5N5/chkWiXlc1B0syftxSLjB84BeQ== X-Received: by 2002:a05:620a:479c:b0:76c:a996:bc45 with SMTP id dt28-20020a05620a479c00b0076ca996bc45mr8974792qkb.33.1690986138618; Wed, 02 Aug 2023 07:22:18 -0700 (PDT) Received: from cache-ubuntu.hsd1.nj.comcast.net ([2601:86:200:98b0:1201:e3c9:3f58:80cf]) by smtp.gmail.com with ESMTPSA id i15-20020ae9ee0f000000b0076c89639526sm4221755qkg.93.2023.08.02.07.22.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 02 Aug 2023 07:22:18 -0700 (PDT) From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [SRU][Jammy-OEM-5.17][PATCH 1/1] f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() Date: Wed, 2 Aug 2023 10:22:14 -0400 Message-Id: <20230802142215.11776-2-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230802142215.11776-1-yuxuan.luo@canonical.com> References: <20230802142215.11776-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Chao Yu butt3rflyh4ck reports a bug as below: When a thread always calls F2FS_IOC_RESIZE_FS to resize fs, if resize fs is failed, f2fs kernel thread would invoke callback function to update f2fs io info, it would call f2fs_write_end_io and may trigger null-ptr-deref in NODE_MAPPING. general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:1972 [inline] RIP: 0010:f2fs_write_end_io+0x727/0x1050 fs/f2fs/data.c:370 bio_endio+0x5af/0x6c0 block/bio.c:1608 req_bio_endio block/blk-mq.c:761 [inline] blk_update_request+0x5cc/0x1690 block/blk-mq.c:906 blk_mq_end_request+0x59/0x4c0 block/blk-mq.c:1023 lo_complete_rq+0x1c6/0x280 drivers/block/loop.c:370 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1101 __do_softirq+0x1d4/0x8ef kernel/softirq.c:571 run_ksoftirqd kernel/softirq.c:939 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:931 smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164 kthread+0x33e/0x440 kernel/kthread.c:379 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 The root cause is below race case can cause leaving dirty metadata in f2fs after filesystem is remount as ro: Thread A Thread B - f2fs_ioc_resize_fs - f2fs_readonly --- return false - f2fs_resize_fs - f2fs_remount - write_checkpoint - set f2fs as ro - free_segment_range - update meta_inode's data Then, if f2fs_put_super() fails to write_checkpoint due to readonly status, and meta_inode's dirty data will be writebacked after node_inode is put, finally, f2fs_write_end_io will access NULL pointer on sbi->node_inode. Thread A IRQ context - f2fs_put_super - write_checkpoint fails - iput(node_inode) - node_inode = NULL - iput(meta_inode) - write_inode_now - f2fs_write_meta_page - f2fs_write_end_io - NODE_MAPPING(sbi) : access NULL pointer on node_inode Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress") Reported-by: butt3rflyh4ck Closes: https://lore.kernel.org/r/1684480657-2375-1-git-send-email-yangtiezhu@loongson.cn Tested-by: butt3rflyh4ck Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim (backported from commit d8189834d4348ae608083e1f1f53792cfcc2a9bc) [yuxuan.luo: the conflicts in gc.c requires e4544b63a7ee (“f2fs: move f2fs to use reader-unfair rwsems”), which is mostly renaming functions. Ignore this commit. ] CVE-2023-2898 Signed-off-by: Yuxuan Luo --- fs/f2fs/f2fs.h | 2 +- fs/f2fs/file.c | 2 +- fs/f2fs/gc.c | 21 ++++++++++++++++++--- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 1a2256aec94f..0e4d3620fb17 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -3692,7 +3692,7 @@ block_t f2fs_start_bidx_of_node(unsigned int node_ofs, struct inode *inode); int f2fs_gc(struct f2fs_sb_info *sbi, bool sync, bool background, bool force, unsigned int segno); void f2fs_build_gc_manager(struct f2fs_sb_info *sbi); -int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count); +int f2fs_resize_fs(struct file *filp, __u64 block_count); int __init f2fs_create_garbage_collection_cache(void); void f2fs_destroy_garbage_collection_cache(void); diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index a2b7dead68e0..5f624fcf7580 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -3263,7 +3263,7 @@ static int f2fs_ioc_resize_fs(struct file *filp, unsigned long arg) sizeof(block_count))) return -EFAULT; - return f2fs_resize_fs(sbi, block_count); + return f2fs_resize_fs(filp, block_count); } static int f2fs_ioc_enable_verity(struct file *filp, unsigned long arg) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index e020804f7b07..015ea455b9c9 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1990,8 +1990,9 @@ static void update_fs_metadata(struct f2fs_sb_info *sbi, int secs) } } -int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) +int f2fs_resize_fs(struct file *filp, __u64 block_count) { + struct f2fs_sb_info *sbi = F2FS_I_SB(file_inode(filp)); __u64 old_block_count, shrunk_blocks; struct cp_control cpc = { CP_RESIZE, 0, 0, 0 }; unsigned int secs; @@ -2029,12 +2030,18 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) return -EINVAL; } + err = mnt_want_write_file(filp); + if (err) + return err; + shrunk_blocks = old_block_count - block_count; secs = div_u64(shrunk_blocks, BLKS_PER_SEC(sbi)); /* stop other GC */ - if (!down_write_trylock(&sbi->gc_lock)) - return -EAGAIN; + if (!down_write_trylock(&sbi->gc_lock)) { + err = -EAGAIN; + goto out_drop_write; + } /* stop CP to protect MAIN_SEC in free_segment_range */ f2fs_lock_op(sbi); @@ -2054,12 +2061,20 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) out_unlock: f2fs_unlock_op(sbi); up_write(&sbi->gc_lock); +out_drop_write: + mnt_drop_write_file(filp); if (err) return err; set_sbi_flag(sbi, SBI_IS_RESIZEFS); freeze_super(sbi->sb); + + if (f2fs_readonly(sbi->sb)) { + thaw_super(sbi->sb); + return -EROFS; + } + down_write(&sbi->gc_lock); down_write(&sbi->cp_global_sem);