Linux-EROFS Archive on lore.kernel.org
* [PATCH for-4.19 1/4] staging: erofs: fix an error handling in erofs_readdir()
@ 2019-10-09 10:12 Gao Xiang
  2019-10-09 10:12 ` [PATCH for-4.19 2/4] staging: erofs: some compressed cluster should be submitted for corrupted images Gao Xiang
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Gao Xiang @ 2019-10-09 10:12 UTC
  To: Greg Kroah-Hartman, stable, Chao Yu; +Cc: Miao Xie, linux-erofs

commit acb383f1dcb4f1e79b66d4be3a0b6f519a957b0d upstream.

Richard observed a forever loop of erofs_read_raw_page() [1]
which can be generated by forcibly setting ->u.i_blkaddr
to 0xdeadbeef (as my understanding block layer can
handle access beyond end of device correctly).

After digging into that, it seems the problem is highly
related with directories and then I found the root cause
is an improper error handling in erofs_readdir().

Let's fix it now.

[1] https://lore.kernel.org/r/1163995781.68824.1566084358245.JavaMail.zimbra@nod.at/

Reported-by: Richard Weinberger <richard@nod.at>
Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Cc: <stable@vger.kernel.org> # 4.19+
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Link: https://lore.kernel.org/r/20190818125457.25906-1-hsiangkao@aol.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Gao Xiang: Since earlier kernels don't define EFSCORRUPTED,
             let's use original error code instead. ]
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
---

Compared with 5.3.y series, 
"staging: erofs: avoid endless loop of invalid lookback distance 0"
isn't included in this series since 4.19 is quite different from the
current code, no simple fix for this (used for corrupted images).
I will try a full fix later.

 drivers/staging/erofs/dir.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/erofs/dir.c b/drivers/staging/erofs/dir.c
index 0a089cf5c78f..fe6683effd05 100644
--- a/drivers/staging/erofs/dir.c
+++ b/drivers/staging/erofs/dir.c
@@ -100,8 +100,15 @@ static int erofs_readdir(struct file *f, struct dir_context *ctx)
 		unsigned nameoff, maxsize;
 
 		dentry_page = read_mapping_page(mapping, i, NULL);
-		if (IS_ERR(dentry_page))
-			continue;
+		if (dentry_page == ERR_PTR(-ENOMEM)) {
+			err = -ENOMEM;
+			break;
+		} else if (IS_ERR(dentry_page)) {
+			errln("fail to readdir of logical block %u of nid %llu",
+			      i, EROFS_V(dir)->nid);
+			err = PTR_ERR(dentry_page);
+			break;
+		}
 
 		lock_page(dentry_page);
 		de = (struct erofs_dirent *)kmap(dentry_page);
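Review bot: The two new branches after read_mapping_page() do the same thing apart from the errln() call: both store the error in err and break, and err = -ENOMEM is exactly what PTR_ERR(dentry_page) would give in the first branch. A single IS_ERR(dentry_page) branch that sets err = PTR_ERR(dentry_page), logs only when err != -ENOMEM, and then breaks would be shorter and keep the two paths from drifting apart. Also worth checking that the %u specifier matches the type of i, which this hunk does not show.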
-- 
2.17.1



* [PATCH for-4.19 2/4] staging: erofs: some compressed cluster should be submitted for corrupted images
  2019-10-09 10:12 [PATCH for-4.19 1/4] staging: erofs: fix an error handling in erofs_readdir() Gao Xiang
@ 2019-10-09 10:12 ` Gao Xiang
  2019-10-09 13:36   ` Patch "staging: erofs: some compressed cluster should be submitted for corrupted images" has been added to the 4.19-stable tree gregkh
  2019-10-09 10:12 ` [PATCH for-4.19 3/4] staging: erofs: add two missing erofs_workgroup_put for corrupted images Gao Xiang
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 8+ messages in thread
From: Gao Xiang @ 2019-10-09 10:12 UTC
  To: Greg Kroah-Hartman, stable, Chao Yu; +Cc: Miao Xie, linux-erofs

commit ee45197c807895e156b2be0abcaebdfc116487c8 upstream.

As reported by erofs_utils fuzzer, a logical page can belong
to at most 2 compressed clusters, if one compressed cluster
is corrupted, but the other has been ready in submitting chain.

The chain needs to submit anyway in order to keep the page
working properly (page unlocked with PG_error set, PG_uptodate
not set).

Let's fix it now.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Link: https://lore.kernel.org/r/20190819103426.87579-2-gaoxiang25@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Gao Xiang: Manually backport to v4.19.y stable. ]
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
---
 drivers/staging/erofs/unzip_vle.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/erofs/unzip_vle.c b/drivers/staging/erofs/unzip_vle.c
index ad6fe6d9d00a..fc44f5ce670b 100644
--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -1335,19 +1335,18 @@ static int z_erofs_vle_normalaccess_readpage(struct file *file,
 	err = z_erofs_do_read_page(&f, page, &pagepool);
 	(void)z_erofs_vle_work_iter_end(&f.builder);
 
-	if (err) {
+	/* if some compressed cluster ready, need submit them anyway */
+	z_erofs_submit_and_unzip(&f, &pagepool, true);
+
+	if (err)
 		errln("%s, failed to read, err [%d]", __func__, err);
-		goto out;
-	}
 
-	z_erofs_submit_and_unzip(&f, &pagepool, true);
-out:
 	if (f.m_iter.mpage != NULL)
 		put_page(f.m_iter.mpage);
 
 	/* clean up the remaining free pages */
 	put_pages_list(&pagepool);
-	return 0;
+	return err;
 }
 
 static inline int __z_erofs_vle_normalaccess_readpages(
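Review bot: The last changed line turns return 0 into return err, so z_erofs_vle_normalaccess_readpage() now reports a failure of z_erofs_do_read_page() to its caller, which it did not do before; the changelog only talks about submitting the chain. Please mention the return-value change in the commit message. Since errln() is now emitted after z_erofs_submit_and_unzip(), anything logged during decompression will precede the "failed to read" line, which is worth knowing when reading reports from corrupted images.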
-- 
2.17.1



* [PATCH for-4.19 3/4] staging: erofs: add two missing erofs_workgroup_put for corrupted images
  2019-10-09 10:12 [PATCH for-4.19 1/4] staging: erofs: fix an error handling in erofs_readdir() Gao Xiang
  2019-10-09 10:12 ` [PATCH for-4.19 2/4] staging: erofs: some compressed cluster should be submitted for corrupted images Gao Xiang
@ 2019-10-09 10:12 ` Gao Xiang
  2019-10-09 13:36   ` Patch "staging: erofs: add two missing erofs_workgroup_put for corrupted images" has been added to the 4.19-stable tree gregkh
  2019-10-09 10:12 ` [PATCH for-4.19 4/4] staging: erofs: detect potential multiref due to corrupted images Gao Xiang
  2019-10-09 13:36 ` Patch "staging: erofs: fix an error handling in erofs_readdir()" " gregkh
  3 siblings, 1 reply; 8+ messages in thread
From: Gao Xiang @ 2019-10-09 10:12 UTC
  To: Greg Kroah-Hartman, stable, Chao Yu; +Cc: Miao Xie, linux-erofs

commit 138e1a0990e80db486ab9f6c06bd5c01f9a97999 upstream.

As reported by erofs-utils fuzzer, these error handling
path will be entered to handle corrupted images.

Lack of erofs_workgroup_puts will cause unmounting
unsuccessfully.

Fix these return values to EFSCORRUPTED as well.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Link: https://lore.kernel.org/r/20190819103426.87579-4-gaoxiang25@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Gao Xiang: Older kernel versions don't have length validity check
             and EFSCORRUPTED, thus backport pageofs check for now. ]
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
---
 drivers/staging/erofs/unzip_vle.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/erofs/unzip_vle.c b/drivers/staging/erofs/unzip_vle.c
index fc44f5ce670b..7bd406f34f8b 100644
--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -311,7 +311,11 @@ z_erofs_vle_work_lookup(struct super_block *sb,
 	/* if multiref is disabled, `primary' is always true */
 	primary = true;
 
-	DBG_BUGON(work->pageofs != pageofs);
+	if (work->pageofs != pageofs) {
+		DBG_BUGON(1);
+		erofs_workgroup_put(egrp);
+		return ERR_PTR(-EIO);
+	}
 
 	/*
 	 * lock must be taken first to avoid grp->next == NIL between
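Review bot: DBG_BUGON(1) is kept inside the new if (work->pageofs != pageofs) branch, yet the changelog says this path is entered for corrupted images found by the fuzzer. If DBG_BUGON() is a real BUG in debug builds, those builds will still stop on such an image before erofs_workgroup_put(egrp) and return ERR_PTR(-EIO) are reached, so the new error path is only exercised on non-debug kernels. Consider dropping the assertion here or replacing it with a log message.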
-- 
2.17.1



* [PATCH for-4.19 4/4] staging: erofs: detect potential multiref due to corrupted images
  2019-10-09 10:12 [PATCH for-4.19 1/4] staging: erofs: fix an error handling in erofs_readdir() Gao Xiang
  2019-10-09 10:12 ` [PATCH for-4.19 2/4] staging: erofs: some compressed cluster should be submitted for corrupted images Gao Xiang
  2019-10-09 10:12 ` [PATCH for-4.19 3/4] staging: erofs: add two missing erofs_workgroup_put for corrupted images Gao Xiang
@ 2019-10-09 10:12 ` Gao Xiang
  2019-10-09 13:36   ` Patch "staging: erofs: detect potential multiref due to corrupted images" has been added to the 4.19-stable tree gregkh
  2019-10-09 13:36 ` Patch "staging: erofs: fix an error handling in erofs_readdir()" " gregkh
  3 siblings, 1 reply; 8+ messages in thread
From: Gao Xiang @ 2019-10-09 10:12 UTC
  To: Greg Kroah-Hartman, stable, Chao Yu; +Cc: Miao Xie, linux-erofs

commit e12a0ce2fa69798194f3a8628baf6edfbd5c548f upstream.

As reported by erofs-utils fuzzer, currently, multiref
(ondisk deduplication) hasn't been supported for now,
we should forbid it properly.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Link: https://lore.kernel.org/r/20190821140152.229648-1-gaoxiang25@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Gao Xiang: Since earlier kernels don't define EFSCORRUPTED,
             let's use EIO instead. ]
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
---
 drivers/staging/erofs/unzip_vle.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/erofs/unzip_vle.c b/drivers/staging/erofs/unzip_vle.c
index 7bd406f34f8b..0f1558c6747e 100644
--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -857,6 +857,7 @@ static int z_erofs_vle_unzip(struct super_block *sb,
 	for (i = 0; i < nr_pages; ++i)
 		pages[i] = NULL;
 
+	err = 0;
 	z_erofs_pagevec_ctor_init(&ctor,
 		Z_EROFS_VLE_INLINE_PAGEVECS, work->pagevec, 0);
 
@@ -878,8 +879,17 @@ static int z_erofs_vle_unzip(struct super_block *sb,
 			pagenr = z_erofs_onlinepage_index(page);
 
 		DBG_BUGON(pagenr >= nr_pages);
-		DBG_BUGON(pages[pagenr]);
 
+		/*
+		 * currently EROFS doesn't support multiref(dedup),
+		 * so here erroring out one multiref page.
+		 */
+		if (pages[pagenr]) {
+			DBG_BUGON(1);
+			SetPageError(pages[pagenr]);
+			z_erofs_onlinepage_endio(pages[pagenr]);
+			err = -EIO;
+		}
 		pages[pagenr] = page;
 	}
 	sparsemem_pages = i;
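Review bot: pages[pagenr] is now read and written in a path the changelog describes as reachable from corrupted images, while the bound on pagenr two lines above the new block is still only DBG_BUGON(pagenr >= nr_pages). Please confirm that z_erofs_onlinepage_index() cannot return a value >= nr_pages for such an image; if it can, this needs a runtime check with the same error handling rather than a debug-only assertion, since otherwise the index goes past the end of pages[] on non-debug builds.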
@@ -889,7 +899,6 @@ static int z_erofs_vle_unzip(struct super_block *sb,
 	overlapped = false;
 	compressed_pages = grp->compressed_pages;
 
-	err = 0;
 	for (i = 0; i < clusterpages; ++i) {
 		unsigned pagenr;
 
@@ -915,7 +924,12 @@ static int z_erofs_vle_unzip(struct super_block *sb,
 			pagenr = z_erofs_onlinepage_index(page);
 
 			DBG_BUGON(pagenr >= nr_pages);
-			DBG_BUGON(pages[pagenr]);
+			if (pages[pagenr]) {
+				DBG_BUGON(1);
+				SetPageError(pages[pagenr]);
+				z_erofs_onlinepage_endio(pages[pagenr]);
+				err = -EIO;
+			}
 			++sparsemem_pages;
 			pages[pagenr] = page;
 
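Review bot: This if (pages[pagenr]) block is a line-for-line copy of the one added in the first loop; a small helper taking pages, pagenr and &err would keep the two from diverging. Note also that ++sparsemem_pages still runs right after the block when the slot was already occupied, so the counter includes the page that was just errored out and replaced. If later code treats sparsemem_pages as the number of distinct filled slots, skip the increment in the collision case.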
-- 
2.17.1



* Patch "staging: erofs: add two missing erofs_workgroup_put for corrupted images" has been added to the 4.19-stable tree
  2019-10-09 10:12 ` [PATCH for-4.19 3/4] staging: erofs: add two missing erofs_workgroup_put for corrupted images Gao Xiang
@ 2019-10-09 13:36   ` gregkh
  0 siblings, 0 replies; 8+ messages in thread
From: gregkh @ 2019-10-09 13:36 UTC
  To: 20190819103426.87579-4-gaoxiang25, gaoxiang25, gregkh,
	linux-erofs, miaoxie, yuchao0
  Cc: stable-commits


This is a note to let you know that I've just added the patch titled

    staging: erofs: add two missing erofs_workgroup_put for corrupted images

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From foo@baz Wed 09 Oct 2019 03:26:06 PM CEST
From: Gao Xiang <gaoxiang25@huawei.com>
Date: Wed, 9 Oct 2019 18:12:38 +0800
Subject: staging: erofs: add two missing erofs_workgroup_put for corrupted images
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, <stable@vger.kernel.org>, Chao Yu <yuchao0@huawei.com>
Cc: <linux-erofs@lists.ozlabs.org>, Miao Xie <miaoxie@huawei.com>, Gao Xiang <gaoxiang25@huawei.com>
Message-ID: <20191009101239.195587-3-gaoxiang25@huawei.com>

From: Gao Xiang <gaoxiang25@huawei.com>

commit 138e1a0990e80db486ab9f6c06bd5c01f9a97999 upstream.

As reported by erofs-utils fuzzer, these error handling
path will be entered to handle corrupted images.

Lack of erofs_workgroup_puts will cause unmounting
unsuccessfully.

Fix these return values to EFSCORRUPTED as well.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Link: https://lore.kernel.org/r/20190819103426.87579-4-gaoxiang25@huawei.com
[ Gao Xiang: Older kernel versions don't have length validity check
             and EFSCORRUPTED, thus backport pageofs check for now. ]
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/erofs/unzip_vle.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -311,7 +311,11 @@ z_erofs_vle_work_lookup(struct super_blo
 	/* if multiref is disabled, `primary' is always true */
 	primary = true;
 
-	DBG_BUGON(work->pageofs != pageofs);
+	if (work->pageofs != pageofs) {
+		DBG_BUGON(1);
+		erofs_workgroup_put(egrp);
+		return ERR_PTR(-EIO);
+	}
 
 	/*
 	 * lock must be taken first to avoid grp->next == NIL between
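Review bot: The subject promises two erofs_workgroup_put() calls and the body says the return values become EFSCORRUPTED, but this hunk adds one put and returns ERR_PTR(-EIO). The bracketed backport note explains why the length check is absent; it should also say that only the pageofs path is fixed here and that -EIO stands in for EFSCORRUPTED, so the changelog matches what 4.19 actually gets.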


Patches currently in stable-queue which might be from gaoxiang25@huawei.com are

queue-4.19/staging-erofs-fix-an-error-handling-in-erofs_readdir.patch
queue-4.19/staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch
queue-4.19/staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch
queue-4.19/staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch


* Patch "staging: erofs: detect potential multiref due to corrupted images" has been added to the 4.19-stable tree
  2019-10-09 10:12 ` [PATCH for-4.19 4/4] staging: erofs: detect potential multiref due to corrupted images Gao Xiang
@ 2019-10-09 13:36   ` gregkh
  0 siblings, 0 replies; 8+ messages in thread
From: gregkh @ 2019-10-09 13:36 UTC
  To: 20190821140152.229648-1-gaoxiang25, gaoxiang25, gregkh,
	linux-erofs, miaoxie, yuchao0
  Cc: stable-commits


This is a note to let you know that I've just added the patch titled

    staging: erofs: detect potential multiref due to corrupted images

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From foo@baz Wed 09 Oct 2019 03:26:06 PM CEST
From: Gao Xiang <gaoxiang25@huawei.com>
Date: Wed, 9 Oct 2019 18:12:39 +0800
Subject: staging: erofs: detect potential multiref due to corrupted images
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, <stable@vger.kernel.org>, Chao Yu <yuchao0@huawei.com>
Cc: <linux-erofs@lists.ozlabs.org>, Miao Xie <miaoxie@huawei.com>, Gao Xiang <gaoxiang25@huawei.com>
Message-ID: <20191009101239.195587-4-gaoxiang25@huawei.com>

From: Gao Xiang <gaoxiang25@huawei.com>

commit e12a0ce2fa69798194f3a8628baf6edfbd5c548f upstream.

As reported by erofs-utils fuzzer, currently, multiref
(ondisk deduplication) hasn't been supported for now,
we should forbid it properly.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Link: https://lore.kernel.org/r/20190821140152.229648-1-gaoxiang25@huawei.com
[ Gao Xiang: Since earlier kernels don't define EFSCORRUPTED,
             let's use EIO instead. ]
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/erofs/unzip_vle.c |   20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -857,6 +857,7 @@ repeat:
 	for (i = 0; i < nr_pages; ++i)
 		pages[i] = NULL;
 
+	err = 0;
 	z_erofs_pagevec_ctor_init(&ctor,
 		Z_EROFS_VLE_INLINE_PAGEVECS, work->pagevec, 0);
 
@@ -878,8 +879,17 @@ repeat:
 			pagenr = z_erofs_onlinepage_index(page);
 
 		DBG_BUGON(pagenr >= nr_pages);
-		DBG_BUGON(pages[pagenr]);
 
+		/*
+		 * currently EROFS doesn't support multiref(dedup),
+		 * so here erroring out one multiref page.
+		 */
+		if (pages[pagenr]) {
+			DBG_BUGON(1);
+			SetPageError(pages[pagenr]);
+			z_erofs_onlinepage_endio(pages[pagenr]);
+			err = -EIO;
+		}
 		pages[pagenr] = page;
 	}
 	sparsemem_pages = i;
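Review bot: When a slot collision is found in this loop, only the page already in pages[pagenr] gets SetPageError() and z_erofs_onlinepage_endio(); the incoming page is then stored by pages[pagenr] = page and the loop carries on with err = -EIO. The added comment says "erroring out one multiref page" without saying which one or what happens to the other. Please extend the comment to state how the page left in the slot is completed once err is set.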
@@ -889,7 +899,6 @@ repeat:
 	overlapped = false;
 	compressed_pages = grp->compressed_pages;
 
-	err = 0;
 	for (i = 0; i < clusterpages; ++i) {
 		unsigned pagenr;
 
@@ -915,7 +924,12 @@ repeat:
 			pagenr = z_erofs_onlinepage_index(page);
 
 			DBG_BUGON(pagenr >= nr_pages);
-			DBG_BUGON(pages[pagenr]);
+			if (pages[pagenr]) {
+				DBG_BUGON(1);
+				SetPageError(pages[pagenr]);
+				z_erofs_onlinepage_endio(pages[pagenr]);
+				err = -EIO;
+			}
 			++sparsemem_pages;
 			pages[pagenr] = page;
 


Patches currently in stable-queue which might be from gaoxiang25@huawei.com are

queue-4.19/staging-erofs-fix-an-error-handling-in-erofs_readdir.patch
queue-4.19/staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch
queue-4.19/staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch
queue-4.19/staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch


* Patch "staging: erofs: some compressed cluster should be submitted for corrupted images" has been added to the 4.19-stable tree
  2019-10-09 10:12 ` [PATCH for-4.19 2/4] staging: erofs: some compressed cluster should be submitted for corrupted images Gao Xiang
@ 2019-10-09 13:36   ` gregkh
  0 siblings, 0 replies; 8+ messages in thread
From: gregkh @ 2019-10-09 13:36 UTC
  To: 20190819103426.87579-2-gaoxiang25, gaoxiang25, gregkh,
	linux-erofs, miaoxie, yuchao0
  Cc: stable-commits


This is a note to let you know that I've just added the patch titled

    staging: erofs: some compressed cluster should be submitted for corrupted images

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From foo@baz Wed 09 Oct 2019 03:26:06 PM CEST
From: Gao Xiang <gaoxiang25@huawei.com>
Date: Wed, 9 Oct 2019 18:12:37 +0800
Subject: staging: erofs: some compressed cluster should be submitted for corrupted images
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, <stable@vger.kernel.org>, Chao Yu <yuchao0@huawei.com>
Cc: <linux-erofs@lists.ozlabs.org>, Miao Xie <miaoxie@huawei.com>, Gao Xiang <gaoxiang25@huawei.com>
Message-ID: <20191009101239.195587-2-gaoxiang25@huawei.com>

From: Gao Xiang <gaoxiang25@huawei.com>

commit ee45197c807895e156b2be0abcaebdfc116487c8 upstream.

As reported by erofs_utils fuzzer, a logical page can belong
to at most 2 compressed clusters, if one compressed cluster
is corrupted, but the other has been ready in submitting chain.

The chain needs to submit anyway in order to keep the page
working properly (page unlocked with PG_error set, PG_uptodate
not set).

Let's fix it now.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Link: https://lore.kernel.org/r/20190819103426.87579-2-gaoxiang25@huawei.com
[ Gao Xiang: Manually backport to v4.19.y stable. ]
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/erofs/unzip_vle.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -1335,19 +1335,18 @@ static int z_erofs_vle_normalaccess_read
 	err = z_erofs_do_read_page(&f, page, &pagepool);
 	(void)z_erofs_vle_work_iter_end(&f.builder);
 
-	if (err) {
+	/* if some compressed cluster ready, need submit them anyway */
+	z_erofs_submit_and_unzip(&f, &pagepool, true);
+
+	if (err)
 		errln("%s, failed to read, err [%d]", __func__, err);
-		goto out;
-	}
 
-	z_erofs_submit_and_unzip(&f, &pagepool, true);
-out:
 	if (f.m_iter.mpage != NULL)
 		put_page(f.m_iter.mpage);
 
 	/* clean up the remaining free pages */
 	put_pages_list(&pagepool);
-	return 0;
+	return err;
 }
 
 static inline int __z_erofs_vle_normalaccess_readpages(
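Review bot: The trailing context shows __z_erofs_vle_normalaccess_readpages() starting right after this function, and this hunk only reorders the single-page path. If the multi-page path has the same pattern of skipping z_erofs_submit_and_unzip() on error, it needs the same treatment; if it does not, a sentence in the changelog saying so would save the next reader the check.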


Patches currently in stable-queue which might be from gaoxiang25@huawei.com are

queue-4.19/staging-erofs-fix-an-error-handling-in-erofs_readdir.patch
queue-4.19/staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch
queue-4.19/staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch
queue-4.19/staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch


* Patch "staging: erofs: fix an error handling in erofs_readdir()" has been added to the 4.19-stable tree
  2019-10-09 10:12 [PATCH for-4.19 1/4] staging: erofs: fix an error handling in erofs_readdir() Gao Xiang
                   ` (2 preceding siblings ...)
  2019-10-09 10:12 ` [PATCH for-4.19 4/4] staging: erofs: detect potential multiref due to corrupted images Gao Xiang
@ 2019-10-09 13:36 ` " gregkh
  3 siblings, 0 replies; 8+ messages in thread
From: gregkh @ 2019-10-09 13:36 UTC
  To: 1163995781.68824.1566084358245.JavaMail.zimbra,
	20190818125457.25906-1-hsiangkao, gaoxiang25, gregkh,
	linux-erofs, miaoxie, richard, yuchao0
  Cc: stable-commits


This is a note to let you know that I've just added the patch titled

    staging: erofs: fix an error handling in erofs_readdir()

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     staging-erofs-fix-an-error-handling-in-erofs_readdir.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From foo@baz Wed 09 Oct 2019 03:26:06 PM CEST
From: Gao Xiang <gaoxiang25@huawei.com>
Date: Wed, 9 Oct 2019 18:12:36 +0800
Subject: staging: erofs: fix an error handling in erofs_readdir()
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, <stable@vger.kernel.org>, Chao Yu <yuchao0@huawei.com>
Cc: <linux-erofs@lists.ozlabs.org>, Miao Xie <miaoxie@huawei.com>, Gao Xiang <gaoxiang25@huawei.com>
Message-ID: <20191009101239.195587-1-gaoxiang25@huawei.com>

From: Gao Xiang <gaoxiang25@huawei.com>

commit acb383f1dcb4f1e79b66d4be3a0b6f519a957b0d upstream.

Richard observed a forever loop of erofs_read_raw_page() [1]
which can be generated by forcibly setting ->u.i_blkaddr
to 0xdeadbeef (as my understanding block layer can
handle access beyond end of device correctly).

After digging into that, it seems the problem is highly
related with directories and then I found the root cause
is an improper error handling in erofs_readdir().

Let's fix it now.

[1] https://lore.kernel.org/r/1163995781.68824.1566084358245.JavaMail.zimbra@nod.at/

Reported-by: Richard Weinberger <richard@nod.at>
Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Cc: <stable@vger.kernel.org> # 4.19+
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Link: https://lore.kernel.org/r/20190818125457.25906-1-hsiangkao@aol.com
[ Gao Xiang: Since earlier kernels don't define EFSCORRUPTED,
             let's use original error code instead. ]
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/erofs/dir.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/staging/erofs/dir.c
+++ b/drivers/staging/erofs/dir.c
@@ -100,8 +100,15 @@ static int erofs_readdir(struct file *f,
 		unsigned nameoff, maxsize;
 
 		dentry_page = read_mapping_page(mapping, i, NULL);
-		if (IS_ERR(dentry_page))
-			continue;
+		if (dentry_page == ERR_PTR(-ENOMEM)) {
+			err = -ENOMEM;
+			break;
+		} else if (IS_ERR(dentry_page)) {
+			errln("fail to readdir of logical block %u of nid %llu",
+			      i, EROFS_V(dir)->nid);
+			err = PTR_ERR(dentry_page);
+			break;
+		}
 
 		lock_page(dentry_page);
 		de = (struct erofs_dirent *)kmap(dentry_page);
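Review bot: The break on a failed read_mapping_page() only helps callers if the code after the loop propagates err, and that tail is outside this hunk. For the 4.19 backport, please confirm that erofs_readdir() returns err (not 0) once the loop is left; otherwise the caller still sees a successful but truncated listing for a directory block that could not be read.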


Patches currently in stable-queue which might be from gaoxiang25@huawei.com are

queue-4.19/staging-erofs-fix-an-error-handling-in-erofs_readdir.patch
queue-4.19/staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch
queue-4.19/staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch
queue-4.19/staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch

