linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Chao Yu <yuchao0@huawei.com>,
	Jaegeuk Kim <jaegeuk@kernel.org>,
	Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.9 092/101] f2fs: fix to do sanity check with secs_per_zone
Date: Thu,  6 Dec 2018 15:39:31 +0100	[thread overview]
Message-ID: <20181206143018.264982976@linuxfoundation.org> (raw)
In-Reply-To: <20181206143011.174892052@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chao Yu <yuchao0@huawei.com>

commit 42bf546c1fe3f3654bdf914e977acbc2b80a5be5 upstream.

As Wen Xu reported in below link:

https://bugzilla.kernel.org/show_bug.cgi?id=200183

- Overview
Divide zero in reset_curseg() when mounting a crafted f2fs image

- Reproduce

- Kernel message
[  588.281510] divide error: 0000 [#1] SMP KASAN PTI
[  588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4
[  588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  588.286178] RIP: 0010:reset_curseg+0x94/0x1a0
[  588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
[  588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
[  588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
[  588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
[  588.306822] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  588.308456] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
[  588.311085] Call Trace:
[  588.311637]  f2fs_build_segment_manager+0x103f/0x3410
[  588.316136]  ? f2fs_commit_super+0x1b0/0x1b0
[  588.317031]  ? set_blocksize+0x90/0x140
[  588.319473]  f2fs_mount+0x15/0x20
[  588.320166]  mount_fs+0x60/0x1a0
[  588.320847]  ? alloc_vfsmnt+0x309/0x360
[  588.321647]  vfs_kern_mount+0x6b/0x1a0
[  588.322432]  do_mount+0x34a/0x18c0
[  588.323175]  ? strndup_user+0x46/0x70
[  588.323937]  ? copy_mount_string+0x20/0x20
[  588.324793]  ? memcg_kmem_put_cache+0x1b/0xa0
[  588.325702]  ? kasan_check_write+0x14/0x20
[  588.326562]  ? _copy_from_user+0x6a/0x90
[  588.327375]  ? memdup_user+0x42/0x60
[  588.328118]  ksys_mount+0x83/0xd0
[  588.328808]  __x64_sys_mount+0x67/0x80
[  588.329607]  do_syscall_64+0x78/0x170
[  588.330400]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  588.331461] RIP: 0033:0x7fad848e8b9a
[  588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a
[  588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0
[  588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[  588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0
[  588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003
[  588.354891] ---[ end trace 4ce02f25ff7d3df5 ]---
[  588.355862] RIP: 0010:reset_curseg+0x94/0x1a0
[  588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
[  588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
[  588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
[  588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f
[  588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700
[  588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
[  588.370057] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  588.372099] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147
        curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno);

If secs_per_zone is corrupted due to fuzzing test, it will cause divide
zero operation when using GET_ZONE_FROM_SEG macro, so we should do more
sanity check with secs_per_zone during mount to avoid this issue.

Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/super.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1434,9 +1434,9 @@ static int sanity_check_raw_super(struct
 		return 1;
 	}
 
-	if (secs_per_zone > total_sections) {
+	if (secs_per_zone > total_sections || !secs_per_zone) {
 		f2fs_msg(sb, KERN_INFO,
-			"Wrong secs_per_zone (%u > %u)",
+			"Wrong secs_per_zone / total_sections (%u, %u)",
 			secs_per_zone, total_sections);
 		return 1;
 	}



  parent reply	other threads:[~2018-12-06 14:49 UTC|newest]

Thread overview: 115+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-06 14:37 [PATCH 4.9 000/101] 4.9.144-stable review Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 001/101] Kbuild: suppress packed-not-aligned warning for default setting only Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 002/101] disable stringop truncation warnings for now Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 003/101] test_hexdump: use memcpy instead of strncpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 004/101] kobject: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 005/101] unifdef: use memcpy instead of strncpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 006/101] kernfs: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 007/101] ip_tunnel: Fix name string concatenate in __ip_tunnel_create() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 008/101] drm: gma500: fix logic error Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 009/101] scsi: bfa: convert to strlcpy/strlcat Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 010/101] staging: rts5208: fix gcc-8 logic error warning Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 011/101] kdb: use memmove instead of overlapping memcpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 012/101] x86/power/64: Use char arrays for asm function names Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 013/101] iser: set sector for ambiguous mr status errors Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 014/101] uprobes: Fix handle_swbp() vs. unregister() + register() race once more Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 015/101] MIPS: ralink: Fix mt7620 nd_sd pinmux Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 016/101] mips: fix mips_get_syscall_arg o32 check Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 017/101] IB/mlx5: Avoid load failure due to unknown link width Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 018/101] drm/ast: Fix incorrect free on ioregs Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 019/101] drm: set is_master to 0 upon drm_new_set_master() failure Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 020/101] scsi: scsi_devinfo: cleanly zero-pad devinfo strings Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 021/101] ALSA: trident: Suppress gcc string warning Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 022/101] scsi: csiostor: Avoid content leaks and casts Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 023/101] kgdboc: Fix restrict error Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 024/101] kgdboc: Fix warning with module build Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 025/101] binder: fix proc->files use-after-free Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 026/101] svm: Add mutex_lock to protect apic_access_page_done on AMD systems Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 027/101] drm/mediatek: fix OF sibling-node lookup Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 028/101] Input: xpad - quirk all PDP Xbox One gamepads Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 029/101] Input: matrix_keypad - check for errors from of_get_named_gpio() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 030/101] Input: elan_i2c - add ELAN0620 to the ACPI table Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 031/101] Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 032/101] Input: elan_i2c - add support for ELAN0621 touchpad Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 033/101] btrfs: Always try all copies when reading extent buffers Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 034/101] Btrfs: fix use-after-free when dumping free space Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 035/101] ARC: change defconfig defaults to ARCv2 Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 036/101] arc: [devboards] Add support of NFSv3 ACL Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 037/101] udf: Allow mounting volumes with incorrect identification strings Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 038/101] reset: make optional functions really optional Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 039/101] reset: core: fix reset_control_put Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 040/101] reset: fix optional reset_control_get stubs to return NULL Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 041/101] reset: add exported __reset_control_get, return NULL if optional Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 042/101] reset: make device_reset_optional() really optional Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 043/101] reset: remove remaining WARN_ON() in <linux/reset.h> Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 044/101] mm: cleancache: fix corruption on missed inode invalidation Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 045/101] usb: gadget: dummy: fix nonsensical comparisons Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 046/101] net: qed: use correct strncpy() size Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 047/101] tipc: use destination length for copy string Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 048/101] libceph: drop len argument of *verify_authorizer_reply() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 049/101] libceph: no need to drop con->mutex for ->get_authorizer() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 050/101] libceph: store ceph_auth_handshake pointer in ceph_connection Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 051/101] libceph: factor out __prepare_write_connect() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 052/101] libceph: factor out __ceph_x_decrypt() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 053/101] libceph: factor out encrypt_authorizer() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 054/101] libceph: add authorizer challenge Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 055/101] libceph: implement CEPHX_V2 calculation mode Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 056/101] libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 057/101] libceph: check authorizer reply/challenge length before reading Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 058/101] bpf/verifier: Add spi variable to check_stack_write() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 059/101] bpf/verifier: Pass instruction index to check_mem_access() and check_xadd() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 060/101] bpf: Prevent memory disambiguation attack Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 061/101] wil6210: missing length check in wmi_set_ie Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 062/101] mm/hugetlb.c: dont call region_abort if region_chg fails Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 063/101] hugetlbfs: fix offset overflow in hugetlbfs mmap Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 064/101] hugetlbfs: check for pgoff value overflow Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 065/101] btrfs: validate type when reading a chunk Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 066/101] btrfs: Verify that every chunk has corresponding block group at mount time Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 067/101] btrfs: Refactor check_leaf function for later expansion Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 068/101] btrfs: Check if item pointer overlaps with the item itself Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 069/101] btrfs: Add sanity check for EXTENT_DATA when reading out leaf Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 070/101] btrfs: Add checker for EXTENT_CSUM Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 071/101] btrfs: Move leaf and node validation checker to tree-checker.c Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 072/101] btrfs: struct-funcs, constify readers Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 073/101] btrfs: tree-checker: Enhance btrfs_check_node output Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 074/101] btrfs: tree-checker: Fix false panic for sanity test Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 075/101] btrfs: tree-checker: Add checker for dir item Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 076/101] btrfs: tree-checker: use %zu format string for size_t Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 077/101] btrfs: tree-check: reduce stack consumption in check_dir_item Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 078/101] btrfs: tree-checker: Verify block_group_item Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 079/101] btrfs: tree-checker: Detect invalid and empty essential trees Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 080/101] btrfs: Check that each block group has corresponding chunk at mount time Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 081/101] btrfs: tree-checker: Check level for leaves and nodes Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 082/101] btrfs: tree-checker: Fix misleading group system information Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 083/101] f2fs: fix a panic caused by NULL flush_cmd_control Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 084/101] f2fs: fix race condition in between free nid allocator/initializer Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 085/101] f2fs: detect wrong layout Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 086/101] f2fs: return error during fill_super Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 087/101] f2fs: check blkaddr more accuratly before issue a bio Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 088/101] f2fs: sanity check on sit entry Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 089/101] f2fs: enhance sanity_check_raw_super() to avoid potential overflow Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 090/101] f2fs: clean up with is_valid_blkaddr() Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 091/101] f2fs: introduce and spread verify_blkaddr Greg Kroah-Hartman
2018-12-06 14:39 ` Greg Kroah-Hartman [this message]
2018-12-06 14:39 ` [PATCH 4.9 093/101] f2fs: fix to do sanity check with user_block_count Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 094/101] f2fs: Add sanity_check_inode() function Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 095/101] f2fs: fix to do sanity check with node footer and iblocks Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 096/101] f2fs: fix to do sanity check with block address in main area Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 097/101] f2fs: fix missing up_read Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 098/101] f2fs: fix to do sanity check with block address in main area v2 Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 099/101] f2fs: free meta pages if sanity check for ckpt is failed Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 100/101] f2fs: fix to do sanity check with cp_pack_start_sum Greg Kroah-Hartman
2018-12-07 18:12   ` Ben Hutchings
2018-12-08  9:01     ` Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 101/101] xfs: dont fail when converting shortform attr to long form during ATTR_REPLACE Greg Kroah-Hartman
2018-12-06 20:12 ` [PATCH 4.9 000/101] 4.9.144-stable review kernelci.org bot
2018-12-06 22:08 ` shuah
2018-12-07  9:03 ` Jon Hunter
2018-12-07 14:41   ` Greg Kroah-Hartman
2018-12-07  9:10 ` Naresh Kamboju
2018-12-07 14:41   ` Greg Kroah-Hartman
2018-12-07 15:34     ` Ben Hutchings
2018-12-07 15:51       ` Greg Kroah-Hartman
2018-12-07 17:53         ` Naresh Kamboju
2018-12-08  8:39           ` Greg Kroah-Hartman
2018-12-07 23:38 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181206143018.264982976@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ben.hutchings@codethink.co.uk \
    --cc=jaegeuk@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=yuchao0@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).