Hi!

> From: Chao Yu <chao@kernel.org>
> 
> commit 77900c45ee5cd5da63bd4d818a41dbdf367e81cd upstream.
> 
> In fuzzed image, SSA table may indicate that a data block belongs to
> invalid node, which node ID is out-of-range (0, 1, 2 or max_nid), in
> order to avoid migrating inconsistent data in such corrupted image,
> let's do sanity check anyway before data block migration.

This may be good idea, but AFAICT this leads to leak of page reference.

> +++ b/fs/f2fs/gc.c
> @@ -589,6 +589,9 @@ static bool is_alive(struct f2fs_sb_info
>  		set_sbi_flag(sbi, SBI_NEED_FSCK);
>  	}
>  
> +	if (f2fs_check_nid_range(sbi, dni->ino))
> +		return false;
> +
>  	*nofs = ofs_of_node(node_page);
>  	source_blkaddr = datablock_addr(NULL, node_page, ofs_in_node);
>  	f2fs_put_page(node_page, 1);

AFAICT f2fs_put_page() needs to be done in the error path, too.

(Problem seems to exist in mainline, too).

Something like this?

Signed-off-by: Pavel Machek <pavel@denx.de>

Best regards,
								Pavel

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index ee308a8de432..e020804f7b07 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1038,8 +1038,10 @@ static bool is_alive(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
 		set_sbi_flag(sbi, SBI_NEED_FSCK);
 	}
 
-	if (f2fs_check_nid_range(sbi, dni->ino))
+	if (f2fs_check_nid_range(sbi, dni->ino)) {
+		f2fs_put_page(node_page, 1);
 		return false;
+	}
 
 	*nofs = ofs_of_node(node_page);
 	source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);


-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany