From: Gao Xiang <gaoxiang25@huawei.com>
To: Chao Yu <yuchao0@huawei.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	<devel@driverdev.osuosl.org>, <linux-fsdevel@vger.kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	<linux-erofs@lists.ozlabs.org>, "Chao Yu" <chao@kernel.org>,
	Miao Xie <miaoxie@huawei.com>, <weidu.du@huawei.com>,
	Fang Wei <fangwei1@huawei.com>, Gao Xiang <gaoxiang25@huawei.com>
Subject: [PATCH 4/6] staging: erofs: avoid loop in submit chains
Date: Mon, 19 Aug 2019 18:34:24 +0800	[thread overview]
Message-ID: <20190819103426.87579-5-gaoxiang25@huawei.com> (raw)
In-Reply-To: <20190819103426.87579-1-gaoxiang25@huawei.com>

As reported by the erofs-utils fuzzer, two conditions
can occur in corrupted images, either of which can cause
unexpected behavior:
 - access the same pcluster one more time;
 - access the tail end pcluster again, e.g.
            _ access again (will trigger tail merging)
           |
     1 2 3 1 2             ->   1 2 3 1
     |_ tail end of the chain    \___/ (unexpected behavior)
Let's detect and avoid them now.

Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
---
 drivers/staging/erofs/zdata.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/erofs/zdata.c b/drivers/staging/erofs/zdata.c
index 23283c97fd3b..aae2f2b8353f 100644
--- a/drivers/staging/erofs/zdata.c
+++ b/drivers/staging/erofs/zdata.c
@@ -132,7 +132,7 @@ enum z_erofs_collectmode {
 struct z_erofs_collector {
 	struct z_erofs_pagevec_ctor vector;
 
-	struct z_erofs_pcluster *pcl;
+	struct z_erofs_pcluster *pcl, *tailpcl;
 	struct z_erofs_collection *cl;
 	struct page **compressedpages;
 	z_erofs_next_pcluster_t owned_head;
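Review bot: The new `tailpcl` member has no comment and shares a declaration line with `pcl`, although the two pointers play different roles. Declaring it on its own line with something like `/* tail-end pcluster of the chain being built; used only to detect loops from corrupted images */` would make the intent clear. The visible hunks only assign and compare this pointer. Whether the collector's initialiser sets it to NULL, and whether anything keeps the pcluster alive while the pointer is held, is outside this patch view; a stale address that gets reused would make the identity check in cllookup unreliable.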
@@ -353,6 +353,11 @@ static struct z_erofs_collection *cllookup(struct z_erofs_collector *clt,
 		return NULL;
 
 	pcl = container_of(grp, struct z_erofs_pcluster, obj);
+	if (clt->owned_head == &pcl->next || pcl == clt->tailpcl) {
+		DBG_BUGON(1);
+		erofs_workgroup_put(grp);
+		return ERR_PTR(-EFSCORRUPTED);
+	}
 
 	cl = z_erofs_primarycollection(pcl);
 	if (unlikely(cl->pageofs != (map->m_la & ~PAGE_MASK))) {
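Review bot: `DBG_BUGON(1)` in the new corruption branch of cllookup fires on state derived directly from the on-disk image. If DBG_BUGON is a real BUG on debug builds (its definition is outside this hunk), a damaged or crafted image halts those kernels instead of returning `-EFSCORRUPTED`, and a fuzzing run stops at the first such image. Consider dropping it here in favour of a rate-limited error message that identifies the pcluster, keeping the `erofs_workgroup_put(grp)` and the error return. The two-clause condition also deserves a comment, e.g. `/* corrupted image: pcl already heads our chain, or is its recorded tail */`. Since cllookup returns NULL a few lines earlier for the not-found case, the caller (not visible here) has to handle both NULL and ERR_PTR results.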
@@ -381,6 +386,9 @@ static struct z_erofs_collection *cllookup(struct z_erofs_collector *clt,
 		}
 	}
 	mutex_lock(&cl->lock);
+	/* used to check tail merging loop due to corrupted images */
+	if (clt->owned_head == Z_EROFS_PCLUSTER_TAIL)
+		clt->tailpcl = pcl;
 	clt->mode = try_to_claim_pcluster(pcl, &clt->owned_head);
 	clt->pcl = pcl;
 	clt->cl = cl;
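Review bot: `clt->tailpcl` is recorded before `try_to_claim_pcluster()` is known to have linked pcl into the chain. If that call can return with `clt->owned_head` still equal to `Z_EROFS_PCLUSTER_TAIL` and pcl unclaimed (its body is outside this hunk, so this is inferred), tailpcl keeps pointing at a pcluster this collector does not own, and a later valid lookup of it would be rejected with `-EFSCORRUPTED` by the check added earlier in cllookup. Resetting after the call would close that gap: `if (clt->owned_head == Z_EROFS_PCLUSTER_TAIL) clt->tailpcl = NULL;`. The existing comment could also state that the test has to come before the claim, because the claim is passed `&clt->owned_head` and may change it.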
@@ -434,6 +442,9 @@ static struct z_erofs_collection *clregister(struct z_erofs_collector *clt,
 		kmem_cache_free(pcluster_cachep, pcl);
 		return ERR_PTR(-EAGAIN);
 	}
+	/* used to check tail merging loop due to corrupted images */
+	if (clt->owned_head == Z_EROFS_PCLUSTER_TAIL)
+		clt->tailpcl = pcl;
 	clt->owned_head = &pcl->next;
 	clt->pcl = pcl;
 	clt->cl = cl;
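Review bot: The three added lines in clregister repeat the block added to cllookup verbatim, comment included, so the rule for when a pcluster becomes the recorded tail now lives in two places. A small static helper called from both sites, for example `static void z_erofs_note_tailpcl(struct z_erofs_collector *clt, struct z_erofs_pcluster *pcl)`, would keep them in step when the loop check is adjusted later. Both call sites rely on running before `clt->owned_head` is overwritten, and the helper's comment should say so.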
-- 
2.17.1


WARNING: multiple messages have this Message-ID (diff)
From: gaoxiang25@huawei.com (Gao Xiang)
Subject: [PATCH 4/6] staging: erofs: avoid loop in submit chains
Date: Mon, 19 Aug 2019 18:34:24 +0800	[thread overview]
Message-ID: <20190819103426.87579-5-gaoxiang25@huawei.com> (raw)
In-Reply-To: <20190819103426.87579-1-gaoxiang25@huawei.com>

As reported by the erofs-utils fuzzer, two conditions
can occur in corrupted images, either of which can cause
unexpected behavior:
 - access the same pcluster one more time;
 - access the tail end pcluster again, e.g.
            _ access again (will trigger tail merging)
           |
     1 2 3 1 2             ->   1 2 3 1
     |_ tail end of the chain    \___/ (unexpected behavior)
Let's detect and avoid them now.

Signed-off-by: Gao Xiang <gaoxiang25 at huawei.com>
---
 drivers/staging/erofs/zdata.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/erofs/zdata.c b/drivers/staging/erofs/zdata.c
index 23283c97fd3b..aae2f2b8353f 100644
--- a/drivers/staging/erofs/zdata.c
+++ b/drivers/staging/erofs/zdata.c
@@ -132,7 +132,7 @@ enum z_erofs_collectmode {
 struct z_erofs_collector {
 	struct z_erofs_pagevec_ctor vector;
 
-	struct z_erofs_pcluster *pcl;
+	struct z_erofs_pcluster *pcl, *tailpcl;
 	struct z_erofs_collection *cl;
 	struct page **compressedpages;
 	z_erofs_next_pcluster_t owned_head;
@@ -353,6 +353,11 @@ static struct z_erofs_collection *cllookup(struct z_erofs_collector *clt,
 		return NULL;
 
 	pcl = container_of(grp, struct z_erofs_pcluster, obj);
+	if (clt->owned_head == &pcl->next || pcl == clt->tailpcl) {
+		DBG_BUGON(1);
+		erofs_workgroup_put(grp);
+		return ERR_PTR(-EFSCORRUPTED);
+	}
 
 	cl = z_erofs_primarycollection(pcl);
 	if (unlikely(cl->pageofs != (map->m_la & ~PAGE_MASK))) {
@@ -381,6 +386,9 @@ static struct z_erofs_collection *cllookup(struct z_erofs_collector *clt,
 		}
 	}
 	mutex_lock(&cl->lock);
+	/* used to check tail merging loop due to corrupted images */
+	if (clt->owned_head == Z_EROFS_PCLUSTER_TAIL)
+		clt->tailpcl = pcl;
 	clt->mode = try_to_claim_pcluster(pcl, &clt->owned_head);
 	clt->pcl = pcl;
 	clt->cl = cl;
@@ -434,6 +442,9 @@ static struct z_erofs_collection *clregister(struct z_erofs_collector *clt,
 		kmem_cache_free(pcluster_cachep, pcl);
 		return ERR_PTR(-EAGAIN);
 	}
+	/* used to check tail merging loop due to corrupted images */
+	if (clt->owned_head == Z_EROFS_PCLUSTER_TAIL)
+		clt->tailpcl = pcl;
 	clt->owned_head = &pcl->next;
 	clt->pcl = pcl;
 	clt->cl = cl;
-- 
2.17.1
