From: Yangtao Li <frank.li@vivo.com>
To: jaegeuk@kernel.org, chao@kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, Yangtao Li <frank.li@vivo.com>, kernel test robot <lkp@intel.com>, Dan Carpenter <error27@gmail.com>
Subject: [PATCH v3 1/2] f2fs: fix to avoid potential memory corruption in __update_iostat_latency()
Date: Sat, 21 Jan 2023 00:16:55 +0800
Message-ID: <20230120161656.70308-1-frank.li@vivo.com>

Add iotype sanity check to avoid potential memory corruption.
This is to fix the compile error below:

fs/f2fs/iostat.c:231 __update_iostat_latency()
error: buffer overflow 'io_lat->peak_lat[type]' 3 <= 3

vim +228 fs/f2fs/iostat.c

  211  static inline void __update_iostat_latency(struct bio_iostat_ctx *iostat_ctx,
  212                                  enum iostat_lat_type type)
  213  {
  214      unsigned long ts_diff;
  215      unsigned int page_type = iostat_ctx->type;
  216      struct f2fs_sb_info *sbi = iostat_ctx->sbi;
  217      struct iostat_lat_info *io_lat = sbi->iostat_io_lat;
  218      unsigned long flags;
  219
  220      if (!sbi->iostat_enable)
  221          return;
  222
  223      ts_diff = jiffies - iostat_ctx->submit_ts;
  224      if (page_type >= META_FLUSH)
                            ^^^^^^^^^^
  225          page_type = META;
  226
  227      spin_lock_irqsave(&sbi->iostat_lat_lock, flags);
 @228      io_lat->sum_lat[type][page_type] += ts_diff;
                                 ^^^^^^^^^
Mixup between META_FLUSH and NR_PAGE_TYPE leads to memory corruption.

Fixes: a4b6817625e7 ("f2fs: introduce periodic iostat io latency traces")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Suggested-by: Chao Yu <chao@kernel.org>
Suggested-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Yangtao Li <frank.li@vivo.com>
---
v3:
-convert to warn
 fs/f2fs/iostat.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/iostat.c b/fs/f2fs/iostat.c index ed8176939aa5..96637756eae8 100644 --- a/fs/f2fs/iostat.c +++ b/fs/f2fs/iostat.c 
@@ -223,8 +223,12 @@ static inline void __update_iostat_latency(struct bio_iostat_ctx *iostat_ctx, return; ts_diff = jiffies - iostat_ctx->submit_ts; - if (iotype >= META_FLUSH) + if (iotype == META_FLUSH) { iotype = META; + } else if (iotype >= NR_PAGE_TYPE) { + f2fs_warn(sbi, "%s: %d over NR_PAGE_TYPE", __func__, iotype); + return; + } if (rw == 0) { idx = READ_IO; -- 2.25.1
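Review bot: the rewritten check at `if (iotype == META_FLUSH)` changes more than the array bound. The old `iotype >= META_FLUSH` folded every value at or above META_FLUSH into META, while the new code folds only META_FLUSH itself and sends any other value at or above NR_PAGE_TYPE to the warn-and-return branch, so those latency samples are no longer counted. The commit message describes only the added sanity check; please either state that no bio_iostat_ctx can carry a type above META_FLUSH, or keep the old folding for those values and reject just the NR_PAGE_TYPE case. Two smaller points on the `f2fs_warn(...)` line: this function runs once per bio_iostat_ctx, so a once-only or rate-limited warning would keep a persistently bad type from flooding the log, and `%d` should match the declared type of iotype (the listing quoted in the commit message declares the equivalent variable as unsigned int).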