• Chao Yu's avatar
    f2fs: fix to do sanity check on valid block count of segment · 5fd8cf82
    Chao Yu authored
    BugLink: https://bugs.launchpad.net/bugs/1836666
    
    [ Upstream commit e95bcdb2 ]
    
    As Jungyeon reported in bugzilla:
    
    https://bugzilla.kernel.org/show_bug.cgi?id=203233
    
    - Overview
    When mounting the attached crafted image and running program, following errors are reported.
    Additionally, it hangs on sync after running program.
    
    The image is intentionally fuzzed from a normal f2fs image for testing.
    Compile options for F2FS are as follows.
    CONFIG_F2FS_FS=y
    CONFIG_F2FS_STAT_FS=y
    CONFIG_F2FS_FS_XATTR=y
    CONFIG_F2FS_FS_POSIX_ACL=y
    CONFIG_F2FS_CHECK_FS=y
    
    - Reproduces
    cc poc_13.c
    mkdir test
    mount -t f2fs tmp.img test
    cp a.out test
    cd test
    sudo ./a.out
    sync
    
    - Kernel messages
     F2FS-fs (sdb): Bitmap was wrongly set, blk:4608
     kernel BUG at fs/f2fs/segment.c:2102!
     RIP: 0010:update_sit_entry+0x394/0x410
     Call Trace:
      f2fs_allocate_data_block+0x16f/0x660
      do_write_page+0x62/0x170
      f2fs_do_write_node_page+0x33/0xa0
      __write_node_page+0x270/0x4e0
      f2fs_sync_node_pages+0x5df/0x670
      f2fs_write_checkpoint+0x372/0x1400
      f2fs_sync_fs+0xa3/0x130
      f2fs_do_sync_file+0x1a6/0x810
      do_fsync+0x33/0x60
      __x64_sys_fsync+0xb/0x10
      do_syscall_64+0x43/0xf0
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    sit.vblocks and sum valid block count in sit.valid_map may be
    inconsistent, segment w/ zero vblocks will be treated as free
    segment, while allocating in free segment, we may allocate a
    free block, if its bitmap is valid previously, it can cause
    kernel crash due to bitmap verification failure.
    
    Anyway, to avoid further serious metadata inconsistence and
    corruption, it is necessary and worth to detect SIT
    inconsistence. So let's enable check_block_count() to verify
    vblocks and valid_map all the time rather than do it only
    CONFIG_F2FS_CHECK_FS is enabled.
    Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
    Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
    Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
    5fd8cf82
segment.h 22.7 KB