linux-yocto/fs
Chao Yu 6b7784ea07 f2fs: fix to avoid out-of-boundary access in dnode page
[ Upstream commit 77de19b686 ]

As Jiaming Zhang reported:

 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x17e/0x800 mm/kasan/report.c:480
 kasan_report+0x147/0x180 mm/kasan/report.c:593
 data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
 f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
 f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
 f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
 prepare_write_begin fs/f2fs/data.c:3395 [inline]
 f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
 generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
 f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
 f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x546/0xa90 fs/read_write.c:686
 ksys_write+0x149/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is that in the corrupted image there is a dnode that has the same
node id as its inode, so during f2fs_get_dnode_of_data() it tries to
access the block address in the dnode at offset 934; however it parses the dnode
as an inode node, so get_dnode_addr() returns 360, then it tries to
access the page address from 360 + 934 * 4 = 4096 w/ 4 bytes.

To fix this issue, let's add a sanity check for the node id of all direct nodes
during f2fs_get_dnode_of_data().

Cc: stable@kernel.org
Reported-by: Jiaming Zhang <r772577952@gmail.com>
Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ replaced f2fs_err_ratelimited() with f2fs_err() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-08-28 16:24:36 +02:00
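As an added illustration (not code from the kernel tree or from this commit), the C model below shows why a direct node that carries its inode's node id turns an in-range slot (offset 934 of a 1018-entry direct node) into a 4-byte read at byte 4096 of a 4096-byte page, and where a nid sanity check stops it before any address arithmetic. The page and footer sizes, the 360-byte i_addr base and the plain nid != ino test standing in for the real check are assumptions chosen so the commit's arithmetic reproduces.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of an f2fs node page for a 4 KiB block size.  These constants are
 * assumptions for the illustration, not definitions copied from the kernel.
 */
#define F2FS_PAGE_BYTES     4096u
#define NODE_FOOTER_BYTES   24u   /* nid, ino, flag, cp_ver, next_blkaddr */
#define NODE_BODY_BYTES     (F2FS_PAGE_BYTES - NODE_FOOTER_BYTES)   /* 4072 */
#define INODE_ADDR_BASE     360u  /* byte offset of i_addr[] inside an inode node */
#define DNODE_ADDR_BASE     0u    /* a direct node is just an array of block addresses */
#define ADDRS_PER_BLOCK     (NODE_BODY_BYTES / sizeof(uint32_t))    /* 1018 */

enum slot_status { SLOT_OK = 0, SLOT_CORRUPT = -1, SLOT_OOB = -2 };

struct node_view {
    uint32_t nid;      /* footer nid of the page that was fetched */
    uint32_t ino;      /* inode the lookup started from */
    bool     is_inode; /* how the reader will parse the body */
};

/*
 * Node pages are looked up by nid, so a dnode whose nid equals the inode's
 * ino resolves to the inode page itself and is parsed as an inode.
 */
static struct node_view fetch_node(uint32_t ino, uint32_t nid)
{
    struct node_view n = { .nid = nid, .ino = ino, .is_inode = (nid == ino) };
    return n;
}

/* Byte offset of block-address slot ofs_in_node, as get_dnode_addr() + index. */
static size_t blkaddr_byte_offset(const struct node_view *n, unsigned int ofs_in_node)
{
    size_t base = n->is_inode ? INODE_ADDR_BASE : DNODE_ADDR_BASE;
    return base + (size_t)ofs_in_node * sizeof(uint32_t);
}

/* The 4-byte read must end inside the node body, before the footer. */
static bool blkaddr_in_bounds(const struct node_view *n, unsigned int ofs_in_node)
{
    return blkaddr_byte_offset(n, ofs_in_node) + sizeof(uint32_t) <= NODE_BODY_BYTES;
}

/*
 * Resolve the byte offset of slot ofs_in_node in direct node dnode_nid of
 * inode ino.  With check_nid set, the (modelled) sanity check rejects a dnode
 * that shares the inode's nid before the offset is ever computed.
 */
static enum slot_status resolve_slot(uint32_t ino, uint32_t dnode_nid,
                                     unsigned int ofs_in_node, bool check_nid,
                                     size_t *byte_off)
{
    if (check_nid && dnode_nid == ino)
        return SLOT_CORRUPT;

    struct node_view n = fetch_node(ino, dnode_nid);
    *byte_off = blkaddr_byte_offset(&n, ofs_in_node);
    return blkaddr_in_bounds(&n, ofs_in_node) ? SLOT_OK : SLOT_OOB;
}

/* Wrappers so the outcome and the offset can be inspected separately. */
static int slot_status(uint32_t ino, uint32_t dnode_nid, unsigned int ofs, bool check_nid)
{
    size_t off = 0;
    return resolve_slot(ino, dnode_nid, ofs, check_nid, &off);
}

static size_t slot_offset(uint32_t ino, uint32_t dnode_nid, unsigned int ofs)
{
    size_t off = 0;
    resolve_slot(ino, dnode_nid, ofs, false, &off);
    return off;
}

int main(void)
{
    /* Constructed inputs: inode 7, a well-formed dnode 42, offset 934 as in the report. */
    printf("sane dnode     : status %d, byte offset %zu\n",
           slot_status(7, 42, 934, false), slot_offset(7, 42, 934));
    printf("nid == ino     : status %d, byte offset %zu (page is %u bytes)\n",
           slot_status(7, 7, 934, false), slot_offset(7, 7, 934), F2FS_PAGE_BYTES);
    printf("with nid check : status %d\n", slot_status(7, 7, 934, true));
    return 0;
}
```

The bounds check here is against the node body (page minus footer), which is stricter than the page boundary KASAN reported on; the corrupted case fails both. The point the model makes is that the offset itself is valid for a direct node, so a check on ofs_in_node alone would not catch this image; the node id has to be validated.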
9p 9p: add missing locking around taking dentry fid list 2024-10-17 15:11:47 +02:00
adfs
affs affs: don't write overlarge OFS data block size fields 2025-04-10 14:32:03 +02:00
afs afs: Fix the server_list to unuse a displaced server rather than putting it 2025-03-13 12:50:56 +01:00
autofs autofs: fix memory leak of waitqueues in autofs_catatonic_mode 2023-09-23 11:09:54 +02:00
befs
bfs
btrfs btrfs: populate otime when logging an inode item 2025-08-28 16:24:32 +02:00
cachefiles cachefiles: fix memory leak in cachefiles_add_cache() 2024-03-06 14:38:50 +00:00
ceph ceph: fix possible integer overflow in ceph_zero_objects() 2025-07-10 15:57:34 +02:00
cifs smb: client: fix use-after-free in crypt_message when using async crypto 2025-08-28 16:24:31 +02:00
coda coda: Avoid partial allocation of sig_inputArgs 2023-03-10 09:39:50 +01:00
configfs configfs: Do not override creating attribute file failure in populate_attrs() 2025-06-27 11:05:22 +01:00
cramfs
crypto
debugfs debugfs: fix automount d_fsdata usage 2024-01-25 14:52:27 -08:00
devpts
dlm dlm: make tcp still work in multi-link env 2025-06-04 14:37:56 +02:00
ecryptfs ecryptfs: Fix buffer size for tag 66 packet 2024-06-16 13:39:16 +02:00
efivarfs efivarfs: Fix error on non-existent file 2025-01-09 13:28:32 +01:00
efs
erofs erofs: fix incorrect symlink detection in fast symlink 2025-01-09 13:28:30 +01:00
exfat exfat: fix double free in delayed_free 2025-06-27 11:05:28 +01:00
exportfs exportfs: use pr_debug for unreachable debug statements 2024-04-10 16:19:21 +02:00
ext2 ext2: Handle fiemap on empty files to prevent EINVAL 2025-08-28 16:24:17 +02:00
ext4 ext4: fix hole length calculation overflow in non-extent inodes 2025-08-28 16:24:28 +02:00
f2fs f2fs: fix to avoid out-of-boundary access in dnode page 2025-08-28 16:24:36 +02:00
fat fat: fix uninitialized variable 2024-10-22 15:40:40 +02:00
freevxfs
fscache
fuse virtiofs: add filesystem context source name check 2025-05-02 07:44:14 +02:00
gfs2 gfs2: move msleep to sleepable context 2025-06-27 11:05:23 +01:00
hfs hfs: fix not erasing deleted b-tree node issue 2025-08-28 16:24:16 +02:00
hfsplus hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() 2025-08-28 16:24:16 +02:00
hostfs
hpfs
hugetlbfs mm: update memfd seal write check to include F_SEAL_WRITE 2025-08-28 16:24:30 +02:00
iomap iomap: update ki_pos a little later in iomap_dio_complete 2023-12-08 08:48:05 +01:00
isofs isofs: Verify inode mode when loading from disk 2025-08-28 16:23:59 +02:00
jbd2 jbd2: prevent softlockup in jbd2_log_do_checkpoint() 2025-08-28 16:24:29 +02:00
jffs2 jffs2: check jffs2_prealloc_raw_node_refs() result in few other places 2025-06-27 11:05:34 +01:00
jfs jfs: upper bound check of tree index in dbAllocAG 2025-08-28 16:24:23 +02:00
kernfs fs/kernfs/dir: obey S_ISGID 2024-02-23 08:54:51 +01:00
ksmbd smb: server: Fix extension string in ksmbd_extract_shortname() 2025-08-28 16:24:31 +02:00
lockd nfsd: stop setting ->pg_stats for unused stats 2024-09-04 13:23:30 +02:00
minix
netfs
nfs NFS: Fix the setting of capabilities when automounting a new filesystem 2025-08-28 16:24:32 +02:00
nfs_common
nfsd NFSD: detect mismatch of file handle and delegation stateid in OPEN op 2025-08-28 16:24:15 +02:00
nilfs2 nilfs2: reject invalid file types when reading inodes 2025-08-28 16:24:05 +02:00
nls fs/nls: make load_nls() take a const parameter 2023-09-19 12:22:27 +02:00
notify fsnotify: fix sending inotify event with unexpected filename 2024-12-14 19:51:13 +01:00
ntfs
ntfs3 fs/ntfs3: correctly create symlink for relative path 2025-08-28 16:24:17 +02:00
ocfs2 ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery 2025-06-27 11:05:14 +01:00
omfs
openpromfs openpromfs: finish conversion to the new mount API 2024-06-16 13:39:16 +02:00
orangefs fs/orangefs: use snprintf() instead of sprintf() 2025-08-28 16:24:23 +02:00
overlayfs ovl: Check for NULL d_inode() in ovl_dentry_upper() 2025-07-10 15:57:34 +02:00
proc fs/proc: do_task_stat: use __for_each_thread() 2025-07-17 18:30:47 +02:00
pstore pstore/blk: trivial typo fixes 2025-03-13 12:49:51 +01:00
qnx4
qnx6
quota quota: flush quota_release_work upon quota writeback 2024-12-14 19:51:22 +01:00
ramfs shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs 2023-07-23 13:47:33 +02:00
reiserfs reiserfs: Check the return value from __getblk() 2023-09-19 12:22:30 +02:00
romfs
smbfs_common
squashfs squashfs: fix memory leak in squashfs_fill_super 2025-08-28 16:24:34 +02:00
sysfs fs: sysfs: Fix reference leak in sysfs_break_active_protection() 2024-04-27 17:05:28 +02:00
sysv sysv: don't call sb_bread() with pointers_lock held 2024-04-13 13:01:44 +02:00
tracefs tracefs: Add missing lockdown check to tracefs_create_dir() 2023-09-23 11:10:02 +02:00
ubifs ubifs: skip dumping tnc tree when zroot is null 2025-03-13 12:50:11 +01:00
udf udf: Verify partition map count 2025-08-28 16:24:16 +02:00
ufs
unicode Revert "unicode: Don't special case ignorable code points" 2024-12-14 19:51:44 +01:00
vboxsf vboxsf: fix building with GCC 15 2025-04-10 14:31:50 +02:00
verity fsverity: skip PKCS#7 parser when keyring is empty 2023-09-19 12:22:52 +02:00
xfs xfs: allow inode inactivation during a ro mount log recovery 2025-06-27 11:05:22 +01:00
zonefs zonefs: Improve error handling 2024-03-01 13:21:43 +01:00
aio.c fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion 2024-04-10 16:18:46 +02:00
anon_inodes.c
attr.c attr: block mode changes of symlinks 2023-09-23 11:10:01 +02:00
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c fs: binfmt_elf_efpic: don't use missing interpreter's properties 2024-09-04 13:23:24 +02:00
binfmt_elf.c
binfmt_flat.c binfmt_flat: Fix integer overflow bug on 32 bit systems 2025-03-13 12:50:24 +01:00
binfmt_misc.c binfmt_misc: cleanup on filesystem umount 2024-09-04 13:23:22 +02:00
binfmt_script.c
buffer.c fs/buffer: fix use-after-free when call bh_read() helper 2025-08-28 16:24:34 +02:00
char_dev.c
compat_binfmt_elf.c
coredump.c coredump: hand a pidfd to the usermode coredump helper 2025-06-04 14:38:07 +02:00
d_path.c
dax.c
dcache.c fs: better handle deep ancestor chains in is_subdir() 2024-07-27 10:46:13 +02:00
direct-io.c
drop_caches.c
eventfd.c eventfd: prevent underflow for eventfd semaphores 2023-09-19 12:22:30 +02:00
eventpoll.c eventpoll: Fix semi-unbounded recursion 2025-08-28 16:24:15 +02:00
exec.c exec: don't WARN for racy path_noexec check 2024-11-01 01:52:35 +01:00
fcntl.c fs: Fix file_set_fowner LSM hook inconsistencies 2024-10-17 15:11:15 +02:00
fhandle.c do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 2024-03-26 18:21:14 -04:00
file_table.c fs: fix proc_handler for sysctl_nr_open 2025-03-13 12:49:50 +01:00
file.c fs: Prevent file descriptor table allocations exceeding INT_MAX 2025-08-28 16:24:15 +02:00
filesystems.c fs/filesystems: Fix potential unsigned integer underflow in fs_name() 2025-06-27 11:05:20 +01:00
fs_context.c fs: avoid empty option when generating legacy mount string 2023-07-23 13:47:34 +02:00
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs 2023-11-20 11:08:13 +01:00
fsopen.c
init.c
inode.c fs: move inode sysctls to its own file 2025-03-13 12:49:50 +01:00
internal.h nfs: use vfs setgid helper 2023-08-30 16:18:19 +02:00
ioctl.c lsm: new security_file_ioctl_compat() hook 2024-02-23 08:54:25 +01:00
Kconfig nfs: add missing selections of CONFIG_CRC32 2025-05-02 07:44:12 +02:00
Kconfig.binfmt
kernel_read_file.c
libfs.c better lockdep annotations for simple_recursive_removal() 2025-08-28 16:24:16 +02:00
locks.c filelock: Fix fcntl/close race recovery compat path 2024-07-27 10:46:17 +02:00
Makefile
mbcache.c mbcache: Avoid nesting of cache->c_list_lock under bit locks 2023-01-12 11:59:20 +01:00
mount.h
mpage.c
namei.c fuse: don't truncate cached, mutated symlink 2025-04-10 14:31:51 +02:00
namespace.c use uniform permission checks for all mount propagation changes 2025-08-28 16:24:34 +02:00
no-block.c
nsfs.c
open.c openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) 2024-11-01 01:52:37 +01:00
pipe.c fs/pipe: Fix lockdep false-positive in watchqueue pipe_write() 2024-04-10 16:19:42 +02:00
pnode.c pnode: terminate at peers of source 2023-01-12 11:58:47 +01:00
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c
remap_range.c
select.c select: Fix unbalanced user_access_end() 2025-03-13 12:49:51 +01:00
seq_file.c
signalfd.c
splice.c
stack.c
stat.c
statfs.c statfs: enforce statfs[64] structure initialization 2023-05-24 17:36:54 +01:00
super.c fs: explicitly unregister per-superblock BDIs 2024-10-17 15:10:43 +02:00
sync.c
timerfd.c
userfaultfd.c Fix userfaultfd_api to return EINVAL as expected 2024-07-18 13:07:42 +02:00
utimes.c
xattr.c