1. 05 Dec, 2018 40 commits
    • Thomas Gleixner's avatar
      x86/Kconfig: Select SCHED_SMT if SMP enabled · 44ac7cd0
      Thomas Gleixner authored
      commit dbe73364
      
       upstream
      
      CONFIG_SCHED_SMT is enabled by all distros, so there is not a real point to
      have it configurable. The runtime overhead in the core scheduler code is
      minimal because the actual SMT scheduling parts are conditional on a static
      key.
      
      This allows to expose the scheduler's SMT state static key to the
      speculation control code. Alternatively the scheduler's static key could be
      made always available when CONFIG_SMP is enabled, but that's just adding an
      unused static key to every other architecture for nothing.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Casey Schaufler <casey.schaufler@intel.com>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Waiman Long <longman9394@gmail.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Dave Stewart <david.c.stewart@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181125185004.337452245@linutronix.de
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44ac7cd0
    • Peter Zijlstra (Intel)'s avatar
      sched/smt: Make sched_smt_present track topology · 01659361
      Peter Zijlstra (Intel) authored
      commit c5511d03
      
       upstream
      
      Currently the 'sched_smt_present' static key is enabled when at CPU bringup
      SMT topology is observed, but it is never disabled. However there is demand
      to also disable the key when the topology changes such that there is no SMT
      present anymore.
      
      Implement this by making the key count the number of cores that have SMT
      enabled.
      
      In particular, the SMT topology bits are set before interrrupts are enabled
      and similarly, are cleared after interrupts are disabled for the last time
      and the CPU dies.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Casey Schaufler <casey.schaufler@intel.com>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Waiman Long <longman9394@gmail.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Dave Stewart <david.c.stewart@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181125185004.246110444@linutronix.de
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      01659361
    • Tim Chen's avatar
      x86/speculation: Reorganize speculation control MSRs update · bc4aa78e
      Tim Chen authored
      commit 01daf568
      
       upstream
      
      The logic to detect whether there's a change in the previous and next
      task's flag relevant to update speculation control MSRs is spread out
      across multiple functions.
      
      Consolidate all checks needed for updating speculation control MSRs into
      the new __speculation_ctrl_update() helper function.
      
      This makes it easy to pick the right speculation control MSR and the bits
      in MSR_IA32_SPEC_CTRL that need updating based on TIF flags changes.
      Originally-by: default avatarThomas Lendacky <Thomas.Lendacky@amd.com>
      Signed-off-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Casey Schaufler <casey.schaufler@intel.com>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Waiman Long <longman9394@gmail.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Dave Stewart <david.c.stewart@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181125185004.151077005@linutronix.de
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc4aa78e
    • Thomas Gleixner's avatar
      x86/speculation: Rename SSBD update functions · 999b295a
      Thomas Gleixner authored
      commit 26c4d75b
      
       upstream
      
      During context switch, the SSBD bit in SPEC_CTRL MSR is updated according
      to changes of the TIF_SSBD flag in the current and next running task.
      
      Currently, only the bit controlling speculative store bypass disable in
      SPEC_CTRL MSR is updated and the related update functions all have
      "speculative_store" or "ssb" in their names.
      
      For enhanced mitigation control other bits in SPEC_CTRL MSR need to be
      updated as well, which makes the SSB names inadequate.
      
      Rename the "speculative_store*" functions to a more generic name. No
      functional change.
      Signed-off-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Casey Schaufler <casey.schaufler@intel.com>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Waiman Long <longman9394@gmail.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Dave Stewart <david.c.stewart@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181125185004.058866968@linutronix.de
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      999b295a
    • Tim Chen's avatar
      x86/speculation: Disable STIBP when enhanced IBRS is in use · aca2ddbc
      Tim Chen authored
      commit 34bce7c9
      
       upstream
      
      If enhanced IBRS is active, STIBP is redundant for mitigating Spectre v2
      user space exploits from hyperthread sibling.
      
      Disable STIBP when enhanced IBRS is used.
      Signed-off-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Casey Schaufler <casey.schaufler@intel.com>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Waiman Long <longman9394@gmail.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Dave Stewart <david.c.stewart@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181125185003.966801480@linutronix.de
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aca2ddbc
    • Tim Chen's avatar
      x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() · 8588c7d4
      Tim Chen authored
      commit a8f76ae4
      
       upstream
      
      The Spectre V2 printout in cpu_show_common() handles conditionals for the
      various mitigation methods directly in the sprintf() argument list. That's
      hard to read and will become unreadable if more complex decisions need to
      be made for a particular method.
      
      Move the conditionals for STIBP and IBPB string selection into helper
      functions, so they can be extended later on.
      Signed-off-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Casey Schaufler <casey.schaufler@intel.com>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Waiman Long <longman9394@gmail.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Dave Stewart <david.c.stewart@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181125185003.874479208@linutronix.de
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8588c7d4
    • Tim Chen's avatar
      x86/speculation: Remove unnecessary ret variable in cpu_show_common() · 05dd5dc4
      Tim Chen authored
      commit b86bda04
      
       upstream
      Signed-off-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Casey Schaufler <casey.schaufler@intel.com>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Waiman Long <longman9394@gmail.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Dave Stewart <david.c.stewart@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181125185003.783903657@linutronix.de
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      05dd5dc4
    • Tim Chen's avatar
      x86/speculation: Clean up spectre_v2_parse_cmdline() · 4398714c
      Tim Chen authored
      commit 24848509
      
       upstream
      
      Remove the unnecessary 'else' statement in spectre_v2_parse_cmdline()
      to save an indentation level.
      Signed-off-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Casey Schaufler <casey.schaufler@intel.com>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Waiman Long <longman9394@gmail.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Dave Stewart <david.c.stewart@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181125185003.688010903@linutronix.de
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4398714c
    • Tim Chen's avatar
      x86/speculation: Update the TIF_SSBD comment · 7d422ca1
      Tim Chen authored
      commit 8eb729b7
      
       upstream
      
      "Reduced Data Speculation" is an obsolete term. The correct new name is
      "Speculative store bypass disable" - which is abbreviated into SSBD.
      Signed-off-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Casey Schaufler <casey.schaufler@intel.com>
      Cc: Asit Mallick <asit.k.mallick@intel.com>
      Cc: Arjan van de Ven <arjan@linux.intel.com>
      Cc: Jon Masters <jcm@redhat.com>
      Cc: Waiman Long <longman9394@gmail.com>
      Cc: Greg KH <gregkh@linuxfoundation.org>
      Cc: Dave Stewart <david.c.stewart@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20181125185003.593893901@linutronix.de
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d422ca1
    • Zhenzhong Duan's avatar
      x86/retpoline: Remove minimal retpoline support · 8bbb50b6
      Zhenzhong Duan authored
      commit ef014aae
      
       upstream
      
      Now that CONFIG_RETPOLINE hard depends on compiler support, there is no
      reason to keep the minimal retpoline support around which only provided
      basic protection in the assembly files.
      Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarZhenzhong Duan <zhenzhong.duan@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: <srinivas.eeda@oracle.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/f06f0a89-5587-45db-8ed2-0a9d6638d5c0@default
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8bbb50b6
    • Zhenzhong Duan's avatar
      x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support · a9c90037
      Zhenzhong Duan authored
      commit 4cd24de3
      
       upstream
      
      Since retpoline capable compilers are widely available, make
      CONFIG_RETPOLINE hard depend on the compiler capability.
      
      Break the build when CONFIG_RETPOLINE is enabled and the compiler does not
      support it. Emit an error message in that case:
      
       "arch/x86/Makefile:226: *** You are building kernel with non-retpoline
        compiler, please update your compiler..  Stop."
      
      [dwmw: Fail the build with non-retpoline compiler]
      Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarZhenzhong Duan <zhenzhong.duan@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: Michal Marek <michal.lkml@markovi.net>
      Cc: <srinivas.eeda@oracle.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/cca0cb20-f9e2-4094-840b-fb0f8810cd34@default
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9c90037
    • Zhenzhong Duan's avatar
      x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC variant · 46dfe55f
      Zhenzhong Duan authored
      commit 0cbb76d6
      
       upstream
      
      ..so that they match their asm counterpart.
      
      Add the missing ANNOTATE_NOSPEC_ALTERNATIVE in CALL_NOSPEC, while at it.
      Signed-off-by: default avatarZhenzhong Duan <zhenzhong.duan@oracle.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Wang YanQing <udknight@gmail.com>
      Cc: dhaval.giani@oracle.com
      Cc: srinivas.eeda@oracle.com
      Link: http://lkml.kernel.org/r/c3975665-173e-4d70-8dee-06c926ac26ee@default
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46dfe55f
    • Jiri Kosina's avatar
      x86/speculation: Propagate information about RSB filling mitigation to sysfs · 0d55dce7
      Jiri Kosina authored
      commit bb4b3b77
      
       upstream
      
      If spectrev2 mitigation has been enabled, RSB is filled on context switch
      in order to protect from various classes of spectrev2 attacks.
      
      If this mitigation is enabled, say so in sysfs for spectrev2.
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc:  "WoodhouseDavid" <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc:  "SchauflerCasey" <casey.schaufler@intel.com>
      Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1809251438580.15880@cbobk.fhfr.pm
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0d55dce7
    • Jiri Kosina's avatar
      x86/speculation: Apply IBPB more strictly to avoid cross-process data leak · 4741e319
      Jiri Kosina authored
      commit dbfe2953 upstream
      
      Currently, IBPB is only issued in cases when switching into a non-dumpable
      process, the rationale being to protect such 'important and security
      sensitive' processess (such as GPG) from data leaking into a different
      userspace process via spectre v2.
      
      This is however completely insufficient to provide proper userspace-to-userpace
      spectrev2 protection, as any process can poison branch buffers before being
      scheduled out, and the newly scheduled process immediately becomes spectrev2
      victim.
      
      In order to minimize the performance impact (for usecases that do require
      spectrev2 protection), issue the barrier only in cases when switching between
      processess where the victim can't be ptraced by the potential attacker (as in
      such cases, the attacker doesn't have to bother with branch buffers at all).
      
      [ tglx: Split up PTRACE_MODE_NOACCESS_CHK into PTRACE_MODE_SCHED and
        PTRACE_MODE_IBPB to be able to do ptrace() context tracking reasonably
        fine-grained ]
      
      Fixes: 18bf3c3e
      
       ("x86/speculation: Use Indirect Branch Prediction Barrier in context switch")
      Originally-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc:  "WoodhouseDavid" <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc:  "SchauflerCasey" <casey.schaufler@intel.com>
      Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1809251437340.15880@cbobk.fhfr.pm
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4741e319
    • Jiri Kosina's avatar
      x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation · 300a6f27
      Jiri Kosina authored
      commit 53c613fe
      
       upstream
      
      STIBP is a feature provided by certain Intel ucodes / CPUs. This feature
      (once enabled) prevents cross-hyperthread control of decisions made by
      indirect branch predictors.
      
      Enable this feature if
      
      - the CPU is vulnerable to spectre v2
      - the CPU supports SMT and has SMT siblings online
      - spectre_v2 mitigation autoselection is enabled (default)
      
      After some previous discussion, this leaves STIBP on all the time, as wrmsr
      on crossing kernel boundary is a no-no. This could perhaps later be a bit
      more optimized (like disabling it in NOHZ, experiment with disabling it in
      idle, etc) if needed.
      
      Note that the synchronization of the mask manipulation via newly added
      spec_ctrl_mutex is currently not strictly needed, as the only updater is
      already being serialized by cpu_add_remove_lock, but let's make this a
      little bit more future-proof.
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc:  "WoodhouseDavid" <dwmw@amazon.co.uk>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc:  "SchauflerCasey" <casey.schaufler@intel.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1809251438240.15880@cbobk.fhfr.pm
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      300a6f27
    • Tom Lendacky's avatar
      x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR · 82647e46
      Tom Lendacky authored
      commit 612bc3b3
      
       upstream
      
      On AMD, the presence of the MSR_SPEC_CTRL feature does not imply that the
      SSBD mitigation support should use the SPEC_CTRL MSR. Other features could
      have caused the MSR_SPEC_CTRL feature to be set, while a different SSBD
      mitigation option is in place.
      
      Update the SSBD support to check for the actual SSBD features that will
      use the SPEC_CTRL MSR.
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Cc: Borislav Petkov <bpetkov@suse.de>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 6ac2f49e ("x86/bugs: Add AMD's SPEC_CTRL MSR usage")
      Link: http://lkml.kernel.org/r/20180702213602.29202.33151.stgit@tlendack-t1.amdoffice.net
      
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82647e46
    • Tom Lendacky's avatar
      x86/bugs: Update when to check for the LS_CFG SSBD mitigation · 0071cdff
      Tom Lendacky authored
      commit 845d382b
      
       upstream
      
      If either the X86_FEATURE_AMD_SSBD or X86_FEATURE_VIRT_SSBD features are
      present, then there is no need to perform the check for the LS_CFG SSBD
      mitigation support.
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Cc: Borislav Petkov <bpetkov@suse.de>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20180702213553.29202.21089.stgit@tlendack-t1.amdoffice.net
      
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0071cdff
    • Konrad Rzeszutek Wilk's avatar
      x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features · 6d2533a6
      Konrad Rzeszutek Wilk authored
      commit 108fab4b
      
       upstream
      
      Both AMD and Intel can have SPEC_CTRL_MSR for SSBD.
      
      However AMD also has two more other ways of doing it - which
      are !SPEC_CTRL MSR ways.
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: kvm@vger.kernel.org
      Cc: KarimAllah Ahmed <karahmed@amazon.de>
      Cc: andrew.cooper3@citrix.com
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Link: https://lkml.kernel.org/r/20180601145921.9500-4-konrad.wilk@oracle.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d2533a6
    • Konrad Rzeszutek Wilk's avatar
      x86/bugs: Add AMD's SPEC_CTRL MSR usage · 54b65f8e
      Konrad Rzeszutek Wilk authored
      commit 6ac2f49e upstream
      
      The AMD document outlining the SSBD handling
      124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
      mentions that if CPUID 8000_0008.EBX[24] is set we should be using
      the SPEC_CTRL MSR (0x48) over the VIRT SPEC_CTRL MSR (0xC001_011f)
      for speculative store bypass disable.
      
      This in effect means we should clear the X86_FEATURE_VIRT_SSBD
      flag so that we would prefer the SPEC_CTRL MSR.
      
      See the document titled:
         124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
      
      A copy of this document is available at
         https://bugzilla.kernel.org/show_bug.cgi?id=199889
      
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
      Cc: kvm@vger.kernel.org
      Cc: KarimAllah Ahmed <karahmed@amazon.de>
      Cc: andrew.cooper3@citrix.com
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Cc: Kees Cook <keescook@chromium.org>
      Link: https://lkml.kernel.org/r/20180601145921.9500-3-konrad.wilk@oracle.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54b65f8e
    • Konrad Rzeszutek Wilk's avatar
      x86/bugs: Add AMD's variant of SSB_NO · da06d6d1
      Konrad Rzeszutek Wilk authored
      commit 24809860 upstream
      
      The AMD document outlining the SSBD handling
      124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
      mentions that the CPUID 8000_0008.EBX[26] will mean that the
      speculative store bypass disable is no longer needed.
      
      A copy of this document is available at:
          https://bugzilla.kernel.org/show_bug.cgi?id=199889
      
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
      Cc: kvm@vger.kernel.org
      Cc: andrew.cooper3@citrix.com
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Link: https://lkml.kernel.org/r/20180601145921.9500-2-konrad.wilk@oracle.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da06d6d1
    • Peter Zijlstra's avatar
      sched/core: Fix cpu.max vs. cpuhotplug deadlock · e5d981df
      Peter Zijlstra authored
      commit ce48c146
      
       upstream
      
      Tejun reported the following cpu-hotplug lock (percpu-rwsem) read recursion:
      
        tg_set_cfs_bandwidth()
          get_online_cpus()
            cpus_read_lock()
      
          cfs_bandwidth_usage_inc()
            static_key_slow_inc()
              cpus_read_lock()
      Reported-by: default avatarTejun Heo <tj@kernel.org>
      Tested-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20180122215328.GP3397@worktop
      
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e5d981df
    • Bernd Eckstein's avatar
      usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 · 72e5a2bd
      Bernd Eckstein authored
      [ Upstream commit 45611c61
      
       ]
      
      The bug is not easily reproducable, as it may occur very infrequently
      (we had machines with 20minutes heavy downloading before it occurred)
      However, on a virual machine (VMWare on Windows 10 host) it occurred
      pretty frequently (1-2 seconds after a speedtest was started)
      
      dev->tx_skb mab be freed via dev_kfree_skb_irq on a callback
      before it is set.
      
      This causes the following problems:
      - double free of the skb or potential memory leak
      - in dmesg: 'recvmsg bug' and 'recvmsg bug 2' and eventually
        general protection fault
      
      Example dmesg output:
      [  134.841986] ------------[ cut here ]------------
      [  134.841987] recvmsg bug: copied 9C24A555 seq 9C24B557 rcvnxt 9C25A6B3 fl 0
      [  134.841993] WARNING: CPU: 7 PID: 2629 at /build/linux-hwe-On9fm7/linux-hwe-4.15.0/net/ipv4/tcp.c:1865 tcp_recvmsg+0x44d/0xab0
      [  134.841994] Modules linked in: ipheth(OE) kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd vmw_balloon intel_rapl_perf joydev input_leds serio_raw vmw_vsock_vmci_transport vsock shpchp i2c_piix4 mac_hid binfmt_misc vmw_vmci parport_pc ppdev lp parport autofs4 vmw_pvscsi vmxnet3 hid_generic usbhid hid vmwgfx ttm drm_kms_helper syscopyarea sysfillrect mptspi mptscsih sysimgblt ahci psmouse fb_sys_fops pata_acpi mptbase libahci e1000 drm scsi_transport_spi
      [  134.842046] CPU: 7 PID: 2629 Comm: python Tainted: G        W  OE    4.15.0-34-generic #37~16.04.1-Ubuntu
      [  134.842046] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
      [  134.842048] RIP: 0010:tcp_recvmsg+0x44d/0xab0
      [  134.842048] RSP: 0018:ffffa6630422bcc8 EFLAGS: 00010286
      [  134.842049] RAX: 0000000000000000 RBX: ffff997616f4f200 RCX: 0000000000000006
      [  134.842049] RDX: 0000000000000007 RSI: 0000000000000082 RDI: ffff9976257d6490
      [  134.842050] RBP: ffffa6630422bd98 R08: 0000000000000001 R09: 000000000004bba4
      [  134.842050] R10: 0000000001e00c6f R11: 000000000004bba4 R12: ffff99760dee3000
      [  134.842051] R13: 0000000000000000 R14: ffff99760dee3514 R15: 0000000000000000
      [  134.842051] FS:  00007fe332347700(0000) GS:ffff9976257c0000(0000) knlGS:0000000000000000
      [  134.842052] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  134.842053] CR2: 0000000001e41000 CR3: 000000020e9b4006 CR4: 00000000003606e0
      [  134.842055] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  134.842055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  134.842057] Call Trace:
      [  134.842060]  ? aa_sk_perm+0x53/0x1a0
      [  134.842064]  inet_recvmsg+0x51/0xc0
      [  134.842066]  sock_recvmsg+0x43/0x50
      [  134.842070]  SYSC_recvfrom+0xe4/0x160
      [  134.842072]  ? __schedule+0x3de/0x8b0
      [  134.842075]  ? ktime_get_ts64+0x4c/0xf0
      [  134.842079]  SyS_recvfrom+0xe/0x10
      [  134.842082]  do_syscall_64+0x73/0x130
      [  134.842086]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      [  134.842086] RIP: 0033:0x7fe331f5a81d
      [  134.842088] RSP: 002b:00007ffe8da98398 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
      [  134.842090] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00007fe331f5a81d
      [  134.842094] RDX: 00000000000003fb RSI: 0000000001e00874 RDI: 0000000000000003
      [  134.842095] RBP: 00007fe32f642c70 R08: 0000000000000000 R09: 0000000000000000
      [  134.842097] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe332347698
      [  134.842099] R13: 0000000001b7e0a0 R14: 0000000001e00874 R15: 0000000000000000
      [  134.842103] Code: 24 fd ff ff e9 cc fe ff ff 48 89 d8 41 8b 8c 24 10 05 00 00 44 8b 45 80 48 c7 c7 08 bd 59 8b 48 89 85 68 ff ff ff e8 b3 c4 7d ff <0f> 0b 48 8b 85 68 ff ff ff e9 e9 fe ff ff 41 8b 8c 24 10 05 00
      [  134.842126] ---[ end trace b7138fc08c83147f ]---
      [  134.842144] general protection fault: 0000 [#1] SMP PTI
      [  134.842145] Modules linked in: ipheth(OE) kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd vmw_balloon intel_rapl_perf joydev input_leds serio_raw vmw_vsock_vmci_transport vsock shpchp i2c_piix4 mac_hid binfmt_misc vmw_vmci parport_pc ppdev lp parport autofs4 vmw_pvscsi vmxnet3 hid_generic usbhid hid vmwgfx ttm drm_kms_helper syscopyarea sysfillrect mptspi mptscsih sysimgblt ahci psmouse fb_sys_fops pata_acpi mptbase libahci e1000 drm scsi_transport_spi
      [  134.842161] CPU: 7 PID: 2629 Comm: python Tainted: G        W  OE    4.15.0-34-generic #37~16.04.1-Ubuntu
      [  134.842162] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
      [  134.842164] RIP: 0010:tcp_close+0x2c6/0x440
      [  134.842165] RSP: 0018:ffffa6630422bde8 EFLAGS: 00010202
      [  134.842167] RAX: 0000000000000000 RBX: ffff99760dee3000 RCX: 0000000180400034
      [  134.842168] RDX: 5c4afd407207a6c4 RSI: ffffe868495bd300 RDI: ffff997616f4f200
      [  134.842169] RBP: ffffa6630422be08 R08: 0000000016f4d401 R09: 0000000180400034
      [  134.842169] R10: ffffa6630422bd98 R11: 0000000000000000 R12: 000000000000600c
      [  134.842170] R13: 0000000000000000 R14: ffff99760dee30c8 R15: ffff9975bd44fe00
      [  134.842171] FS:  00007fe332347700(0000) GS:ffff9976257c0000(0000) knlGS:0000000000000000
      [  134.842173] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  134.842174] CR2: 0000000001e41000 CR3: 000000020e9b4006 CR4: 00000000003606e0
      [  134.842177] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  134.842178] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  134.842179] Call Trace:
      [  134.842181]  inet_release+0x42/0x70
      [  134.842183]  __sock_release+0x42/0xb0
      [  134.842184]  sock_close+0x15/0x20
      [  134.842187]  __fput+0xea/0x220
      [  134.842189]  ____fput+0xe/0x10
      [  134.842191]  task_work_run+0x8a/0xb0
      [  134.842193]  exit_to_usermode_loop+0xc4/0xd0
      [  134.842195]  do_syscall_64+0xf4/0x130
      [  134.842197]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      [  134.842197] RIP: 0033:0x7fe331f5a560
      [  134.842198] RSP: 002b:00007ffe8da982e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
      [  134.842200] RAX: 0000000000000000 RBX: 00007fe32f642c70 RCX: 00007fe331f5a560
      [  134.842201] RDX: 00000000008f5320 RSI: 0000000001cd4b50 RDI: 0000000000000003
      [  134.842202] RBP: 00007fe32f6500f8 R08: 000000000000003c R09: 00000000009343c0
      [  134.842203] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe32f6500d0
      [  134.842204] R13: 00000000008f5320 R14: 00000000008f5320 R15: 0000000001cd4770
      [  134.842205] Code: c8 00 00 00 45 31 e4 49 39 fe 75 4d eb 50 83 ab d8 00 00 00 01 48 8b 17 48 8b 47 08 48 c7 07 00 00 00 00 48 c7 47 08 00 00 00 00 <48> 89 42 08 48 89 10 0f b6 57 34 8b 47 2c 2b 47 28 83 e2 01 80
      [  134.842226] RIP: tcp_close+0x2c6/0x440 RSP: ffffa6630422bde8
      [  134.842227] ---[ end trace b7138fc08c831480 ]---
      
      The proposed patch eliminates a potential racing condition.
      Before, usb_submit_urb was called and _after_ that, the skb was attached
      (dev->tx_skb). So, on a callback it was possible, however unlikely that the
      skb was freed before it was set. That way (because dev->tx_skb was not set
      to NULL after it was freed), it could happen that a skb from a earlier
      transmission was freed a second time (and the skb we should have freed did
      not get freed at all)
      
      Now we free the skb directly in ipheth_tx(). It is not passed to the
      callback anymore, eliminating the posibility of a double free of the same
      skb. Depending on the retval of usb_submit_urb() we use dev_kfree_skb_any()
      respectively dev_consume_skb_any() to free the skb.
      Signed-off-by: default avatarOliver Zweigle <Oliver.Zweigle@faro.com>
      Signed-off-by: default avatarBernd Eckstein <3ernd.Eckstein@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72e5a2bd
    • Julian Wiedmann's avatar
      s390/qeth: fix length check in SNMP processing · eb09c6db
      Julian Wiedmann authored
      [ Upstream commit 9a764c1e ]
      
      The response for a SNMP request can consist of multiple parts, which
      the cmd callback stages into a kernel buffer until all parts have been
      received. If the callback detects that the staging buffer provides
      insufficient space, it bails out with error.
      This processing is buggy for the first part of the response - while it
      initially checks for a length of 'data_len', it later copies an
      additional amount of 'offsetof(struct qeth_snmp_cmd, data)' bytes.
      
      Fix the calculation of 'data_len' for the first part of the response.
      This also nicely cleans up the memcpy code.
      
      Fixes: 1da177e4
      
       ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Reviewed-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb09c6db
    • Pan Bian's avatar
      rapidio/rionet: do not free skb before reading its length · 47897682
      Pan Bian authored
      [ Upstream commit cfc43519 ]
      
      skb is freed via dev_kfree_skb_any, however, skb->len is read then. This
      may result in a use-after-free bug.
      
      Fixes: e6161d64
      
       ("rapidio/rionet: rework driver initialization and removal")
      Signed-off-by: default avatarPan Bian <bianpan2016@163.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47897682
    • Willem de Bruijn's avatar
      packet: copy user buffers before orphan or clone · 67f6fba7
      Willem de Bruijn authored
      [ Upstream commit 5cd8d46e ]
      
      tpacket_snd sends packets with user pages linked into skb frags. It
      notifies that pages can be reused when the skb is released by setting
      skb->destructor to tpacket_destruct_skb.
      
      This can cause data corruption if the skb is orphaned (e.g., on
      transmit through veth) or cloned (e.g., on mirror to another psock).
      
      Create a kernel-private copy of data in these cases, same as tun/tap
      zerocopy transmission. Reuse that infrastructure: mark the skb as
      SKBTX_ZEROCOPY_FRAG, which will trigger copy in skb_orphan_frags(_rx).
      
      Unlike other zerocopy packets, do not set shinfo destructor_arg to
      struct ubuf_info. tpacket_destruct_skb already uses that ptr to notify
      when the original skb is released and a timestamp is recorded. Do not
      change this timestamp behavior. The ubuf_info->callback is not needed
      anyway, as no zerocopy notification is expected.
      
      Mark destructor_arg as not-a-uarg by setting the lower bit to 1. The
      resulting value is not a valid ubuf_info pointer, nor a valid
      tpacket_snd frame address. Add skb_zcopy_.._nouarg helpers for this.
      
      The fix relies on features introduced in commit 52267790 ("sock:
      add MSG_ZEROCOPY"), so can be backported as is only to 4.14.
      
      Tested with from `./in_netns.sh ./txring_overwrite` from
      http://github.com/wdebruij/kerneltools/tests
      
      Fixes: 69e3c75f
      
       ("net: TX_RING and packet mmap")
      Reported-by: default avatarAnand H. Krishnan <anandhkrishnan@gmail.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      67f6fba7
    • Lorenzo Bianconi's avatar
      net: thunderx: set tso_hdrs pointer to NULL in nicvf_free_snd_queue · 42412faf
      Lorenzo Bianconi authored
      [ Upstream commit ef2a7cf1 ]
      
      Reset snd_queue tso_hdrs pointer to NULL in nicvf_free_snd_queue routine
      since it is used to check if tso dma descriptor queue has been previously
      allocated. The issue can be triggered with the following reproducer:
      
      $ip link set dev enP2p1s0v0 xdpdrv obj xdp_dummy.o
      $ip link set dev enP2p1s0v0 xdpdrv off
      
      [  341.467649] WARNING: CPU: 74 PID: 2158 at mm/vmalloc.c:1511 __vunmap+0x98/0xe0
      [  341.515010] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018
      [  341.521874] pstate: 60400005 (nZCv daif +PAN -UAO)
      [  341.526654] pc : __vunmap+0x98/0xe0
      [  341.530132] lr : __vunmap+0x98/0xe0
      [  341.533609] sp : ffff00001c5db860
      [  341.536913] x29: ffff00001c5db860 x28: 0000000000020000
      [  341.542214] x27: ffff810feb5090b0 x26: ffff000017e57000
      [  341.547515] x25: 0000000000000000 x24: 00000000fbd00000
      [  341.552816] x23: 0000000000000000 x22: ffff810feb5090b0
      [  341.558117] x21: 0000000000000000 x20: 0000000000000000
      [  341.563418] x19: ffff000017e57000 x18: 0000000000000000
      [  341.568719] x17: 0000000000000000 x16: 0000000000000000
      [  341.574020] x15: 0000000000000010 x14: ffffffffffffffff
      [  341.579321] x13: ffff00008985eb27 x12: ffff00000985eb2f
      [  341.584622] x11: ffff0000096b3000 x10: ffff00001c5db510
      [  341.589923] x9 : 00000000ffffffd0 x8 : ffff0000086868e8
      [  341.595224] x7 : 3430303030303030 x6 : 00000000000006ef
      [  341.600525] x5 : 00000000003fffff x4 : 0000000000000000
      [  341.605825] x3 : 0000000000000000 x2 : ffffffffffffffff
      [  341.611126] x1 : ffff0000096b3728 x0 : 0000000000000038
      [  341.616428] Call trace:
      [  341.618866]  __vunmap+0x98/0xe0
      [  341.621997]  vunmap+0x3c/0x50
      [  341.624961]  arch_dma_free+0x68/0xa0
      [  341.628534]  dma_direct_free+0x50/0x80
      [  341.632285]  nicvf_free_resources+0x160/0x2d8 [nicvf]
      [  341.637327]  nicvf_config_data_transfer+0x174/0x5e8 [nicvf]
      [  341.642890]  nicvf_stop+0x298/0x340 [nicvf]
      [  341.647066]  __dev_close_many+0x9c/0x108
      [  341.650977]  dev_close_many+0xa4/0x158
      [  341.654720]  rollback_registered_many+0x140/0x530
      [  341.659414]  rollback_registered+0x54/0x80
      [  341.663499]  unregister_netdevice_queue+0x9c/0xe8
      [  341.668192]  unregister_netdev+0x28/0x38
      [  341.672106]  nicvf_remove+0xa4/0xa8 [nicvf]
      [  341.676280]  nicvf_shutdown+0x20/0x30 [nicvf]
      [  341.680630]  pci_device_shutdown+0x44/0x88
      [  341.684720]  device_shutdown+0x144/0x250
      [  341.688640]  kernel_restart_prepare+0x44/0x50
      [  341.692986]  kernel_restart+0x20/0x68
      [  341.696638]  __se_sys_reboot+0x210/0x238
      [  341.700550]  __arm64_sys_reboot+0x24/0x30
      [  341.704555]  el0_svc_handler+0x94/0x110
      [  341.708382]  el0_svc+0x8/0xc
      [  341.711252] ---[ end trace 3f4019c8439959c9 ]---
      [  341.715874] page:ffff7e0003ef4000 count:0 mapcount:0 mapping:0000000000000000 index:0x4
      [  341.723872] flags: 0x1fffe000000000()
      [  341.727527] raw: 001fffe000000000 ffff7e0003f1a008 ffff7e0003ef4048 0000000000000000
      [  341.735263] raw: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
      [  341.742994] page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
      
      where xdp_dummy.c is a simple bpf program that forwards the incoming
      frames to the network stack (available here:
      https://github.com/altoor/xdp_walkthrough_examples/blob/master/sample_1/xdp_dummy.c)
      
      Fixes: 05c773f5 ("net: thunderx: Add basic XDP support")
      Fixes: 4863dea3
      
       ("net: Adding support for Cavium ThunderX network controller")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42412faf
    • Jason Wang's avatar
      virtio-net: fail XDP set if guest csum is negotiated · 0435cabc
      Jason Wang authored
      [ Upstream commit 18ba58e1 ]
      
      We don't support partial csumed packet since its metadata will be lost
      or incorrect during XDP processing. So fail the XDP set if guest_csum
      feature is negotiated.
      
      Fixes: f600b690
      
       ("virtio_net: Add XDP support")
      Reported-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Cc: Jesper Dangaard Brouer <brouer@redhat.com>
      Cc: Pavel Popa <pashinho1990@gmail.com>
      Cc: David Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0435cabc
    • Jason Wang's avatar
      virtio-net: disable guest csum during XDP set · e5cfda6c
      Jason Wang authored
      [ Upstream commit e59ff2c4 ]
      
      We don't disable VIRTIO_NET_F_GUEST_CSUM if XDP was set. This means we
      can receive partial csumed packets with metadata kept in the
      vnet_hdr. This may have several side effects:
      
      - It could be overridden by header adjustment, thus is might be not
        correct after XDP processing.
      - There's no way to pass such metadata information through
        XDP_REDIRECT to another driver.
      - XDP does not support checksum offload right now.
      
      So simply disable guest csum if possible in this the case of XDP.
      
      Fixes: 3f93522f
      
       ("virtio-net: switch off offloads on demand if possible on XDP set")
      Reported-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Cc: Jesper Dangaard Brouer <brouer@redhat.com>
      Cc: Pavel Popa <pashinho1990@gmail.com>
      Cc: David Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e5cfda6c
    • Lorenzo Bianconi's avatar
      net: thunderx: set xdp_prog to NULL if bpf_prog_add fails · 44e4f364
      Lorenzo Bianconi authored
      [ Upstream commit 6d0f60b0 ]
      
      Set xdp_prog pointer to NULL if bpf_prog_add fails since that routine
      reports the error code instead of NULL in case of failure and xdp_prog
      pointer value is used in the driver to verify if XDP is currently
      enabled.
      Moreover report the error code to userspace if nicvf_xdp_setup fails
      
      Fixes: 05c773f5
      
       ("net: thunderx: Add basic XDP support")
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44e4f364
    • Petr Machata's avatar
      net: skb_scrub_packet(): Scrub offload_fwd_mark · 3a8a411c
      Petr Machata authored
      [ Upstream commit b5dd186d ]
      
      When a packet is trapped and the corresponding SKB marked as
      already-forwarded, it retains this marking even after it is forwarded
      across veth links into another bridge. There, since it ingresses the
      bridge over veth, which doesn't have offload_fwd_mark, it triggers a
      warning in nbp_switchdev_frame_mark().
      
      Then nbp_switchdev_allowed_egress() decides not to allow egress from
      this bridge through another veth, because the SKB is already marked, and
      the mark (of 0) of course matches. Thus the packet is incorrectly
      blocked.
      
      Solve by resetting offload_fwd_mark() in skb_scrub_packet(). That
      function is called from tunnels and also from veth, and thus catches the
      cases where traffic is forwarded between bridges and transformed in a
      way that invalidates the marking.
      
      Fixes: 6bc506b4 ("bridge: switchdev: Add forward mark support for stacked devices")
      Fixes: abf4bb6b
      
       ("skbuff: Add the offload_mr_fwd_mark field")
      Signed-off-by: default avatarPetr Machata <petrm@mellanox.com>
      Suggested-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a8a411c
    • Sasha Levin's avatar
      Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()" · 04d26961
      Sasha Levin authored
      This reverts commit e87efc44 which was
      upstream commit 4ec7cece.
      
      From Dietmar May's report on the stable mailing list
      (https://www.spinics.net/lists/stable/msg272201.html):
      
      > I've run into some problems which appear due to (a) recent patch(es) on
      > the wlcore wifi driver.
      >
      > 4.4.160 - commit 3fdd34643ffc378b5924941fad40352c04610294
      > 4.9.131 - commit afeeecc764436f31d4447575bb9007732333818c
      >
      > Earlier versions (4.9.130 and 4.4.159 - tested back to 4.4.49) do not
      > exhibit this problem. It is still present in 4.9.141.
      >
      > master as of 4.20.0-rc4 does not exhibit this problem.
      >
      > Basically, during client association when in AP mode (running hostapd),
      > handshake may or may not complete following a noticeable delay. If
      > successful, then the driver fails consistently in warn_slowpath_null
      > during disassociation. If unsuccessful, the wifi client attempts multiple
      > times, sometimes failing repeatedly. I've had clients unable to connect
      > for 3-5 minutes during testing, with the syslog filled with dozens of
      > backtraces. syslog details are below.
      >
      > I'm working on an embedded device with a TI 3352 ARM processor and a
      > murata wl1271 module in sdio mode. We're running a fully patched ubuntu
      > 18.04 ARM build, with a kernel built from kernel.org's stable/linux repo <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=afeeecc764436f31d4447575bb9007732333818c
      
      >.
      > Relevant parts of the kernel config are included below.
      >
      > The commit message states:
      >
      > > /I've only seen this few times with the runtime PM patches enabled so
      > > this one is probably not needed before that. This seems to work
      > > currently based on the current PM implementation timer. Let's apply
      > > this separately though in case others are hitting this issue./
      > We're not doing anything explicit with power management. The device is an
      > IoT edge gateway with battery backup, normally running on wall power. The
      > battery is currently used solely to shut down the system cleanly to avoid
      > filesystem corruption.
      >
      > The device tree is configured to keep power in suspend; but the device
      > should never suspend, so in our case, there is no need to call
      > wl1271_ps_elp_wakeup() or wl1271_ps_elp_sleep(), as occurs in the patch.
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      04d26961
    • Darrick J. Wong's avatar
      xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE · cb7ccb99
      Darrick J. Wong authored
      commit 7b38460d upstream.
      
      Kanda Motohiro reported that expanding a tiny xattr into a large xattr
      fails on XFS because we remove the tiny xattr from a shortform fork and
      then try to re-add it after converting the fork to extents format having
      not removed the ATTR_REPLACE flag.  This fails because the attr is no
      longer present, causing a fs shutdown.
      
      This is derived from the patch in his bug report, but we really
      shouldn't ignore a nonzero retval from the remove call.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199119
      
      
      Reported-by: kanda.motohiro@gmail.com
      Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cb7ccb99
    • Chao Yu's avatar
      f2fs: fix to do sanity check with cp_pack_start_sum · 30130700
      Chao Yu authored
      commit e494c2f9 upstream.
      
      After fuzzing, cp_pack_start_sum could be corrupted, so current log's
      summary info should be wrong due to loading incorrect summary block.
      Then, if segment's type in current log is exceeded NR_CURSEG_TYPE, it
      can lead accessing invalid dirty_i->dirty_segmap bitmap finally.
      
      Add sanity check for cp_pack_start_sum to fix this issue.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200419
      
      - Reproduce
      
      - Kernel message (f2fs-dev w/ KASAN)
      [ 3117.578432] F2FS-fs (loop0): Invalid log blocks per segment (8)
      
      [ 3117.578445] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
      [ 3117.581364] F2FS-fs (loop0): invalid crc_offset: 30716
      [ 3117.583564] WARNING: CPU: 1 PID: 1225 at fs/f2fs/checkpoint.c:90 __get_meta_page+0x448/0x4b0
      [ 3117.583570] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
      [ 3117.584014] CPU: 1 PID: 1225 Comm: mount Not tainted 4.17.0+ #1
      [ 3117.584017] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 3117.584022] RIP: 0010:__get_meta_page+0x448/0x4b0
      [ 3117.584023] Code: 00 49 8d bc 24 84 00 00 00 e8 74 54 da ff 41 83 8c 24 84 00 00 00 08 4c 89 f6 4c 89 ef e8 c0 d9 95 00 48 89 ef e8 18 e3 00 00 <0f> 0b f0 80 4d 48 04 e9 0f fe ff ff 0f 0b 48 89 c7 48 89 04 24 e8
      [ 3117.584072] RSP: 0018:ffff88018eb678c0 EFLAGS: 00010286
      [ 3117.584082] RAX: ffff88018f0a6a78 RBX: ffffea0007a46600 RCX: ffffffff9314d1b2
      [ 3117.584085] RDX: ffffffff00000001 RSI: 0000000000000000 RDI: ffff88018f0a6a98
      [ 3117.584087] RBP: ffff88018ebe9980 R08: 0000000000000002 R09: 0000000000000001
      [ 3117.584090] R10: 0000000000000001 R11: ffffed00326e4450 R12: ffff880193722200
      [ 3117.584092] R13: ffff88018ebe9afc R14: 0000000000000206 R15: ffff88018eb67900
      [ 3117.584096] FS:  00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 3117.584098] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 3117.584101] CR2: 00000000016f21b8 CR3: 0000000191c22000 CR4: 00000000000006e0
      [ 3117.584112] Call Trace:
      [ 3117.584121]  ? f2fs_set_meta_page_dirty+0x150/0x150
      [ 3117.584127]  ? f2fs_build_segment_manager+0xbf9/0x3190
      [ 3117.584133]  ? f2fs_npages_for_summary_flush+0x75/0x120
      [ 3117.584145]  f2fs_build_segment_manager+0xda8/0x3190
      [ 3117.584151]  ? f2fs_get_valid_checkpoint+0x298/0xa00
      [ 3117.584156]  ? f2fs_flush_sit_entries+0x10e0/0x10e0
      [ 3117.584184]  ? map_id_range_down+0x17c/0x1b0
      [ 3117.584188]  ? __put_user_ns+0x30/0x30
      [ 3117.584206]  ? find_next_bit+0x53/0x90
      [ 3117.584237]  ? cpumask_next+0x16/0x20
      [ 3117.584249]  f2fs_fill_super+0x1948/0x2b40
      [ 3117.584258]  ? f2fs_commit_super+0x1a0/0x1a0
      [ 3117.584279]  ? sget_userns+0x65e/0x690
      [ 3117.584296]  ? set_blocksize+0x88/0x130
      [ 3117.584302]  ? f2fs_commit_super+0x1a0/0x1a0
      [ 3117.584305]  mount_bdev+0x1c0/0x200
      [ 3117.584310]  mount_fs+0x5c/0x190
      [ 3117.584320]  vfs_kern_mount+0x64/0x190
      [ 3117.584330]  do_mount+0x2e4/0x1450
      [ 3117.584343]  ? lockref_put_return+0x130/0x130
      [ 3117.584347]  ? copy_mount_string+0x20/0x20
      [ 3117.584357]  ? kasan_unpoison_shadow+0x31/0x40
      [ 3117.584362]  ? kasan_kmalloc+0xa6/0xd0
      [ 3117.584373]  ? memcg_kmem_put_cache+0x16/0x90
      [ 3117.584377]  ? __kmalloc_track_caller+0x196/0x210
      [ 3117.584383]  ? _copy_from_user+0x61/0x90
      [ 3117.584396]  ? memdup_user+0x3e/0x60
      [ 3117.584401]  ksys_mount+0x7e/0xd0
      [ 3117.584405]  __x64_sys_mount+0x62/0x70
      [ 3117.584427]  do_syscall_64+0x73/0x160
      [ 3117.584440]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 3117.584455] RIP: 0033:0x7f5693f14b9a
      [ 3117.584456] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [ 3117.584505] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [ 3117.584510] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a
      [ 3117.584512] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040
      [ 3117.584514] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [ 3117.584516] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040
      [ 3117.584519] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003
      [ 3117.584523] ---[ end trace a8e0d899985faf31 ]---
      [ 3117.685663] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=2, run fsck to fix.
      [ 3117.685673] F2FS-fs (loop0): recover_data: ino = 2 (i_size: recover) recovered = 1, err = 0
      [ 3117.685707] ==================================================================
      [ 3117.685955] BUG: KASAN: slab-out-of-bounds in __remove_dirty_segment+0xdd/0x1e0
      [ 3117.686175] Read of size 8 at addr ffff88018f0a63d0 by task mount/1225
      
      [ 3117.686477] CPU: 0 PID: 1225 Comm: mount Tainted: G        W         4.17.0+ #1
      [ 3117.686481] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 3117.686483] Call Trace:
      [ 3117.686494]  dump_stack+0x71/0xab
      [ 3117.686512]  print_address_description+0x6b/0x290
      [ 3117.686517]  kasan_report+0x28e/0x390
      [ 3117.686522]  ? __remove_dirty_segment+0xdd/0x1e0
      [ 3117.686527]  __remove_dirty_segment+0xdd/0x1e0
      [ 3117.686532]  locate_dirty_segment+0x189/0x190
      [ 3117.686538]  f2fs_allocate_new_segments+0xa9/0xe0
      [ 3117.686543]  recover_data+0x703/0x2c20
      [ 3117.686547]  ? f2fs_recover_fsync_data+0x48f/0xd50
      [ 3117.686553]  ? ksys_mount+0x7e/0xd0
      [ 3117.686564]  ? policy_nodemask+0x1a/0x90
      [ 3117.686567]  ? policy_node+0x56/0x70
      [ 3117.686571]  ? add_fsync_inode+0xf0/0xf0
      [ 3117.686592]  ? blk_finish_plug+0x44/0x60
      [ 3117.686597]  ? f2fs_ra_meta_pages+0x38b/0x5e0
      [ 3117.686602]  ? find_inode_fast+0xac/0xc0
      [ 3117.686606]  ? f2fs_is_valid_blkaddr+0x320/0x320
      [ 3117.686618]  ? __radix_tree_lookup+0x150/0x150
      [ 3117.686633]  ? dqget+0x670/0x670
      [ 3117.686648]  ? pagecache_get_page+0x29/0x410
      [ 3117.686656]  ? kmem_cache_alloc+0x176/0x1e0
      [ 3117.686660]  ? f2fs_is_valid_blkaddr+0x11d/0x320
      [ 3117.686664]  f2fs_recover_fsync_data+0xc23/0xd50
      [ 3117.686670]  ? f2fs_space_for_roll_forward+0x60/0x60
      [ 3117.686674]  ? rb_insert_color+0x323/0x3d0
      [ 3117.686678]  ? f2fs_recover_orphan_inodes+0xa5/0x700
      [ 3117.686683]  ? proc_register+0x153/0x1d0
      [ 3117.686686]  ? f2fs_remove_orphan_inode+0x10/0x10
      [ 3117.686695]  ? f2fs_attr_store+0x50/0x50
      [ 3117.686700]  ? proc_create_single_data+0x52/0x60
      [ 3117.686707]  f2fs_fill_super+0x1d06/0x2b40
      [ 3117.686728]  ? f2fs_commit_super+0x1a0/0x1a0
      [ 3117.686735]  ? sget_userns+0x65e/0x690
      [ 3117.686740]  ? set_blocksize+0x88/0x130
      [ 3117.686745]  ? f2fs_commit_super+0x1a0/0x1a0
      [ 3117.686748]  mount_bdev+0x1c0/0x200
      [ 3117.686753]  mount_fs+0x5c/0x190
      [ 3117.686758]  vfs_kern_mount+0x64/0x190
      [ 3117.686762]  do_mount+0x2e4/0x1450
      [ 3117.686769]  ? lockref_put_return+0x130/0x130
      [ 3117.686773]  ? copy_mount_string+0x20/0x20
      [ 3117.686777]  ? kasan_unpoison_shadow+0x31/0x40
      [ 3117.686780]  ? kasan_kmalloc+0xa6/0xd0
      [ 3117.686786]  ? memcg_kmem_put_cache+0x16/0x90
      [ 3117.686790]  ? __kmalloc_track_caller+0x196/0x210
      [ 3117.686795]  ? _copy_from_user+0x61/0x90
      [ 3117.686801]  ? memdup_user+0x3e/0x60
      [ 3117.686804]  ksys_mount+0x7e/0xd0
      [ 3117.686809]  __x64_sys_mount+0x62/0x70
      [ 3117.686816]  do_syscall_64+0x73/0x160
      [ 3117.686824]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 3117.686829] RIP: 0033:0x7f5693f14b9a
      [ 3117.686830] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [ 3117.686887] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [ 3117.686892] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a
      [ 3117.686894] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040
      [ 3117.686896] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [ 3117.686899] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040
      [ 3117.686901] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003
      
      [ 3117.687005] Allocated by task 1225:
      [ 3117.687152]  kasan_kmalloc+0xa6/0xd0
      [ 3117.687157]  kmem_cache_alloc_trace+0xfd/0x200
      [ 3117.687161]  f2fs_build_segment_manager+0x2d09/0x3190
      [ 3117.687165]  f2fs_fill_super+0x1948/0x2b40
      [ 3117.687168]  mount_bdev+0x1c0/0x200
      [ 3117.687171]  mount_fs+0x5c/0x190
      [ 3117.687174]  vfs_kern_mount+0x64/0x190
      [ 3117.687177]  do_mount+0x2e4/0x1450
      [ 3117.687180]  ksys_mount+0x7e/0xd0
      [ 3117.687182]  __x64_sys_mount+0x62/0x70
      [ 3117.687186]  do_syscall_64+0x73/0x160
      [ 3117.687190]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [ 3117.687285] Freed by task 19:
      [ 3117.687412]  __kasan_slab_free+0x137/0x190
      [ 3117.687416]  kfree+0x8b/0x1b0
      [ 3117.687460]  ttm_bo_man_put_node+0x61/0x80 [ttm]
      [ 3117.687476]  ttm_bo_cleanup_refs+0x15f/0x250 [ttm]
      [ 3117.687492]  ttm_bo_delayed_delete+0x2f0/0x300 [ttm]
      [ 3117.687507]  ttm_bo_delayed_workqueue+0x17/0x50 [ttm]
      [ 3117.687528]  process_one_work+0x2f9/0x740
      [ 3117.687531]  worker_thread+0x78/0x6b0
      [ 3117.687541]  kthread+0x177/0x1c0
      [ 3117.687545]  ret_from_fork+0x35/0x40
      
      [ 3117.687638] The buggy address belongs to the object at ffff88018f0a6300
                      which belongs to the cache kmalloc-192 of size 192
      [ 3117.688014] The buggy address is located 16 bytes to the right of
                      192-byte region [ffff88018f0a6300, ffff88018f0a63c0)
      [ 3117.688382] The buggy address belongs to the page:
      [ 3117.688554] page:ffffea00063c2980 count:1 mapcount:0 mapping:ffff8801f3403180 index:0x0
      [ 3117.688788] flags: 0x17fff8000000100(slab)
      [ 3117.688944] raw: 017fff8000000100 ffffea00063c2840 0000000e0000000e ffff8801f3403180
      [ 3117.689166] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      [ 3117.689386] page dumped because: kasan: bad access detected
      
      [ 3117.689653] Memory state around the buggy address:
      [ 3117.689816]  ffff88018f0a6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [ 3117.690027]  ffff88018f0a6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [ 3117.690239] >ffff88018f0a6380: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 3117.690448]                                                  ^
      [ 3117.690644]  ffff88018f0a6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [ 3117.690868]  ffff88018f0a6480: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 3117.691077] ==================================================================
      [ 3117.691290] Disabling lock debugging due to kernel taint
      [ 3117.693893] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
      [ 3117.694120] PGD 80000001f01bc067 P4D 80000001f01bc067 PUD 1d9638067 PMD 0
      [ 3117.694338] Oops: 0002 [#1] SMP KASAN PTI
      [ 3117.694490] CPU: 1 PID: 1225 Comm: mount Tainted: G    B   W         4.17.0+ #1
      [ 3117.694703] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 3117.695073] RIP: 0010:__remove_dirty_segment+0xe2/0x1e0
      [ 3117.695246] Code: c4 48 89 c7 e8 cf bb d7 ff 45 0f b6 24 24 41 83 e4 3f 44 88 64 24 07 41 83 e4 3f 4a 8d 7c e3 08 e8 b3 bc d7 ff 4a 8b 4c e3 08 <f0> 4c 0f b3 29 0f 82 94 00 00 00 48 8d bd 20 04 00 00 e8 97 bb d7
      [ 3117.695793] RSP: 0018:ffff88018eb67638 EFLAGS: 00010292
      [ 3117.695969] RAX: 0000000000000000 RBX: ffff88018f0a6300 RCX: 0000000000000000
      [ 3117.696182] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
      [ 3117.696391] RBP: ffff88018ebe9980 R08: ffffed003e743ebb R09: ffffed003e743ebb
      [ 3117.696604] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000019
      [ 3117.696813] R13: 0000000000000014 R14: 0000000000000320 R15: ffff88018ebe99e0
      [ 3117.697032] FS:  00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 3117.697280] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 3117.702357] CR2: 00007fe89bb1a000 CR3: 0000000191c22000 CR4: 00000000000006e0
      [ 3117.707235] Call Trace:
      [ 3117.712077]  locate_dirty_segment+0x189/0x190
      [ 3117.716891]  f2fs_allocate_new_segments+0xa9/0xe0
      [ 3117.721617]  recover_data+0x703/0x2c20
      [ 3117.726316]  ? f2fs_recover_fsync_data+0x48f/0xd50
      [ 3117.730957]  ? ksys_mount+0x7e/0xd0
      [ 3117.735573]  ? policy_nodemask+0x1a/0x90
      [ 3117.740198]  ? policy_node+0x56/0x70
      [ 3117.744829]  ? add_fsync_inode+0xf0/0xf0
      [ 3117.749487]  ? blk_finish_plug+0x44/0x60
      [ 3117.754152]  ? f2fs_ra_meta_pages+0x38b/0x5e0
      [ 3117.758831]  ? find_inode_fast+0xac/0xc0
      [ 3117.763448]  ? f2fs_is_valid_blkaddr+0x320/0x320
      [ 3117.768046]  ? __radix_tree_lookup+0x150/0x150
      [ 3117.772603]  ? dqget+0x670/0x670
      [ 3117.777159]  ? pagecache_get_page+0x29/0x410
      [ 3117.781648]  ? kmem_cache_alloc+0x176/0x1e0
      [ 3117.786067]  ? f2fs_is_valid_blkaddr+0x11d/0x320
      [ 3117.790476]  f2fs_recover_fsync_data+0xc23/0xd50
      [ 3117.794790]  ? f2fs_space_for_roll_forward+0x60/0x60
      [ 3117.799086]  ? rb_insert_color+0x323/0x3d0
      [ 3117.803304]  ? f2fs_recover_orphan_inodes+0xa5/0x700
      [ 3117.807563]  ? proc_register+0x153/0x1d0
      [ 3117.811766]  ? f2fs_remove_orphan_inode+0x10/0x10
      [ 3117.815947]  ? f2fs_attr_store+0x50/0x50
      [ 3117.820087]  ? proc_create_single_data+0x52/0x60
      [ 3117.824262]  f2fs_fill_super+0x1d06/0x2b40
      [ 3117.828367]  ? f2fs_commit_super+0x1a0/0x1a0
      [ 3117.832432]  ? sget_userns+0x65e/0x690
      [ 3117.836500]  ? set_blocksize+0x88/0x130
      [ 3117.840501]  ? f2fs_commit_super+0x1a0/0x1a0
      [ 3117.844420]  mount_bdev+0x1c0/0x200
      [ 3117.848275]  mount_fs+0x5c/0x190
      [ 3117.852053]  vfs_kern_mount+0x64/0x190
      [ 3117.855810]  do_mount+0x2e4/0x1450
      [ 3117.859441]  ? lockref_put_return+0x130/0x130
      [ 3117.862996]  ? copy_mount_string+0x20/0x20
      [ 3117.866417]  ? kasan_unpoison_shadow+0x31/0x40
      [ 3117.869719]  ? kasan_kmalloc+0xa6/0xd0
      [ 3117.872948]  ? memcg_kmem_put_cache+0x16/0x90
      [ 3117.876121]  ? __kmalloc_track_caller+0x196/0x210
      [ 3117.879333]  ? _copy_from_user+0x61/0x90
      [ 3117.882467]  ? memdup_user+0x3e/0x60
      [ 3117.885604]  ksys_mount+0x7e/0xd0
      [ 3117.888700]  __x64_sys_mount+0x62/0x70
      [ 3117.891742]  do_syscall_64+0x73/0x160
      [ 3117.894692]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 3117.897669] RIP: 0033:0x7f5693f14b9a
      [ 3117.900563] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [ 3117.906922] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [ 3117.910159] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a
      [ 3117.913469] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040
      [ 3117.916764] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [ 3117.920071] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040
      [ 3117.923393] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003
      [ 3117.926680] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
      [ 3117.949979] CR2: 0000000000000000
      [ 3117.954283] ---[ end trace a8e0d899985faf32 ]---
      [ 3117.958575] RIP: 0010:__remove_dirty_segment+0xe2/0x1e0
      [ 3117.962810] Code: c4 48 89 c7 e8 cf bb d7 ff 45 0f b6 24 24 41 83 e4 3f 44 88 64 24 07 41 83 e4 3f 4a 8d 7c e3 08 e8 b3 bc d7 ff 4a 8b 4c e3 08 <f0> 4c 0f b3 29 0f 82 94 00 00 00 48 8d bd 20 04 00 00 e8 97 bb d7
      [ 3117.971789] RSP: 0018:ffff88018eb67638 EFLAGS: 00010292
      [ 3117.976333] RAX: 0000000000000000 RBX: ffff88018f0a6300 RCX: 0000000000000000
      [ 3117.980926] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
      [ 3117.985497] RBP: ffff88018ebe9980 R08: ffffed003e743ebb R09: ffffed003e743ebb
      [ 3117.990098] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000019
      [ 3117.994761] R13: 0000000000000014 R14: 0000000000000320 R15: ffff88018ebe99e0
      [ 3117.999392] FS:  00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 3118.004096] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 3118.008816] CR2: 00007fe89bb1a000 CR3: 0000000191c22000 CR4: 00000000000006e0
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/f2fs/segment.c#L775
      
      
      		if (test_and_clear_bit(segno, dirty_i->dirty_segmap[t]))
      			dirty_i->nr_dirty[t]--;
      Here dirty_i->dirty_segmap[t] can be NULL which leads to crash in test_and_clear_bit()
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14: The function is called sanity_check_ckpt()]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      30130700
    • Chao Yu's avatar
      f2fs: fix to do sanity check with i_extra_isize · d7d9d29a
      Chao Yu authored
      commit 18dd6470 upstream.
      
      If inode.i_extra_isize was fuzzed to an abnormal value, when
      calculating inline data size, the result will overflow, result
      in accessing invalid memory area when operating inline data.
      
      Let's do sanity check with i_extra_isize during inode loading
      for fixing.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200421
      
      - Reproduce
      
      - POC (poc.c)
          #define _GNU_SOURCE
          #include <sys/types.h>
          #include <sys/mount.h>
          #include <sys/mman.h>
          #include <sys/stat.h>
          #include <sys/xattr.h>
      
          #include <dirent.h>
          #include <errno.h>
          #include <error.h>
          #include <fcntl.h>
          #include <stdio.h>
          #include <stdlib.h>
          #include <string.h>
          #include <unistd.h>
      
          #include <linux/falloc.h>
          #include <linux/loop.h>
      
          static void activity(char *mpoint) {
      
            char *foo_bar_baz;
            char *foo_baz;
            char *xattr;
            int err;
      
            err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
            err = asprintf(&foo_baz, "%s/foo/baz", mpoint);
            err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
      
            rename(foo_bar_baz, foo_baz);
      
            char buf2[113];
            memset(buf2, 0, sizeof(buf2));
            listxattr(xattr, buf2, sizeof(buf2));
            removexattr(xattr, "user.mime_type");
      
          }
      
          int main(int argc, char *argv[]) {
            activity(argv[1]);
            return 0;
          }
      
      - Kernel message
      Umount the image will leave the following message
      [ 2910.995489] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [ 2918.416465] ==================================================================
      [ 2918.416807] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0xcb9/0x1a80
      [ 2918.417009] Read of size 4 at addr ffff88018efc2068 by task a.out/1229
      
      [ 2918.417311] CPU: 1 PID: 1229 Comm: a.out Not tainted 4.17.0+ #1
      [ 2918.417314] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 2918.417323] Call Trace:
      [ 2918.417366]  dump_stack+0x71/0xab
      [ 2918.417401]  print_address_description+0x6b/0x290
      [ 2918.417407]  kasan_report+0x28e/0x390
      [ 2918.417411]  ? f2fs_iget+0xcb9/0x1a80
      [ 2918.417415]  f2fs_iget+0xcb9/0x1a80
      [ 2918.417422]  ? f2fs_lookup+0x2e7/0x580
      [ 2918.417425]  f2fs_lookup+0x2e7/0x580
      [ 2918.417433]  ? __recover_dot_dentries+0x400/0x400
      [ 2918.417447]  ? legitimize_path.isra.29+0x5a/0xa0
      [ 2918.417453]  __lookup_slow+0x11c/0x220
      [ 2918.417457]  ? may_delete+0x2a0/0x2a0
      [ 2918.417475]  ? deref_stack_reg+0xe0/0xe0
      [ 2918.417479]  ? __lookup_hash+0xb0/0xb0
      [ 2918.417483]  lookup_slow+0x3e/0x60
      [ 2918.417488]  walk_component+0x3ac/0x990
      [ 2918.417492]  ? generic_permission+0x51/0x1e0
      [ 2918.417495]  ? inode_permission+0x51/0x1d0
      [ 2918.417499]  ? pick_link+0x3e0/0x3e0
      [ 2918.417502]  ? link_path_walk+0x4b1/0x770
      [ 2918.417513]  ? _raw_spin_lock_irqsave+0x25/0x50
      [ 2918.417518]  ? walk_component+0x990/0x990
      [ 2918.417522]  ? path_init+0x2e6/0x580
      [ 2918.417526]  path_lookupat+0x13f/0x430
      [ 2918.417531]  ? trailing_symlink+0x3a0/0x3a0
      [ 2918.417534]  ? do_renameat2+0x270/0x7b0
      [ 2918.417538]  ? __kasan_slab_free+0x14c/0x190
      [ 2918.417541]  ? do_renameat2+0x270/0x7b0
      [ 2918.417553]  ? kmem_cache_free+0x85/0x1e0
      [ 2918.417558]  ? do_renameat2+0x270/0x7b0
      [ 2918.417563]  filename_lookup+0x13c/0x280
      [ 2918.417567]  ? filename_parentat+0x2b0/0x2b0
      [ 2918.417572]  ? kasan_unpoison_shadow+0x31/0x40
      [ 2918.417575]  ? kasan_kmalloc+0xa6/0xd0
      [ 2918.417593]  ? strncpy_from_user+0xaa/0x1c0
      [ 2918.417598]  ? getname_flags+0x101/0x2b0
      [ 2918.417614]  ? path_listxattr+0x87/0x110
      [ 2918.417619]  path_listxattr+0x87/0x110
      [ 2918.417623]  ? listxattr+0xc0/0xc0
      [ 2918.417637]  ? mm_fault_error+0x1b0/0x1b0
      [ 2918.417654]  do_syscall_64+0x73/0x160
      [ 2918.417660]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 2918.417676] RIP: 0033:0x7f2f3a3480d7
      [ 2918.417677] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [ 2918.417732] RSP: 002b:00007fff4095b7d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000c2
      [ 2918.417744] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2f3a3480d7
      [ 2918.417746] RDX: 0000000000000071 RSI: 00007fff4095b810 RDI: 000000000126a0c0
      [ 2918.417749] RBP: 00007fff4095b890 R08: 000000000126a010 R09: 0000000000000000
      [ 2918.417751] R10: 00000000000001ab R11: 0000000000000206 R12: 00000000004005e0
      [ 2918.417753] R13: 00007fff4095b990 R14: 0000000000000000 R15: 0000000000000000
      
      [ 2918.417853] Allocated by task 329:
      [ 2918.418002]  kasan_kmalloc+0xa6/0xd0
      [ 2918.418007]  kmem_cache_alloc+0xc8/0x1e0
      [ 2918.418023]  mempool_init_node+0x194/0x230
      [ 2918.418027]  mempool_init+0x12/0x20
      [ 2918.418042]  bioset_init+0x2bd/0x380
      [ 2918.418052]  blk_alloc_queue_node+0xe9/0x540
      [ 2918.418075]  dm_create+0x2c0/0x800
      [ 2918.418080]  dev_create+0xd2/0x530
      [ 2918.418083]  ctl_ioctl+0x2a3/0x5b0
      [ 2918.418087]  dm_ctl_ioctl+0xa/0x10
      [ 2918.418092]  do_vfs_ioctl+0x13e/0x8c0
      [ 2918.418095]  ksys_ioctl+0x66/0x70
      [ 2918.418098]  __x64_sys_ioctl+0x3d/0x50
      [ 2918.418102]  do_syscall_64+0x73/0x160
      [ 2918.418106]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [ 2918.418204] Freed by task 0:
      [ 2918.418301] (stack is not available)
      
      [ 2918.418521] The buggy address belongs to the object at ffff88018efc0000
                      which belongs to the cache biovec-max of size 8192
      [ 2918.418894] The buggy address is located 104 bytes to the right of
                      8192-byte region [ffff88018efc0000, ffff88018efc2000)
      [ 2918.419257] The buggy address belongs to the page:
      [ 2918.419431] page:ffffea00063bf000 count:1 mapcount:0 mapping:ffff8801f2242540 index:0x0 compound_mapcount: 0
      [ 2918.419702] flags: 0x17fff8000008100(slab|head)
      [ 2918.419879] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f2242540
      [ 2918.420101] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000
      [ 2918.420322] page dumped because: kasan: bad access detected
      
      [ 2918.420599] Memory state around the buggy address:
      [ 2918.420764]  ffff88018efc1f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.420975]  ffff88018efc1f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.421194] >ffff88018efc2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 2918.421406]                                                           ^
      [ 2918.421627]  ffff88018efc2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 2918.421838]  ffff88018efc2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.422046] ==================================================================
      [ 2918.422264] Disabling lock debugging due to kernel taint
      [ 2923.901641] BUG: unable to handle kernel paging request at ffff88018f0db000
      [ 2923.901884] PGD 22226a067 P4D 22226a067 PUD 222273067 PMD 18e642063 PTE 800000018f0db061
      [ 2923.902120] Oops: 0003 [#1] SMP KASAN PTI
      [ 2923.902274] CPU: 1 PID: 1231 Comm: umount Tainted: G    B             4.17.0+ #1
      [ 2923.902490] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 2923.902761] RIP: 0010:__memset+0x24/0x30
      [ 2923.902906] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
      [ 2923.903446] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206
      [ 2923.903622] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb
      [ 2923.903833] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc
      [ 2923.904062] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c
      [ 2923.904273] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000
      [ 2923.904485] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80
      [ 2923.904693] FS:  00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 2923.904937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2923.910080] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0
      [ 2923.914930] Call Trace:
      [ 2923.919724]  f2fs_truncate_inline_inode+0x114/0x170
      [ 2923.924487]  f2fs_truncate_blocks+0x11b/0x7c0
      [ 2923.929178]  ? f2fs_truncate_data_blocks+0x10/0x10
      [ 2923.933834]  ? dqget+0x670/0x670
      [ 2923.938437]  ? f2fs_destroy_extent_tree+0xd6/0x270
      [ 2923.943107]  ? __radix_tree_lookup+0x2f/0x150
      [ 2923.947772]  f2fs_truncate+0xd4/0x1a0
      [ 2923.952491]  f2fs_evict_inode+0x5ab/0x610
      [ 2923.957204]  evict+0x15f/0x280
      [ 2923.961898]  __dentry_kill+0x161/0x250
      [ 2923.966634]  shrink_dentry_list+0xf3/0x250
      [ 2923.971897]  shrink_dcache_parent+0xa9/0x100
      [ 2923.976561]  ? shrink_dcache_sb+0x1f0/0x1f0
      [ 2923.981177]  ? wait_for_completion+0x8a/0x210
      [ 2923.985781]  ? migrate_swap_stop+0x2d0/0x2d0
      [ 2923.990332]  do_one_tree+0xe/0x40
      [ 2923.994735]  shrink_dcache_for_umount+0x3a/0xa0
      [ 2923.999077]  generic_shutdown_super+0x3e/0x1c0
      [ 2924.003350]  kill_block_super+0x4b/0x70
      [ 2924.007619]  deactivate_locked_super+0x65/0x90
      [ 2924.011812]  cleanup_mnt+0x5c/0xa0
      [ 2924.015995]  task_work_run+0xce/0xf0
      [ 2924.020174]  exit_to_usermode_loop+0x115/0x120
      [ 2924.024293]  do_syscall_64+0x12f/0x160
      [ 2924.028479]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 2924.032709] RIP: 0033:0x7fa8b2868487
      [ 2924.036888] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
      [ 2924.045750] RSP: 002b:00007ffc39824d58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [ 2924.050190] RAX: 0000000000000000 RBX: 00000000008ea030 RCX: 00007fa8b2868487
      [ 2924.054604] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000008f4360
      [ 2924.058940] RBP: 00000000008f4360 R08: 0000000000000000 R09: 0000000000000014
      [ 2924.063186] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007fa8b2d7183c
      [ 2924.067418] R13: 0000000000000000 R14: 00000000008ea210 R15: 00007ffc39824fe0
      [ 2924.071534] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
      [ 2924.098044] CR2: ffff88018f0db000
      [ 2924.102520] ---[ end trace a8e0d899985faf31 ]---
      [ 2924.107012] RIP: 0010:__memset+0x24/0x30
      [ 2924.111448] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
      [ 2924.120724] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206
      [ 2924.125312] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb
      [ 2924.129931] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc
      [ 2924.134537] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c
      [ 2924.139175] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000
      [ 2924.143825] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80
      [ 2924.148500] FS:  00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 2924.153247] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2924.158003] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0
      [ 2924.164641] BUG: Bad rss-counter state mm:00000000fa04621e idx:0 val:4
      [ 2924.170007] BUG: Bad rss-counter
      tate mm:00000000fa04621e idx:1 val:2
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/f2fs/inline.c#L78
      
      
      	memset(addr + from, 0, MAX_INLINE_DATA(inode) - from);
      Here the length can be negative.
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d7d9d29a
    • Chao Yu's avatar
      f2fs: fix to do sanity check with block address in main area · ad19d1e7
      Chao Yu authored
      commit c9b60788 upstream.
      
      This patch add to do sanity check with below field:
      - cp_pack_total_block_count
      - blkaddr of data/node
      - extent info
      
      - Overview
      BUG() in verify_block_addr() when writing to a corrupted f2fs image
      
      - Reproduce (4.18 upstream kernel)
      
      - POC (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
      
        int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
        if (fd >= 0) {
          write(fd, (char *)buf, sizeof(buf));
          fdatasync(fd);
          close(fd);
        }
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      - Kernel message
      [  689.349473] F2FS-fs (loop0): Mounted with checkpoint version = 3
      [  699.728662] WARNING: CPU: 0 PID: 1309 at fs/f2fs/segment.c:2860 f2fs_inplace_write_data+0x232/0x240
      [  699.728670] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  699.729056] CPU: 0 PID: 1309 Comm: a.out Not tainted 4.18.0-rc1+ #4
      [  699.729064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.729074] RIP: 0010:f2fs_inplace_write_data+0x232/0x240
      [  699.729076] Code: ff e9 cf fe ff ff 49 8d 7d 10 e8 39 45 ad ff 4d 8b 7d 10 be 04 00 00 00 49 8d 7f 48 e8 07 49 ad ff 45 8b 7f 48 e9 fb fe ff ff <0f> 0b f0 41 80 4d 48 04 e9 65 fe ff ff 90 66 66 66 66 90 55 48 8d
      [  699.729130] RSP: 0018:ffff8801f43af568 EFLAGS: 00010202
      [  699.729139] RAX: 000000000000003f RBX: ffff8801f43af7b8 RCX: ffffffffb88c9113
      [  699.729142] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8802024e5540
      [  699.729144] RBP: ffff8801f43af590 R08: 0000000000000009 R09: ffffffffffffffe8
      [  699.729147] R10: 0000000000000001 R11: ffffed0039b0596a R12: ffff8802024e5540
      [  699.729149] R13: ffff8801f0335500 R14: ffff8801e3e7a700 R15: ffff8801e1ee4450
      [  699.729154] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.729156] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.729159] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.729171] Call Trace:
      [  699.729192]  f2fs_do_write_data_page+0x2e2/0xe00
      [  699.729203]  ? f2fs_should_update_outplace+0xd0/0xd0
      [  699.729238]  ? memcg_drain_all_list_lrus+0x280/0x280
      [  699.729269]  ? __radix_tree_replace+0xa3/0x120
      [  699.729276]  __write_data_page+0x5c7/0xe30
      [  699.729291]  ? kasan_check_read+0x11/0x20
      [  699.729310]  ? page_mapped+0x8a/0x110
      [  699.729321]  ? page_mkclean+0xe9/0x160
      [  699.729327]  ? f2fs_do_write_data_page+0xe00/0xe00
      [  699.729331]  ? invalid_page_referenced_vma+0x130/0x130
      [  699.729345]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.729351]  f2fs_write_cache_pages+0x4ca/0x860
      [  699.729358]  ? __write_data_page+0xe30/0xe30
      [  699.729374]  ? percpu_counter_add_batch+0x22/0xa0
      [  699.729380]  ? kasan_check_write+0x14/0x20
      [  699.729391]  ? _raw_spin_lock+0x17/0x40
      [  699.729403]  ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30
      [  699.729413]  ? iov_iter_advance+0x113/0x640
      [  699.729418]  ? f2fs_write_end+0x133/0x2e0
      [  699.729423]  ? balance_dirty_pages_ratelimited+0x239/0x640
      [  699.729428]  f2fs_write_data_pages+0x329/0x520
      [  699.729433]  ? generic_perform_write+0x250/0x320
      [  699.729438]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.729454]  ? current_time+0x110/0x110
      [  699.729459]  ? f2fs_preallocate_blocks+0x1ef/0x370
      [  699.729464]  do_writepages+0x37/0xb0
      [  699.729468]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.729472]  ? do_writepages+0x37/0xb0
      [  699.729478]  __filemap_fdatawrite_range+0x19a/0x1f0
      [  699.729483]  ? delete_from_page_cache_batch+0x4e0/0x4e0
      [  699.729496]  ? __vfs_write+0x2b2/0x410
      [  699.729501]  file_write_and_wait_range+0x66/0xb0
      [  699.729506]  f2fs_do_sync_file+0x1f9/0xd90
      [  699.729511]  ? truncate_partial_data_page+0x290/0x290
      [  699.729521]  ? __sb_end_write+0x30/0x50
      [  699.729526]  ? vfs_write+0x20f/0x260
      [  699.729530]  f2fs_sync_file+0x9a/0xb0
      [  699.729534]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.729548]  vfs_fsync_range+0x68/0x100
      [  699.729554]  ? __fget_light+0xc9/0xe0
      [  699.729558]  do_fsync+0x3d/0x70
      [  699.729562]  __x64_sys_fdatasync+0x24/0x30
      [  699.729585]  do_syscall_64+0x78/0x170
      [  699.729595]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  699.729613] RIP: 0033:0x7f9bf930d800
      [  699.729615] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24
      [  699.729668] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.729673] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.729675] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.729678] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.729680] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.729683] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      [  699.729687] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  699.729782] ------------[ cut here ]------------
      [  699.729785] kernel BUG at fs/f2fs/segment.h:654!
      [  699.731055] invalid opcode: 0000 [#1] SMP KASAN PTI
      [  699.732104] CPU: 0 PID: 1309 Comm: a.out Tainted: G        W         4.18.0-rc1+ #4
      [  699.733684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.735611] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730
      [  699.736649] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0
      [  699.740524] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283
      [  699.741573] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef
      [  699.743006] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c
      [  699.744426] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55
      [  699.745833] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940
      [  699.747256] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001
      [  699.748683] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.750293] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.751462] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.752874] Call Trace:
      [  699.753386]  ? f2fs_inplace_write_data+0x93/0x240
      [  699.754341]  f2fs_inplace_write_data+0xd2/0x240
      [  699.755271]  f2fs_do_write_data_page+0x2e2/0xe00
      [  699.756214]  ? f2fs_should_update_outplace+0xd0/0xd0
      [  699.757215]  ? memcg_drain_all_list_lrus+0x280/0x280
      [  699.758209]  ? __radix_tree_replace+0xa3/0x120
      [  699.759164]  __write_data_page+0x5c7/0xe30
      [  699.760002]  ? kasan_check_read+0x11/0x20
      [  699.760823]  ? page_mapped+0x8a/0x110
      [  699.761573]  ? page_mkclean+0xe9/0x160
      [  699.762345]  ? f2fs_do_write_data_page+0xe00/0xe00
      [  699.763332]  ? invalid_page_referenced_vma+0x130/0x130
      [  699.764374]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.765347]  f2fs_write_cache_pages+0x4ca/0x860
      [  699.766276]  ? __write_data_page+0xe30/0xe30
      [  699.767161]  ? percpu_counter_add_batch+0x22/0xa0
      [  699.768112]  ? kasan_check_write+0x14/0x20
      [  699.768951]  ? _raw_spin_lock+0x17/0x40
      [  699.769739]  ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30
      [  699.770885]  ? iov_iter_advance+0x113/0x640
      [  699.771743]  ? f2fs_write_end+0x133/0x2e0
      [  699.772569]  ? balance_dirty_pages_ratelimited+0x239/0x640
      [  699.773680]  f2fs_write_data_pages+0x329/0x520
      [  699.774603]  ? generic_perform_write+0x250/0x320
      [  699.775544]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.776510]  ? current_time+0x110/0x110
      [  699.777299]  ? f2fs_preallocate_blocks+0x1ef/0x370
      [  699.778279]  do_writepages+0x37/0xb0
      [  699.779026]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.779978]  ? do_writepages+0x37/0xb0
      [  699.780755]  __filemap_fdatawrite_range+0x19a/0x1f0
      [  699.781746]  ? delete_from_page_cache_batch+0x4e0/0x4e0
      [  699.782820]  ? __vfs_write+0x2b2/0x410
      [  699.783597]  file_write_and_wait_range+0x66/0xb0
      [  699.784540]  f2fs_do_sync_file+0x1f9/0xd90
      [  699.785381]  ? truncate_partial_data_page+0x290/0x290
      [  699.786415]  ? __sb_end_write+0x30/0x50
      [  699.787204]  ? vfs_write+0x20f/0x260
      [  699.787941]  f2fs_sync_file+0x9a/0xb0
      [  699.788694]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.789572]  vfs_fsync_range+0x68/0x100
      [  699.790360]  ? __fget_light+0xc9/0xe0
      [  699.791128]  do_fsync+0x3d/0x70
      [  699.791779]  __x64_sys_fdatasync+0x24/0x30
      [  699.792614]  do_syscall_64+0x78/0x170
      [  699.793371]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  699.794406] RIP: 0033:0x7f9bf930d800
      [  699.795134] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24
      [  699.798960] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.800483] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.801923] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.803373] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.804798] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.806233] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      [  699.807667] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  699.817079] ---[ end trace 4ce02f25ff7d3df6 ]---
      [  699.818068] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730
      [  699.819114] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0
      [  699.822919] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283
      [  699.823977] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef
      [  699.825436] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c
      [  699.826881] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55
      [  699.828292] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940
      [  699.829750] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001
      [  699.831192] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.832793] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.833981] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.835556] ==================================================================
      [  699.837029] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
      [  699.838462] Read of size 8 at addr ffff8801f43af970 by task a.out/1309
      
      [  699.840086] CPU: 0 PID: 1309 Comm: a.out Tainted: G      D W         4.18.0-rc1+ #4
      [  699.841603] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.843475] Call Trace:
      [  699.843982]  dump_stack+0x7b/0xb5
      [  699.844661]  print_address_description+0x70/0x290
      [  699.845607]  kasan_report+0x291/0x390
      [  699.846351]  ? update_stack_state+0x38c/0x3e0
      [  699.853831]  __asan_load8+0x54/0x90
      [  699.854569]  update_stack_state+0x38c/0x3e0
      [  699.855428]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
      [  699.856601]  ? __save_stack_trace+0x5e/0x100
      [  699.857476]  unwind_next_frame.part.5+0x18e/0x490
      [  699.858448]  ? unwind_dump+0x290/0x290
      [  699.859217]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.860185]  __unwind_start+0x106/0x190
      [  699.860974]  __save_stack_trace+0x5e/0x100
      [  699.861808]  ? __save_stack_trace+0x5e/0x100
      [  699.862691]  ? unlink_anon_vmas+0xba/0x2c0
      [  699.863525]  save_stack_trace+0x1f/0x30
      [  699.864312]  save_stack+0x46/0xd0
      [  699.864993]  ? __alloc_pages_slowpath+0x1420/0x1420
      [  699.865990]  ? flush_tlb_mm_range+0x15e/0x220
      [  699.866889]  ? kasan_check_write+0x14/0x20
      [  699.867724]  ? __dec_node_state+0x92/0xb0
      [  699.868543]  ? lock_page_memcg+0x85/0xf0
      [  699.869350]  ? unlock_page_memcg+0x16/0x80
      [  699.870185]  ? page_remove_rmap+0x198/0x520
      [  699.871048]  ? mark_page_accessed+0x133/0x200
      [  699.871930]  ? _cond_resched+0x1a/0x50
      [  699.872700]  ? unmap_page_range+0xcd4/0xe50
      [  699.873551]  ? rb_next+0x58/0x80
      [  699.874217]  ? rb_next+0x58/0x80
      [  699.874895]  __kasan_slab_free+0x13c/0x1a0
      [  699.875734]  ? unlink_anon_vmas+0xba/0x2c0
      [  699.876563]  kasan_slab_free+0xe/0x10
      [  699.877315]  kmem_cache_free+0x89/0x1e0
      [  699.878095]  unlink_anon_vmas+0xba/0x2c0
      [  699.878913]  free_pgtables+0x101/0x1b0
      [  699.879677]  exit_mmap+0x146/0x2a0
      [  699.880378]  ? __ia32_sys_munmap+0x50/0x50
      [  699.881214]  ? kasan_check_read+0x11/0x20
      [  699.882052]  ? mm_update_next_owner+0x322/0x380
      [  699.882985]  mmput+0x8b/0x1d0
      [  699.883602]  do_exit+0x43a/0x1390
      [  699.884288]  ? mm_update_next_owner+0x380/0x380
      [  699.885212]  ? f2fs_sync_file+0x9a/0xb0
      [  699.885995]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.886877]  ? vfs_fsync_range+0x68/0x100
      [  699.887694]  ? __fget_light+0xc9/0xe0
      [  699.888442]  ? do_fsync+0x3d/0x70
      [  699.889118]  ? __x64_sys_fdatasync+0x24/0x30
      [  699.889996]  rewind_stack_do_exit+0x17/0x20
      [  699.890860] RIP: 0033:0x7f9bf930d800
      [  699.891585] Code: Bad RIP value.
      [  699.892268] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.893781] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.895220] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.896643] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.898069] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.899505] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      
      [  699.901241] The buggy address belongs to the page:
      [  699.902215] page:ffffea0007d0ebc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  699.903811] flags: 0x2ffff0000000000()
      [  699.904585] raw: 02ffff0000000000 0000000000000000 ffffffff07d00101 0000000000000000
      [  699.906125] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000
      [  699.907673] page dumped because: kasan: bad access detected
      
      [  699.909108] Memory state around the buggy address:
      [  699.910077]  ffff8801f43af800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
      [  699.911528]  ffff8801f43af880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  699.912953] >ffff8801f43af900: 00 00 00 00 00 00 00 00 f1 01 f4 f4 f4 f2 f2 f2
      [  699.914392]                                                              ^
      [  699.915758]  ffff8801f43af980: f2 00 f4 f4 00 00 00 00 f2 00 00 00 00 00 00 00
      [  699.917193]  ffff8801f43afa00: 00 00 00 00 00 00 00 00 00 f3 f3 f3 00 00 00 00
      [  699.918634] ==================================================================
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L644
      
      
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14:
       - Error label is different in validate_checkpoint() due to the earlier
         backport of "f2fs: fix invalid memory access"
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ad19d1e7
    • Chao Yu's avatar
      f2fs: fix to do sanity check with node footer and iblocks · b8321ccd
      Chao Yu authored
      commit e34438c9 upstream.
      
      This patch adds to do sanity check with below fields of inode to
      avoid reported panic.
      - node footer
      - iblocks
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200223
      
      - Overview
      BUG() triggered in f2fs_truncate_inode_blocks() when un-mounting a mounted f2fs image after writing to it
      
      - Reproduce
      
      - POC (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
      
        // open / write / read
        int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
        if (fd >= 0) {
          write(fd, (char *)buf, 517);
          write(fd, (char *)buf, sizeof(buf));
          close(fd);
        }
      
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      - Kernel meesage
      [  552.479723] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [  556.451891] ------------[ cut here ]------------
      [  556.451899] kernel BUG at fs/f2fs/node.c:987!
      [  556.452920] invalid opcode: 0000 [#1] SMP KASAN PTI
      [  556.453936] CPU: 1 PID: 1310 Comm: umount Not tainted 4.18.0-rc1+ #4
      [  556.455213] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  556.457140] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
      [  556.458280] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
      [  556.462015] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286
      [  556.463068] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc
      [  556.464479] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164
      [  556.465901] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d
      [  556.467311] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64
      [  556.468706] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801
      [  556.470117] FS:  00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  556.471702] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  556.472838] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0
      [  556.474265] Call Trace:
      [  556.474782]  ? f2fs_alloc_nid_failed+0xf0/0xf0
      [  556.475686]  ? truncate_nodes+0x980/0x980
      [  556.476516]  ? pagecache_get_page+0x21f/0x2f0
      [  556.477412]  ? __asan_loadN+0xf/0x20
      [  556.478153]  ? __get_node_page+0x331/0x5b0
      [  556.478992]  ? reweight_entity+0x1e6/0x3b0
      [  556.479826]  f2fs_truncate_blocks+0x55e/0x740
      [  556.480709]  ? f2fs_truncate_data_blocks+0x20/0x20
      [  556.481689]  ? __radix_tree_lookup+0x34/0x160
      [  556.482630]  ? radix_tree_lookup+0xd/0x10
      [  556.483445]  f2fs_truncate+0xd4/0x1a0
      [  556.484206]  f2fs_evict_inode+0x5ce/0x630
      [  556.485032]  evict+0x16f/0x290
      [  556.485664]  iput+0x280/0x300
      [  556.486300]  dentry_unlink_inode+0x165/0x1e0
      [  556.487169]  __dentry_kill+0x16a/0x260
      [  556.487936]  dentry_kill+0x70/0x250
      [  556.488651]  shrink_dentry_list+0x125/0x260
      [  556.489504]  shrink_dcache_parent+0xc1/0x110
      [  556.490379]  ? shrink_dcache_sb+0x200/0x200
      [  556.491231]  ? bit_wait_timeout+0xc0/0xc0
      [  556.492047]  do_one_tree+0x12/0x40
      [  556.492743]  shrink_dcache_for_umount+0x3f/0xa0
      [  556.493656]  generic_shutdown_super+0x43/0x1c0
      [  556.494561]  kill_block_super+0x52/0x80
      [  556.495341]  kill_f2fs_super+0x62/0x70
      [  556.496105]  deactivate_locked_super+0x6f/0xa0
      [  556.497004]  deactivate_super+0x5e/0x80
      [  556.497785]  cleanup_mnt+0x61/0xa0
      [  556.498492]  __cleanup_mnt+0x12/0x20
      [  556.499218]  task_work_run+0xc8/0xf0
      [  556.499949]  exit_to_usermode_loop+0x125/0x130
      [  556.500846]  do_syscall_64+0x138/0x170
      [  556.501609]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  556.502659] RIP: 0033:0x7f8028b77487
      [  556.503384] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
      [  556.507137] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  556.508637] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487
      [  556.510069] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0
      [  556.511481] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014
      [  556.512892] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c
      [  556.514320] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820
      [  556.515745] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  556.529276] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  556.530340] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
      [  556.531513] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
      [  556.535330] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286
      [  556.536395] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc
      [  556.537824] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164
      [  556.539290] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d
      [  556.540709] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64
      [  556.542131] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801
      [  556.543579] FS:  00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  556.545180] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  556.546338] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0
      [  556.547809] ==================================================================
      [  556.549248] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x52/0x170
      [  556.550672] Write of size 8 at addr ffff8801f292fd10 by task umount/1310
      
      [  556.552338] CPU: 1 PID: 1310 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
      [  556.553886] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  556.555756] Call Trace:
      [  556.556264]  dump_stack+0x7b/0xb5
      [  556.556944]  print_address_description+0x70/0x290
      [  556.557903]  kasan_report+0x291/0x390
      [  556.558649]  ? arch_tlb_gather_mmu+0x52/0x170
      [  556.559537]  __asan_store8+0x57/0x90
      [  556.560268]  arch_tlb_gather_mmu+0x52/0x170
      [  556.561110]  tlb_gather_mmu+0x12/0x40
      [  556.561862]  exit_mmap+0x123/0x2a0
      [  556.562555]  ? __ia32_sys_munmap+0x50/0x50
      [  556.563384]  ? exit_aio+0x98/0x230
      [  556.564079]  ? __x32_compat_sys_io_submit+0x260/0x260
      [  556.565099]  ? taskstats_exit+0x1f4/0x640
      [  556.565925]  ? kasan_check_read+0x11/0x20
      [  556.566739]  ? mm_update_next_owner+0x322/0x380
      [  556.567652]  mmput+0x8b/0x1d0
      [  556.568260]  do_exit+0x43a/0x1390
      [  556.568937]  ? mm_update_next_owner+0x380/0x380
      [  556.569855]  ? deactivate_super+0x5e/0x80
      [  556.570668]  ? cleanup_mnt+0x61/0xa0
      [  556.571395]  ? __cleanup_mnt+0x12/0x20
      [  556.572156]  ? task_work_run+0xc8/0xf0
      [  556.572917]  ? exit_to_usermode_loop+0x125/0x130
      [  556.573861]  rewind_stack_do_exit+0x17/0x20
      [  556.574707] RIP: 0033:0x7f8028b77487
      [  556.575428] Code: Bad RIP value.
      [  556.576106] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  556.577599] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487
      [  556.579020] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0
      [  556.580422] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014
      [  556.581833] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c
      [  556.583252] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820
      
      [  556.584983] The buggy address belongs to the page:
      [  556.585961] page:ffffea0007ca4bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  556.587540] flags: 0x2ffff0000000000()
      [  556.588296] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
      [  556.589822] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  556.591359] page dumped because: kasan: bad access detected
      
      [  556.592786] Memory state around the buggy address:
      [  556.593753]  ffff8801f292fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  556.595191]  ffff8801f292fc80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
      [  556.596613] >ffff8801f292fd00: 00 00 f3 00 00 00 00 f3 f3 00 00 00 00 f4 f4 f4
      [  556.598044]                          ^
      [  556.598797]  ffff8801f292fd80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      [  556.600225]  ffff8801f292fe00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4
      [  556.601647] ==================================================================
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/node.c#L987
      
      
      		case NODE_DIND_BLOCK:
      			err = truncate_nodes(&dn, nofs, offset[1], 3);
      			cont = 0;
      			break;
      
      		default:
      			BUG(); <---
      		}
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b8321ccd
    • Chao Yu's avatar
      f2fs: fix to do sanity check with user_block_count · f9cf5462
      Chao Yu authored
      commit 9dc956b2 upstream.
      
      This patch fixs to do sanity check with user_block_count.
      
      - Overview
      Divide zero in utilization when mount() a corrupted f2fs image
      
      - Reproduce (4.18 upstream kernel)
      
      - Kernel message
      [  564.099503] F2FS-fs (loop0): invalid crc value
      [  564.101991] divide error: 0000 [#1] SMP KASAN PTI
      [  564.103103] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Not tainted 4.18.0-rc1+ #4
      [  564.104584] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  564.106624] RIP: 0010:issue_discard_thread+0x248/0x5c0
      [  564.107692] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
      [  564.111686] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
      [  564.112775] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
      [  564.114250] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
      [  564.115706] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
      [  564.117177] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
      [  564.118634] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
      [  564.120094] FS:  0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  564.121748] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  564.122923] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
      [  564.124383] Call Trace:
      [  564.124924]  ? __issue_discard_cmd+0x480/0x480
      [  564.125882]  ? __sched_text_start+0x8/0x8
      [  564.126756]  ? __kthread_parkme+0xcb/0x100
      [  564.127620]  ? kthread_blkcg+0x70/0x70
      [  564.128412]  kthread+0x180/0x1d0
      [  564.129105]  ? __issue_discard_cmd+0x480/0x480
      [  564.130029]  ? kthread_associate_blkcg+0x150/0x150
      [  564.131033]  ret_from_fork+0x35/0x40
      [  564.131794] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  564.141798] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  564.142773] RIP: 0010:issue_discard_thread+0x248/0x5c0
      [  564.143885] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
      [  564.147776] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
      [  564.148856] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
      [  564.150424] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
      [  564.151906] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
      [  564.153463] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
      [  564.154915] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
      [  564.156405] FS:  0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  564.158070] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  564.159279] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
      [  564.161043] ==================================================================
      [  564.162587] BUG: KASAN: stack-out-of-bounds in from_kuid_munged+0x1d/0x50
      [  564.163994] Read of size 4 at addr ffff8801f3117c84 by task f2fs_discard-7:/1298
      
      [  564.165852] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Tainted: G      D           4.18.0-rc1+ #4
      [  564.167593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  564.169522] Call Trace:
      [  564.170057]  dump_stack+0x7b/0xb5
      [  564.170778]  print_address_description+0x70/0x290
      [  564.171765]  kasan_report+0x291/0x390
      [  564.172540]  ? from_kuid_munged+0x1d/0x50
      [  564.173408]  __asan_load4+0x78/0x80
      [  564.174148]  from_kuid_munged+0x1d/0x50
      [  564.174962]  do_notify_parent+0x1f5/0x4f0
      [  564.175808]  ? send_sigqueue+0x390/0x390
      [  564.176639]  ? css_set_move_task+0x152/0x340
      [  564.184197]  do_exit+0x1290/0x1390
      [  564.184950]  ? __issue_discard_cmd+0x480/0x480
      [  564.185884]  ? mm_update_next_owner+0x380/0x380
      [  564.186829]  ? __sched_text_start+0x8/0x8
      [  564.187672]  ? __kthread_parkme+0xcb/0x100
      [  564.188528]  ? kthread_blkcg+0x70/0x70
      [  564.189333]  ? kthread+0x180/0x1d0
      [  564.190052]  ? __issue_discard_cmd+0x480/0x480
      [  564.190983]  rewind_stack_do_exit+0x17/0x20
      
      [  564.192190] The buggy address belongs to the page:
      [  564.193213] page:ffffea0007cc45c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  564.194856] flags: 0x2ffff0000000000()
      [  564.195644] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
      [  564.197247] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  564.198826] page dumped because: kasan: bad access detected
      
      [  564.200299] Memory state around the buggy address:
      [  564.201306]  ffff8801f3117b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  564.202779]  ffff8801f3117c00: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
      [  564.204252] >ffff8801f3117c80: f3 f3 f3 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      [  564.205742]                    ^
      [  564.206424]  ffff8801f3117d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  564.207908]  ffff8801f3117d80: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      [  564.209389] ==================================================================
      [  564.231795] F2FS-fs (loop0): Mounted with checkpoint version = 2
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L586
      
      
      	return div_u64((u64)valid_user_blocks(sbi) * 100,
      					sbi->user_block_count);
      Missing checks on sbi->user_block_count.
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f9cf5462
    • Chao Yu's avatar
      f2fs: fix to do sanity check with extra_attr feature · 0081c90e
      Chao Yu authored
      commit 76d56d4a
      
       upstream.
      
      If FI_EXTRA_ATTR is set in inode by fuzzing, inode.i_addr[0] will be
      parsed as inode.i_extra_isize, then in __recover_inline_status, inline
      data address will beyond boundary of page, result in accessing invalid
      memory.
      
      So in this condition, during reading inode page, let's do sanity check
      with EXTRA_ATTR feature of fs and extra_attr bit of inode, if they're
      inconsistent, deny to load this inode.
      
      - Overview
      Out-of-bound access in f2fs_iget() when mounting a corrupted f2fs image
      
      - Reproduce
      
      The following message will be got in KASAN build of 4.18 upstream kernel.
      [  819.392227] ==================================================================
      [  819.393901] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x736/0x1530
      [  819.395329] Read of size 4 at addr ffff8801f099c968 by task mount/1292
      
      [  819.397079] CPU: 1 PID: 1292 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  819.397082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  819.397088] Call Trace:
      [  819.397124]  dump_stack+0x7b/0xb5
      [  819.397154]  print_address_description+0x70/0x290
      [  819.397159]  kasan_report+0x291/0x390
      [  819.397163]  ? f2fs_iget+0x736/0x1530
      [  819.397176]  check_memory_region+0x139/0x190
      [  819.397182]  __asan_loadN+0xf/0x20
      [  819.397185]  f2fs_iget+0x736/0x1530
      [  819.397197]  f2fs_fill_super+0x1b4f/0x2b40
      [  819.397202]  ? f2fs_fill_super+0x1b4f/0x2b40
      [  819.397208]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397227]  ? set_blocksize+0x90/0x140
      [  819.397241]  mount_bdev+0x1c5/0x210
      [  819.397245]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397252]  f2fs_mount+0x15/0x20
      [  819.397256]  mount_fs+0x60/0x1a0
      [  819.397267]  ? alloc_vfsmnt+0x309/0x360
      [  819.397272]  vfs_kern_mount+0x6b/0x1a0
      [  819.397282]  do_mount+0x34a/0x18c0
      [  819.397300]  ? lockref_put_or_lock+0xcf/0x160
      [  819.397306]  ? copy_mount_string+0x20/0x20
      [  819.397318]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  819.397324]  ? kasan_check_write+0x14/0x20
      [  819.397334]  ? _copy_from_user+0x6a/0x90
      [  819.397353]  ? memdup_user+0x42/0x60
      [  819.397359]  ksys_mount+0x83/0xd0
      [  819.397365]  __x64_sys_mount+0x67/0x80
      [  819.397388]  do_syscall_64+0x78/0x170
      [  819.397403]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  819.397422] RIP: 0033:0x7f54c667cb9a
      [  819.397424] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  819.397483] RSP: 002b:00007ffd8f46cd08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
      [  819.397496] RAX: ffffffffffffffda RBX: 0000000000dfa030 RCX: 00007f54c667cb9a
      [  819.397498] RDX: 0000000000dfa210 RSI: 0000000000dfbf30 RDI: 0000000000e02ec0
      [  819.397501] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  819.397503] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000e02ec0
      [  819.397505] R13: 0000000000dfa210 R14: 0000000000000000 R15: 0000000000000003
      
      [  819.397866] Allocated by task 139:
      [  819.398702]  save_stack+0x46/0xd0
      [  819.398705]  kasan_kmalloc+0xad/0xe0
      [  819.398709]  kasan_slab_alloc+0x11/0x20
      [  819.398713]  kmem_cache_alloc+0xd1/0x1e0
      [  819.398717]  dup_fd+0x50/0x4c0
      [  819.398740]  copy_process.part.37+0xbed/0x32e0
      [  819.398744]  _do_fork+0x16e/0x590
      [  819.398748]  __x64_sys_clone+0x69/0x80
      [  819.398752]  do_syscall_64+0x78/0x170
      [  819.398756]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.399097] Freed by task 159:
      [  819.399743]  save_stack+0x46/0xd0
      [  819.399747]  __kasan_slab_free+0x13c/0x1a0
      [  819.399750]  kasan_slab_free+0xe/0x10
      [  819.399754]  kmem_cache_free+0x89/0x1e0
      [  819.399757]  put_files_struct+0x132/0x150
      [  819.399761]  exit_files+0x62/0x70
      [  819.399766]  do_exit+0x47b/0x1390
      [  819.399770]  do_group_exit+0x86/0x130
      [  819.399774]  __x64_sys_exit_group+0x2c/0x30
      [  819.399778]  do_syscall_64+0x78/0x170
      [  819.399782]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.400115] The buggy address belongs to the object at ffff8801f099c680
                      which belongs to the cache files_cache of size 704
      [  819.403234] The buggy address is located 40 bytes to the right of
                      704-byte region [ffff8801f099c680, ffff8801f099c940)
      [  819.405689] The buggy address belongs to the page:
      [  819.406709] page:ffffea0007c26700 count:1 mapcount:0 mapping:ffff8801f69a3340 index:0xffff8801f099d380 compound_mapcount: 0
      [  819.408984] flags: 0x2ffff0000008100(slab|head)
      [  819.409932] raw: 02ffff0000008100 ffffea00077fb600 0000000200000002 ffff8801f69a3340
      [  819.411514] raw: ffff8801f099d380 0000000080130000 00000001ffffffff 0000000000000000
      [  819.413073] page dumped because: kasan: bad access detected
      
      [  819.414539] Memory state around the buggy address:
      [  819.415521]  ffff8801f099c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.416981]  ffff8801f099c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.418454] >ffff8801f099c900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [  819.419921]                                                           ^
      [  819.421265]  ffff8801f099c980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
      [  819.422745]  ffff8801f099ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.424206] ==================================================================
      [  819.425668] Disabling lock debugging due to kernel taint
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      
      The kernel still mounts the image. If you run the following program on the mounted folder mnt,
      
      (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
          int fd = open(foo_bar_baz, O_RDONLY, 0);
        if (fd >= 0) {
            read(fd, (char *)buf, 11);
            close(fd);
        }
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      You can get kernel crash:
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      [  918.028501] BUG: unable to handle kernel paging request at ffffed0048000d82
      [  918.044020] PGD 23ffee067 P4D 23ffee067 PUD 23fbef067 PMD 0
      [  918.045207] Oops: 0000 [#1] SMP KASAN PTI
      [  918.046048] CPU: 0 PID: 1309 Comm: poc Tainted: G    B             4.18.0-rc1+ #4
      [  918.047573] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  918.049552] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.050565] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.054322] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.055400] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.056832] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.058253] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.059717] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.061159] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.062614] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.064246] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.065412] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      [  918.066882] Call Trace:
      [  918.067410]  __asan_loadN+0xf/0x20
      [  918.068149]  f2fs_find_target_dentry+0xf4/0x270
      [  918.069083]  ? __get_node_page+0x331/0x5b0
      [  918.069925]  f2fs_find_in_inline_dir+0x24b/0x310
      [  918.070881]  ? f2fs_recover_inline_data+0x4c0/0x4c0
      [  918.071905]  ? unwind_next_frame.part.5+0x34f/0x490
      [  918.072901]  ? unwind_dump+0x290/0x290
      [  918.073695]  ? is_bpf_text_address+0xe/0x20
      [  918.074566]  __f2fs_find_entry+0x599/0x670
      [  918.075408]  ? kasan_unpoison_shadow+0x36/0x50
      [  918.076315]  ? kasan_kmalloc+0xad/0xe0
      [  918.077100]  ? memcg_kmem_put_cache+0x55/0xa0
      [  918.077998]  ? f2fs_find_target_dentry+0x270/0x270
      [  918.079006]  ? d_set_d_op+0x30/0x100
      [  918.079749]  ? __d_lookup_rcu+0x69/0x2e0
      [  918.080556]  ? __d_alloc+0x275/0x450
      [  918.081297]  ? kasan_check_write+0x14/0x20
      [  918.082135]  ? memset+0x31/0x40
      [  918.082820]  ? fscrypt_setup_filename+0x1ec/0x4c0
      [  918.083782]  ? d_alloc_parallel+0x5bb/0x8c0
      [  918.084640]  f2fs_find_entry+0xe9/0x110
      [  918.085432]  ? __f2fs_find_entry+0x670/0x670
      [  918.086308]  ? kasan_check_write+0x14/0x20
      [  918.087163]  f2fs_lookup+0x297/0x590
      [  918.087902]  ? f2fs_link+0x2b0/0x2b0
      [  918.088646]  ? legitimize_path.isra.29+0x61/0xa0
      [  918.089589]  __lookup_slow+0x12e/0x240
      [  918.090371]  ? may_delete+0x2b0/0x2b0
      [  918.091123]  ? __nd_alloc_stack+0xa0/0xa0
      [  918.091944]  lookup_slow+0x44/0x60
      [  918.092642]  walk_component+0x3ee/0xa40
      [  918.093428]  ? is_bpf_text_address+0xe/0x20
      [  918.094283]  ? pick_link+0x3e0/0x3e0
      [  918.095047]  ? in_group_p+0xa5/0xe0
      [  918.095771]  ? generic_permission+0x53/0x1e0
      [  918.096666]  ? security_inode_permission+0x1d/0x70
      [  918.097646]  ? inode_permission+0x7a/0x1f0
      [  918.098497]  link_path_walk+0x2a2/0x7b0
      [  918.099298]  ? apparmor_capget+0x3d0/0x3d0
      [  918.100140]  ? walk_component+0xa40/0xa40
      [  918.100958]  ? path_init+0x2e6/0x580
      [  918.101695]  path_openat+0x1bb/0x2160
      [  918.102471]  ? __save_stack_trace+0x92/0x100
      [  918.103352]  ? save_stack+0xb5/0xd0
      [  918.104070]  ? vfs_unlink+0x250/0x250
      [  918.104822]  ? save_stack+0x46/0xd0
      [  918.105538]  ? kasan_slab_alloc+0x11/0x20
      [  918.106370]  ? kmem_cache_alloc+0xd1/0x1e0
      [  918.107213]  ? getname_flags+0x76/0x2c0
      [  918.107997]  ? getname+0x12/0x20
      [  918.108677]  ? do_sys_open+0x14b/0x2c0
      [  918.109450]  ? __x64_sys_open+0x4c/0x60
      [  918.110255]  ? do_syscall_64+0x78/0x170
      [  918.111083]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.112148]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.113204]  ? f2fs_empty_inline_dir+0x1e0/0x1e0
      [  918.114150]  ? timespec64_trunc+0x5c/0x90
      [  918.114993]  ? wb_io_lists_depopulated+0x1a/0xc0
      [  918.115937]  ? inode_io_list_move_locked+0x102/0x110
      [  918.116949]  do_filp_open+0x12b/0x1d0
      [  918.117709]  ? may_open_dev+0x50/0x50
      [  918.118475]  ? kasan_kmalloc+0xad/0xe0
      [  918.119246]  do_sys_open+0x17c/0x2c0
      [  918.119983]  ? do_sys_open+0x17c/0x2c0
      [  918.120751]  ? filp_open+0x60/0x60
      [  918.121463]  ? task_work_run+0x4d/0xf0
      [  918.122237]  __x64_sys_open+0x4c/0x60
      [  918.123001]  do_syscall_64+0x78/0x170
      [  918.123759]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.124802] RIP: 0033:0x7fac96e3e040
      [  918.125537] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24
      [  918.129341] RSP: 002b:00007fff1b37f848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
      [  918.130870] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fac96e3e040
      [  918.132295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000122d080
      [  918.133748] RBP: 00007fff1b37f9b0 R08: 00007fac9710bbd8 R09: 0000000000000001
      [  918.135209] R10: 000000000000069d R11: 0000000000000246 R12: 0000000000400c20
      [  918.136650] R13: 00007fff1b37fab0 R14: 0000000000000000 R15: 0000000000000000
      [  918.138093] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  918.147924] CR2: ffffed0048000d82
      [  918.148619] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  918.149563] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.150576] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.154360] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.155411] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.156833] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.158257] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.159722] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.161149] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.162587] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.164203] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.165356] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0081c90e
    • Ben Hutchings's avatar
      f2fs: Add sanity_check_inode() function · 2598fc56
      Ben Hutchings authored
      This was done as part of commit 5d64600d
      
       "f2fs: avoid bug_on on
      corrupted inode" upstream, but the specific check that commit added is
      not applicable to 4.14.
      
      Cc: Jaegeuk Kim <jaegeuk@kernel.org>
      Cc: Chao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2598fc56
    • Chao Yu's avatar
      f2fs: fix to do sanity check with secs_per_zone · f3d6361a
      Chao Yu authored
      commit 42bf546c upstream.
      
      As Wen Xu reported in below link:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200183
      
      - Overview
      Divide zero in reset_curseg() when mounting a crafted f2fs image
      
      - Reproduce
      
      - Kernel message
      [  588.281510] divide error: 0000 [#1] SMP KASAN PTI
      [  588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  588.286178] RIP: 0010:reset_curseg+0x94/0x1a0
      [  588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
      [  588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
      [  588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
      [  588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
      [  588.306822] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  588.308456] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
      [  588.311085] Call Trace:
      [  588.311637]  f2fs_build_segment_manager+0x103f/0x3410
      [  588.316136]  ? f2fs_commit_super+0x1b0/0x1b0
      [  588.317031]  ? set_blocksize+0x90/0x140
      [  588.319473]  f2fs_mount+0x15/0x20
      [  588.320166]  mount_fs+0x60/0x1a0
      [  588.320847]  ? alloc_vfsmnt+0x309/0x360
      [  588.321647]  vfs_kern_mount+0x6b/0x1a0
      [  588.322432]  do_mount+0x34a/0x18c0
      [  588.323175]  ? strndup_user+0x46/0x70
      [  588.323937]  ? copy_mount_string+0x20/0x20
      [  588.324793]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  588.325702]  ? kasan_check_write+0x14/0x20
      [  588.326562]  ? _copy_from_user+0x6a/0x90
      [  588.327375]  ? memdup_user+0x42/0x60
      [  588.328118]  ksys_mount+0x83/0xd0
      [  588.328808]  __x64_sys_mount+0x67/0x80
      [  588.329607]  do_syscall_64+0x78/0x170
      [  588.330400]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  588.331461] RIP: 0033:0x7fad848e8b9a
      [  588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a
      [  588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0
      [  588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0
      [  588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003
      [  588.354891] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  588.355862] RIP: 0010:reset_curseg+0x94/0x1a0
      [  588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
      [  588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
      [  588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
      [  588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f
      [  588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700
      [  588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
      [  588.370057] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  588.372099] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
      
      - Location
      https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147
      
      
              curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno);
      
      If secs_per_zone is corrupted due to fuzzing test, it will cause divide
      zero operation when using GET_ZONE_FROM_SEG macro, so we should do more
      sanity check with secs_per_zone during mount to avoid this issue.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f3d6361a