WSL2-Linux-Kernel/fs/f2fs
Chao Yu 982c29e0d2 f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()
commit d8189834d4 upstream.

butt3rflyh4ck reports a bug as below:

When a thread always calls F2FS_IOC_RESIZE_FS to resize fs, if resize fs is
failed, f2fs kernel thread would invoke callback function to update f2fs io
info, it would call  f2fs_write_end_io and may trigger null-ptr-deref in
NODE_MAPPING.

general protection fault, probably for non-canonical address
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:1972 [inline]
RIP: 0010:f2fs_write_end_io+0x727/0x1050 fs/f2fs/data.c:370
 <TASK>
 bio_endio+0x5af/0x6c0 block/bio.c:1608
 req_bio_endio block/blk-mq.c:761 [inline]
 blk_update_request+0x5cc/0x1690 block/blk-mq.c:906
 blk_mq_end_request+0x59/0x4c0 block/blk-mq.c:1023
 lo_complete_rq+0x1c6/0x280 drivers/block/loop.c:370
 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1101
 __do_softirq+0x1d4/0x8ef kernel/softirq.c:571
 run_ksoftirqd kernel/softirq.c:939 [inline]
 run_ksoftirqd+0x31/0x60 kernel/softirq.c:931
 smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164
 kthread+0x33e/0x440 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The root cause is below race case can cause leaving dirty metadata
in f2fs after filesystem is remount as ro:

Thread A				Thread B
- f2fs_ioc_resize_fs
 - f2fs_readonly   --- return false
 - f2fs_resize_fs
					- f2fs_remount
					 - write_checkpoint
					 - set f2fs as ro
  - free_segment_range
   - update meta_inode's data

Then, if f2fs_put_super()  fails to write_checkpoint due to readonly
status, and meta_inode's dirty data will be writebacked after node_inode
is put, finally, f2fs_write_end_io will access NULL pointer on
sbi->node_inode.

Thread A				IRQ context
- f2fs_put_super
 - write_checkpoint fails
 - iput(node_inode)
 - node_inode = NULL
 - iput(meta_inode)
  - write_inode_now
   - f2fs_write_meta_page
					- f2fs_write_end_io
					 - NODE_MAPPING(sbi)
					 : access NULL pointer on node_inode

Fixes: b4b10061ef ("f2fs: refactor resize_fs to avoid meta updates in progress")
Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Closes: https://lore.kernel.org/r/1684480657-2375-1-git-send-email-yangtiezhu@loongson.cn
Tested-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-07-23 13:47:46 +02:00
..
Kconfig f2fs: separate out iostat feature 2021-08-23 10:25:51 -07:00
Makefile f2fs: separate out iostat feature 2021-08-23 10:25:51 -07:00
acl.c vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
acl.h vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
checkpoint.c f2fs: fix to drop all dirty pages during umount() if cp_error is set 2023-05-24 17:36:45 +01:00
compress.c f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages() 2023-05-11 23:00:27 +09:00
data.c f2fs: fix to drop all dirty pages during umount() if cp_error is set 2023-05-24 17:36:45 +01:00
debug.c f2fs: use spin_lock to avoid hang 2022-04-08 14:23:58 +02:00
dir.c f2fs: don't use casefolded comparison for "." and ".." 2022-06-09 10:23:17 +02:00
extent_cache.c f2fs: let's avoid panic if extent_tree is not created 2023-01-24 07:22:42 +01:00
f2fs.h f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() 2023-07-23 13:47:46 +02:00
file.c f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() 2023-07-23 13:47:46 +02:00
gc.c f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() 2023-07-23 13:47:46 +02:00
gc.h f2fs: introduce gc_merge mount option 2021-03-30 18:48:56 -07:00
hash.c f2fs: don't use casefolded comparison for "." and ".." 2022-06-09 10:23:17 +02:00
inline.c f2fs: do not bother checkpoint by f2fs_get_node_info 2023-03-17 08:48:50 +01:00
inode.c f2fs: retry to update the inode page given data corruption 2023-03-17 08:48:50 +01:00
iostat.c f2fs: fix to avoid potential memory corruption in __update_iostat_latency() 2023-03-11 13:57:26 +01:00
iostat.h f2fs: introduce periodic iostat io latency traces 2021-08-23 10:25:51 -07:00
namei.c Revert "f2fs: fix potential corruption when moving a directory" 2023-07-23 13:47:33 +02:00
node.c f2fs: fix error path handling in truncate_dnode() 2023-07-23 13:47:28 +02:00
node.h f2fs: swap: support migrating swapfile in aligned write mode 2021-06-23 01:09:35 -07:00
recovery.c f2fs: do not bother checkpoint by f2fs_get_node_info 2023-03-17 08:48:50 +01:00
segment.c f2fs: apply zone capacity to all zone type 2023-05-11 23:00:27 +09:00
segment.h f2fs: apply zone capacity to all zone type 2023-05-11 23:00:27 +09:00
shrinker.c f2fs: avoid race condition for shrinker count 2020-12-03 00:59:26 -08:00
super.c f2fs: fix to check readonly condition correctly 2023-05-24 17:36:45 +01:00
sysfs.c f2fs: fix iostat lock protection 2023-06-14 11:13:00 +02:00
verity.c fs: f2fs: initialize fsdata in pagecache_write() 2023-03-11 13:57:23 +01:00
xattr.c f2fs: support fault injection for dquot_initialize() 2022-06-09 10:23:13 +02:00
xattr.h f2fs: code cleanup by removing ifdef macro surrounding 2020-05-26 18:56:10 -07:00