Chao Yu b862676e37 f2fs: fix to avoid out-of-bounds memory access ... butt3rflyh4ck <butterflyhuangxx@gmail.com> reported a bug found by syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]: dump_stack+0xfa/0x151 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline] current_nat_addr fs/f2fs/node.h:213 [inline] get_next_nat_page fs/f2fs/node.c:123 [inline] __flush_nat_entry_set fs/f2fs/node.c:2888 [inline] f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991 f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640 f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807 f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454 __sync_filesystem fs/sync.c:39 [inline] sync_filesystem fs/sync.c:67 [inline] sync_filesystem+0x1b5/0x260 fs/sync.c:48 generic_shutdown_super+0x70/0x370 fs/super.c:448 kill_block_super+0x97/0xf0 fs/super.c:1394 The root cause is, if nat entry in checkpoint journal area is corrupted, e.g. nid of journalled nat entry exceeds max nid value, during checkpoint, once it tries to flush nat journal to NAT area, get_next_nat_page() may access out-of-bounds memory on nat_bitmap due to it uses wrong nid value as bitmap offset. [1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u Reported-and-tested-by: butt3rflyh4ck <butterflyhuangxx@gmail.com> Signed-off-by: Chao Yu <yuchao0@huawei.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>		2021-03-25 18:20:51 -07:00
..
acl.c	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
acl.h	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
checkpoint.c	f2fs: update comments for explicit memory barrier	2021-03-12 13:16:42 -08:00
compress.c	f2fs: add sysfs nodes to get runtime compression stat	2021-03-25 18:20:50 -07:00
compress.h	f2fs: compress: fix compression chksum	2020-12-10 09:13:53 -08:00
data.c	f2fs: fix to use per-inode maxbytes in f2fs_fiemap	2021-03-25 18:20:50 -07:00
debug.c	f2fs: introduce checkpoint_merge mount option	2021-02-03 13:03:06 -08:00
dir.c	f2fs-for-5.11-rc1	2020-12-17 11:18:00 -08:00
extent_cache.c	f2fs: support 64-bits key in f2fs rb-tree node entry	2020-09-10 14:03:30 -07:00
f2fs.h	f2fs: add sysfs nodes to get runtime compression stat	2021-03-25 18:20:50 -07:00
file.c	f2fs: fix to align to section for fallocate() on pinned file	2021-03-23 10:41:12 -07:00
gc.c	f2fs: do not use AT_SSR mode in FG_GC & high urgent BG_GC	2021-03-25 18:20:50 -07:00
gc.h	f2fs: support age threshold based garbage collection	2020-09-11 11:11:15 -07:00
hash.c	f2fs: Handle casefolding with Encryption	2020-12-02 22:00:21 -08:00
inline.c	f2fs: fix a redundant call to f2fs_balance_fs if an error occurs	2021-03-12 13:16:44 -08:00
inode.c	f2fs: compress: support chksum	2020-12-02 22:00:22 -08:00
Kconfig	f2fs: compress: Allow modular (de)compression algorithms	2021-03-12 13:16:42 -08:00
Makefile	f2fs: deprecate f2fs_trace_io	2021-01-27 15:20:07 -08:00
namei.c	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
node.c	f2fs: fix to avoid out-of-bounds memory access	2021-03-25 18:20:51 -07:00
node.h	f2fs: avoid race condition for shrinker count	2020-12-03 00:59:26 -08:00
recovery.c	f2fs: change to use rwsem for cp_mutex	2020-12-02 22:00:21 -08:00
segment.c	f2fs: do not use AT_SSR mode in FG_GC & high urgent BG_GC	2021-03-25 18:20:50 -07:00
segment.h	f2fs: remove unused FORCE_FG_GC macro	2021-03-12 13:16:42 -08:00
shrinker.c	f2fs: avoid race condition for shrinker count	2020-12-03 00:59:26 -08:00
super.c	f2fs: don't start checkpoint thread in readonly mountpoint	2021-03-25 18:20:51 -07:00
sysfs.c	f2fs: add sysfs nodes to get runtime compression stat	2021-03-25 18:20:50 -07:00
verity.c	f2fs: fix error handling in f2fs_end_enable_verity()	2021-03-12 13:16:44 -08:00
xattr.c	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
xattr.h	f2fs: code cleanup by removing ifdef macro surrounding	2020-05-26 18:56:10 -07:00