Patch "f2fs: fix to avoid potential memory corruption in __update_iostat_latency()" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    f2fs: fix to avoid potential memory corruption in __update_iostat_latency()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     f2fs-fix-to-avoid-potential-memory-corruption-in-__u.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit dcca5b4e2d5e346711aa8f20f2a36ee40099233d
Author: Yangtao Li <frank.li@xxxxxxxx>
Date:   Sat Jan 21 00:16:55 2023 +0800

    f2fs: fix to avoid potential memory corruption in __update_iostat_latency()
    
    [ Upstream commit 0dbbf0fb38d5ec5d4138d1aeaeb43d9217b9a592 ]
    
    Add iotype sanity check to avoid potential memory corruption.
    This is to fix the compile error below:
    
    fs/f2fs/iostat.c:231 __update_iostat_latency() error: buffer overflow
    'io_lat->peak_lat[type]' 3 <= 3
    
    vim +228 fs/f2fs/iostat.c
    
      211  static inline void __update_iostat_latency(struct bio_iostat_ctx
            *iostat_ctx,
      212                                   enum iostat_lat_type type)
      213  {
      214           unsigned long ts_diff;
      215           unsigned int page_type = iostat_ctx->type;
      216           struct f2fs_sb_info *sbi = iostat_ctx->sbi;
      217           struct iostat_lat_info *io_lat = sbi->iostat_io_lat;
      218           unsigned long flags;
      219
      220           if (!sbi->iostat_enable)
      221                   return;
      222
      223           ts_diff = jiffies - iostat_ctx->submit_ts;
      224           if (page_type >= META_FLUSH)
                                     ^^^^^^^^^^
    
      225                   page_type = META;
      226
      227           spin_lock_irqsave(&sbi->iostat_lat_lock, flags);
     @228           io_lat->sum_lat[type][page_type] += ts_diff;
                                          ^^^^^^^^^
    Mixup between META_FLUSH and NR_PAGE_TYPE leads to memory corruption.
    
    Fixes: a4b6817625e7 ("f2fs: introduce periodic iostat io latency traces")
    Reported-by: kernel test robot <lkp@xxxxxxxxx>
    Reported-by: Dan Carpenter <error27@xxxxxxxxx>
    Suggested-by: Chao Yu <chao@xxxxxxxxxx>
    Suggested-by: Jaegeuk Kim <jaegeuk@xxxxxxxxxx>
    Signed-off-by: Yangtao Li <frank.li@xxxxxxxx>
    Reviewed-by: Chao Yu <chao@xxxxxxxxxx>
    Signed-off-by: Jaegeuk Kim <jaegeuk@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/f2fs/iostat.c b/fs/f2fs/iostat.c
index 3166a8939ed4f..02393c95c9f86 100644
--- a/fs/f2fs/iostat.c
+++ b/fs/f2fs/iostat.c
@@ -227,8 +227,12 @@ static inline void __update_iostat_latency(struct bio_iostat_ctx *iostat_ctx,
 		return;
 
 	ts_diff = jiffies - iostat_ctx->submit_ts;
-	if (iotype >= META_FLUSH)
+	if (iotype == META_FLUSH) {
 		iotype = META;
+	} else if (iotype >= NR_PAGE_TYPE) {
+		f2fs_warn(sbi, "%s: %d over NR_PAGE_TYPE", __func__, iotype);
+		return;
+	}
 
 	if (rw == 0) {
 		idx = READ_IO;
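
Review bot: the f2fs_warn() in the new "else if (iotype >= NR_PAGE_TYPE)" branch is not rate-limited, and it sits in a per-I/O accounting path (the function takes a struct bio_iostat_ctx), so a caller that keeps passing an out-of-range iotype would emit one log line per call. A once-only or rate-limited warning (for example WARN_ON_ONCE) would still flag the bug without flooding the log. The format string also prints iotype with %d; the listing in the commit message shows the index as "unsigned int page_type", so if iotype is unsigned here as well, %u is the matching specifier. The ordering of the two tests is worth a short comment: META_FLUSH has to be remapped to META before the NR_PAGE_TYPE bound is applied, and swapping the branches later would silently drop META_FLUSH samples.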


