On 2022/1/25 4:36, Pavel Machek wrote:
Hi!
From: Chao Yu <chao@xxxxxxxxxx>
commit 77900c45ee5cd5da63bd4d818a41dbdf367e81cd upstream.
In fuzzed image, SSA table may indicate that a data block belongs to
invalid node, which node ID is out-of-range (0, 1, 2 or max_nid), in
order to avoid migrating inconsistent data in such corrupted image,
let's do sanity check anyway before data block migration.
This may be good idea, but AFAICT this leads to leak of page reference.
Hi Pavel,
Oops, you're right, my bad.
+++ b/fs/f2fs/gc.c
@@ -589,6 +589,9 @@ static bool is_alive(struct f2fs_sb_info
set_sbi_flag(sbi, SBI_NEED_FSCK);
}
+ if (f2fs_check_nid_range(sbi, dni->ino))
+ return false;
+
*nofs = ofs_of_node(node_page);
source_blkaddr = datablock_addr(NULL, node_page, ofs_in_node);
f2fs_put_page(node_page, 1);
AFAICT f2fs_put_page() needs to be done in the error path, too.
(Problem seems to exist in mainline, too).
Something like this?
Could you please send a formal patch to f2fs mailing list for better review?
Anyway, thanks a lot for the report and the patch!
Thanks,
Signed-off-by: Pavel Machek <pavel@xxxxxxx>
Best regards,
Pavel
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index ee308a8de432..e020804f7b07 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1038,8 +1038,10 @@ static bool is_alive(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
set_sbi_flag(sbi, SBI_NEED_FSCK);
}
- if (f2fs_check_nid_range(sbi, dni->ino))
+ if (f2fs_check_nid_range(sbi, dni->ino)) {
+ f2fs_put_page(node_page, 1);
return false;
+ }
*nofs = ofs_of_node(node_page);
source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);