From patchwork Sat Jan 13 15:06:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gao Xiang X-Patchwork-Id: 187920 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:693c:2614:b0:101:6a76:bbe3 with SMTP id mm20csp801773dyc; Sat, 13 Jan 2024 07:06:36 -0800 (PST) X-Google-Smtp-Source: AGHT+IFkLpG1t16IbtjQFJrnXzTxxTHTJo2lKBV8EGGEGUBQw91XZnhLyJxeuObtVAsf4yENWj/G X-Received: by 2002:a05:620a:2e1:b0:783:4273:bcd with SMTP id a1-20020a05620a02e100b0078342730bcdmr3263100qko.52.1705158395993; Sat, 13 Jan 2024 07:06:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1705158395; cv=none; d=google.com; s=arc-20160816; b=mbSwDmzsHxel5ChUfeTrd90FkGkE8UkeC/Y6m7h0Ajw4hAksZYZ+0/Hh7/dmqVMr9h Tm738F3t13wUohCh7W7u59SJuhMao6TZ8duqIttgVpux8lXGCOpJQHUhhHKthgQL8pKS O44mho69aGfBM208s4H8fsuuPH7c2Ih9cpbZhKtuEbje+fIIJAkyilzOSv5BSq1D1uYs LtsJe/bX2/oQTJggq8HHYWtPEzC6jkANeyzJsjv+PLGVSaIkj29/8orAQj/HN1Qqg2+9 1ytCNIKKWs5mizikt4LHw0MflokiNC89nGLPliBzc1lLcflrQa3TeeH9/LjP40QqEYAf GCag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from; bh=9oLkBY8M6Q+BqF1VszJcr5zTajdXkzZzmsIrnoH+iJ8=; fh=A9PhMLaldOG4M4PAWMkSyPK96TL2+ErURVDQJUXxfFA=; b=U/01W1XYls1tla0+oWiZ3+Emt0/Gf7C7aUi57+4WmeOEBtpNOYQ5VpondyHqa0oFef j8wsFZKszI9//e7TVUi0skEDHHbnVFoo8EqiOJ3zKKPfROHSQLhyRyvQqbPlW8t4DYd+ mlaFJiSXVC/xmb8GGpfe6vu0/pD1KN50jKr57SJjV7fcEViqxYpgK1wmfFvfl0tQ7Y4L H0oytHRYj8gJjgjCM/f87FXztTLiNoXml4bLKgYv0MqAtnoR4rrEszhPcjMLy5cVtun/ 5dYWoprgCjJ1TzGgAHcVvDTIIdl9qqt7LDzDtQbXoyQr0QwllGs25kaKjKt9N23IISCe 3y4Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-25314-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-25314-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id c3-20020a05620a11a300b0078314abc23dsi4825247qkk.478.2024.01.13.07.06.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 13 Jan 2024 07:06:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-25314-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-25314-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-25314-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id C65561C211DA for ; Sat, 13 Jan 2024 15:06:35 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 19DF91FA4; Sat, 13 Jan 2024 15:06:23 +0000 (UTC) Received: from out30-119.freemail.mail.aliyun.com (out30-119.freemail.mail.aliyun.com [115.124.30.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C78CC360 for ; Sat, 13 Jan 2024 15:06:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R551e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046049;MF=hsiangkao@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0W-Vyax8_1705158364; Received: from e69b19392.et15sqa.tbsite.net(mailfrom:hsiangkao@linux.alibaba.com fp:SMTPD_---0W-Vyax8_1705158364) by smtp.aliyun-inc.com; Sat, 13 Jan 2024 23:06:10 +0800 From: Gao Xiang To: linux-erofs@lists.ozlabs.org, Yue Hu Cc: LKML , Gao Xiang , bugreport@ubisectech.com Subject: [PATCH v3] erofs: fix inconsistent per-file compression format Date: Sat, 13 Jan 2024 23:06:02 +0800 Message-Id: <20240113150602.1471050-1-hsiangkao@linux.alibaba.com> X-Mailer: git-send-email 2.39.3 In-Reply-To: <20231227050633.1507448-1-hsiangkao@linux.alibaba.com> References: <20231227050633.1507448-1-hsiangkao@linux.alibaba.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1786407213098482187 X-GMAIL-MSGID: 1787988170366464715 EROFS can select compression algorithms on a per-file basis, and each per-file compression algorithm needs to be marked in the on-disk superblock for initialization. However, syzkaller can generate inconsistent crafted images that use an unsupported algorithmtype for specific inodes, e.g. use MicroLZMA algorithmtype even it's not set in `sbi->available_compr_algs`. This can lead to an unexpected "BUG: kernel NULL pointer dereference" if the corresponding decompressor isn't built-in. Fix this by checking against `sbi->available_compr_algs` for each m_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset bitmap is now fixed together since it was harmless previously. Reported-by: Fixes: 8f89926290c4 ("erofs: get compression algorithms directly on mapping") Fixes: 622ceaddb764 ("erofs: lzma compression support") Reviewed-by: Yue Hu Signed-off-by: Gao Xiang Reviewed-by: Yue Hu --- changes since v2: - Should check in z_erofs_do_map_blocks() runtimely since another algorithmtype[0/1] could leave as unused (0) but it can be problematic if LZ4 is not set in `sbi->available_compr_algs`. fs/erofs/decompressor.c | 2 +- fs/erofs/zmap.c | 23 +++++++++++++---------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 1d65b9f60a39..072ef6a66823 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -408,7 +408,7 @@ int z_erofs_parse_cfgs(struct super_block *sb, struct erofs_super_block *dsb) int size, ret = 0; if (!erofs_sb_has_compr_cfgs(sbi)) { - sbi->available_compr_algs = Z_EROFS_COMPRESSION_LZ4; + sbi->available_compr_algs = 1 << Z_EROFS_COMPRESSION_LZ4; return z_erofs_load_lz4_config(sb, dsb, NULL, 0); } diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c index 9753875e41cb..7e1116804008 100644 --- a/fs/erofs/zmap.c +++ b/fs/erofs/zmap.c @@ -454,7 +454,7 @@ static int z_erofs_do_map_blocks(struct inode *inode, .map = map, }; int err = 0; - unsigned int lclusterbits, endoff; + unsigned int lclusterbits, endoff, afmt; unsigned long initial_lcn; unsigned long long ofs, end; @@ -543,17 +543,20 @@ static int z_erofs_do_map_blocks(struct inode *inode, err = -EFSCORRUPTED; goto unmap_out; } - if (vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER) - map->m_algorithmformat = - Z_EROFS_COMPRESSION_INTERLACED; - else - map->m_algorithmformat = - Z_EROFS_COMPRESSION_SHIFTED; - } else if (m.headtype == Z_EROFS_LCLUSTER_TYPE_HEAD2) { - map->m_algorithmformat = vi->z_algorithmtype[1]; + afmt = vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER ? + Z_EROFS_COMPRESSION_INTERLACED : + Z_EROFS_COMPRESSION_SHIFTED; } else { - map->m_algorithmformat = vi->z_algorithmtype[0]; + afmt = m.headtype == Z_EROFS_LCLUSTER_TYPE_HEAD2 ? + vi->z_algorithmtype[1] : vi->z_algorithmtype[0]; + if (!(EROFS_I_SB(inode)->available_compr_algs & (1 << afmt))) { + erofs_err(inode->i_sb, "inconsistent algorithmtype %u for nid %llu", + afmt, vi->nid); + err = -EFSCORRUPTED; + goto unmap_out; + } } + map->m_algorithmformat = afmt; if ((flags & EROFS_GET_BLOCKS_FIEMAP) || ((flags & EROFS_GET_BLOCKS_READMORE) &&