From 23892d383bee15b64f5463bd7195615734bb2415 Mon Sep 17 00:00:00 2001 From: Yifei Liu Date: Wed, 3 Aug 2022 15:53:12 +0000 Subject: jffs2: correct logic when creating a hole in jffs2_write_begin Bug description and fix: 1. Write data to a file, say all 1s from offset 0 to 16. 2. Truncate the file to a smaller size, say 8 bytes. 3. Write new bytes (say 2s) from an offset past the original size of the file, say at offset 20, for 4 bytes. This is supposed to create a "hole" in the file, meaning that the bytes from offset 8 (where it was truncated above) up to the new write at offset 20, should all be 0s (zeros). 4. Flush all caches using "echo 3 > /proc/sys/vm/drop_caches" (or unmount and remount) the f/s. 5. Check the content of the file. It is wrong. The 1s that used to be between bytes 9 and 16, before the truncation, have REAPPEARED (they should be 0s). We wrote a script and helper C program to reproduce the bug (reproduce_jffs2_write_begin_issue.sh, write_file.c, and Makefile). We can make them available to anyone. The above example is shown when writing a small file within the same first page. But the bug happens for larger files, as long as steps 1, 2, and 3 above all happen within the same page. The problem was traced to the jffs2_write_begin code, where it goes into an 'if' statement intended to handle writes past the current EOF (i.e., writes that may create a hole). The code computes a 'pageofs' that is the floor of the write position (pos), aligned to the page size boundary. In other words, 'pageofs' will never be larger than 'pos'. The code then sets the internal jffs2_raw_inode->isize to the size of max(current inode size, pageofs) but that is wrong: the new file size should be the 'pos', which is larger than both the current inode size and pageofs. Similarly, the code incorrectly sets the internal jffs2_raw_inode->dsize to the difference between the pageofs minus current inode size; instead it should be the current pos minus the current inode size. Finally, inode->i_size was also set incorrectly. The patch below fixes this bug. The bug was discovered using a new tool for finding f/s bugs using model checking, called MCFS (Model Checking File Systems). Signed-off-by: Yifei Liu Signed-off-by: Erez Zadok Signed-off-by: Manish Adkar Signed-off-by: Richard Weinberger --- fs/jffs2/file.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'fs/jffs2') diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c index 3cf71befa475..96b0275ce957 100644 --- a/fs/jffs2/file.c +++ b/fs/jffs2/file.c @@ -137,19 +137,18 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb); pgoff_t index = pos >> PAGE_SHIFT; - uint32_t pageofs = index << PAGE_SHIFT; int ret = 0; jffs2_dbg(1, "%s()\n", __func__); - if (pageofs > inode->i_size) { - /* Make new hole frag from old EOF to new page */ + if (pos > inode->i_size) { + /* Make new hole frag from old EOF to new position */ struct jffs2_raw_inode ri; struct jffs2_full_dnode *fn; uint32_t alloc_len; - jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new page\n", - (unsigned int)inode->i_size, pageofs); + jffs2_dbg(1, "Writing new hole frag 0x%x-0x%x between current EOF and new position\n", + (unsigned int)inode->i_size, (uint32_t)pos); ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len, ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE); @@ -169,10 +168,10 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, ri.mode = cpu_to_jemode(inode->i_mode); ri.uid = cpu_to_je16(i_uid_read(inode)); ri.gid = cpu_to_je16(i_gid_read(inode)); - ri.isize = cpu_to_je32(max((uint32_t)inode->i_size, pageofs)); + ri.isize = cpu_to_je32((uint32_t)pos); ri.atime = ri.ctime = ri.mtime = cpu_to_je32(JFFS2_NOW()); ri.offset = cpu_to_je32(inode->i_size); - ri.dsize = cpu_to_je32(pageofs - inode->i_size); + ri.dsize = cpu_to_je32((uint32_t)pos - inode->i_size); ri.csize = cpu_to_je32(0); ri.compr = JFFS2_COMPR_ZERO; ri.node_crc = cpu_to_je32(crc32(0, &ri, sizeof(ri)-8)); @@ -202,7 +201,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping, goto out_err; } jffs2_complete_reservation(c); - inode->i_size = pageofs; + inode->i_size = pos; mutex_unlock(&f->sem); } -- cgit From 7198c9c00338287fe364d76bba35b3b10feec3c5 Mon Sep 17 00:00:00 2001 From: Yu Zhe Date: Fri, 18 Nov 2022 16:51:04 +0800 Subject: jffs2: fix spelling mistake "neccecary"->"necessary" There is a spelling mistake in comment. Fix it. Signed-off-by: Yu Zhe Signed-off-by: Richard Weinberger --- fs/jffs2/fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'fs/jffs2') diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c index 66af51c41619..e952b0bd548b 100644 --- a/fs/jffs2/fs.c +++ b/fs/jffs2/fs.c @@ -403,7 +403,7 @@ int jffs2_do_remount_fs(struct super_block *sb, struct fs_context *fc) /* We stop if it was running, then restart if it needs to. This also catches the case where it was stopped and this is just a remount to restart it. - Flush the writebuffer, if neccecary, else we loose it */ + Flush the writebuffer, if necessary, else we loose it */ if (!sb_rdonly(sb)) { jffs2_stop_garbage_collect_thread(c); mutex_lock(&c->alloc_sem); -- cgit From d5711ae52d5a548d16e5c177c92c15338ec63624 Mon Sep 17 00:00:00 2001 From: Zhang Xiaoxu Date: Thu, 27 Oct 2022 20:49:05 +0800 Subject: jffs2: Use function instead of macro when initialize compressors The initialized compressors should be released if one of them initialize fail, this is the pre-patch for fix the problem, use function instead of the macro in jffs2_compressors_init() to simplify the codes, no functional change intended. Signed-off-by: Zhang Xiaoxu Signed-off-by: Richard Weinberger --- fs/jffs2/compr.c | 17 +---------------- fs/jffs2/compr.h | 26 ++++++++++++++++++++------ 2 files changed, 21 insertions(+), 22 deletions(-) (limited to 'fs/jffs2') diff --git a/fs/jffs2/compr.c b/fs/jffs2/compr.c index 4849a4c9a0e2..afe74c65f1e4 100644 --- a/fs/jffs2/compr.c +++ b/fs/jffs2/compr.c @@ -365,19 +365,12 @@ void jffs2_free_comprbuf(unsigned char *comprbuf, unsigned char *orig) int __init jffs2_compressors_init(void) { /* Registering compressors */ -#ifdef CONFIG_JFFS2_ZLIB jffs2_zlib_init(); -#endif -#ifdef CONFIG_JFFS2_RTIME jffs2_rtime_init(); -#endif -#ifdef CONFIG_JFFS2_RUBIN jffs2_rubinmips_init(); jffs2_dynrubin_init(); -#endif -#ifdef CONFIG_JFFS2_LZO jffs2_lzo_init(); -#endif + /* Setting default compression mode */ #ifdef CONFIG_JFFS2_CMODE_NONE jffs2_compression_mode = JFFS2_COMPR_MODE_NONE; @@ -401,18 +394,10 @@ int __init jffs2_compressors_init(void) int jffs2_compressors_exit(void) { /* Unregistering compressors */ -#ifdef CONFIG_JFFS2_LZO jffs2_lzo_exit(); -#endif -#ifdef CONFIG_JFFS2_RUBIN jffs2_dynrubin_exit(); jffs2_rubinmips_exit(); -#endif -#ifdef CONFIG_JFFS2_RTIME jffs2_rtime_exit(); -#endif -#ifdef CONFIG_JFFS2_ZLIB jffs2_zlib_exit(); -#endif return 0; } diff --git a/fs/jffs2/compr.h b/fs/jffs2/compr.h index 5e91d578f4ed..3716b6b7924c 100644 --- a/fs/jffs2/compr.h +++ b/fs/jffs2/compr.h @@ -88,18 +88,32 @@ int jffs2_rubinmips_init(void); void jffs2_rubinmips_exit(void); int jffs2_dynrubin_init(void); void jffs2_dynrubin_exit(void); +#else +static inline int jffs2_rubinmips_init(void) { return 0; } +static inline void jffs2_rubinmips_exit(void) {} +static inline int jffs2_dynrubin_init(void) { return 0; } +static inline void jffs2_dynrubin_exit(void) {} #endif #ifdef CONFIG_JFFS2_RTIME -int jffs2_rtime_init(void); -void jffs2_rtime_exit(void); +extern int jffs2_rtime_init(void); +extern void jffs2_rtime_exit(void); +#else +static inline int jffs2_rtime_init(void) { return 0; } +static inline void jffs2_rtime_exit(void) {} #endif #ifdef CONFIG_JFFS2_ZLIB -int jffs2_zlib_init(void); -void jffs2_zlib_exit(void); +extern int jffs2_zlib_init(void); +extern void jffs2_zlib_exit(void); +#else +static inline int jffs2_zlib_init(void) { return 0; } +static inline void jffs2_zlib_exit(void) {} #endif #ifdef CONFIG_JFFS2_LZO -int jffs2_lzo_init(void); -void jffs2_lzo_exit(void); +extern int jffs2_lzo_init(void); +extern void jffs2_lzo_exit(void); +#else +static inline int jffs2_lzo_init(void) { return 0; } +static inline void jffs2_lzo_exit(void) {} #endif #endif /* __JFFS2_COMPR_H__ */ -- cgit From 3432e57493c278c1cb48abc2d69c6c055a19723e Mon Sep 17 00:00:00 2001 From: Zhang Xiaoxu Date: Thu, 27 Oct 2022 20:49:06 +0800 Subject: jffs2: Fix list_del corruption if compressors initialized failed There is a list_del corruption when remove the jffs2 module: list_del corruption, ffffffffa0623e60->next is NULL WARNING: CPU: 6 PID: 6332 at lib/list_debug.c:49 __list_del_entry_valid+0x98/0x130 Modules linked in: jffs2(-) ] CPU: 6 PID: 6332 Comm: rmmod Tainted: G W 6.1.0-rc2+ #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 RIP: 0010:__list_del_entry_valid+0x98/0x130 ... Call Trace: jffs2_unregister_compressor+0x3e/0xe0 [jffs2] jffs2_zlib_exit+0x11/0x30 [jffs2] jffs2_compressors_exit+0x1e/0x30 [jffs2] exit_jffs2_fs+0x16/0x44f [jffs2] __do_sys_delete_module.constprop.0+0x244/0x370 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 If one of the compressor initialize failed, the module always insert success since jffs2_compressors_init() always return success, then something bad may happen during remove the module. For this scenario, let's insmod failed. Signed-off-by: Zhang Xiaoxu Signed-off-by: Richard Weinberger --- fs/jffs2/compr.c | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) (limited to 'fs/jffs2') diff --git a/fs/jffs2/compr.c b/fs/jffs2/compr.c index afe74c65f1e4..764f19dec3f0 100644 --- a/fs/jffs2/compr.c +++ b/fs/jffs2/compr.c @@ -364,12 +364,24 @@ void jffs2_free_comprbuf(unsigned char *comprbuf, unsigned char *orig) int __init jffs2_compressors_init(void) { + int ret = 0; /* Registering compressors */ - jffs2_zlib_init(); - jffs2_rtime_init(); - jffs2_rubinmips_init(); - jffs2_dynrubin_init(); - jffs2_lzo_init(); + ret = jffs2_zlib_init(); + if (ret) + goto exit; + ret = jffs2_rtime_init(); + if (ret) + goto exit_zlib; + ret = jffs2_rubinmips_init(); + if (ret) + goto exit_rtime; + ret = jffs2_dynrubin_init(); + if (ret) + goto exit_runinmips; + ret = jffs2_lzo_init(); + if (ret) + goto exit_dynrubin; + /* Setting default compression mode */ #ifdef CONFIG_JFFS2_CMODE_NONE @@ -389,6 +401,17 @@ int __init jffs2_compressors_init(void) #endif #endif return 0; + +exit_dynrubin: + jffs2_dynrubin_exit(); +exit_runinmips: + jffs2_rubinmips_exit(); +exit_rtime: + jffs2_rtime_exit(); +exit_zlib: + jffs2_zlib_exit(); +exit: + return ret; } int jffs2_compressors_exit(void) -- cgit