On 5/26/26 13:38, Wenjie Qi wrote: > Agreed, SBI_NEED_FSCK may not be persisted at this stage. > > I sent v2 to add ERROR_INCONSISTENT_ORPHAN and call f2fs_handle_error() on > invalid orphan entry_count, so the corruption reason can be recorded in > s_errors[] as a persistent hint for fsck.
So, it needs another patch to let fsck recognize the new flag? Thanks, > > https://lore.kernel.org/linux-f2fs-devel/[email protected]/T/#u > > On Tue, May 26, 2026 at 10:19 AM Chao Yu <[email protected]> wrote: >> >> On 5/25/26 19:46, Wenjie Qi wrote: >>> f2fs_recover_orphan_inodes() trusts the orphan block entry_count when >>> replaying orphan inodes from the checkpoint pack. A corrupted >>> entry_count larger than F2FS_ORPHANS_PER_BLOCK makes the recovery loop >>> read past the ino[] array and interpret footer or following data as >>> inode numbers. >>> >>> On a crafted image, mounting an unpatched kernel can drive orphan >>> recovery into f2fs_bug_on() and panic the kernel. Validate entry_count >>> before consuming entries so corrupted checkpoint data fails the mount >>> with -EFSCORRUPTED and requests fsck instead. >>> >>> Fixes: 127e670abfa7 ("f2fs: add checkpoint operations") >>> Cc: [email protected] >>> Signed-off-by: Wenjie Qi <[email protected]> >>> --- >>> fs/f2fs/checkpoint.c | 13 ++++++++++++- >>> 1 file changed, 12 insertions(+), 1 deletion(-) >>> >>> diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c >>> index c00a6b6ebcbd..fc72b69ff769 100644 >>> --- a/fs/f2fs/checkpoint.c >>> +++ b/fs/f2fs/checkpoint.c >>> @@ -943,6 +943,7 @@ int f2fs_recover_orphan_inodes(struct f2fs_sb_info *sbi) >>> for (i = 0; i < orphan_blocks; i++) { >>> struct folio *folio; >>> struct f2fs_orphan_block *orphan_blk; >>> + unsigned int entry_count; >>> >>> folio = f2fs_get_meta_folio(sbi, start_blk + i); >>> if (IS_ERR(folio)) { >>> @@ -951,7 +952,17 @@ int f2fs_recover_orphan_inodes(struct f2fs_sb_info >>> *sbi) >>> } >>> >>> orphan_blk = folio_address(folio); >>> - for (j = 0; j < le32_to_cpu(orphan_blk->entry_count); j++) { >>> + entry_count = le32_to_cpu(orphan_blk->entry_count); >>> + if (entry_count > F2FS_ORPHANS_PER_BLOCK) { >>> + f2fs_err(sbi, "invalid orphan inode entry count %u", >>> + entry_count); >>> + set_sbi_flag(sbi, SBI_NEED_FSCK); >> >> Well, at this stage, I guess there is no chance to persist SBI_NEED_FSCK >> flag, >> what about introduce ERROR_INCONSISTENT_ORPHAN in enum f2fs_error, so that >> we can persist the new bit to provide hint to fsck? >> >> Thanks, >> >>> + err = -EFSCORRUPTED; >>> + f2fs_folio_put(folio, true); >>> + goto out; >>> + } >>> + >>> + for (j = 0; j < entry_count; j++) { >>> nid_t ino = le32_to_cpu(orphan_blk->ino[j]); >>> >>> err = recover_orphan_inode(sbi, ino); >> _______________________________________________ Linux-f2fs-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
