From: Wenjie Qi
To: jaegeuk@kernel.org, chao@kernel.org
Cc: chur.lee@samsung.com, linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, qiwenjie@xiaomi.com, qwjhust@gmail.com, stable@kernel.org
Subject: [PATCH] f2fs: validate orphan inode entry count
Date: Mon, 25 May 2026 19:46:21 +0800
Message-ID: <20260525114621.571845-1-qiwenjie@xiaomi.com>

f2fs_recover_orphan_inodes() trusts the orphan block entry_count when replaying orphan inodes from the checkpoint pack. A corrupted entry_count larger than F2FS_ORPHANS_PER_BLOCK makes the recovery loop read past the ino[] array and interpret footer or following data as inode numbers. On a crafted image, mounting an unpatched kernel can drive orphan recovery into f2fs_bug_on() and panic the kernel.

Validate entry_count before consuming entries so corrupted checkpoint data fails the mount with -EFSCORRUPTED and requests fsck instead.

Fixes: 127e670abfa7 ("f2fs: add checkpoint operations")
Cc: stable@kernel.org
Signed-off-by: Wenjie Qi
---
 fs/f2fs/checkpoint.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
index c00a6b6ebcbd..fc72b69ff769 100644
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -943,6 +943,7 @@ int f2fs_recover_orphan_inodes(struct f2fs_sb_info *sbi) for (i =3D 0; i < orphan_blocks; i++) { struct folio *folio; struct f2fs_orphan_block *orphan_blk; + unsigned int entry_count; =20 folio =3D f2fs_get_meta_folio(sbi, start_blk + i); if (IS_ERR(folio)) { @@ -951,7 +952,17 @@ int f2fs_recover_orphan_inodes(struct f2fs_sb_info *sb= i) } =20 orphan_blk =3D folio_address(folio); - for (j =3D 0; j < le32_to_cpu(orphan_blk->entry_count); j++) { + entry_count =3D le32_to_cpu(orphan_blk->entry_count); + if (entry_count > F2FS_ORPHANS_PER_BLOCK) { + f2fs_err(sbi, "invalid orphan inode entry count %u", + entry_count); + set_sbi_flag(sbi, SBI_NEED_FSCK); + err =3D -EFSCORRUPTED; + f2fs_folio_put(folio, true); + goto out; + } + + for (j =3D 0; j < entry_count; j++) { nid_t ino =3D le32_to_cpu(orphan_blk->ino[j]); =20 err =3D recover_orphan_inode(sbi, ino); --=20 2.43.0
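Review bot: in the second hunk the bound is the right one (ino[] is sized F2FS_ORPHANS_PER_BLOCK, so any larger entry_count walks off the array, and the unsigned compare also rejects values that would look negative as signed), but the f2fs_err() message should say which orphan block is corrupt; start_blk + i is in scope, so
  f2fs_err(sbi, "invalid orphan inode entry count %u in block %u",
           entry_count, start_blk + i);
lets a user or fsck locate the bad block from the log alone. The release order in the error path is correct: f2fs_folio_put(folio, true) runs before goto out, so the early exit does not leak the folio reference, and setting SBI_NEED_FSCK before returning -EFSCORRUPTED matches what the commit message promises.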