• Chao Yu's avatar
    f2fs: fix to do sanity check with current segment number · 042be0f8
    Chao Yu authored
    https://bugzilla.kernel.org/show_bug.cgi?id=200219
    
    Reproduction way:
    - mount image
    - run poc code
    - umount image
    
    F2FS-fs (loop1): Bitmap was wrongly set, blk:15364
    ------------[ cut here ]------------
    kernel BUG at /home/yuchao/git/devf2fs/segment.c:2061!
    invalid opcode: 0000 [#1] PREEMPT SMP
    CPU: 2 PID: 17686 Comm: umount Tainted: G        W  O      4.18.0-rc2+ #39
    Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    EIP: update_sit_entry+0x459/0x4e0 [f2fs]
    Code: e8 1c b5 fd ff 0f 0b 0f 0b 8b 45 e4 c7 44 24 08 9c 7a 6c f8 c7 44 24 04 bc 4a 6c f8 89 44 24 0c 8b 06 89 04 24 e8 f7 b4 fd ff <0f> 0b 8b 45 e4 0f b6 d2 89 54 24 10 c7 44 24 08 60 7a 6c f8 c7 44
    EAX: 00000032 EBX: 000000f8 ECX: 00000002 EDX: 00000001
    ESI: d7177000 EDI: f520fe68 EBP: d6477c6c ESP: d6477c34
    DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010282
    CR0: 80050033 CR2: b7fbe000 CR3: 2a99b3c0 CR4: 000406f0
    Call Trace:
     f2fs_allocate_data_block+0x124/0x580 [f2fs]
     do_write_page+0x78/0x150 [f2fs]
     f2fs_do_write_node_page+0x25/0xa0 [f2fs]
     __write_node_page+0x2bf/0x550 [f2fs]
     f2fs_sync_node_pages+0x60e/0x6d0 [f2fs]
     ? sync_inode_metadata+0x2f/0x40
     ? f2fs_write_checkpoint+0x28f/0x7d0 [f2fs]
     ? up_write+0x1e/0x80
     f2fs_write_checkpoint+0x2a9/0x7d0 [f2fs]
     ? mark_held_locks+0x5d/0x80
     ? _raw_spin_unlock_irq+0x27/0x50
     kill_f2fs_super+0x68/0x90 [f2fs]
     deactivate_locked_super+0x3d/0x70
     deactivate_super+0x40/0x60
     cleanup_mnt+0x39/0x70
     __cleanup_mnt+0x10/0x20
     task_work_run+0x81/0xa0
     exit_to_usermode_loop+0x59/0xa7
     do_fast_syscall_32+0x1f5/0x22c
     entry_SYSENTER_32+0x53/0x86
    EIP: 0xb7f95c51
    Code: c1 1e f7 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
    EAX: 00000000 EBX: 0871ab90 ECX: bfb2cd00 EDX: 00000000
    ESI: 00000000 EDI: 0871ab90 EBP: 0871ab90 ESP: bfb2cd7c
    DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
    Modules linked in: f2fs(O) crc32_generic bnep rfcomm bluetooth ecdh_generic snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq pcbc joydev aesni_intel snd_seq_device aes_i586 snd_timer crypto_simd snd cryptd soundcore mac_hid serio_raw video i2c_piix4 parport_pc ppdev lp parport hid_generic psmouse usbhid hid e1000 [last unloaded: f2fs]
    ---[ end trace d423f83982cfcdc5 ]---
    
    The reason is, different log headers using the same segment, once
    one log's next block address is used by another log, it will cause
    panic as above.
    
    Main area: 24 segs, 24 secs 24 zones
      - COLD  data: 0, 0, 0
      - WARM  data: 1, 1, 1
      - HOT   data: 20, 20, 20
      - Dir   dnode: 22, 22, 22
      - File   dnode: 22, 22, 22
      - Indir nodes: 21, 21, 21
    
    So this patch adds sanity check to detect such condition to avoid
    this issue.
    Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
    Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
    042be0f8
super.c 84.6 KB