1. 01 Aug, 2018 26 commits
    • Sheng Yong's avatar
      f2fs: quota: decrease the lock granularity of statfs_project · 955ac6e5
      Sheng Yong authored
      According to fs/quota/dquot.c, `dq_data_lock' protects mem_dqinfo
      structures and modifications of dquot pointers in the inode, and
      `dquot->dq_dqb_lock' protects data from dq_dqb.
      
      We should use dquot->dq_dqb_lock in statfs_project instead of
      dq_dat_lock.
      Signed-off-by: default avatarSheng Yong <shengyong1@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      955ac6e5
    • Yunlong Song's avatar
      f2fs: add proc entry to show victim_secmap bitmap · 970e348d
      Yunlong Song authored
      This patch adds a new proc entry to show victim_secmap information in
      more detail, which is very helpful to know the get_victim candidate
      status clearly, and helpful to debug problems (e.g., some sections can
      not gc all of its blocks, since some blocks belong to atomic file,
      leaving victim_secmap with section bit setting, in extrem case, this
      will lead all bytes of victim_secmap setting with 0xff).
      Signed-off-by: default avatarYunlong Song <yunlong.song@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      970e348d
    • Chao Yu's avatar
      f2fs: let checkpoint flush dnode page of regular · fd8c8caf
      Chao Yu authored
      Fsyncer will wait on all dnode pages of regular writeback before flushing,
      if there are async dnode pages blocked by IO scheduler, it may decrease
      fsync's performance.
      
      In this patch, we choose to let f2fs_balance_fs_bg() to trigger checkpoint
      to flush these dnode pages of regular, so async IO of dnode page can be
      elimitnated, making fsyncer only need to wait for sync IO.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      fd8c8caf
    • Yunlong Song's avatar
      f2fs: issue discard align to section in LFS mode · ad6672bb
      Yunlong Song authored
      For the case when sbi->segs_per_sec > 1 with lfs mode, take
      section:segment = 5 for example, if the section prefree_map is
      ...previous section | current section (1 1 0 1 1) | next section...,
      then the start = x, end = x + 1, after start = start_segno +
      sbi->segs_per_sec, start = x + 5, then it will skip x + 3 and x + 4, but
      their bitmap is still set, which will cause duplicated
      f2fs_issue_discard of this same section in the next write_checkpoint:
      
      round 1: section bitmap : 1 1 1 1 1, all valid, prefree_map: 0 0 0 0 0
      then rm data block NO.2, block NO.2 becomes invalid, prefree_map: 0 0 1 0 0
      write_checkpoint: section bitmap: 1 1 0 1 1, prefree_map: 0 0 0 0 0,
      prefree of NO.2 is cleared, and no discard issued
      
      round 2: rm data block NO.0, NO.1, NO.3, NO.4
      all invalid, but prefree bit of NO.2 is set and cleared in round 1, then
      prefree_map: 1 1 0 1 1
      write_checkpoint: section bitmap: 0 0 0 0 0, prefree_map: 0 0 0 1 1, no
      valid blocks of this section, so discard issued, but this time prefree
      bit of NO.3 and NO.4 is skipped due to start = start_segno + sbi->segs_per_sec;
      
      round 3:
      write_checkpoint: section bitmap: 0 0 0 0 0, prefree_map: 0 0 0 1 1 ->
      0 0 0 0 0, no valid blocks of this section, so discard issued,
      this time prefree bit of NO.3 and NO.4 is cleared, but the discard of
      this section is sent again...
      
      To fix this problem, we can align the start and end value to section
      boundary for fstrim and real-time discard operation, and decide to issue
      discard only when the whole section is invalid, which can issue discard
      aligned to section size as much as possible and avoid redundant discard.
      Signed-off-by: default avatarYunlong Song <yunlong.song@huawei.com>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      ad6672bb
    • Jaegeuk Kim's avatar
      f2fs: don't allow any writes on aborted atomic writes · 455e3a58
      Jaegeuk Kim authored
      In order to prevent abusing atomic writes by abnormal users, we've added a
      threshold, 20% over memory footprint, which disallows further atomic writes.
      Previously, however, SQLite doesn't know the files became normal, so that
      it could write stale data and commit on revoked normal database file.
      
      Once f2fs detects such the abnormal behavior, this patch tries to avoid further
      writes in write_begin().
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      455e3a58
    • Chao Yu's avatar
      f2fs: restrict setting up inode.i_advise · 797c1cb5
      Chao Yu authored
      In order to give advise to f2fs to recognize hot/cold file, it is possible
      that we can set specific bit in inode.i_advise through setxattr(), but
      there are several bits which are used internally, such as encrypt_bit,
      keep_size_bit, they should never be changed through setxattr().
      
      So that this patch 1) adds FADVISE_MODIFIABLE_BITS to filter modifiable
      bits user given, 2) supports to clear {hot,cold}_file bits.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      797c1cb5
    • Yunlei He's avatar
      f2fs: fix wrong kernel message when recover fsync data on ro fs · e6b0b159
      Yunlei He authored
      This patch fix wrong message info for recover fsync data
      on readonly fs.
      Signed-off-by: default avatarYunlei He <heyunlei@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      e6b0b159
    • Chao Yu's avatar
      f2fs: clean up ioctl interface naming · 059c0648
      Chao Yu authored
      Romve redundant prefix 'f2fs_' in the middle of f2fs_ioc_f2fs_write_checkpoint().
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      059c0648
    • Chao Yu's avatar
      2079f115
    • Chao Yu's avatar
      f2fs: clean up with f2fs_encrypted_inode() · 5b72d5e0
      Chao Yu authored
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      5b72d5e0
    • Chao Yu's avatar
      f2fs: clean up with get_current_nat_page · 80551d17
      Chao Yu authored
      Just cleanup, no logic change.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      80551d17
    • Chao Yu's avatar
      f2fs: kill EXT_TREE_VEC_SIZE · 6122003a
      Chao Yu authored
      Since commit 201ef5e0 ("f2fs: improve shrink performance of extent nodes"),
      there is no user of EXT_TREE_VEC_SIZE, just kill it for cleanup.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      6122003a
    • Hyunchul Lee's avatar
      f2fs: avoid duplicated permission check for "trusted." xattrs · 5d3ce4f7
      Hyunchul Lee authored
      Because xattr_permission already checks CAP_SYS_ADMIN
      capability, we don't need to check it.
      Signed-off-by: default avatarHyunchul Lee <cheol.lee@lge.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      5d3ce4f7
    • Chao Yu's avatar
      f2fs: fix to propagate error from __get_meta_page() · 7735730d
      Chao Yu authored
      If caller of __get_meta_page() can handle error, let's propagate error
      from __get_meta_page().
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      7735730d
    • Chao Yu's avatar
      f2fs: fix to do sanity check with i_extra_isize · 18dd6470
      Chao Yu authored
      If inode.i_extra_isize was fuzzed to an abnormal value, when
      calculating inline data size, the result will overflow, result
      in accessing invalid memory area when operating inline data.
      
      Let's do sanity check with i_extra_isize during inode loading
      for fixing.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200421
      
      - Reproduce
      
      - POC (poc.c)
          #define _GNU_SOURCE
          #include <sys/types.h>
          #include <sys/mount.h>
          #include <sys/mman.h>
          #include <sys/stat.h>
          #include <sys/xattr.h>
      
          #include <dirent.h>
          #include <errno.h>
          #include <error.h>
          #include <fcntl.h>
          #include <stdio.h>
          #include <stdlib.h>
          #include <string.h>
          #include <unistd.h>
      
          #include <linux/falloc.h>
          #include <linux/loop.h>
      
          static void activity(char *mpoint) {
      
            char *foo_bar_baz;
            char *foo_baz;
            char *xattr;
            int err;
      
            err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
            err = asprintf(&foo_baz, "%s/foo/baz", mpoint);
            err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
      
            rename(foo_bar_baz, foo_baz);
      
            char buf2[113];
            memset(buf2, 0, sizeof(buf2));
            listxattr(xattr, buf2, sizeof(buf2));
            removexattr(xattr, "user.mime_type");
      
          }
      
          int main(int argc, char *argv[]) {
            activity(argv[1]);
            return 0;
          }
      
      - Kernel message
      Umount the image will leave the following message
      [ 2910.995489] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [ 2918.416465] ==================================================================
      [ 2918.416807] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0xcb9/0x1a80
      [ 2918.417009] Read of size 4 at addr ffff88018efc2068 by task a.out/1229
      
      [ 2918.417311] CPU: 1 PID: 1229 Comm: a.out Not tainted 4.17.0+ #1
      [ 2918.417314] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 2918.417323] Call Trace:
      [ 2918.417366]  dump_stack+0x71/0xab
      [ 2918.417401]  print_address_description+0x6b/0x290
      [ 2918.417407]  kasan_report+0x28e/0x390
      [ 2918.417411]  ? f2fs_iget+0xcb9/0x1a80
      [ 2918.417415]  f2fs_iget+0xcb9/0x1a80
      [ 2918.417422]  ? f2fs_lookup+0x2e7/0x580
      [ 2918.417425]  f2fs_lookup+0x2e7/0x580
      [ 2918.417433]  ? __recover_dot_dentries+0x400/0x400
      [ 2918.417447]  ? legitimize_path.isra.29+0x5a/0xa0
      [ 2918.417453]  __lookup_slow+0x11c/0x220
      [ 2918.417457]  ? may_delete+0x2a0/0x2a0
      [ 2918.417475]  ? deref_stack_reg+0xe0/0xe0
      [ 2918.417479]  ? __lookup_hash+0xb0/0xb0
      [ 2918.417483]  lookup_slow+0x3e/0x60
      [ 2918.417488]  walk_component+0x3ac/0x990
      [ 2918.417492]  ? generic_permission+0x51/0x1e0
      [ 2918.417495]  ? inode_permission+0x51/0x1d0
      [ 2918.417499]  ? pick_link+0x3e0/0x3e0
      [ 2918.417502]  ? link_path_walk+0x4b1/0x770
      [ 2918.417513]  ? _raw_spin_lock_irqsave+0x25/0x50
      [ 2918.417518]  ? walk_component+0x990/0x990
      [ 2918.417522]  ? path_init+0x2e6/0x580
      [ 2918.417526]  path_lookupat+0x13f/0x430
      [ 2918.417531]  ? trailing_symlink+0x3a0/0x3a0
      [ 2918.417534]  ? do_renameat2+0x270/0x7b0
      [ 2918.417538]  ? __kasan_slab_free+0x14c/0x190
      [ 2918.417541]  ? do_renameat2+0x270/0x7b0
      [ 2918.417553]  ? kmem_cache_free+0x85/0x1e0
      [ 2918.417558]  ? do_renameat2+0x270/0x7b0
      [ 2918.417563]  filename_lookup+0x13c/0x280
      [ 2918.417567]  ? filename_parentat+0x2b0/0x2b0
      [ 2918.417572]  ? kasan_unpoison_shadow+0x31/0x40
      [ 2918.417575]  ? kasan_kmalloc+0xa6/0xd0
      [ 2918.417593]  ? strncpy_from_user+0xaa/0x1c0
      [ 2918.417598]  ? getname_flags+0x101/0x2b0
      [ 2918.417614]  ? path_listxattr+0x87/0x110
      [ 2918.417619]  path_listxattr+0x87/0x110
      [ 2918.417623]  ? listxattr+0xc0/0xc0
      [ 2918.417637]  ? mm_fault_error+0x1b0/0x1b0
      [ 2918.417654]  do_syscall_64+0x73/0x160
      [ 2918.417660]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 2918.417676] RIP: 0033:0x7f2f3a3480d7
      [ 2918.417677] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [ 2918.417732] RSP: 002b:00007fff4095b7d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000c2
      [ 2918.417744] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2f3a3480d7
      [ 2918.417746] RDX: 0000000000000071 RSI: 00007fff4095b810 RDI: 000000000126a0c0
      [ 2918.417749] RBP: 00007fff4095b890 R08: 000000000126a010 R09: 0000000000000000
      [ 2918.417751] R10: 00000000000001ab R11: 0000000000000206 R12: 00000000004005e0
      [ 2918.417753] R13: 00007fff4095b990 R14: 0000000000000000 R15: 0000000000000000
      
      [ 2918.417853] Allocated by task 329:
      [ 2918.418002]  kasan_kmalloc+0xa6/0xd0
      [ 2918.418007]  kmem_cache_alloc+0xc8/0x1e0
      [ 2918.418023]  mempool_init_node+0x194/0x230
      [ 2918.418027]  mempool_init+0x12/0x20
      [ 2918.418042]  bioset_init+0x2bd/0x380
      [ 2918.418052]  blk_alloc_queue_node+0xe9/0x540
      [ 2918.418075]  dm_create+0x2c0/0x800
      [ 2918.418080]  dev_create+0xd2/0x530
      [ 2918.418083]  ctl_ioctl+0x2a3/0x5b0
      [ 2918.418087]  dm_ctl_ioctl+0xa/0x10
      [ 2918.418092]  do_vfs_ioctl+0x13e/0x8c0
      [ 2918.418095]  ksys_ioctl+0x66/0x70
      [ 2918.418098]  __x64_sys_ioctl+0x3d/0x50
      [ 2918.418102]  do_syscall_64+0x73/0x160
      [ 2918.418106]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [ 2918.418204] Freed by task 0:
      [ 2918.418301] (stack is not available)
      
      [ 2918.418521] The buggy address belongs to the object at ffff88018efc0000
                      which belongs to the cache biovec-max of size 8192
      [ 2918.418894] The buggy address is located 104 bytes to the right of
                      8192-byte region [ffff88018efc0000, ffff88018efc2000)
      [ 2918.419257] The buggy address belongs to the page:
      [ 2918.419431] page:ffffea00063bf000 count:1 mapcount:0 mapping:ffff8801f2242540 index:0x0 compound_mapcount: 0
      [ 2918.419702] flags: 0x17fff8000008100(slab|head)
      [ 2918.419879] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f2242540
      [ 2918.420101] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000
      [ 2918.420322] page dumped because: kasan: bad access detected
      
      [ 2918.420599] Memory state around the buggy address:
      [ 2918.420764]  ffff88018efc1f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.420975]  ffff88018efc1f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.421194] >ffff88018efc2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 2918.421406]                                                           ^
      [ 2918.421627]  ffff88018efc2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 2918.421838]  ffff88018efc2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.422046] ==================================================================
      [ 2918.422264] Disabling lock debugging due to kernel taint
      [ 2923.901641] BUG: unable to handle kernel paging request at ffff88018f0db000
      [ 2923.901884] PGD 22226a067 P4D 22226a067 PUD 222273067 PMD 18e642063 PTE 800000018f0db061
      [ 2923.902120] Oops: 0003 [#1] SMP KASAN PTI
      [ 2923.902274] CPU: 1 PID: 1231 Comm: umount Tainted: G    B             4.17.0+ #1
      [ 2923.902490] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 2923.902761] RIP: 0010:__memset+0x24/0x30
      [ 2923.902906] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
      [ 2923.903446] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206
      [ 2923.903622] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb
      [ 2923.903833] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc
      [ 2923.904062] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c
      [ 2923.904273] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000
      [ 2923.904485] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80
      [ 2923.904693] FS:  00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 2923.904937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2923.910080] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0
      [ 2923.914930] Call Trace:
      [ 2923.919724]  f2fs_truncate_inline_inode+0x114/0x170
      [ 2923.924487]  f2fs_truncate_blocks+0x11b/0x7c0
      [ 2923.929178]  ? f2fs_truncate_data_blocks+0x10/0x10
      [ 2923.933834]  ? dqget+0x670/0x670
      [ 2923.938437]  ? f2fs_destroy_extent_tree+0xd6/0x270
      [ 2923.943107]  ? __radix_tree_lookup+0x2f/0x150
      [ 2923.947772]  f2fs_truncate+0xd4/0x1a0
      [ 2923.952491]  f2fs_evict_inode+0x5ab/0x610
      [ 2923.957204]  evict+0x15f/0x280
      [ 2923.961898]  __dentry_kill+0x161/0x250
      [ 2923.966634]  shrink_dentry_list+0xf3/0x250
      [ 2923.971897]  shrink_dcache_parent+0xa9/0x100
      [ 2923.976561]  ? shrink_dcache_sb+0x1f0/0x1f0
      [ 2923.981177]  ? wait_for_completion+0x8a/0x210
      [ 2923.985781]  ? migrate_swap_stop+0x2d0/0x2d0
      [ 2923.990332]  do_one_tree+0xe/0x40
      [ 2923.994735]  shrink_dcache_for_umount+0x3a/0xa0
      [ 2923.999077]  generic_shutdown_super+0x3e/0x1c0
      [ 2924.003350]  kill_block_super+0x4b/0x70
      [ 2924.007619]  deactivate_locked_super+0x65/0x90
      [ 2924.011812]  cleanup_mnt+0x5c/0xa0
      [ 2924.015995]  task_work_run+0xce/0xf0
      [ 2924.020174]  exit_to_usermode_loop+0x115/0x120
      [ 2924.024293]  do_syscall_64+0x12f/0x160
      [ 2924.028479]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 2924.032709] RIP: 0033:0x7fa8b2868487
      [ 2924.036888] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
      [ 2924.045750] RSP: 002b:00007ffc39824d58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [ 2924.050190] RAX: 0000000000000000 RBX: 00000000008ea030 RCX: 00007fa8b2868487
      [ 2924.054604] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000008f4360
      [ 2924.058940] RBP: 00000000008f4360 R08: 0000000000000000 R09: 0000000000000014
      [ 2924.063186] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007fa8b2d7183c
      [ 2924.067418] R13: 0000000000000000 R14: 00000000008ea210 R15: 00007ffc39824fe0
      [ 2924.071534] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
      [ 2924.098044] CR2: ffff88018f0db000
      [ 2924.102520] ---[ end trace a8e0d899985faf31 ]---
      [ 2924.107012] RIP: 0010:__memset+0x24/0x30
      [ 2924.111448] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
      [ 2924.120724] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206
      [ 2924.125312] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb
      [ 2924.129931] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc
      [ 2924.134537] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c
      [ 2924.139175] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000
      [ 2924.143825] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80
      [ 2924.148500] FS:  00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 2924.153247] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2924.158003] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0
      [ 2924.164641] BUG: Bad rss-counter state mm:00000000fa04621e idx:0 val:4
      [ 2924.170007] BUG: Bad rss-counter
      tate mm:00000000fa04621e idx:1 val:2
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/f2fs/inline.c#L78
      	memset(addr + from, 0, MAX_INLINE_DATA(inode) - from);
      Here the length can be negative.
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      18dd6470
    • Yunlong Song's avatar
      f2fs: blk_finish_plug of submit_bio in lfs mode · 66415cee
      Yunlong Song authored
      Expand the blk_finish_plug action from blkzoned to normal lfs mode,
      since plug will cause the out-of-order IO submission, which is not
      friendly to flash in lfs mode.
      Signed-off-by: default avatarYunlong Song <yunlong.song@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      66415cee
    • Yunlong Song's avatar
      f2fs: do not set free of current section · 3611ce99
      Yunlong Song authored
      For the case when sbi->segs_per_sec > 1, take section:segment = 5 for
      example, if segment 1 is just used and allocate new segment 2, and the
      blocks of segment 1 is invalidated, at this time, the previous code will
      use __set_test_and_free to free the free_secmap and free_sections++,
      this is not correct since it is still a current section, so fix it.
      Signed-off-by: default avatarYunlong Song <yunlong.song@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      3611ce99
    • Daniel Rosenberg's avatar
      f2fs: Keep alloc_valid_block_count in sync · 36b877af
      Daniel Rosenberg authored
      If we attempt to request more blocks than we have room for, we try to
      instead request as much as we can, however, alloc_valid_block_count
      is not decremented to match the new value, allowing it to drift higher
      until the next checkpoint. This always decrements it when the requested
      amount cannot be fulfilled.
      Signed-off-by: default avatarDaniel Rosenberg <drosen@google.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      36b877af
    • Chao Yu's avatar
      f2fs: issue small discard by LBA order · 20ee4382
      Chao Yu authored
      For small granularity discard which size is smaller than 64KB, if we
      issue those kind of discards orderly by size, their IOs will be spread
      into entire logical address, so that in FTL, L2P table will be updated
      randomly, result bad wear rate in the table.
      
      In this patch, we choose to issue small discard by LBA order, by this
      way, we can expect that L2P table updates from adjacent discard IOs can
      be merged in the cache, so it can reduce lifetime wearing of flash.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      20ee4382
    • Chao Yu's avatar
      f2fs: stop issuing discard immediately if there is queued IO · 522d1711
      Chao Yu authored
      For background discard policy, even if there is queued user IO, still
      we will check max_requests times for next discard entry, it is unneeded,
      let's just stop this round submission immediately.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      522d1711
    • Chao Yu's avatar
      f2fs: clean up with IS_INODE() · 4c6b56c0
      Chao Yu authored
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      4c6b56c0
    • Chao Yu's avatar
      f2fs: detect bug_on in f2fs_wait_discard_bios · 2482c432
      Chao Yu authored
      Add bug_on to detect potential non-empty discard wait list.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      2482c432
    • Randy Dunlap's avatar
      f2fs: fix defined but not used build warnings · cb15d1e4
      Randy Dunlap authored
      Fix build warnings in f2fs when CONFIG_PROC_FS is not enabled
      by marking the unused functions as __maybe_unused.
      
      ../fs/f2fs/sysfs.c:519:12: warning: 'segment_info_seq_show' defined but not used [-Wunused-function]
      ../fs/f2fs/sysfs.c:546:12: warning: 'segment_bits_seq_show' defined but not used [-Wunused-function]
      ../fs/f2fs/sysfs.c:570:12: warning: 'iostat_info_seq_show' defined but not used [-Wunused-function]
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Jaegeuk Kim <jaegeuk@kernel.org>
      Cc: Chao Yu <yuchao0@huawei.com>
      Cc: linux-f2fs-devel@lists.sourceforge.net
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      cb15d1e4
    • Chao Yu's avatar
      f2fs: enable real-time discard by default · a39e5365
      Chao Yu authored
      f2fs is focused on flash based storage, so let's enable real-time
      discard by default, if user don't want to enable it, 'nodiscard'
      mount option should be used on mount.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      a39e5365
    • Chao Yu's avatar
      f2fs: fix to detect looped node chain correctly · 82902c06
      Chao Yu authored
      Below dmesg was printed when testing generic/388 of fstest:
      
      F2FS-fs (zram1): find_fsync_dnodes: detect looped node chain, blkaddr:526615, next:526616
      F2FS-fs (zram1): Cannot recover all fsync data errno=-22
      F2FS-fs (zram1): Mounted with checkpoint version = 22300d0e
      F2FS-fs (zram1): find_fsync_dnodes: detect looped node chain, blkaddr:526615, next:526616
      F2FS-fs (zram1): Cannot recover all fsync data errno=-22
      
      The reason is that we initialize free_blocks with free blocks of
      filesystem, so if filesystem is full, free_blocks can be zero,
      below condition will be true, so that, it will fail recovery.
      
      if (++loop_cnt >= free_blocks ||
      	blkaddr == next_blkaddr_of_node(page))
      
      To fix this issue, initialize free_blocks with correct value which
      includes over-privision blocks.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      82902c06
    • Chao Yu's avatar
      f2fs: fix to do sanity check with block address in main area · c9b60788
      Chao Yu authored
      This patch add to do sanity check with below field:
      - cp_pack_total_block_count
      - blkaddr of data/node
      - extent info
      
      - Overview
      BUG() in verify_block_addr() when writing to a corrupted f2fs image
      
      - Reproduce (4.18 upstream kernel)
      
      - POC (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
      
        int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
        if (fd >= 0) {
          write(fd, (char *)buf, sizeof(buf));
          fdatasync(fd);
          close(fd);
        }
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      - Kernel message
      [  689.349473] F2FS-fs (loop0): Mounted with checkpoint version = 3
      [  699.728662] WARNING: CPU: 0 PID: 1309 at fs/f2fs/segment.c:2860 f2fs_inplace_write_data+0x232/0x240
      [  699.728670] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  699.729056] CPU: 0 PID: 1309 Comm: a.out Not tainted 4.18.0-rc1+ #4
      [  699.729064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.729074] RIP: 0010:f2fs_inplace_write_data+0x232/0x240
      [  699.729076] Code: ff e9 cf fe ff ff 49 8d 7d 10 e8 39 45 ad ff 4d 8b 7d 10 be 04 00 00 00 49 8d 7f 48 e8 07 49 ad ff 45 8b 7f 48 e9 fb fe ff ff <0f> 0b f0 41 80 4d 48 04 e9 65 fe ff ff 90 66 66 66 66 90 55 48 8d
      [  699.729130] RSP: 0018:ffff8801f43af568 EFLAGS: 00010202
      [  699.729139] RAX: 000000000000003f RBX: ffff8801f43af7b8 RCX: ffffffffb88c9113
      [  699.729142] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8802024e5540
      [  699.729144] RBP: ffff8801f43af590 R08: 0000000000000009 R09: ffffffffffffffe8
      [  699.729147] R10: 0000000000000001 R11: ffffed0039b0596a R12: ffff8802024e5540
      [  699.729149] R13: ffff8801f0335500 R14: ffff8801e3e7a700 R15: ffff8801e1ee4450
      [  699.729154] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.729156] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.729159] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.729171] Call Trace:
      [  699.729192]  f2fs_do_write_data_page+0x2e2/0xe00
      [  699.729203]  ? f2fs_should_update_outplace+0xd0/0xd0
      [  699.729238]  ? memcg_drain_all_list_lrus+0x280/0x280
      [  699.729269]  ? __radix_tree_replace+0xa3/0x120
      [  699.729276]  __write_data_page+0x5c7/0xe30
      [  699.729291]  ? kasan_check_read+0x11/0x20
      [  699.729310]  ? page_mapped+0x8a/0x110
      [  699.729321]  ? page_mkclean+0xe9/0x160
      [  699.729327]  ? f2fs_do_write_data_page+0xe00/0xe00
      [  699.729331]  ? invalid_page_referenced_vma+0x130/0x130
      [  699.729345]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.729351]  f2fs_write_cache_pages+0x4ca/0x860
      [  699.729358]  ? __write_data_page+0xe30/0xe30
      [  699.729374]  ? percpu_counter_add_batch+0x22/0xa0
      [  699.729380]  ? kasan_check_write+0x14/0x20
      [  699.729391]  ? _raw_spin_lock+0x17/0x40
      [  699.729403]  ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30
      [  699.729413]  ? iov_iter_advance+0x113/0x640
      [  699.729418]  ? f2fs_write_end+0x133/0x2e0
      [  699.729423]  ? balance_dirty_pages_ratelimited+0x239/0x640
      [  699.729428]  f2fs_write_data_pages+0x329/0x520
      [  699.729433]  ? generic_perform_write+0x250/0x320
      [  699.729438]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.729454]  ? current_time+0x110/0x110
      [  699.729459]  ? f2fs_preallocate_blocks+0x1ef/0x370
      [  699.729464]  do_writepages+0x37/0xb0
      [  699.729468]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.729472]  ? do_writepages+0x37/0xb0
      [  699.729478]  __filemap_fdatawrite_range+0x19a/0x1f0
      [  699.729483]  ? delete_from_page_cache_batch+0x4e0/0x4e0
      [  699.729496]  ? __vfs_write+0x2b2/0x410
      [  699.729501]  file_write_and_wait_range+0x66/0xb0
      [  699.729506]  f2fs_do_sync_file+0x1f9/0xd90
      [  699.729511]  ? truncate_partial_data_page+0x290/0x290
      [  699.729521]  ? __sb_end_write+0x30/0x50
      [  699.729526]  ? vfs_write+0x20f/0x260
      [  699.729530]  f2fs_sync_file+0x9a/0xb0
      [  699.729534]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.729548]  vfs_fsync_range+0x68/0x100
      [  699.729554]  ? __fget_light+0xc9/0xe0
      [  699.729558]  do_fsync+0x3d/0x70
      [  699.729562]  __x64_sys_fdatasync+0x24/0x30
      [  699.729585]  do_syscall_64+0x78/0x170
      [  699.729595]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  699.729613] RIP: 0033:0x7f9bf930d800
      [  699.729615] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24
      [  699.729668] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.729673] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.729675] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.729678] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.729680] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.729683] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      [  699.729687] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  699.729782] ------------[ cut here ]------------
      [  699.729785] kernel BUG at fs/f2fs/segment.h:654!
      [  699.731055] invalid opcode: 0000 [#1] SMP KASAN PTI
      [  699.732104] CPU: 0 PID: 1309 Comm: a.out Tainted: G        W         4.18.0-rc1+ #4
      [  699.733684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.735611] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730
      [  699.736649] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0
      [  699.740524] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283
      [  699.741573] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef
      [  699.743006] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c
      [  699.744426] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55
      [  699.745833] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940
      [  699.747256] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001
      [  699.748683] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.750293] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.751462] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.752874] Call Trace:
      [  699.753386]  ? f2fs_inplace_write_data+0x93/0x240
      [  699.754341]  f2fs_inplace_write_data+0xd2/0x240
      [  699.755271]  f2fs_do_write_data_page+0x2e2/0xe00
      [  699.756214]  ? f2fs_should_update_outplace+0xd0/0xd0
      [  699.757215]  ? memcg_drain_all_list_lrus+0x280/0x280
      [  699.758209]  ? __radix_tree_replace+0xa3/0x120
      [  699.759164]  __write_data_page+0x5c7/0xe30
      [  699.760002]  ? kasan_check_read+0x11/0x20
      [  699.760823]  ? page_mapped+0x8a/0x110
      [  699.761573]  ? page_mkclean+0xe9/0x160
      [  699.762345]  ? f2fs_do_write_data_page+0xe00/0xe00
      [  699.763332]  ? invalid_page_referenced_vma+0x130/0x130
      [  699.764374]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.765347]  f2fs_write_cache_pages+0x4ca/0x860
      [  699.766276]  ? __write_data_page+0xe30/0xe30
      [  699.767161]  ? percpu_counter_add_batch+0x22/0xa0
      [  699.768112]  ? kasan_check_write+0x14/0x20
      [  699.768951]  ? _raw_spin_lock+0x17/0x40
      [  699.769739]  ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30
      [  699.770885]  ? iov_iter_advance+0x113/0x640
      [  699.771743]  ? f2fs_write_end+0x133/0x2e0
      [  699.772569]  ? balance_dirty_pages_ratelimited+0x239/0x640
      [  699.773680]  f2fs_write_data_pages+0x329/0x520
      [  699.774603]  ? generic_perform_write+0x250/0x320
      [  699.775544]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.776510]  ? current_time+0x110/0x110
      [  699.777299]  ? f2fs_preallocate_blocks+0x1ef/0x370
      [  699.778279]  do_writepages+0x37/0xb0
      [  699.779026]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.779978]  ? do_writepages+0x37/0xb0
      [  699.780755]  __filemap_fdatawrite_range+0x19a/0x1f0
      [  699.781746]  ? delete_from_page_cache_batch+0x4e0/0x4e0
      [  699.782820]  ? __vfs_write+0x2b2/0x410
      [  699.783597]  file_write_and_wait_range+0x66/0xb0
      [  699.784540]  f2fs_do_sync_file+0x1f9/0xd90
      [  699.785381]  ? truncate_partial_data_page+0x290/0x290
      [  699.786415]  ? __sb_end_write+0x30/0x50
      [  699.787204]  ? vfs_write+0x20f/0x260
      [  699.787941]  f2fs_sync_file+0x9a/0xb0
      [  699.788694]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.789572]  vfs_fsync_range+0x68/0x100
      [  699.790360]  ? __fget_light+0xc9/0xe0
      [  699.791128]  do_fsync+0x3d/0x70
      [  699.791779]  __x64_sys_fdatasync+0x24/0x30
      [  699.792614]  do_syscall_64+0x78/0x170
      [  699.793371]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  699.794406] RIP: 0033:0x7f9bf930d800
      [  699.795134] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24
      [  699.798960] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.800483] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.801923] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.803373] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.804798] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.806233] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      [  699.807667] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  699.817079] ---[ end trace 4ce02f25ff7d3df6 ]---
      [  699.818068] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730
      [  699.819114] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0
      [  699.822919] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283
      [  699.823977] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef
      [  699.825436] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c
      [  699.826881] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55
      [  699.828292] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940
      [  699.829750] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001
      [  699.831192] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.832793] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.833981] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.835556] ==================================================================
      [  699.837029] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
      [  699.838462] Read of size 8 at addr ffff8801f43af970 by task a.out/1309
      
      [  699.840086] CPU: 0 PID: 1309 Comm: a.out Tainted: G      D W         4.18.0-rc1+ #4
      [  699.841603] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.843475] Call Trace:
      [  699.843982]  dump_stack+0x7b/0xb5
      [  699.844661]  print_address_description+0x70/0x290
      [  699.845607]  kasan_report+0x291/0x390
      [  699.846351]  ? update_stack_state+0x38c/0x3e0
      [  699.853831]  __asan_load8+0x54/0x90
      [  699.854569]  update_stack_state+0x38c/0x3e0
      [  699.855428]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
      [  699.856601]  ? __save_stack_trace+0x5e/0x100
      [  699.857476]  unwind_next_frame.part.5+0x18e/0x490
      [  699.858448]  ? unwind_dump+0x290/0x290
      [  699.859217]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.860185]  __unwind_start+0x106/0x190
      [  699.860974]  __save_stack_trace+0x5e/0x100
      [  699.861808]  ? __save_stack_trace+0x5e/0x100
      [  699.862691]  ? unlink_anon_vmas+0xba/0x2c0
      [  699.863525]  save_stack_trace+0x1f/0x30
      [  699.864312]  save_stack+0x46/0xd0
      [  699.864993]  ? __alloc_pages_slowpath+0x1420/0x1420
      [  699.865990]  ? flush_tlb_mm_range+0x15e/0x220
      [  699.866889]  ? kasan_check_write+0x14/0x20
      [  699.867724]  ? __dec_node_state+0x92/0xb0
      [  699.868543]  ? lock_page_memcg+0x85/0xf0
      [  699.869350]  ? unlock_page_memcg+0x16/0x80
      [  699.870185]  ? page_remove_rmap+0x198/0x520
      [  699.871048]  ? mark_page_accessed+0x133/0x200
      [  699.871930]  ? _cond_resched+0x1a/0x50
      [  699.872700]  ? unmap_page_range+0xcd4/0xe50
      [  699.873551]  ? rb_next+0x58/0x80
      [  699.874217]  ? rb_next+0x58/0x80
      [  699.874895]  __kasan_slab_free+0x13c/0x1a0
      [  699.875734]  ? unlink_anon_vmas+0xba/0x2c0
      [  699.876563]  kasan_slab_free+0xe/0x10
      [  699.877315]  kmem_cache_free+0x89/0x1e0
      [  699.878095]  unlink_anon_vmas+0xba/0x2c0
      [  699.878913]  free_pgtables+0x101/0x1b0
      [  699.879677]  exit_mmap+0x146/0x2a0
      [  699.880378]  ? __ia32_sys_munmap+0x50/0x50
      [  699.881214]  ? kasan_check_read+0x11/0x20
      [  699.882052]  ? mm_update_next_owner+0x322/0x380
      [  699.882985]  mmput+0x8b/0x1d0
      [  699.883602]  do_exit+0x43a/0x1390
      [  699.884288]  ? mm_update_next_owner+0x380/0x380
      [  699.885212]  ? f2fs_sync_file+0x9a/0xb0
      [  699.885995]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.886877]  ? vfs_fsync_range+0x68/0x100
      [  699.887694]  ? __fget_light+0xc9/0xe0
      [  699.888442]  ? do_fsync+0x3d/0x70
      [  699.889118]  ? __x64_sys_fdatasync+0x24/0x30
      [  699.889996]  rewind_stack_do_exit+0x17/0x20
      [  699.890860] RIP: 0033:0x7f9bf930d800
      [  699.891585] Code: Bad RIP value.
      [  699.892268] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.893781] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.895220] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.896643] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.898069] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.899505] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      
      [  699.901241] The buggy address belongs to the page:
      [  699.902215] page:ffffea0007d0ebc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  699.903811] flags: 0x2ffff0000000000()
      [  699.904585] raw: 02ffff0000000000 0000000000000000 ffffffff07d00101 0000000000000000
      [  699.906125] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000
      [  699.907673] page dumped because: kasan: bad access detected
      
      [  699.909108] Memory state around the buggy address:
      [  699.910077]  ffff8801f43af800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
      [  699.911528]  ffff8801f43af880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  699.912953] >ffff8801f43af900: 00 00 00 00 00 00 00 00 f1 01 f4 f4 f4 f2 f2 f2
      [  699.914392]                                                              ^
      [  699.915758]  ffff8801f43af980: f2 00 f4 f4 00 00 00 00 f2 00 00 00 00 00 00 00
      [  699.917193]  ffff8801f43afa00: 00 00 00 00 00 00 00 00 00 f3 f3 f3 00 00 00 00
      [  699.918634] ==================================================================
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L644
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      c9b60788
  2. 29 Jul, 2018 10 commits
    • Chao Yu's avatar
      f2fs: fix to skip GC if type in SSA and SIT is inconsistent · 10d255c3
      Chao Yu authored
      If segment type in SSA and SIT is inconsistent, we will encounter below
      BUG_ON during GC, to avoid this panic, let's just skip doing GC on such
      segment.
      
      The bug is triggered with image reported in below link:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200223
      
      [  388.060262] ------------[ cut here ]------------
      [  388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
      [  388.061172] invalid opcode: 0000 [#1] SMP
      [  388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
      [  388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G           O    4.13.0-rc1+ #26
      [  388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015
      [  388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000
      [  388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs]
      [  388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202
      [  388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0
      [  388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0
      [  388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc
      [  388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018
      [  388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000
      [  388.076687] FS:  0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000
      [  388.083277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0
      [  388.085748] Call Trace:
      [  388.086690]  ? find_next_bit+0xb/0x10
      [  388.088091]  f2fs_gc+0x1a8/0x9d0 [f2fs]
      [  388.088888]  ? lock_timer_base+0x7d/0xa0
      [  388.090213]  ? try_to_del_timer_sync+0x44/0x60
      [  388.091698]  gc_thread_func+0x342/0x4b0 [f2fs]
      [  388.092892]  ? wait_woken+0x80/0x80
      [  388.094098]  kthread+0x109/0x140
      [  388.095010]  ? f2fs_gc+0x9d0/0x9d0 [f2fs]
      [  388.096043]  ? kthread_park+0x60/0x60
      [  388.097281]  ret_from_fork+0x25/0x30
      [  388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55
      [  388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68
      [  388.101810] ---[ end trace 81c73d6e6b7da61d ]---
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      10d255c3
    • Chao Yu's avatar
      f2fs: try grabbing node page lock aggressively in sync scenario · 4b270a8c
      Chao Yu authored
      In synchronous scenario, like in checkpoint(), we are going to flush
      dirty node pages to device synchronously, we can easily failed
      writebacking node page due to trylock_page() failure, especially in
      condition of intensive lock competition, which can cause long latency
      of checkpoint(). So let's use lock_page() in synchronous scenario to
      avoid this issue.
      Signed-off-by: default avatarYunlei He <heyunlei@huawei.com>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      4b270a8c
    • Sahitya Tummala's avatar
      f2fs: show the fsync_mode=nobarrier mount option · dc132802
      Sahitya Tummala authored
      This patch shows the fsync_mode=nobarrier mount option in
      f2fs_show_options().
      Signed-off-by: default avatarSahitya Tummala <stummala@codeaurora.org>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      dc132802
    • Yunlei He's avatar
      f2fs: check the right return value of memory alloc function · 68c43a23
      Yunlei He authored
      This patch check the right return value of memory alloc function
      Signed-off-by: default avatarYunlei He <heyunlei@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      68c43a23
    • Guenter Roeck's avatar
      f2fs: Replace strncpy with memcpy · b1385478
      Guenter Roeck authored
      gcc 8.1.0 complains:
      
      fs/f2fs/namei.c: In function 'f2fs_update_extension_list':
      fs/f2fs/namei.c:257:3: warning:
      	'strncpy' output truncated before terminating nul copying
      	as many bytes from a string as its length
      fs/f2fs/namei.c:249:3: warning:
      	'strncpy' output truncated before terminating nul copying
      	as many bytes from a string as its length
      
      Using strncpy() is indeed less than perfect since the length of data to
      be copied has already been determined with strlen(). Replace strncpy()
      with memcpy() to address the warning and optimize the code a little.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      b1385478
    • Gao Xiang's avatar
      f2fs: avoid the global name 'fault_name' · 2d3a5856
      Gao Xiang authored
      Non-prefix global name 'fault_name' will pollute global
      namespace, fix it.
      
      Refer to:
      https://lists.01.org/pipermail/kbuild-all/2018-June/049660.html
      
      To: Jaegeuk Kim <jaegeuk@kernel.org>
      To: Chao Yu <yuchao0@huawei.com>
      Cc: linux-f2fs-devel@lists.sourceforge.net
      Cc: linux-kernel@vger.kernel.org
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarGao Xiang <gaoxiang25@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      2d3a5856
    • Chao Yu's avatar
      f2fs: fix to do sanity check with reserved blkaddr of inline inode · 4dbe38dc
      Chao Yu authored
      As Wen Xu reported in bugzilla, after image was injected with random data
      by fuzzing, inline inode would contain invalid reserved blkaddr, then
      during inline conversion, we will encounter illegal memory accessing
      reported by KASAN, the root cause of this is when writing out converted
      inline page, we will use invalid reserved blkaddr to update sit bitmap,
      result in accessing memory beyond sit bitmap boundary.
      
      In order to fix this issue, let's do sanity check with reserved block
      address of inline inode to avoid above condition.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200179
      
      [ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
      [ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741
      
      [ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
      [ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 1428.846860] Call Trace:
      [ 1428.846868]  dump_stack+0x71/0xab
      [ 1428.846875]  print_address_description+0x6b/0x290
      [ 1428.846881]  kasan_report+0x28e/0x390
      [ 1428.846888]  ? update_sit_entry+0x80/0x7f0
      [ 1428.846898]  update_sit_entry+0x80/0x7f0
      [ 1428.846906]  f2fs_allocate_data_block+0x6db/0xc70
      [ 1428.846914]  ? f2fs_get_node_info+0x14f/0x590
      [ 1428.846920]  do_write_page+0xc8/0x150
      [ 1428.846928]  f2fs_outplace_write_data+0xfe/0x210
      [ 1428.846935]  ? f2fs_do_write_node_page+0x170/0x170
      [ 1428.846941]  ? radix_tree_tag_clear+0xff/0x130
      [ 1428.846946]  ? __mod_node_page_state+0x22/0xa0
      [ 1428.846951]  ? inc_zone_page_state+0x54/0x100
      [ 1428.846956]  ? __test_set_page_writeback+0x336/0x5d0
      [ 1428.846964]  f2fs_convert_inline_page+0x407/0x6d0
      [ 1428.846971]  ? f2fs_read_inline_data+0x3b0/0x3b0
      [ 1428.846978]  ? __get_node_page+0x335/0x6b0
      [ 1428.846987]  f2fs_convert_inline_inode+0x41b/0x500
      [ 1428.846994]  ? f2fs_convert_inline_page+0x6d0/0x6d0
      [ 1428.847000]  ? kasan_unpoison_shadow+0x31/0x40
      [ 1428.847005]  ? kasan_kmalloc+0xa6/0xd0
      [ 1428.847024]  f2fs_file_mmap+0x79/0xc0
      [ 1428.847029]  mmap_region+0x58b/0x880
      [ 1428.847037]  ? arch_get_unmapped_area+0x370/0x370
      [ 1428.847042]  do_mmap+0x55b/0x7a0
      [ 1428.847048]  vm_mmap_pgoff+0x16f/0x1c0
      [ 1428.847055]  ? vma_is_stack_for_current+0x50/0x50
      [ 1428.847062]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
      [ 1428.847068]  ? do_sys_open+0x206/0x2a0
      [ 1428.847073]  ? __fget+0xb4/0x100
      [ 1428.847079]  ksys_mmap_pgoff+0x278/0x360
      [ 1428.847085]  ? find_mergeable_anon_vma+0x50/0x50
      [ 1428.847091]  do_syscall_64+0x73/0x160
      [ 1428.847098]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 1428.847102] RIP: 0033:0x7fb1430766ba
      [ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
      [ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
      [ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
      [ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
      [ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
      [ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
      [ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
      
      [ 1428.847252] Allocated by task 2683:
      [ 1428.847372]  kasan_kmalloc+0xa6/0xd0
      [ 1428.847380]  kmem_cache_alloc+0xc8/0x1e0
      [ 1428.847385]  getname_flags+0x73/0x2b0
      [ 1428.847390]  user_path_at_empty+0x1d/0x40
      [ 1428.847395]  vfs_statx+0xc1/0x150
      [ 1428.847401]  __do_sys_newlstat+0x7e/0xd0
      [ 1428.847405]  do_syscall_64+0x73/0x160
      [ 1428.847411]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [ 1428.847466] Freed by task 2683:
      [ 1428.847566]  __kasan_slab_free+0x137/0x190
      [ 1428.847571]  kmem_cache_free+0x85/0x1e0
      [ 1428.847575]  filename_lookup+0x191/0x280
      [ 1428.847580]  vfs_statx+0xc1/0x150
      [ 1428.847585]  __do_sys_newlstat+0x7e/0xd0
      [ 1428.847590]  do_syscall_64+0x73/0x160
      [ 1428.847596]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [ 1428.847648] The buggy address belongs to the object at ffff880194483300
                      which belongs to the cache names_cache of size 4096
      [ 1428.847946] The buggy address is located 576 bytes inside of
                      4096-byte region [ffff880194483300, ffff880194484300)
      [ 1428.848234] The buggy address belongs to the page:
      [ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
      [ 1428.848606] flags: 0x17fff8000008100(slab|head)
      [ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
      [ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
      [ 1428.849122] page dumped because: kasan: bad access detected
      
      [ 1428.849305] Memory state around the buggy address:
      [ 1428.849436]  ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.849620]  ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.849985]                                            ^
      [ 1428.850120]  ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.850303]  ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 1428.850498] ==================================================================
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      4dbe38dc
    • Chao Yu's avatar
      f2fs: fix to do sanity check with node footer and iblocks · e34438c9
      Chao Yu authored
      This patch adds to do sanity check with below fields of inode to
      avoid reported panic.
      - node footer
      - iblocks
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200223
      
      - Overview
      BUG() triggered in f2fs_truncate_inode_blocks() when un-mounting a mounted f2fs image after writing to it
      
      - Reproduce
      
      - POC (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
      
        // open / write / read
        int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
        if (fd >= 0) {
          write(fd, (char *)buf, 517);
          write(fd, (char *)buf, sizeof(buf));
          close(fd);
        }
      
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      - Kernel meesage
      [  552.479723] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [  556.451891] ------------[ cut here ]------------
      [  556.451899] kernel BUG at fs/f2fs/node.c:987!
      [  556.452920] invalid opcode: 0000 [#1] SMP KASAN PTI
      [  556.453936] CPU: 1 PID: 1310 Comm: umount Not tainted 4.18.0-rc1+ #4
      [  556.455213] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  556.457140] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
      [  556.458280] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
      [  556.462015] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286
      [  556.463068] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc
      [  556.464479] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164
      [  556.465901] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d
      [  556.467311] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64
      [  556.468706] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801
      [  556.470117] FS:  00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  556.471702] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  556.472838] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0
      [  556.474265] Call Trace:
      [  556.474782]  ? f2fs_alloc_nid_failed+0xf0/0xf0
      [  556.475686]  ? truncate_nodes+0x980/0x980
      [  556.476516]  ? pagecache_get_page+0x21f/0x2f0
      [  556.477412]  ? __asan_loadN+0xf/0x20
      [  556.478153]  ? __get_node_page+0x331/0x5b0
      [  556.478992]  ? reweight_entity+0x1e6/0x3b0
      [  556.479826]  f2fs_truncate_blocks+0x55e/0x740
      [  556.480709]  ? f2fs_truncate_data_blocks+0x20/0x20
      [  556.481689]  ? __radix_tree_lookup+0x34/0x160
      [  556.482630]  ? radix_tree_lookup+0xd/0x10
      [  556.483445]  f2fs_truncate+0xd4/0x1a0
      [  556.484206]  f2fs_evict_inode+0x5ce/0x630
      [  556.485032]  evict+0x16f/0x290
      [  556.485664]  iput+0x280/0x300
      [  556.486300]  dentry_unlink_inode+0x165/0x1e0
      [  556.487169]  __dentry_kill+0x16a/0x260
      [  556.487936]  dentry_kill+0x70/0x250
      [  556.488651]  shrink_dentry_list+0x125/0x260
      [  556.489504]  shrink_dcache_parent+0xc1/0x110
      [  556.490379]  ? shrink_dcache_sb+0x200/0x200
      [  556.491231]  ? bit_wait_timeout+0xc0/0xc0
      [  556.492047]  do_one_tree+0x12/0x40
      [  556.492743]  shrink_dcache_for_umount+0x3f/0xa0
      [  556.493656]  generic_shutdown_super+0x43/0x1c0
      [  556.494561]  kill_block_super+0x52/0x80
      [  556.495341]  kill_f2fs_super+0x62/0x70
      [  556.496105]  deactivate_locked_super+0x6f/0xa0
      [  556.497004]  deactivate_super+0x5e/0x80
      [  556.497785]  cleanup_mnt+0x61/0xa0
      [  556.498492]  __cleanup_mnt+0x12/0x20
      [  556.499218]  task_work_run+0xc8/0xf0
      [  556.499949]  exit_to_usermode_loop+0x125/0x130
      [  556.500846]  do_syscall_64+0x138/0x170
      [  556.501609]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  556.502659] RIP: 0033:0x7f8028b77487
      [  556.503384] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
      [  556.507137] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  556.508637] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487
      [  556.510069] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0
      [  556.511481] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014
      [  556.512892] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c
      [  556.514320] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820
      [  556.515745] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  556.529276] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  556.530340] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
      [  556.531513] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
      [  556.535330] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286
      [  556.536395] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc
      [  556.537824] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164
      [  556.539290] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d
      [  556.540709] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64
      [  556.542131] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801
      [  556.543579] FS:  00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  556.545180] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  556.546338] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0
      [  556.547809] ==================================================================
      [  556.549248] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x52/0x170
      [  556.550672] Write of size 8 at addr ffff8801f292fd10 by task umount/1310
      
      [  556.552338] CPU: 1 PID: 1310 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
      [  556.553886] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  556.555756] Call Trace:
      [  556.556264]  dump_stack+0x7b/0xb5
      [  556.556944]  print_address_description+0x70/0x290
      [  556.557903]  kasan_report+0x291/0x390
      [  556.558649]  ? arch_tlb_gather_mmu+0x52/0x170
      [  556.559537]  __asan_store8+0x57/0x90
      [  556.560268]  arch_tlb_gather_mmu+0x52/0x170
      [  556.561110]  tlb_gather_mmu+0x12/0x40
      [  556.561862]  exit_mmap+0x123/0x2a0
      [  556.562555]  ? __ia32_sys_munmap+0x50/0x50
      [  556.563384]  ? exit_aio+0x98/0x230
      [  556.564079]  ? __x32_compat_sys_io_submit+0x260/0x260
      [  556.565099]  ? taskstats_exit+0x1f4/0x640
      [  556.565925]  ? kasan_check_read+0x11/0x20
      [  556.566739]  ? mm_update_next_owner+0x322/0x380
      [  556.567652]  mmput+0x8b/0x1d0
      [  556.568260]  do_exit+0x43a/0x1390
      [  556.568937]  ? mm_update_next_owner+0x380/0x380
      [  556.569855]  ? deactivate_super+0x5e/0x80
      [  556.570668]  ? cleanup_mnt+0x61/0xa0
      [  556.571395]  ? __cleanup_mnt+0x12/0x20
      [  556.572156]  ? task_work_run+0xc8/0xf0
      [  556.572917]  ? exit_to_usermode_loop+0x125/0x130
      [  556.573861]  rewind_stack_do_exit+0x17/0x20
      [  556.574707] RIP: 0033:0x7f8028b77487
      [  556.575428] Code: Bad RIP value.
      [  556.576106] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  556.577599] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487
      [  556.579020] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0
      [  556.580422] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014
      [  556.581833] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c
      [  556.583252] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820
      
      [  556.584983] The buggy address belongs to the page:
      [  556.585961] page:ffffea0007ca4bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  556.587540] flags: 0x2ffff0000000000()
      [  556.588296] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
      [  556.589822] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  556.591359] page dumped because: kasan: bad access detected
      
      [  556.592786] Memory state around the buggy address:
      [  556.593753]  ffff8801f292fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  556.595191]  ffff8801f292fc80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
      [  556.596613] >ffff8801f292fd00: 00 00 f3 00 00 00 00 f3 f3 00 00 00 00 f4 f4 f4
      [  556.598044]                          ^
      [  556.598797]  ffff8801f292fd80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      [  556.600225]  ffff8801f292fe00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4
      [  556.601647] ==================================================================
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/node.c#L987
      		case NODE_DIND_BLOCK:
      			err = truncate_nodes(&dn, nofs, offset[1], 3);
      			cont = 0;
      			break;
      
      		default:
      			BUG(); <---
      		}
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      e34438c9
    • Yunlei He's avatar
      f2fs: Allocate and stat mem used by free nid bitmap more accurately · e15d54d5
      Yunlei He authored
      This patch used f2fs_bitmap_size macro to calculate mem used by
      free nid bitmap, and stat used mem including aligned part.
      Signed-off-by: default avatarYunlei He <heyunlei@huawei.com>
      Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      e15d54d5
    • Chao Yu's avatar
      f2fs: fix to do sanity check with user_block_count · 9dc956b2
      Chao Yu authored
      This patch fixs to do sanity check with user_block_count.
      
      - Overview
      Divide zero in utilization when mount() a corrupted f2fs image
      
      - Reproduce (4.18 upstream kernel)
      
      - Kernel message
      [  564.099503] F2FS-fs (loop0): invalid crc value
      [  564.101991] divide error: 0000 [#1] SMP KASAN PTI
      [  564.103103] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Not tainted 4.18.0-rc1+ #4
      [  564.104584] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  564.106624] RIP: 0010:issue_discard_thread+0x248/0x5c0
      [  564.107692] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
      [  564.111686] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
      [  564.112775] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
      [  564.114250] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
      [  564.115706] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
      [  564.117177] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
      [  564.118634] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
      [  564.120094] FS:  0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  564.121748] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  564.122923] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
      [  564.124383] Call Trace:
      [  564.124924]  ? __issue_discard_cmd+0x480/0x480
      [  564.125882]  ? __sched_text_start+0x8/0x8
      [  564.126756]  ? __kthread_parkme+0xcb/0x100
      [  564.127620]  ? kthread_blkcg+0x70/0x70
      [  564.128412]  kthread+0x180/0x1d0
      [  564.129105]  ? __issue_discard_cmd+0x480/0x480
      [  564.130029]  ? kthread_associate_blkcg+0x150/0x150
      [  564.131033]  ret_from_fork+0x35/0x40
      [  564.131794] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  564.141798] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  564.142773] RIP: 0010:issue_discard_thread+0x248/0x5c0
      [  564.143885] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
      [  564.147776] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
      [  564.148856] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
      [  564.150424] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
      [  564.151906] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
      [  564.153463] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
      [  564.154915] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
      [  564.156405] FS:  0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  564.158070] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  564.159279] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
      [  564.161043] ==================================================================
      [  564.162587] BUG: KASAN: stack-out-of-bounds in from_kuid_munged+0x1d/0x50
      [  564.163994] Read of size 4 at addr ffff8801f3117c84 by task f2fs_discard-7:/1298
      
      [  564.165852] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Tainted: G      D           4.18.0-rc1+ #4
      [  564.167593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  564.169522] Call Trace:
      [  564.170057]  dump_stack+0x7b/0xb5
      [  564.170778]  print_address_description+0x70/0x290
      [  564.171765]  kasan_report+0x291/0x390
      [  564.172540]  ? from_kuid_munged+0x1d/0x50
      [  564.173408]  __asan_load4+0x78/0x80
      [  564.174148]  from_kuid_munged+0x1d/0x50
      [  564.174962]  do_notify_parent+0x1f5/0x4f0
      [  564.175808]  ? send_sigqueue+0x390/0x390
      [  564.176639]  ? css_set_move_task+0x152/0x340
      [  564.184197]  do_exit+0x1290/0x1390
      [  564.184950]  ? __issue_discard_cmd+0x480/0x480
      [  564.185884]  ? mm_update_next_owner+0x380/0x380
      [  564.186829]  ? __sched_text_start+0x8/0x8
      [  564.187672]  ? __kthread_parkme+0xcb/0x100
      [  564.188528]  ? kthread_blkcg+0x70/0x70
      [  564.189333]  ? kthread+0x180/0x1d0
      [  564.190052]  ? __issue_discard_cmd+0x480/0x480
      [  564.190983]  rewind_stack_do_exit+0x17/0x20
      
      [  564.192190] The buggy address belongs to the page:
      [  564.193213] page:ffffea0007cc45c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  564.194856] flags: 0x2ffff0000000000()
      [  564.195644] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
      [  564.197247] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  564.198826] page dumped because: kasan: bad access detected
      
      [  564.200299] Memory state around the buggy address:
      [  564.201306]  ffff8801f3117b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  564.202779]  ffff8801f3117c00: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
      [  564.204252] >ffff8801f3117c80: f3 f3 f3 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      [  564.205742]                    ^
      [  564.206424]  ffff8801f3117d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  564.207908]  ffff8801f3117d80: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      [  564.209389] ==================================================================
      [  564.231795] F2FS-fs (loop0): Mounted with checkpoint version = 2
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L586
      	return div_u64((u64)valid_user_blocks(sbi) * 100,
      					sbi->user_block_count);
      Missing checks on sbi->user_block_count.
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      9dc956b2
  3. 27 Jul, 2018 4 commits
    • Chao Yu's avatar
      f2fs: fix to do sanity check with extra_attr feature · 76d56d4a
      Chao Yu authored
      If FI_EXTRA_ATTR is set in inode by fuzzing, inode.i_addr[0] will be
      parsed as inode.i_extra_isize, then in __recover_inline_status, inline
      data address will beyond boundary of page, result in accessing invalid
      memory.
      
      So in this condition, during reading inode page, let's do sanity check
      with EXTRA_ATTR feature of fs and extra_attr bit of inode, if they're
      inconsistent, deny to load this inode.
      
      - Overview
      Out-of-bound access in f2fs_iget() when mounting a corrupted f2fs image
      
      - Reproduce
      
      The following message will be got in KASAN build of 4.18 upstream kernel.
      [  819.392227] ==================================================================
      [  819.393901] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x736/0x1530
      [  819.395329] Read of size 4 at addr ffff8801f099c968 by task mount/1292
      
      [  819.397079] CPU: 1 PID: 1292 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  819.397082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  819.397088] Call Trace:
      [  819.397124]  dump_stack+0x7b/0xb5
      [  819.397154]  print_address_description+0x70/0x290
      [  819.397159]  kasan_report+0x291/0x390
      [  819.397163]  ? f2fs_iget+0x736/0x1530
      [  819.397176]  check_memory_region+0x139/0x190
      [  819.397182]  __asan_loadN+0xf/0x20
      [  819.397185]  f2fs_iget+0x736/0x1530
      [  819.397197]  f2fs_fill_super+0x1b4f/0x2b40
      [  819.397202]  ? f2fs_fill_super+0x1b4f/0x2b40
      [  819.397208]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397227]  ? set_blocksize+0x90/0x140
      [  819.397241]  mount_bdev+0x1c5/0x210
      [  819.397245]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397252]  f2fs_mount+0x15/0x20
      [  819.397256]  mount_fs+0x60/0x1a0
      [  819.397267]  ? alloc_vfsmnt+0x309/0x360
      [  819.397272]  vfs_kern_mount+0x6b/0x1a0
      [  819.397282]  do_mount+0x34a/0x18c0
      [  819.397300]  ? lockref_put_or_lock+0xcf/0x160
      [  819.397306]  ? copy_mount_string+0x20/0x20
      [  819.397318]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  819.397324]  ? kasan_check_write+0x14/0x20
      [  819.397334]  ? _copy_from_user+0x6a/0x90
      [  819.397353]  ? memdup_user+0x42/0x60
      [  819.397359]  ksys_mount+0x83/0xd0
      [  819.397365]  __x64_sys_mount+0x67/0x80
      [  819.397388]  do_syscall_64+0x78/0x170
      [  819.397403]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  819.397422] RIP: 0033:0x7f54c667cb9a
      [  819.397424] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  819.397483] RSP: 002b:00007ffd8f46cd08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
      [  819.397496] RAX: ffffffffffffffda RBX: 0000000000dfa030 RCX: 00007f54c667cb9a
      [  819.397498] RDX: 0000000000dfa210 RSI: 0000000000dfbf30 RDI: 0000000000e02ec0
      [  819.397501] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  819.397503] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000e02ec0
      [  819.397505] R13: 0000000000dfa210 R14: 0000000000000000 R15: 0000000000000003
      
      [  819.397866] Allocated by task 139:
      [  819.398702]  save_stack+0x46/0xd0
      [  819.398705]  kasan_kmalloc+0xad/0xe0
      [  819.398709]  kasan_slab_alloc+0x11/0x20
      [  819.398713]  kmem_cache_alloc+0xd1/0x1e0
      [  819.398717]  dup_fd+0x50/0x4c0
      [  819.398740]  copy_process.part.37+0xbed/0x32e0
      [  819.398744]  _do_fork+0x16e/0x590
      [  819.398748]  __x64_sys_clone+0x69/0x80
      [  819.398752]  do_syscall_64+0x78/0x170
      [  819.398756]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.399097] Freed by task 159:
      [  819.399743]  save_stack+0x46/0xd0
      [  819.399747]  __kasan_slab_free+0x13c/0x1a0
      [  819.399750]  kasan_slab_free+0xe/0x10
      [  819.399754]  kmem_cache_free+0x89/0x1e0
      [  819.399757]  put_files_struct+0x132/0x150
      [  819.399761]  exit_files+0x62/0x70
      [  819.399766]  do_exit+0x47b/0x1390
      [  819.399770]  do_group_exit+0x86/0x130
      [  819.399774]  __x64_sys_exit_group+0x2c/0x30
      [  819.399778]  do_syscall_64+0x78/0x170
      [  819.399782]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.400115] The buggy address belongs to the object at ffff8801f099c680
                      which belongs to the cache files_cache of size 704
      [  819.403234] The buggy address is located 40 bytes to the right of
                      704-byte region [ffff8801f099c680, ffff8801f099c940)
      [  819.405689] The buggy address belongs to the page:
      [  819.406709] page:ffffea0007c26700 count:1 mapcount:0 mapping:ffff8801f69a3340 index:0xffff8801f099d380 compound_mapcount: 0
      [  819.408984] flags: 0x2ffff0000008100(slab|head)
      [  819.409932] raw: 02ffff0000008100 ffffea00077fb600 0000000200000002 ffff8801f69a3340
      [  819.411514] raw: ffff8801f099d380 0000000080130000 00000001ffffffff 0000000000000000
      [  819.413073] page dumped because: kasan: bad access detected
      
      [  819.414539] Memory state around the buggy address:
      [  819.415521]  ffff8801f099c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.416981]  ffff8801f099c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.418454] >ffff8801f099c900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [  819.419921]                                                           ^
      [  819.421265]  ffff8801f099c980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
      [  819.422745]  ffff8801f099ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.424206] ==================================================================
      [  819.425668] Disabling lock debugging due to kernel taint
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      
      The kernel still mounts the image. If you run the following program on the mounted folder mnt,
      
      (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
          int fd = open(foo_bar_baz, O_RDONLY, 0);
        if (fd >= 0) {
            read(fd, (char *)buf, 11);
            close(fd);
        }
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      You can get kernel crash:
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      [  918.028501] BUG: unable to handle kernel paging request at ffffed0048000d82
      [  918.044020] PGD 23ffee067 P4D 23ffee067 PUD 23fbef067 PMD 0
      [  918.045207] Oops: 0000 [#1] SMP KASAN PTI
      [  918.046048] CPU: 0 PID: 1309 Comm: poc Tainted: G    B             4.18.0-rc1+ #4
      [  918.047573] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  918.049552] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.050565] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.054322] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.055400] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.056832] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.058253] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.059717] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.061159] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.062614] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.064246] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.065412] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      [  918.066882] Call Trace:
      [  918.067410]  __asan_loadN+0xf/0x20
      [  918.068149]  f2fs_find_target_dentry+0xf4/0x270
      [  918.069083]  ? __get_node_page+0x331/0x5b0
      [  918.069925]  f2fs_find_in_inline_dir+0x24b/0x310
      [  918.070881]  ? f2fs_recover_inline_data+0x4c0/0x4c0
      [  918.071905]  ? unwind_next_frame.part.5+0x34f/0x490
      [  918.072901]  ? unwind_dump+0x290/0x290
      [  918.073695]  ? is_bpf_text_address+0xe/0x20
      [  918.074566]  __f2fs_find_entry+0x599/0x670
      [  918.075408]  ? kasan_unpoison_shadow+0x36/0x50
      [  918.076315]  ? kasan_kmalloc+0xad/0xe0
      [  918.077100]  ? memcg_kmem_put_cache+0x55/0xa0
      [  918.077998]  ? f2fs_find_target_dentry+0x270/0x270
      [  918.079006]  ? d_set_d_op+0x30/0x100
      [  918.079749]  ? __d_lookup_rcu+0x69/0x2e0
      [  918.080556]  ? __d_alloc+0x275/0x450
      [  918.081297]  ? kasan_check_write+0x14/0x20
      [  918.082135]  ? memset+0x31/0x40
      [  918.082820]  ? fscrypt_setup_filename+0x1ec/0x4c0
      [  918.083782]  ? d_alloc_parallel+0x5bb/0x8c0
      [  918.084640]  f2fs_find_entry+0xe9/0x110
      [  918.085432]  ? __f2fs_find_entry+0x670/0x670
      [  918.086308]  ? kasan_check_write+0x14/0x20
      [  918.087163]  f2fs_lookup+0x297/0x590
      [  918.087902]  ? f2fs_link+0x2b0/0x2b0
      [  918.088646]  ? legitimize_path.isra.29+0x61/0xa0
      [  918.089589]  __lookup_slow+0x12e/0x240
      [  918.090371]  ? may_delete+0x2b0/0x2b0
      [  918.091123]  ? __nd_alloc_stack+0xa0/0xa0
      [  918.091944]  lookup_slow+0x44/0x60
      [  918.092642]  walk_component+0x3ee/0xa40
      [  918.093428]  ? is_bpf_text_address+0xe/0x20
      [  918.094283]  ? pick_link+0x3e0/0x3e0
      [  918.095047]  ? in_group_p+0xa5/0xe0
      [  918.095771]  ? generic_permission+0x53/0x1e0
      [  918.096666]  ? security_inode_permission+0x1d/0x70
      [  918.097646]  ? inode_permission+0x7a/0x1f0
      [  918.098497]  link_path_walk+0x2a2/0x7b0
      [  918.099298]  ? apparmor_capget+0x3d0/0x3d0
      [  918.100140]  ? walk_component+0xa40/0xa40
      [  918.100958]  ? path_init+0x2e6/0x580
      [  918.101695]  path_openat+0x1bb/0x2160
      [  918.102471]  ? __save_stack_trace+0x92/0x100
      [  918.103352]  ? save_stack+0xb5/0xd0
      [  918.104070]  ? vfs_unlink+0x250/0x250
      [  918.104822]  ? save_stack+0x46/0xd0
      [  918.105538]  ? kasan_slab_alloc+0x11/0x20
      [  918.106370]  ? kmem_cache_alloc+0xd1/0x1e0
      [  918.107213]  ? getname_flags+0x76/0x2c0
      [  918.107997]  ? getname+0x12/0x20
      [  918.108677]  ? do_sys_open+0x14b/0x2c0
      [  918.109450]  ? __x64_sys_open+0x4c/0x60
      [  918.110255]  ? do_syscall_64+0x78/0x170
      [  918.111083]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.112148]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.113204]  ? f2fs_empty_inline_dir+0x1e0/0x1e0
      [  918.114150]  ? timespec64_trunc+0x5c/0x90
      [  918.114993]  ? wb_io_lists_depopulated+0x1a/0xc0
      [  918.115937]  ? inode_io_list_move_locked+0x102/0x110
      [  918.116949]  do_filp_open+0x12b/0x1d0
      [  918.117709]  ? may_open_dev+0x50/0x50
      [  918.118475]  ? kasan_kmalloc+0xad/0xe0
      [  918.119246]  do_sys_open+0x17c/0x2c0
      [  918.119983]  ? do_sys_open+0x17c/0x2c0
      [  918.120751]  ? filp_open+0x60/0x60
      [  918.121463]  ? task_work_run+0x4d/0xf0
      [  918.122237]  __x64_sys_open+0x4c/0x60
      [  918.123001]  do_syscall_64+0x78/0x170
      [  918.123759]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.124802] RIP: 0033:0x7fac96e3e040
      [  918.125537] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24
      [  918.129341] RSP: 002b:00007fff1b37f848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
      [  918.130870] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fac96e3e040
      [  918.132295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000122d080
      [  918.133748] RBP: 00007fff1b37f9b0 R08: 00007fac9710bbd8 R09: 0000000000000001
      [  918.135209] R10: 000000000000069d R11: 0000000000000246 R12: 0000000000400c20
      [  918.136650] R13: 00007fff1b37fab0 R14: 0000000000000000 R15: 0000000000000000
      [  918.138093] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  918.147924] CR2: ffffed0048000d82
      [  918.148619] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  918.149563] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.150576] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.154360] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.155411] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.156833] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.158257] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.159722] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.161149] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.162587] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.164203] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.165356] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      76d56d4a
    • Chao Yu's avatar
      f2fs: fix to correct return value of f2fs_trim_fs · 01f9cf6d
      Chao Yu authored
      We should account trimmed block number from __wait_all_discard_cmd
      in __issue_discard_cmd_range, otherwise trimmed blocks returned
      by f2fs_trim_fs will be wrong, this patch fixes it.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      01f9cf6d
    • Chao Yu's avatar
      f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize · c77ec61c
      Chao Yu authored
      This patch adds to do sanity check with {sit,nat}_ver_bitmap_bytesize
      during mount, in order to avoid accessing across cache boundary with
      this abnormal bitmap size.
      
      - Overview
      buffer overrun in build_sit_info() when mounting a crafted f2fs image
      
      - Reproduce
      
      - Kernel message
      [  548.580867] F2FS-fs (loop0): Invalid log blocks per segment (8201)
      
      [  548.580877] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
      [  548.584979] ==================================================================
      [  548.586568] BUG: KASAN: use-after-free in kmemdup+0x36/0x50
      [  548.587715] Read of size 64 at addr ffff8801e9c265ff by task mount/1295
      
      [  548.589428] CPU: 1 PID: 1295 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  548.589432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  548.589438] Call Trace:
      [  548.589474]  dump_stack+0x7b/0xb5
      [  548.589487]  print_address_description+0x70/0x290
      [  548.589492]  kasan_report+0x291/0x390
      [  548.589496]  ? kmemdup+0x36/0x50
      [  548.589509]  check_memory_region+0x139/0x190
      [  548.589514]  memcpy+0x23/0x50
      [  548.589518]  kmemdup+0x36/0x50
      [  548.589545]  f2fs_build_segment_manager+0x8fa/0x3410
      [  548.589551]  ? __asan_loadN+0xf/0x20
      [  548.589560]  ? f2fs_sanity_check_ckpt+0x1be/0x240
      [  548.589566]  ? f2fs_flush_sit_entries+0x10c0/0x10c0
      [  548.589587]  ? __put_user_ns+0x40/0x40
      [  548.589604]  ? find_next_bit+0x57/0x90
      [  548.589610]  f2fs_fill_super+0x194b/0x2b40
      [  548.589617]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.589637]  ? set_blocksize+0x90/0x140
      [  548.589651]  mount_bdev+0x1c5/0x210
      [  548.589655]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.589667]  f2fs_mount+0x15/0x20
      [  548.589672]  mount_fs+0x60/0x1a0
      [  548.589683]  ? alloc_vfsmnt+0x309/0x360
      [  548.589688]  vfs_kern_mount+0x6b/0x1a0
      [  548.589699]  do_mount+0x34a/0x18c0
      [  548.589710]  ? lockref_put_or_lock+0xcf/0x160
      [  548.589716]  ? copy_mount_string+0x20/0x20
      [  548.589728]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  548.589734]  ? kasan_check_write+0x14/0x20
      [  548.589740]  ? _copy_from_user+0x6a/0x90
      [  548.589744]  ? memdup_user+0x42/0x60
      [  548.589750]  ksys_mount+0x83/0xd0
      [  548.589755]  __x64_sys_mount+0x67/0x80
      [  548.589781]  do_syscall_64+0x78/0x170
      [  548.589797]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.589820] RIP: 0033:0x7f76fc331b9a
      [  548.589821] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  548.589880] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  548.589890] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
      [  548.589892] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
      [  548.589895] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  548.589897] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
      [  548.589900] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
      
      [  548.590242] The buggy address belongs to the page:
      [  548.591243] page:ffffea0007a70980 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  548.592886] flags: 0x2ffff0000000000()
      [  548.593665] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
      [  548.595258] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  548.603713] page dumped because: kasan: bad access detected
      
      [  548.605203] Memory state around the buggy address:
      [  548.606198]  ffff8801e9c26480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.607676]  ffff8801e9c26500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.609157] >ffff8801e9c26580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.610629]                                                                 ^
      [  548.612088]  ffff8801e9c26600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.613674]  ffff8801e9c26680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [  548.615141] ==================================================================
      [  548.616613] Disabling lock debugging due to kernel taint
      [  548.622871] WARNING: CPU: 1 PID: 1295 at mm/page_alloc.c:4065 __alloc_pages_slowpath+0xe4a/0x1420
      [  548.622878] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  548.623217] CPU: 1 PID: 1295 Comm: mount Tainted: G    B             4.18.0-rc1+ #4
      [  548.623219] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  548.623226] RIP: 0010:__alloc_pages_slowpath+0xe4a/0x1420
      [  548.623227] Code: ff ff 01 89 85 c8 fe ff ff e9 91 fc ff ff 41 89 c5 e9 5c fc ff ff 0f 0b 89 f8 25 ff ff f7 ff 89 85 8c fe ff ff e9 d5 f2 ff ff <0f> 0b e9 65 f2 ff ff 65 8b 05 38 81 d2 47 f6 c4 01 74 1c 65 48 8b
      [  548.623281] RSP: 0018:ffff8801f28c7678 EFLAGS: 00010246
      [  548.623284] RAX: 0000000000000000 RBX: 00000000006040c0 RCX: ffffffffb82f73b7
      [  548.623287] RDX: 1ffff1003e518eeb RSI: 000000000000000c RDI: 0000000000000000
      [  548.623290] RBP: ffff8801f28c7880 R08: 0000000000000000 R09: ffffed0047fff2c5
      [  548.623292] R10: 0000000000000001 R11: ffffed0047fff2c4 R12: ffff8801e88de040
      [  548.623295] R13: 00000000006040c0 R14: 000000000000000c R15: ffff8801f28c7938
      [  548.623299] FS:  00007f76fca51840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  548.623302] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  548.623304] CR2: 00007f19b9171760 CR3: 00000001ed952000 CR4: 00000000000006e0
      [  548.623317] Call Trace:
      [  548.623325]  ? kasan_check_read+0x11/0x20
      [  548.623330]  ? __zone_watermark_ok+0x92/0x240
      [  548.623336]  ? get_page_from_freelist+0x1c3/0x1d90
      [  548.623347]  ? _raw_spin_lock_irqsave+0x2a/0x60
      [  548.623353]  ? warn_alloc+0x250/0x250
      [  548.623358]  ? save_stack+0x46/0xd0
      [  548.623361]  ? kasan_kmalloc+0xad/0xe0
      [  548.623366]  ? __isolate_free_page+0x2a0/0x2a0
      [  548.623370]  ? mount_fs+0x60/0x1a0
      [  548.623374]  ? vfs_kern_mount+0x6b/0x1a0
      [  548.623378]  ? do_mount+0x34a/0x18c0
      [  548.623383]  ? ksys_mount+0x83/0xd0
      [  548.623387]  ? __x64_sys_mount+0x67/0x80
      [  548.623391]  ? do_syscall_64+0x78/0x170
      [  548.623396]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.623401]  __alloc_pages_nodemask+0x3c5/0x400
      [  548.623407]  ? __alloc_pages_slowpath+0x1420/0x1420
      [  548.623412]  ? __mutex_lock_slowpath+0x20/0x20
      [  548.623417]  ? kvmalloc_node+0x31/0x80
      [  548.623424]  alloc_pages_current+0x75/0x110
      [  548.623436]  kmalloc_order+0x24/0x60
      [  548.623442]  kmalloc_order_trace+0x24/0xb0
      [  548.623448]  __kmalloc_track_caller+0x207/0x220
      [  548.623455]  ? f2fs_build_node_manager+0x399/0xbb0
      [  548.623460]  kmemdup+0x20/0x50
      [  548.623465]  f2fs_build_node_manager+0x399/0xbb0
      [  548.623470]  f2fs_fill_super+0x195e/0x2b40
      [  548.623477]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.623481]  ? set_blocksize+0x90/0x140
      [  548.623486]  mount_bdev+0x1c5/0x210
      [  548.623489]  ? f2fs_commit_super+0x1b0/0x1b0
      [  548.623495]  f2fs_mount+0x15/0x20
      [  548.623498]  mount_fs+0x60/0x1a0
      [  548.623503]  ? alloc_vfsmnt+0x309/0x360
      [  548.623508]  vfs_kern_mount+0x6b/0x1a0
      [  548.623513]  do_mount+0x34a/0x18c0
      [  548.623518]  ? lockref_put_or_lock+0xcf/0x160
      [  548.623523]  ? copy_mount_string+0x20/0x20
      [  548.623528]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  548.623533]  ? kasan_check_write+0x14/0x20
      [  548.623537]  ? _copy_from_user+0x6a/0x90
      [  548.623542]  ? memdup_user+0x42/0x60
      [  548.623547]  ksys_mount+0x83/0xd0
      [  548.623552]  __x64_sys_mount+0x67/0x80
      [  548.623557]  do_syscall_64+0x78/0x170
      [  548.623562]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  548.623566] RIP: 0033:0x7f76fc331b9a
      [  548.623567] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  548.623632] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  548.623636] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a
      [  548.623639] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0
      [  548.623641] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  548.623643] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0
      [  548.623646] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003
      [  548.623650] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  548.623656] F2FS-fs (loop0): Failed to initialize F2FS node manager
      [  548.627936] F2FS-fs (loop0): Invalid log blocks per segment (8201)
      
      [  548.627940] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
      [  548.635835] F2FS-fs (loop0): Failed to initialize F2FS node manager
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.c#L3578
      
      	sit_i->sit_bitmap = kmemdup(src_bitmap, bitmap_size, GFP_KERNEL);
      
      Buffer overrun happens when doing memcpy. I suspect there is missing (inconsistent) checks on bitmap_size.
      
      Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech.
      Reported-by: default avatarWen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      c77ec61c
    • Chao Yu's avatar
      f2fs: fix to do sanity check with secs_per_zone · 42bf546c
      Chao Yu authored
      As Wen Xu reported in below link:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200183
      
      - Overview
      Divide zero in reset_curseg() when mounting a crafted f2fs image
      
      - Reproduce
      
      - Kernel message
      [  588.281510] divide error: 0000 [#1] SMP KASAN PTI
      [  588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  588.286178] RIP: 0010:reset_curseg+0x94/0x1a0
      [  588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
      [  588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
      [  588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
      [  588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
      [  588.306822] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  588.308456] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
      [  588.311085] Call Trace:
      [  588.311637]  f2fs_build_segment_manager+0x103f/0x3410
      [  588.316136]  ? f2fs_commit_super+0x1b0/0x1b0
      [  588.317031]  ? set_blocksize+0x90/0x140
      [  588.319473]  f2fs_mount+0x15/0x20
      [  588.320166]  mount_fs+0x60/0x1a0
      [  588.320847]  ? alloc_vfsmnt+0x309/0x360
      [  588.321647]  vfs_kern_mount+0x6b/0x1a0
      [  588.322432]  do_mount+0x34a/0x18c0
      [  588.323175]  ? strndup_user+0x46/0x70
      [  588.323937]  ? copy_mount_string+0x20/0x20
      [  588.324793]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  588.325702]  ? kasan_check_write+0x14/0x20
      [  588.326562]  ? _copy_from_user+0x6a/0x90
      [  588.327375]  ? memdup_user+0x42/0x60
      [  588.328118]  ksys_mount+0x83/0xd0
      [  588.328808]  __x64_sys_mount+0x67/0x80
      [  588.329607]  do_syscall_64+0x78/0x170
      [  588.330400]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  588.331461] RIP: 0033:0x7fad848e8b9a
      [  588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
      [  588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a
      [  588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0
      [  588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0
      [  588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003
      [  588.354891] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  588.355862] RIP: 0010:reset_curseg+0x94/0x1a0
      [  588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
      [  588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
      [  588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
      [  588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f
      [  588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700
      [  588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
      [  588.370057] FS:  00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  588.372099] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
      
      - Location
      https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147
              curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno);
      
      If secs_per_zone is corrupted due to fuzzing test, it will cause divide
      zero operation when using GET_ZONE_FROM_SEG macro, so we should do more
      sanity check with secs_per_zone during mount to avoid this issue.
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      42bf546c