• Chao Yu's avatar
    f2fs: fix to avoid NULL pointer dereference on se->discard_map · 7d20c8ab
    Chao Yu authored
    https://bugzilla.kernel.org/show_bug.cgi?id=200951
    
    These is a NULL pointer dereference issue reported in bugzilla:
    
    Hi,
    in the setup there is a SATA SSD connected to a SATA-to-USB bridge.
    
    The disc is "Samsung SSD 850 PRO 256G" which supports TRIM.
    There are four partitions:
     sda1: FAT  /boot
     sda2: F2FS /
     sda3: F2FS /home
     sda4: F2FS
    
    The bridge is ASMT1153e which uses the "uas" driver.
    There is no TRIM pass-through, so, when mounting it reports:
     mounting with "discard" option, but the device does not support discard
    
    The USB host is USB3.0 and UASP capable. It is the one on RK3399.
    
    Given this everything works fine, except there is no TRIM support.
    
    In order to enable TRIM a new UDEV rule is added [1]:
     /etc/udev/rules.d/10-sata-bridge-trim.rules:
     ACTION=="add|change", ATTRS{idVendor}=="174c", ATTRS{idProduct}=="55aa", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
    After reboot any F2FS write hangs forever and dmesg reports:
     Unable to handle kernel NULL pointer dereference
    
    Also tested on a x86_64 system: works fine even with TRIM enabled.
     same disc
     same bridge
     different usb host controller
     different cpu architecture
     not root filesystem
    
    Regards,
      Vicenç.
    
    [1] Post #5 in https://bbs.archlinux.org/viewtopic.php?id=236280
    
     Unable to handle kernel NULL pointer dereference at virtual address 000000000000003e
     Mem abort info:
       ESR = 0x96000004
       Exception class = DABT (current EL), IL = 32 bits
       SET = 0, FnV = 0
       EA = 0, S1PTW = 0
     Data abort info:
       ISV = 0, ISS = 0x00000004
       CM = 0, WnR = 0
     user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000626e3122
     [000000000000003e] pgd=0000000000000000
     Internal error: Oops: 96000004 [#1] SMP
     Modules linked in: overlay snd_soc_hdmi_codec rc_cec dw_hdmi_i2s_audio dw_hdmi_cec snd_soc_simple_card snd_soc_simple_card_utils snd_soc_rockchip_i2s rockchip_rga snd_soc_rockchip_pcm rockchipdrm videobuf2_dma_sg v4l2_mem2mem rtc_rk808 videobuf2_memops analogix_dp videobuf2_v4l2 videobuf2_common dw_hdmi dw_wdt cec rc_core videodev drm_kms_helper media drm rockchip_thermal rockchip_saradc realtek drm_panel_orientation_quirks syscopyarea sysfillrect sysimgblt fb_sys_fops dwmac_rk stmmac_platform stmmac pwm_bl squashfs loop crypto_user gpio_keys hid_kensington
     CPU: 5 PID: 957 Comm: nvim Not tainted 4.19.0-rc1-1-ARCH #1
     Hardware name: Sapphire-RK3399 Board (DT)
     pstate: 00000005 (nzcv daif -PAN -UAO)
     pc : update_sit_entry+0x304/0x4b0
     lr : update_sit_entry+0x108/0x4b0
     sp : ffff00000ca13bd0
     x29: ffff00000ca13bd0 x28: 000000000000003e
     x27: 0000000000000020 x26: 0000000000080000
     x25: 0000000000000048 x24: ffff8000ebb85cf8
     x23: 0000000000000253 x22: 00000000ffffffff
     x21: 00000000000535f2 x20: 00000000ffffffdf
     x19: ffff8000eb9e6800 x18: ffff8000eb9e6be8
     x17: 0000000007ce6926 x16: 000000001c83ffa8
     x15: 0000000000000000 x14: ffff8000f602df90
     x13: 0000000000000006 x12: 0000000000000040
     x11: 0000000000000228 x10: 0000000000000000
     x9 : 0000000000000000 x8 : 0000000000000000
     x7 : 00000000000535f2 x6 : ffff8000ebff3440
     x5 : ffff8000ebff3440 x4 : ffff8000ebe3a6c8
     x3 : 00000000ffffffff x2 : 0000000000000020
     x1 : 0000000000000000 x0 : ffff8000eb9e5800
     Process nvim (pid: 957, stack limit = 0x0000000063a78320)
     Call trace:
      update_sit_entry+0x304/0x4b0
      f2fs_invalidate_blocks+0x98/0x140
      truncate_node+0x90/0x400
      f2fs_remove_inode_page+0xe8/0x340
      f2fs_evict_inode+0x2b0/0x408
      evict+0xe0/0x1e0
      iput+0x160/0x260
      do_unlinkat+0x214/0x298
      __arm64_sys_unlinkat+0x3c/0x68
      el0_svc_handler+0x94/0x118
      el0_svc+0x8/0xc
     Code: f9400800 b9488400 36080140 f9400f01 (387c4820)
     ---[ end trace a0f21a307118c477 ]---
    
    The reason is it is possible to enable discard flag on block queue via
    UDEV, but during mount, f2fs will initialize se->discard_map only if
    this flag is set, once the flag is set after mount, f2fs may dereference
    NULL pointer on se->discard_map.
    
    So this patch does below changes to fix this issue:
    - initialize and update se->discard_map all the time.
    - don't clear DISCARD option if device has no QUEUE_FLAG_DISCARD flag
    during mount.
    - don't issue small discard on zoned block device.
    - introduce some functions to enhance the readability.
    Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
    Tested-by: default avatarVicente Bergas <vicencb@gmail.com>
    Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
    7d20c8ab
file.c 72.1 KB