* [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent
@ 2018-06-28 10:25 ` Chao Yu
0 siblings, 0 replies; 14+ messages in thread
From: Chao Yu @ 2018-06-28 10:25 UTC (permalink / raw)
To: jaegeuk; +Cc: linux-f2fs-devel, linux-kernel, chao, Chao Yu
If segment type in SSA and SIT is inconsistent, we will encounter below
BUG_ON during GC, to avoid this panic, let's just skip doing GC on such
segment.
The bug is triggered with image reported in below link:
https://bugzilla.kernel.org/show_bug.cgi?id=200223
[ 388.060262] ------------[ cut here ]------------
[ 388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
[ 388.061172] invalid opcode: 0000 [#1] SMP
[ 388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
[ 388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G O 4.13.0-rc1+ #26
[ 388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015
[ 388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000
[ 388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs]
[ 388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202
[ 388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0
[ 388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0
[ 388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc
[ 388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018
[ 388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000
[ 388.076687] FS: 0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000
[ 388.083277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0
[ 388.085748] Call Trace:
[ 388.086690] ? find_next_bit+0xb/0x10
[ 388.088091] f2fs_gc+0x1a8/0x9d0 [f2fs]
[ 388.088888] ? lock_timer_base+0x7d/0xa0
[ 388.090213] ? try_to_del_timer_sync+0x44/0x60
[ 388.091698] gc_thread_func+0x342/0x4b0 [f2fs]
[ 388.092892] ? wait_woken+0x80/0x80
[ 388.094098] kthread+0x109/0x140
[ 388.095010] ? f2fs_gc+0x9d0/0x9d0 [f2fs]
[ 388.096043] ? kthread_park+0x60/0x60
[ 388.097281] ret_from_fork+0x25/0x30
[ 388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55
[ 388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68
[ 388.101810] ---[ end trace 81c73d6e6b7da61d ]---
Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
fs/f2fs/gc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index da2a71eb7ee2..f3a0e2f62ce6 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -986,7 +986,12 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
goto next;
sum = page_address(sum_page);
- f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer)));
+ if (type != GET_SUM_TYPE((&sum->footer))) {
+ f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) "
+ "type [%d, %d] in SSA and SIT",
+ segno, type, GET_SUM_TYPE((&sum->footer)));
+ goto next;
+ }
/*
* this is to avoid deadlock:
--
2.18.0.rc1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent
@ 2018-06-28 10:25 ` Chao Yu
0 siblings, 0 replies; 14+ messages in thread
From: Chao Yu @ 2018-06-28 10:25 UTC (permalink / raw)
To: jaegeuk; +Cc: linux-f2fs-devel, linux-kernel, chao, Chao Yu
If segment type in SSA and SIT is inconsistent, we will encounter below
BUG_ON during GC, to avoid this panic, let's just skip doing GC on such
segment.
The bug is triggered with image reported in below link:
https://bugzilla.kernel.org/show_bug.cgi?id=200223
[ 388.060262] ------------[ cut here ]------------
[ 388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
[ 388.061172] invalid opcode: 0000 [#1] SMP
[ 388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
[ 388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G O 4.13.0-rc1+ #26
[ 388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015
[ 388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000
[ 388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs]
[ 388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202
[ 388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0
[ 388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0
[ 388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc
[ 388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018
[ 388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000
[ 388.076687] FS: 0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000
[ 388.083277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0
[ 388.085748] Call Trace:
[ 388.086690] ? find_next_bit+0xb/0x10
[ 388.088091] f2fs_gc+0x1a8/0x9d0 [f2fs]
[ 388.088888] ? lock_timer_base+0x7d/0xa0
[ 388.090213] ? try_to_del_timer_sync+0x44/0x60
[ 388.091698] gc_thread_func+0x342/0x4b0 [f2fs]
[ 388.092892] ? wait_woken+0x80/0x80
[ 388.094098] kthread+0x109/0x140
[ 388.095010] ? f2fs_gc+0x9d0/0x9d0 [f2fs]
[ 388.096043] ? kthread_park+0x60/0x60
[ 388.097281] ret_from_fork+0x25/0x30
[ 388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55
[ 388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68
[ 388.101810] ---[ end trace 81c73d6e6b7da61d ]---
Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
fs/f2fs/gc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index da2a71eb7ee2..f3a0e2f62ce6 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -986,7 +986,12 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
goto next;
sum = page_address(sum_page);
- f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer)));
+ if (type != GET_SUM_TYPE((&sum->footer))) {
+ f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) "
+ "type [%d, %d] in SSA and SIT",
+ segno, type, GET_SUM_TYPE((&sum->footer)));
+ goto next;
+ }
/*
* this is to avoid deadlock:
--
2.18.0.rc1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 2/2] f2fs: fix to do sanity check with inline flags
2018-06-28 10:25 ` Chao Yu
@ 2018-06-28 10:25 ` Chao Yu
-1 siblings, 0 replies; 14+ messages in thread
From: Chao Yu @ 2018-06-28 10:25 UTC (permalink / raw)
To: jaegeuk; +Cc: linux-f2fs-devel, linux-kernel, chao, Chao Yu
https://bugzilla.kernel.org/show_bug.cgi?id=200221
- Overview
BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
- Reproduce
- Kernel message
[ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
[ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
[ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
[ 540.970834] ------------[ cut here ]------------
[ 540.970838] kernel BUG at fs/inode.c:512!
[ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
[ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
[ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
[ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
[ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
[ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
[ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
[ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
[ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
[ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
[ 541.000015] Call Trace:
[ 541.000554] f2fs_evict_inode+0x253/0x630
[ 541.001381] evict+0x16f/0x290
[ 541.002015] iput+0x280/0x300
[ 541.002654] dentry_unlink_inode+0x165/0x1e0
[ 541.003528] __dentry_kill+0x16a/0x260
[ 541.004300] dentry_kill+0x70/0x250
[ 541.005018] dput+0x154/0x1d0
[ 541.005635] do_one_tree+0x34/0x40
[ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
[ 541.007285] generic_shutdown_super+0x43/0x1c0
[ 541.008192] kill_block_super+0x52/0x80
[ 541.008978] kill_f2fs_super+0x62/0x70
[ 541.009750] deactivate_locked_super+0x6f/0xa0
[ 541.010664] deactivate_super+0x5e/0x80
[ 541.011450] cleanup_mnt+0x61/0xa0
[ 541.012151] __cleanup_mnt+0x12/0x20
[ 541.012893] task_work_run+0xc8/0xf0
[ 541.013635] exit_to_usermode_loop+0x125/0x130
[ 541.014555] do_syscall_64+0x138/0x170
[ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 541.016375] RIP: 0033:0x7f46624bf487
[ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
[ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
[ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
[ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
[ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
[ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
[ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
[ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
[ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
[ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
[ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
[ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
[ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
[ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
[ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
[ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
[ 541.058506] ==================================================================
[ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
[ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
[ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
[ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 541.066778] Call Trace:
[ 541.067294] dump_stack+0x7b/0xb5
[ 541.067986] print_address_description+0x70/0x290
[ 541.068941] kasan_report+0x291/0x390
[ 541.069692] ? update_stack_state+0x38c/0x3e0
[ 541.070598] __asan_load8+0x54/0x90
[ 541.071315] update_stack_state+0x38c/0x3e0
[ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
[ 541.073340] ? vprintk_func+0x27/0x60
[ 541.074096] ? printk+0xa3/0xd3
[ 541.074762] ? __save_stack_trace+0x5e/0x100
[ 541.075634] unwind_next_frame.part.5+0x18e/0x490
[ 541.076594] ? unwind_dump+0x290/0x290
[ 541.077368] ? __show_regs+0x2c4/0x330
[ 541.078142] __unwind_start+0x106/0x190
[ 541.085422] __save_stack_trace+0x5e/0x100
[ 541.086268] ? __save_stack_trace+0x5e/0x100
[ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
[ 541.087997] save_stack_trace+0x1f/0x30
[ 541.088782] save_stack+0x46/0xd0
[ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
[ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
[ 541.091364] ? __dec_node_state+0x24/0xb0
[ 541.092180] ? lock_page_memcg+0x85/0xf0
[ 541.092979] ? unlock_page_memcg+0x16/0x80
[ 541.093812] ? page_remove_rmap+0x198/0x520
[ 541.094674] ? mark_page_accessed+0x133/0x200
[ 541.095559] ? _cond_resched+0x1a/0x50
[ 541.096326] ? unmap_page_range+0xcd4/0xe50
[ 541.097179] ? rb_next+0x58/0x80
[ 541.097845] ? rb_next+0x58/0x80
[ 541.098518] __kasan_slab_free+0x13c/0x1a0
[ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
[ 541.100184] kasan_slab_free+0xe/0x10
[ 541.100934] kmem_cache_free+0x89/0x1e0
[ 541.101724] unlink_anon_vmas+0xba/0x2c0
[ 541.102534] free_pgtables+0x101/0x1b0
[ 541.103299] exit_mmap+0x146/0x2a0
[ 541.103996] ? __ia32_sys_munmap+0x50/0x50
[ 541.104829] ? kasan_check_read+0x11/0x20
[ 541.105649] ? mm_update_next_owner+0x322/0x380
[ 541.106578] mmput+0x8b/0x1d0
[ 541.107191] do_exit+0x43a/0x1390
[ 541.107876] ? mm_update_next_owner+0x380/0x380
[ 541.108791] ? deactivate_super+0x5e/0x80
[ 541.109610] ? cleanup_mnt+0x61/0xa0
[ 541.110351] ? __cleanup_mnt+0x12/0x20
[ 541.111115] ? task_work_run+0xc8/0xf0
[ 541.111879] ? exit_to_usermode_loop+0x125/0x130
[ 541.112817] rewind_stack_do_exit+0x17/0x20
[ 541.113666] RIP: 0033:0x7f46624bf487
[ 541.114404] Code: Bad RIP value.
[ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
[ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
[ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
[ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
[ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
[ 541.124061] The buggy address belongs to the page:
[ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 541.126651] flags: 0x2ffff0000000000()
[ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
[ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 541.130516] page dumped because: kasan: bad access detected
[ 541.131954] Memory state around the buggy address:
[ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
[ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
[ 541.137253] ^
[ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
[ 541.141509] ==================================================================
- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
BUG_ON(inode->i_data.nrpages);
The root cause is root directory inode is corrupted, it has both
inline_data and inline_dentry flag, and its nlink is zero, so in
->evict(), after dropping all page cache, it grabs page #0 for inline
data truncation, result in panic in later clear_inode() where we will
check inode->i_data.nrpages value.
This patch adds inline flags check in sanity_check_inode, in addition,
do sanity check with root inode's nlink.
Reported-by Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
fs/f2fs/inode.c | 20 ++++++++++++++++++++
fs/f2fs/super.c | 3 ++-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 54067e456610..4cf0a05cc03e 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
return false;
}
}
+
+ if (f2fs_has_inline_data(inode) &&
+ (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ f2fs_msg(sbi->sb, KERN_WARNING,
+ "%s: inode (ino=%lx, mode=%u) should not have "
+ "inline_data, run fsck to fix",
+ __func__, inode->i_ino, inode->i_mode);
+ return false;
+ }
+
+ if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ f2fs_msg(sbi->sb, KERN_WARNING,
+ "%s: inode (ino=%lx, mode=%u) should not have "
+ "inline_dentry, run fsck to fix",
+ __func__, inode->i_ino, inode->i_mode);
+ return false;
+ }
+
return true;
}
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 657757635306..7405762d2bc9 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
err = PTR_ERR(root);
goto free_stats;
}
- if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
+ if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
+ !root->i_size || !root->i_nlink) {
iput(root);
err = -EINVAL;
goto free_stats;
--
2.18.0.rc1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 2/2] f2fs: fix to do sanity check with inline flags
@ 2018-06-28 10:25 ` Chao Yu
0 siblings, 0 replies; 14+ messages in thread
From: Chao Yu @ 2018-06-28 10:25 UTC (permalink / raw)
To: jaegeuk; +Cc: linux-kernel, linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=200221
- Overview
BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
- Reproduce
- Kernel message
[ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
[ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
[ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
[ 540.970834] ------------[ cut here ]------------
[ 540.970838] kernel BUG at fs/inode.c:512!
[ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
[ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
[ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
[ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
[ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
[ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
[ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
[ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
[ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
[ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
[ 541.000015] Call Trace:
[ 541.000554] f2fs_evict_inode+0x253/0x630
[ 541.001381] evict+0x16f/0x290
[ 541.002015] iput+0x280/0x300
[ 541.002654] dentry_unlink_inode+0x165/0x1e0
[ 541.003528] __dentry_kill+0x16a/0x260
[ 541.004300] dentry_kill+0x70/0x250
[ 541.005018] dput+0x154/0x1d0
[ 541.005635] do_one_tree+0x34/0x40
[ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
[ 541.007285] generic_shutdown_super+0x43/0x1c0
[ 541.008192] kill_block_super+0x52/0x80
[ 541.008978] kill_f2fs_super+0x62/0x70
[ 541.009750] deactivate_locked_super+0x6f/0xa0
[ 541.010664] deactivate_super+0x5e/0x80
[ 541.011450] cleanup_mnt+0x61/0xa0
[ 541.012151] __cleanup_mnt+0x12/0x20
[ 541.012893] task_work_run+0xc8/0xf0
[ 541.013635] exit_to_usermode_loop+0x125/0x130
[ 541.014555] do_syscall_64+0x138/0x170
[ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 541.016375] RIP: 0033:0x7f46624bf487
[ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
[ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
[ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
[ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
[ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
[ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
[ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
[ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
[ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
[ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
[ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
[ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
[ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
[ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
[ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
[ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
[ 541.058506] ==================================================================
[ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
[ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
[ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
[ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 541.066778] Call Trace:
[ 541.067294] dump_stack+0x7b/0xb5
[ 541.067986] print_address_description+0x70/0x290
[ 541.068941] kasan_report+0x291/0x390
[ 541.069692] ? update_stack_state+0x38c/0x3e0
[ 541.070598] __asan_load8+0x54/0x90
[ 541.071315] update_stack_state+0x38c/0x3e0
[ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
[ 541.073340] ? vprintk_func+0x27/0x60
[ 541.074096] ? printk+0xa3/0xd3
[ 541.074762] ? __save_stack_trace+0x5e/0x100
[ 541.075634] unwind_next_frame.part.5+0x18e/0x490
[ 541.076594] ? unwind_dump+0x290/0x290
[ 541.077368] ? __show_regs+0x2c4/0x330
[ 541.078142] __unwind_start+0x106/0x190
[ 541.085422] __save_stack_trace+0x5e/0x100
[ 541.086268] ? __save_stack_trace+0x5e/0x100
[ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
[ 541.087997] save_stack_trace+0x1f/0x30
[ 541.088782] save_stack+0x46/0xd0
[ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
[ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
[ 541.091364] ? __dec_node_state+0x24/0xb0
[ 541.092180] ? lock_page_memcg+0x85/0xf0
[ 541.092979] ? unlock_page_memcg+0x16/0x80
[ 541.093812] ? page_remove_rmap+0x198/0x520
[ 541.094674] ? mark_page_accessed+0x133/0x200
[ 541.095559] ? _cond_resched+0x1a/0x50
[ 541.096326] ? unmap_page_range+0xcd4/0xe50
[ 541.097179] ? rb_next+0x58/0x80
[ 541.097845] ? rb_next+0x58/0x80
[ 541.098518] __kasan_slab_free+0x13c/0x1a0
[ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
[ 541.100184] kasan_slab_free+0xe/0x10
[ 541.100934] kmem_cache_free+0x89/0x1e0
[ 541.101724] unlink_anon_vmas+0xba/0x2c0
[ 541.102534] free_pgtables+0x101/0x1b0
[ 541.103299] exit_mmap+0x146/0x2a0
[ 541.103996] ? __ia32_sys_munmap+0x50/0x50
[ 541.104829] ? kasan_check_read+0x11/0x20
[ 541.105649] ? mm_update_next_owner+0x322/0x380
[ 541.106578] mmput+0x8b/0x1d0
[ 541.107191] do_exit+0x43a/0x1390
[ 541.107876] ? mm_update_next_owner+0x380/0x380
[ 541.108791] ? deactivate_super+0x5e/0x80
[ 541.109610] ? cleanup_mnt+0x61/0xa0
[ 541.110351] ? __cleanup_mnt+0x12/0x20
[ 541.111115] ? task_work_run+0xc8/0xf0
[ 541.111879] ? exit_to_usermode_loop+0x125/0x130
[ 541.112817] rewind_stack_do_exit+0x17/0x20
[ 541.113666] RIP: 0033:0x7f46624bf487
[ 541.114404] Code: Bad RIP value.
[ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
[ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
[ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
[ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
[ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
[ 541.124061] The buggy address belongs to the page:
[ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 541.126651] flags: 0x2ffff0000000000()
[ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
[ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 541.130516] page dumped because: kasan: bad access detected
[ 541.131954] Memory state around the buggy address:
[ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
[ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
[ 541.137253] ^
[ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
[ 541.141509] ==================================================================
- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
BUG_ON(inode->i_data.nrpages);
The root cause is root directory inode is corrupted, it has both
inline_data and inline_dentry flag, and its nlink is zero, so in
->evict(), after dropping all page cache, it grabs page #0 for inline
data truncation, result in panic in later clear_inode() where we will
check inode->i_data.nrpages value.
This patch adds inline flags check in sanity_check_inode, in addition,
do sanity check with root inode's nlink.
Reported-by Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
fs/f2fs/inode.c | 20 ++++++++++++++++++++
fs/f2fs/super.c | 3 ++-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 54067e456610..4cf0a05cc03e 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
return false;
}
}
+
+ if (f2fs_has_inline_data(inode) &&
+ (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ f2fs_msg(sbi->sb, KERN_WARNING,
+ "%s: inode (ino=%lx, mode=%u) should not have "
+ "inline_data, run fsck to fix",
+ __func__, inode->i_ino, inode->i_mode);
+ return false;
+ }
+
+ if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ f2fs_msg(sbi->sb, KERN_WARNING,
+ "%s: inode (ino=%lx, mode=%u) should not have "
+ "inline_dentry, run fsck to fix",
+ __func__, inode->i_ino, inode->i_mode);
+ return false;
+ }
+
return true;
}
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 657757635306..7405762d2bc9 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
err = PTR_ERR(root);
goto free_stats;
}
- if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
+ if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
+ !root->i_size || !root->i_nlink) {
iput(root);
err = -EINVAL;
goto free_stats;
--
2.18.0.rc1
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply related [flat|nested] 14+ messages in thread
* 答复: [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent
[not found] ` <42661306-96ae-aa03-7eab-20e68ca76b68@huawei.com>
@ 2018-07-04 10:46 ` Liuxue (Alice, Euler Dept seven)
2018-07-04 13:11 ` Chao Yu
0 siblings, 1 reply; 14+ messages in thread
From: Liuxue (Alice, Euler Dept seven) @ 2018-07-04 10:46 UTC (permalink / raw)
To: Yuchao (T); +Cc: linux-f2fs-devel
Subject: [f2fs-dev] [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent
Date: Thu, 28 Jun 2018 18:25:58 +0800
From: Chao Yu <yuchao0@huawei.com>
To: jaegeuk@kernel.org
CC: linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net
If segment type in SSA and SIT is inconsistent, we will encounter below BUG_ON during GC, to avoid this panic, let's just skip doing GC on such segment.
The bug is triggered with image reported in below link:
https://bugzilla.kernel.org/show_bug.cgi?id=200223
[ 388.060262] ------------[ cut here ]------------ [ 388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
[ 388.061172] invalid opcode: 0000 [#1] SMP [ 388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
[ 388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G O 4.13.0-rc1+ #26
[ 388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015 [ 388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000 [ 388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs] [ 388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202 [ 388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0 [ 388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0 [ 388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc [ 388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018 [ 388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000 [ 388.076687] FS: 0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000 [ 388.083277] CS: 0010 DS: 0000 E
S: 0000 CR0: 0000000080050033 [ 388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0 [ 388.085748] Call Trace:
[ 388.086690] ? find_next_bit+0xb/0x10 [ 388.088091] f2fs_gc+0x1a8/0x9d0 [f2fs] [ 388.088888] ? lock_timer_base+0x7d/0xa0 [ 388.090213] ? try_to_del_timer_sync+0x44/0x60 [ 388.091698] gc_thread_func+0x342/0x4b0 [f2fs] [ 388.092892] ? wait_woken+0x80/0x80 [ 388.094098] kthread+0x109/0x140 [ 388.095010] ? f2fs_gc+0x9d0/0x9d0 [f2fs] [ 388.096043] ? kthread_park+0x60/0x60 [ 388.097281] ret_from_fork+0x25/0x30 [ 388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 [ 388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68 [ 388.101810] ---[ end trace 81c73d6e6b7da61d ]---
Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
fs/f2fs/gc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index da2a71eb7ee2..f3a0e2f62ce6 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -986,7 +986,12 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
goto next;
sum = page_address(sum_page);
- f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer)));
+ if (type != GET_SUM_TYPE((&sum->footer))) {
+ f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) "
+ "type [%d, %d] in SSA and SIT",
+ segno, type, GET_SUM_TYPE((&sum->footer)));
SBI_NEED_FSCK may be writed for checking disk.
+ goto next;
+ }
/*
* this is to avoid deadlock:
--
2.18.0.rc1
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: 答复: [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent
2018-07-04 10:46 ` 答复: [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent Liuxue (Alice, Euler Dept seven)
@ 2018-07-04 13:11 ` Chao Yu
0 siblings, 0 replies; 14+ messages in thread
From: Chao Yu @ 2018-07-04 13:11 UTC (permalink / raw)
To: Liuxue (Alice, Euler Dept seven), Yuchao (T); +Cc: linux-f2fs-devel
Hi Xue,
On 2018/7/4 18:46, Liuxue (Alice, Euler Dept seven) wrote:
> Subject: [f2fs-dev] [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent
> Date: Thu, 28 Jun 2018 18:25:58 +0800
> From: Chao Yu <yuchao0@huawei.com>
> To: jaegeuk@kernel.org
> CC: linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net
>
> If segment type in SSA and SIT is inconsistent, we will encounter below BUG_ON during GC, to avoid this panic, let's just skip doing GC on such segment.
>
> The bug is triggered with image reported in below link:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=200223
>
> [ 388.060262] ------------[ cut here ]------------ [ 388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
> [ 388.061172] invalid opcode: 0000 [#1] SMP [ 388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
> [ 388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G O 4.13.0-rc1+ #26
> [ 388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015 [ 388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000 [ 388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs] [ 388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202 [ 388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0 [ 388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0 [ 388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc [ 388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018 [ 388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000 [ 388.076687] FS: 0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000 [ 388.083277] CS: 0010 DS: 0000
ES: 0000 CR0: 0000000080050033 [ 388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0 [ 388.085748] Call Trace:
> [ 388.086690] ? find_next_bit+0xb/0x10 [ 388.088091] f2fs_gc+0x1a8/0x9d0 [f2fs] [ 388.088888] ? lock_timer_base+0x7d/0xa0 [ 388.090213] ? try_to_del_timer_sync+0x44/0x60 [ 388.091698] gc_thread_func+0x342/0x4b0 [f2fs] [ 388.092892] ? wait_woken+0x80/0x80 [ 388.094098] kthread+0x109/0x140 [ 388.095010] ? f2fs_gc+0x9d0/0x9d0 [f2fs] [ 388.096043] ? kthread_park+0x60/0x60 [ 388.097281] ret_from_fork+0x25/0x30 [ 388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 [ 388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68 [ 388.101810] ---[ end trace 81c73d6e6b7da61d ]---
>
> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> ---
> fs/f2fs/gc.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index da2a71eb7ee2..f3a0e2f62ce6 100644
> --- a/fs/f2fs/gc.c
> +++ b/fs/f2fs/gc.c
> @@ -986,7 +986,12 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
> goto next;
> sum = page_address(sum_page);
> - f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer)));
> + if (type != GET_SUM_TYPE((&sum->footer))) {
> + f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) "
> + "type [%d, %d] in SSA and SIT",
> + segno, type, GET_SUM_TYPE((&sum->footer)));
>
> SBI_NEED_FSCK may be writed for checking disk.
Agreed, let me update the patch. :)
Thanks,
>
>
> + goto next;
> + }
> /*
> * this is to avoid deadlock:
> --
> 2.18.0.rc1
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
>
> .
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags
2018-06-28 10:25 ` Chao Yu
(?)
@ 2018-07-07 1:12 ` Jaegeuk Kim
2018-07-07 1:44 ` Chao Yu
2018-07-15 1:53 ` Chao Yu
-1 siblings, 2 replies; 14+ messages in thread
From: Jaegeuk Kim @ 2018-07-07 1:12 UTC (permalink / raw)
To: Chao Yu; +Cc: linux-f2fs-devel, linux-kernel, chao
Hi Chao,
I'm hitting some messages below during fault injection test. I'll dig in the
issue later, but meanwhile could you review this patch again?
Thanks,
On 06/28, Chao Yu wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=200221
>
> - Overview
> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
>
> - Reproduce
>
> - Kernel message
> [ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> [ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> [ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> [ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> [ 540.970834] ------------[ cut here ]------------
> [ 540.970838] kernel BUG at fs/inode.c:512!
> [ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> [ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> [ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> [ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> [ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> [ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> [ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> [ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> [ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> [ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> [ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> [ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> [ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> [ 541.000015] Call Trace:
> [ 541.000554] f2fs_evict_inode+0x253/0x630
> [ 541.001381] evict+0x16f/0x290
> [ 541.002015] iput+0x280/0x300
> [ 541.002654] dentry_unlink_inode+0x165/0x1e0
> [ 541.003528] __dentry_kill+0x16a/0x260
> [ 541.004300] dentry_kill+0x70/0x250
> [ 541.005018] dput+0x154/0x1d0
> [ 541.005635] do_one_tree+0x34/0x40
> [ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
> [ 541.007285] generic_shutdown_super+0x43/0x1c0
> [ 541.008192] kill_block_super+0x52/0x80
> [ 541.008978] kill_f2fs_super+0x62/0x70
> [ 541.009750] deactivate_locked_super+0x6f/0xa0
> [ 541.010664] deactivate_super+0x5e/0x80
> [ 541.011450] cleanup_mnt+0x61/0xa0
> [ 541.012151] __cleanup_mnt+0x12/0x20
> [ 541.012893] task_work_run+0xc8/0xf0
> [ 541.013635] exit_to_usermode_loop+0x125/0x130
> [ 541.014555] do_syscall_64+0x138/0x170
> [ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 541.016375] RIP: 0033:0x7f46624bf487
> [ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> [ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> [ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> [ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> [ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> [ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> [ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> [ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> [ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> [ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> [ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> [ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> [ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> [ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> [ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> [ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> [ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> [ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> [ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> [ 541.058506] ==================================================================
> [ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> [ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
>
> [ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
> [ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> [ 541.066778] Call Trace:
> [ 541.067294] dump_stack+0x7b/0xb5
> [ 541.067986] print_address_description+0x70/0x290
> [ 541.068941] kasan_report+0x291/0x390
> [ 541.069692] ? update_stack_state+0x38c/0x3e0
> [ 541.070598] __asan_load8+0x54/0x90
> [ 541.071315] update_stack_state+0x38c/0x3e0
> [ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
> [ 541.073340] ? vprintk_func+0x27/0x60
> [ 541.074096] ? printk+0xa3/0xd3
> [ 541.074762] ? __save_stack_trace+0x5e/0x100
> [ 541.075634] unwind_next_frame.part.5+0x18e/0x490
> [ 541.076594] ? unwind_dump+0x290/0x290
> [ 541.077368] ? __show_regs+0x2c4/0x330
> [ 541.078142] __unwind_start+0x106/0x190
> [ 541.085422] __save_stack_trace+0x5e/0x100
> [ 541.086268] ? __save_stack_trace+0x5e/0x100
> [ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
> [ 541.087997] save_stack_trace+0x1f/0x30
> [ 541.088782] save_stack+0x46/0xd0
> [ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
> [ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
> [ 541.091364] ? __dec_node_state+0x24/0xb0
> [ 541.092180] ? lock_page_memcg+0x85/0xf0
> [ 541.092979] ? unlock_page_memcg+0x16/0x80
> [ 541.093812] ? page_remove_rmap+0x198/0x520
> [ 541.094674] ? mark_page_accessed+0x133/0x200
> [ 541.095559] ? _cond_resched+0x1a/0x50
> [ 541.096326] ? unmap_page_range+0xcd4/0xe50
> [ 541.097179] ? rb_next+0x58/0x80
> [ 541.097845] ? rb_next+0x58/0x80
> [ 541.098518] __kasan_slab_free+0x13c/0x1a0
> [ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
> [ 541.100184] kasan_slab_free+0xe/0x10
> [ 541.100934] kmem_cache_free+0x89/0x1e0
> [ 541.101724] unlink_anon_vmas+0xba/0x2c0
> [ 541.102534] free_pgtables+0x101/0x1b0
> [ 541.103299] exit_mmap+0x146/0x2a0
> [ 541.103996] ? __ia32_sys_munmap+0x50/0x50
> [ 541.104829] ? kasan_check_read+0x11/0x20
> [ 541.105649] ? mm_update_next_owner+0x322/0x380
> [ 541.106578] mmput+0x8b/0x1d0
> [ 541.107191] do_exit+0x43a/0x1390
> [ 541.107876] ? mm_update_next_owner+0x380/0x380
> [ 541.108791] ? deactivate_super+0x5e/0x80
> [ 541.109610] ? cleanup_mnt+0x61/0xa0
> [ 541.110351] ? __cleanup_mnt+0x12/0x20
> [ 541.111115] ? task_work_run+0xc8/0xf0
> [ 541.111879] ? exit_to_usermode_loop+0x125/0x130
> [ 541.112817] rewind_stack_do_exit+0x17/0x20
> [ 541.113666] RIP: 0033:0x7f46624bf487
> [ 541.114404] Code: Bad RIP value.
> [ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> [ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> [ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> [ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> [ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> [ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>
> [ 541.124061] The buggy address belongs to the page:
> [ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> [ 541.126651] flags: 0x2ffff0000000000()
> [ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> [ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> [ 541.130516] page dumped because: kasan: bad access detected
>
> [ 541.131954] Memory state around the buggy address:
> [ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> [ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> [ 541.137253] ^
> [ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> [ 541.141509] ==================================================================
>
> - Location
> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> BUG_ON(inode->i_data.nrpages);
>
> The root cause is root directory inode is corrupted, it has both
> inline_data and inline_dentry flag, and its nlink is zero, so in
> ->evict(), after dropping all page cache, it grabs page #0 for inline
> data truncation, result in panic in later clear_inode() where we will
> check inode->i_data.nrpages value.
>
> This patch adds inline flags check in sanity_check_inode, in addition,
> do sanity check with root inode's nlink.
>
> Reported-by Wen Xu <wen.xu@gatech.edu>
> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> ---
> fs/f2fs/inode.c | 20 ++++++++++++++++++++
> fs/f2fs/super.c | 3 ++-
> 2 files changed, 22 insertions(+), 1 deletion(-)
>
> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> index 54067e456610..4cf0a05cc03e 100644
> --- a/fs/f2fs/inode.c
> +++ b/fs/f2fs/inode.c
> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
> return false;
> }
> }
> +
> + if (f2fs_has_inline_data(inode) &&
> + (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> + f2fs_msg(sbi->sb, KERN_WARNING,
> + "%s: inode (ino=%lx, mode=%u) should not have "
> + "inline_data, run fsck to fix",
> + __func__, inode->i_ino, inode->i_mode);
> + return false;
> + }
> +
> + if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> + f2fs_msg(sbi->sb, KERN_WARNING,
> + "%s: inode (ino=%lx, mode=%u) should not have "
> + "inline_dentry, run fsck to fix",
> + __func__, inode->i_ino, inode->i_mode);
> + return false;
> + }
> +
> return true;
> }
>
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index 657757635306..7405762d2bc9 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> err = PTR_ERR(root);
> goto free_stats;
> }
> - if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> + if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> + !root->i_size || !root->i_nlink) {
> iput(root);
> err = -EINVAL;
> goto free_stats;
> --
> 2.18.0.rc1
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags
2018-07-07 1:12 ` Jaegeuk Kim
@ 2018-07-07 1:44 ` Chao Yu
2018-07-15 1:53 ` Chao Yu
1 sibling, 0 replies; 14+ messages in thread
From: Chao Yu @ 2018-07-07 1:44 UTC (permalink / raw)
To: Jaegeuk Kim, Chao Yu; +Cc: linux-f2fs-devel, linux-kernel
Hi Jaegeuk,
On 2018/7/7 9:12, Jaegeuk Kim wrote:
> Hi Chao,
>
> I'm hitting some messages below during fault injection test. I'll dig in the
> issue later, but meanwhile could you review this patch again?
Oh, okay, let me check this patch again.
Thanks,
>
> Thanks,
>
> On 06/28, Chao Yu wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=200221
>>
>> - Overview
>> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
>>
>> - Reproduce
>>
>> - Kernel message
>> [ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
>> [ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
>> [ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
>> [ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
>> [ 540.970834] ------------[ cut here ]------------
>> [ 540.970838] kernel BUG at fs/inode.c:512!
>> [ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
>> [ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
>> [ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
>> [ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [ 541.000015] Call Trace:
>> [ 541.000554] f2fs_evict_inode+0x253/0x630
>> [ 541.001381] evict+0x16f/0x290
>> [ 541.002015] iput+0x280/0x300
>> [ 541.002654] dentry_unlink_inode+0x165/0x1e0
>> [ 541.003528] __dentry_kill+0x16a/0x260
>> [ 541.004300] dentry_kill+0x70/0x250
>> [ 541.005018] dput+0x154/0x1d0
>> [ 541.005635] do_one_tree+0x34/0x40
>> [ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
>> [ 541.007285] generic_shutdown_super+0x43/0x1c0
>> [ 541.008192] kill_block_super+0x52/0x80
>> [ 541.008978] kill_f2fs_super+0x62/0x70
>> [ 541.009750] deactivate_locked_super+0x6f/0xa0
>> [ 541.010664] deactivate_super+0x5e/0x80
>> [ 541.011450] cleanup_mnt+0x61/0xa0
>> [ 541.012151] __cleanup_mnt+0x12/0x20
>> [ 541.012893] task_work_run+0xc8/0xf0
>> [ 541.013635] exit_to_usermode_loop+0x125/0x130
>> [ 541.014555] do_syscall_64+0x138/0x170
>> [ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [ 541.016375] RIP: 0033:0x7f46624bf487
>> [ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
>> [ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>> [ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
>> [ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
>> [ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
>> [ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [ 541.058506] ==================================================================
>> [ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
>> [ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
>>
>> [ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
>> [ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [ 541.066778] Call Trace:
>> [ 541.067294] dump_stack+0x7b/0xb5
>> [ 541.067986] print_address_description+0x70/0x290
>> [ 541.068941] kasan_report+0x291/0x390
>> [ 541.069692] ? update_stack_state+0x38c/0x3e0
>> [ 541.070598] __asan_load8+0x54/0x90
>> [ 541.071315] update_stack_state+0x38c/0x3e0
>> [ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
>> [ 541.073340] ? vprintk_func+0x27/0x60
>> [ 541.074096] ? printk+0xa3/0xd3
>> [ 541.074762] ? __save_stack_trace+0x5e/0x100
>> [ 541.075634] unwind_next_frame.part.5+0x18e/0x490
>> [ 541.076594] ? unwind_dump+0x290/0x290
>> [ 541.077368] ? __show_regs+0x2c4/0x330
>> [ 541.078142] __unwind_start+0x106/0x190
>> [ 541.085422] __save_stack_trace+0x5e/0x100
>> [ 541.086268] ? __save_stack_trace+0x5e/0x100
>> [ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
>> [ 541.087997] save_stack_trace+0x1f/0x30
>> [ 541.088782] save_stack+0x46/0xd0
>> [ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
>> [ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
>> [ 541.091364] ? __dec_node_state+0x24/0xb0
>> [ 541.092180] ? lock_page_memcg+0x85/0xf0
>> [ 541.092979] ? unlock_page_memcg+0x16/0x80
>> [ 541.093812] ? page_remove_rmap+0x198/0x520
>> [ 541.094674] ? mark_page_accessed+0x133/0x200
>> [ 541.095559] ? _cond_resched+0x1a/0x50
>> [ 541.096326] ? unmap_page_range+0xcd4/0xe50
>> [ 541.097179] ? rb_next+0x58/0x80
>> [ 541.097845] ? rb_next+0x58/0x80
>> [ 541.098518] __kasan_slab_free+0x13c/0x1a0
>> [ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
>> [ 541.100184] kasan_slab_free+0xe/0x10
>> [ 541.100934] kmem_cache_free+0x89/0x1e0
>> [ 541.101724] unlink_anon_vmas+0xba/0x2c0
>> [ 541.102534] free_pgtables+0x101/0x1b0
>> [ 541.103299] exit_mmap+0x146/0x2a0
>> [ 541.103996] ? __ia32_sys_munmap+0x50/0x50
>> [ 541.104829] ? kasan_check_read+0x11/0x20
>> [ 541.105649] ? mm_update_next_owner+0x322/0x380
>> [ 541.106578] mmput+0x8b/0x1d0
>> [ 541.107191] do_exit+0x43a/0x1390
>> [ 541.107876] ? mm_update_next_owner+0x380/0x380
>> [ 541.108791] ? deactivate_super+0x5e/0x80
>> [ 541.109610] ? cleanup_mnt+0x61/0xa0
>> [ 541.110351] ? __cleanup_mnt+0x12/0x20
>> [ 541.111115] ? task_work_run+0xc8/0xf0
>> [ 541.111879] ? exit_to_usermode_loop+0x125/0x130
>> [ 541.112817] rewind_stack_do_exit+0x17/0x20
>> [ 541.113666] RIP: 0033:0x7f46624bf487
>> [ 541.114404] Code: Bad RIP value.
>> [ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>>
>> [ 541.124061] The buggy address belongs to the page:
>> [ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
>> [ 541.126651] flags: 0x2ffff0000000000()
>> [ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
>> [ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
>> [ 541.130516] page dumped because: kasan: bad access detected
>>
>> [ 541.131954] Memory state around the buggy address:
>> [ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
>> [ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
>> [ 541.137253] ^
>> [ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
>> [ 541.141509] ==================================================================
>>
>> - Location
>> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
>> BUG_ON(inode->i_data.nrpages);
>>
>> The root cause is root directory inode is corrupted, it has both
>> inline_data and inline_dentry flag, and its nlink is zero, so in
>> ->evict(), after dropping all page cache, it grabs page #0 for inline
>> data truncation, result in panic in later clear_inode() where we will
>> check inode->i_data.nrpages value.
>>
>> This patch adds inline flags check in sanity_check_inode, in addition,
>> do sanity check with root inode's nlink.
>>
>> Reported-by Wen Xu <wen.xu@gatech.edu>
>> Signed-off-by: Chao Yu <yuchao0@huawei.com>
>> ---
>> fs/f2fs/inode.c | 20 ++++++++++++++++++++
>> fs/f2fs/super.c | 3 ++-
>> 2 files changed, 22 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
>> index 54067e456610..4cf0a05cc03e 100644
>> --- a/fs/f2fs/inode.c
>> +++ b/fs/f2fs/inode.c
>> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
>> return false;
>> }
>> }
>> +
>> + if (f2fs_has_inline_data(inode) &&
>> + (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
>> + set_sbi_flag(sbi, SBI_NEED_FSCK);
>> + f2fs_msg(sbi->sb, KERN_WARNING,
>> + "%s: inode (ino=%lx, mode=%u) should not have "
>> + "inline_data, run fsck to fix",
>> + __func__, inode->i_ino, inode->i_mode);
>> + return false;
>> + }
>> +
>> + if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
>> + set_sbi_flag(sbi, SBI_NEED_FSCK);
>> + f2fs_msg(sbi->sb, KERN_WARNING,
>> + "%s: inode (ino=%lx, mode=%u) should not have "
>> + "inline_dentry, run fsck to fix",
>> + __func__, inode->i_ino, inode->i_mode);
>> + return false;
>> + }
>> +
>> return true;
>> }
>>
>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>> index 657757635306..7405762d2bc9 100644
>> --- a/fs/f2fs/super.c
>> +++ b/fs/f2fs/super.c
>> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>> err = PTR_ERR(root);
>> goto free_stats;
>> }
>> - if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
>> + if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
>> + !root->i_size || !root->i_nlink) {
>> iput(root);
>> err = -EINVAL;
>> goto free_stats;
>> --
>> 2.18.0.rc1
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags
2018-07-07 1:12 ` Jaegeuk Kim
@ 2018-07-15 1:53 ` Chao Yu
2018-07-15 1:53 ` Chao Yu
1 sibling, 0 replies; 14+ messages in thread
From: Chao Yu @ 2018-07-15 1:53 UTC (permalink / raw)
To: Jaegeuk Kim, Chao Yu; +Cc: linux-f2fs-devel, linux-kernel
Hi Jaegeuk,
On 2018/7/7 9:12, Jaegeuk Kim wrote:
> Hi Chao,
>
> I'm hitting some messages below during fault injection test. I'll dig in the
> issue later, but meanwhile could you review this patch again?
You hit message like below call stack instead of the log I added in
sanity_check_inode(), right?
kernel BUG at fs/inode.c:512!
f2fs_evict_inode+0x253/0x630
evict+0x16f/0x290
iput+0x280/0x300
I can't reproduce this issue with fault injection test, could you still
reproduce this?
Thanks,
>
> Thanks,
>
> On 06/28, Chao Yu wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=200221
>>
>> - Overview
>> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
>>
>> - Reproduce
>>
>> - Kernel message
>> [ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
>> [ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
>> [ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
>> [ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
>> [ 540.970834] ------------[ cut here ]------------
>> [ 540.970838] kernel BUG at fs/inode.c:512!
>> [ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
>> [ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
>> [ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
>> [ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [ 541.000015] Call Trace:
>> [ 541.000554] f2fs_evict_inode+0x253/0x630
>> [ 541.001381] evict+0x16f/0x290
>> [ 541.002015] iput+0x280/0x300
>> [ 541.002654] dentry_unlink_inode+0x165/0x1e0
>> [ 541.003528] __dentry_kill+0x16a/0x260
>> [ 541.004300] dentry_kill+0x70/0x250
>> [ 541.005018] dput+0x154/0x1d0
>> [ 541.005635] do_one_tree+0x34/0x40
>> [ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
>> [ 541.007285] generic_shutdown_super+0x43/0x1c0
>> [ 541.008192] kill_block_super+0x52/0x80
>> [ 541.008978] kill_f2fs_super+0x62/0x70
>> [ 541.009750] deactivate_locked_super+0x6f/0xa0
>> [ 541.010664] deactivate_super+0x5e/0x80
>> [ 541.011450] cleanup_mnt+0x61/0xa0
>> [ 541.012151] __cleanup_mnt+0x12/0x20
>> [ 541.012893] task_work_run+0xc8/0xf0
>> [ 541.013635] exit_to_usermode_loop+0x125/0x130
>> [ 541.014555] do_syscall_64+0x138/0x170
>> [ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [ 541.016375] RIP: 0033:0x7f46624bf487
>> [ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
>> [ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>> [ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
>> [ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
>> [ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
>> [ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [ 541.058506] ==================================================================
>> [ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
>> [ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
>>
>> [ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
>> [ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [ 541.066778] Call Trace:
>> [ 541.067294] dump_stack+0x7b/0xb5
>> [ 541.067986] print_address_description+0x70/0x290
>> [ 541.068941] kasan_report+0x291/0x390
>> [ 541.069692] ? update_stack_state+0x38c/0x3e0
>> [ 541.070598] __asan_load8+0x54/0x90
>> [ 541.071315] update_stack_state+0x38c/0x3e0
>> [ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
>> [ 541.073340] ? vprintk_func+0x27/0x60
>> [ 541.074096] ? printk+0xa3/0xd3
>> [ 541.074762] ? __save_stack_trace+0x5e/0x100
>> [ 541.075634] unwind_next_frame.part.5+0x18e/0x490
>> [ 541.076594] ? unwind_dump+0x290/0x290
>> [ 541.077368] ? __show_regs+0x2c4/0x330
>> [ 541.078142] __unwind_start+0x106/0x190
>> [ 541.085422] __save_stack_trace+0x5e/0x100
>> [ 541.086268] ? __save_stack_trace+0x5e/0x100
>> [ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
>> [ 541.087997] save_stack_trace+0x1f/0x30
>> [ 541.088782] save_stack+0x46/0xd0
>> [ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
>> [ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
>> [ 541.091364] ? __dec_node_state+0x24/0xb0
>> [ 541.092180] ? lock_page_memcg+0x85/0xf0
>> [ 541.092979] ? unlock_page_memcg+0x16/0x80
>> [ 541.093812] ? page_remove_rmap+0x198/0x520
>> [ 541.094674] ? mark_page_accessed+0x133/0x200
>> [ 541.095559] ? _cond_resched+0x1a/0x50
>> [ 541.096326] ? unmap_page_range+0xcd4/0xe50
>> [ 541.097179] ? rb_next+0x58/0x80
>> [ 541.097845] ? rb_next+0x58/0x80
>> [ 541.098518] __kasan_slab_free+0x13c/0x1a0
>> [ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
>> [ 541.100184] kasan_slab_free+0xe/0x10
>> [ 541.100934] kmem_cache_free+0x89/0x1e0
>> [ 541.101724] unlink_anon_vmas+0xba/0x2c0
>> [ 541.102534] free_pgtables+0x101/0x1b0
>> [ 541.103299] exit_mmap+0x146/0x2a0
>> [ 541.103996] ? __ia32_sys_munmap+0x50/0x50
>> [ 541.104829] ? kasan_check_read+0x11/0x20
>> [ 541.105649] ? mm_update_next_owner+0x322/0x380
>> [ 541.106578] mmput+0x8b/0x1d0
>> [ 541.107191] do_exit+0x43a/0x1390
>> [ 541.107876] ? mm_update_next_owner+0x380/0x380
>> [ 541.108791] ? deactivate_super+0x5e/0x80
>> [ 541.109610] ? cleanup_mnt+0x61/0xa0
>> [ 541.110351] ? __cleanup_mnt+0x12/0x20
>> [ 541.111115] ? task_work_run+0xc8/0xf0
>> [ 541.111879] ? exit_to_usermode_loop+0x125/0x130
>> [ 541.112817] rewind_stack_do_exit+0x17/0x20
>> [ 541.113666] RIP: 0033:0x7f46624bf487
>> [ 541.114404] Code: Bad RIP value.
>> [ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>>
>> [ 541.124061] The buggy address belongs to the page:
>> [ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
>> [ 541.126651] flags: 0x2ffff0000000000()
>> [ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
>> [ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
>> [ 541.130516] page dumped because: kasan: bad access detected
>>
>> [ 541.131954] Memory state around the buggy address:
>> [ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
>> [ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
>> [ 541.137253] ^
>> [ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
>> [ 541.141509] ==================================================================
>>
>> - Location
>> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
>> BUG_ON(inode->i_data.nrpages);
>>
>> The root cause is root directory inode is corrupted, it has both
>> inline_data and inline_dentry flag, and its nlink is zero, so in
>> ->evict(), after dropping all page cache, it grabs page #0 for inline
>> data truncation, result in panic in later clear_inode() where we will
>> check inode->i_data.nrpages value.
>>
>> This patch adds inline flags check in sanity_check_inode, in addition,
>> do sanity check with root inode's nlink.
>>
>> Reported-by Wen Xu <wen.xu@gatech.edu>
>> Signed-off-by: Chao Yu <yuchao0@huawei.com>
>> ---
>> fs/f2fs/inode.c | 20 ++++++++++++++++++++
>> fs/f2fs/super.c | 3 ++-
>> 2 files changed, 22 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
>> index 54067e456610..4cf0a05cc03e 100644
>> --- a/fs/f2fs/inode.c
>> +++ b/fs/f2fs/inode.c
>> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
>> return false;
>> }
>> }
>> +
>> + if (f2fs_has_inline_data(inode) &&
>> + (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
>> + set_sbi_flag(sbi, SBI_NEED_FSCK);
>> + f2fs_msg(sbi->sb, KERN_WARNING,
>> + "%s: inode (ino=%lx, mode=%u) should not have "
>> + "inline_data, run fsck to fix",
>> + __func__, inode->i_ino, inode->i_mode);
>> + return false;
>> + }
>> +
>> + if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
>> + set_sbi_flag(sbi, SBI_NEED_FSCK);
>> + f2fs_msg(sbi->sb, KERN_WARNING,
>> + "%s: inode (ino=%lx, mode=%u) should not have "
>> + "inline_dentry, run fsck to fix",
>> + __func__, inode->i_ino, inode->i_mode);
>> + return false;
>> + }
>> +
>> return true;
>> }
>>
>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>> index 657757635306..7405762d2bc9 100644
>> --- a/fs/f2fs/super.c
>> +++ b/fs/f2fs/super.c
>> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>> err = PTR_ERR(root);
>> goto free_stats;
>> }
>> - if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
>> + if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
>> + !root->i_size || !root->i_nlink) {
>> iput(root);
>> err = -EINVAL;
>> goto free_stats;
>> --
>> 2.18.0.rc1
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags
@ 2018-07-15 1:53 ` Chao Yu
0 siblings, 0 replies; 14+ messages in thread
From: Chao Yu @ 2018-07-15 1:53 UTC (permalink / raw)
To: Jaegeuk Kim, Chao Yu; +Cc: linux-kernel, linux-f2fs-devel
Hi Jaegeuk,
On 2018/7/7 9:12, Jaegeuk Kim wrote:
> Hi Chao,
>
> I'm hitting some messages below during fault injection test. I'll dig in the
> issue later, but meanwhile could you review this patch again?
You hit message like below call stack instead of the log I added in
sanity_check_inode(), right?
kernel BUG at fs/inode.c:512!
f2fs_evict_inode+0x253/0x630
evict+0x16f/0x290
iput+0x280/0x300
I can't reproduce this issue with fault injection test, could you still
reproduce this?
Thanks,
>
> Thanks,
>
> On 06/28, Chao Yu wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=200221
>>
>> - Overview
>> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
>>
>> - Reproduce
>>
>> - Kernel message
>> [ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
>> [ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
>> [ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
>> [ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
>> [ 540.970834] ------------[ cut here ]------------
>> [ 540.970838] kernel BUG at fs/inode.c:512!
>> [ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
>> [ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
>> [ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
>> [ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [ 541.000015] Call Trace:
>> [ 541.000554] f2fs_evict_inode+0x253/0x630
>> [ 541.001381] evict+0x16f/0x290
>> [ 541.002015] iput+0x280/0x300
>> [ 541.002654] dentry_unlink_inode+0x165/0x1e0
>> [ 541.003528] __dentry_kill+0x16a/0x260
>> [ 541.004300] dentry_kill+0x70/0x250
>> [ 541.005018] dput+0x154/0x1d0
>> [ 541.005635] do_one_tree+0x34/0x40
>> [ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
>> [ 541.007285] generic_shutdown_super+0x43/0x1c0
>> [ 541.008192] kill_block_super+0x52/0x80
>> [ 541.008978] kill_f2fs_super+0x62/0x70
>> [ 541.009750] deactivate_locked_super+0x6f/0xa0
>> [ 541.010664] deactivate_super+0x5e/0x80
>> [ 541.011450] cleanup_mnt+0x61/0xa0
>> [ 541.012151] __cleanup_mnt+0x12/0x20
>> [ 541.012893] task_work_run+0xc8/0xf0
>> [ 541.013635] exit_to_usermode_loop+0x125/0x130
>> [ 541.014555] do_syscall_64+0x138/0x170
>> [ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [ 541.016375] RIP: 0033:0x7f46624bf487
>> [ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
>> [ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>> [ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
>> [ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
>> [ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
>> [ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [ 541.058506] ==================================================================
>> [ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
>> [ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
>>
>> [ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
>> [ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [ 541.066778] Call Trace:
>> [ 541.067294] dump_stack+0x7b/0xb5
>> [ 541.067986] print_address_description+0x70/0x290
>> [ 541.068941] kasan_report+0x291/0x390
>> [ 541.069692] ? update_stack_state+0x38c/0x3e0
>> [ 541.070598] __asan_load8+0x54/0x90
>> [ 541.071315] update_stack_state+0x38c/0x3e0
>> [ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
>> [ 541.073340] ? vprintk_func+0x27/0x60
>> [ 541.074096] ? printk+0xa3/0xd3
>> [ 541.074762] ? __save_stack_trace+0x5e/0x100
>> [ 541.075634] unwind_next_frame.part.5+0x18e/0x490
>> [ 541.076594] ? unwind_dump+0x290/0x290
>> [ 541.077368] ? __show_regs+0x2c4/0x330
>> [ 541.078142] __unwind_start+0x106/0x190
>> [ 541.085422] __save_stack_trace+0x5e/0x100
>> [ 541.086268] ? __save_stack_trace+0x5e/0x100
>> [ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
>> [ 541.087997] save_stack_trace+0x1f/0x30
>> [ 541.088782] save_stack+0x46/0xd0
>> [ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
>> [ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
>> [ 541.091364] ? __dec_node_state+0x24/0xb0
>> [ 541.092180] ? lock_page_memcg+0x85/0xf0
>> [ 541.092979] ? unlock_page_memcg+0x16/0x80
>> [ 541.093812] ? page_remove_rmap+0x198/0x520
>> [ 541.094674] ? mark_page_accessed+0x133/0x200
>> [ 541.095559] ? _cond_resched+0x1a/0x50
>> [ 541.096326] ? unmap_page_range+0xcd4/0xe50
>> [ 541.097179] ? rb_next+0x58/0x80
>> [ 541.097845] ? rb_next+0x58/0x80
>> [ 541.098518] __kasan_slab_free+0x13c/0x1a0
>> [ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
>> [ 541.100184] kasan_slab_free+0xe/0x10
>> [ 541.100934] kmem_cache_free+0x89/0x1e0
>> [ 541.101724] unlink_anon_vmas+0xba/0x2c0
>> [ 541.102534] free_pgtables+0x101/0x1b0
>> [ 541.103299] exit_mmap+0x146/0x2a0
>> [ 541.103996] ? __ia32_sys_munmap+0x50/0x50
>> [ 541.104829] ? kasan_check_read+0x11/0x20
>> [ 541.105649] ? mm_update_next_owner+0x322/0x380
>> [ 541.106578] mmput+0x8b/0x1d0
>> [ 541.107191] do_exit+0x43a/0x1390
>> [ 541.107876] ? mm_update_next_owner+0x380/0x380
>> [ 541.108791] ? deactivate_super+0x5e/0x80
>> [ 541.109610] ? cleanup_mnt+0x61/0xa0
>> [ 541.110351] ? __cleanup_mnt+0x12/0x20
>> [ 541.111115] ? task_work_run+0xc8/0xf0
>> [ 541.111879] ? exit_to_usermode_loop+0x125/0x130
>> [ 541.112817] rewind_stack_do_exit+0x17/0x20
>> [ 541.113666] RIP: 0033:0x7f46624bf487
>> [ 541.114404] Code: Bad RIP value.
>> [ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>>
>> [ 541.124061] The buggy address belongs to the page:
>> [ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
>> [ 541.126651] flags: 0x2ffff0000000000()
>> [ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
>> [ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
>> [ 541.130516] page dumped because: kasan: bad access detected
>>
>> [ 541.131954] Memory state around the buggy address:
>> [ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
>> [ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
>> [ 541.137253] ^
>> [ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
>> [ 541.141509] ==================================================================
>>
>> - Location
>> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
>> BUG_ON(inode->i_data.nrpages);
>>
>> The root cause is root directory inode is corrupted, it has both
>> inline_data and inline_dentry flag, and its nlink is zero, so in
>> ->evict(), after dropping all page cache, it grabs page #0 for inline
>> data truncation, result in panic in later clear_inode() where we will
>> check inode->i_data.nrpages value.
>>
>> This patch adds inline flags check in sanity_check_inode, in addition,
>> do sanity check with root inode's nlink.
>>
>> Reported-by Wen Xu <wen.xu@gatech.edu>
>> Signed-off-by: Chao Yu <yuchao0@huawei.com>
>> ---
>> fs/f2fs/inode.c | 20 ++++++++++++++++++++
>> fs/f2fs/super.c | 3 ++-
>> 2 files changed, 22 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
>> index 54067e456610..4cf0a05cc03e 100644
>> --- a/fs/f2fs/inode.c
>> +++ b/fs/f2fs/inode.c
>> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
>> return false;
>> }
>> }
>> +
>> + if (f2fs_has_inline_data(inode) &&
>> + (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
>> + set_sbi_flag(sbi, SBI_NEED_FSCK);
>> + f2fs_msg(sbi->sb, KERN_WARNING,
>> + "%s: inode (ino=%lx, mode=%u) should not have "
>> + "inline_data, run fsck to fix",
>> + __func__, inode->i_ino, inode->i_mode);
>> + return false;
>> + }
>> +
>> + if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
>> + set_sbi_flag(sbi, SBI_NEED_FSCK);
>> + f2fs_msg(sbi->sb, KERN_WARNING,
>> + "%s: inode (ino=%lx, mode=%u) should not have "
>> + "inline_dentry, run fsck to fix",
>> + __func__, inode->i_ino, inode->i_mode);
>> + return false;
>> + }
>> +
>> return true;
>> }
>>
>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>> index 657757635306..7405762d2bc9 100644
>> --- a/fs/f2fs/super.c
>> +++ b/fs/f2fs/super.c
>> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>> err = PTR_ERR(root);
>> goto free_stats;
>> }
>> - if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
>> + if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
>> + !root->i_size || !root->i_nlink) {
>> iput(root);
>> err = -EINVAL;
>> goto free_stats;
>> --
>> 2.18.0.rc1
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags
2018-07-15 1:53 ` Chao Yu
@ 2018-07-15 3:06 ` Jaegeuk Kim
-1 siblings, 0 replies; 14+ messages in thread
From: Jaegeuk Kim @ 2018-07-15 3:06 UTC (permalink / raw)
To: Chao Yu; +Cc: Chao Yu, linux-f2fs-devel, linux-kernel
On 07/15, Chao Yu wrote:
> Hi Jaegeuk,
>
> On 2018/7/7 9:12, Jaegeuk Kim wrote:
> > Hi Chao,
> >
> > I'm hitting some messages below during fault injection test. I'll dig in the
> > issue later, but meanwhile could you review this patch again?
>
> You hit message like below call stack instead of the log I added in
> sanity_check_inode(), right?
>
> kernel BUG at fs/inode.c:512!
> f2fs_evict_inode+0x253/0x630
> evict+0x16f/0x290
> iput+0x280/0x300
>
> I can't reproduce this issue with fault injection test, could you still
> reproduce this?
Let me try it again. :)
>
> Thanks,
>
> >
> > Thanks,
> >
> > On 06/28, Chao Yu wrote:
> >> https://bugzilla.kernel.org/show_bug.cgi?id=200221
> >>
> >> - Overview
> >> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
> >>
> >> - Reproduce
> >>
> >> - Kernel message
> >> [ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> >> [ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> >> [ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> >> [ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> >> [ 540.970834] ------------[ cut here ]------------
> >> [ 540.970838] kernel BUG at fs/inode.c:512!
> >> [ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> >> [ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> >> [ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> >> [ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> >> [ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> >> [ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> >> [ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> >> [ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> >> [ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> >> [ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> >> [ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> >> [ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> >> [ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> [ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> >> [ 541.000015] Call Trace:
> >> [ 541.000554] f2fs_evict_inode+0x253/0x630
> >> [ 541.001381] evict+0x16f/0x290
> >> [ 541.002015] iput+0x280/0x300
> >> [ 541.002654] dentry_unlink_inode+0x165/0x1e0
> >> [ 541.003528] __dentry_kill+0x16a/0x260
> >> [ 541.004300] dentry_kill+0x70/0x250
> >> [ 541.005018] dput+0x154/0x1d0
> >> [ 541.005635] do_one_tree+0x34/0x40
> >> [ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
> >> [ 541.007285] generic_shutdown_super+0x43/0x1c0
> >> [ 541.008192] kill_block_super+0x52/0x80
> >> [ 541.008978] kill_f2fs_super+0x62/0x70
> >> [ 541.009750] deactivate_locked_super+0x6f/0xa0
> >> [ 541.010664] deactivate_super+0x5e/0x80
> >> [ 541.011450] cleanup_mnt+0x61/0xa0
> >> [ 541.012151] __cleanup_mnt+0x12/0x20
> >> [ 541.012893] task_work_run+0xc8/0xf0
> >> [ 541.013635] exit_to_usermode_loop+0x125/0x130
> >> [ 541.014555] do_syscall_64+0x138/0x170
> >> [ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >> [ 541.016375] RIP: 0033:0x7f46624bf487
> >> [ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> >> [ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> >> [ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> >> [ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> >> [ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> >> [ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> >> [ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> >> [ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> >> [ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> >> [ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> >> [ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> >> [ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> >> [ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> >> [ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> >> [ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> >> [ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> >> [ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> >> [ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> >> [ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> [ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> >> [ 541.058506] ==================================================================
> >> [ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> >> [ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
> >>
> >> [ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
> >> [ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> >> [ 541.066778] Call Trace:
> >> [ 541.067294] dump_stack+0x7b/0xb5
> >> [ 541.067986] print_address_description+0x70/0x290
> >> [ 541.068941] kasan_report+0x291/0x390
> >> [ 541.069692] ? update_stack_state+0x38c/0x3e0
> >> [ 541.070598] __asan_load8+0x54/0x90
> >> [ 541.071315] update_stack_state+0x38c/0x3e0
> >> [ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
> >> [ 541.073340] ? vprintk_func+0x27/0x60
> >> [ 541.074096] ? printk+0xa3/0xd3
> >> [ 541.074762] ? __save_stack_trace+0x5e/0x100
> >> [ 541.075634] unwind_next_frame.part.5+0x18e/0x490
> >> [ 541.076594] ? unwind_dump+0x290/0x290
> >> [ 541.077368] ? __show_regs+0x2c4/0x330
> >> [ 541.078142] __unwind_start+0x106/0x190
> >> [ 541.085422] __save_stack_trace+0x5e/0x100
> >> [ 541.086268] ? __save_stack_trace+0x5e/0x100
> >> [ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
> >> [ 541.087997] save_stack_trace+0x1f/0x30
> >> [ 541.088782] save_stack+0x46/0xd0
> >> [ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
> >> [ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
> >> [ 541.091364] ? __dec_node_state+0x24/0xb0
> >> [ 541.092180] ? lock_page_memcg+0x85/0xf0
> >> [ 541.092979] ? unlock_page_memcg+0x16/0x80
> >> [ 541.093812] ? page_remove_rmap+0x198/0x520
> >> [ 541.094674] ? mark_page_accessed+0x133/0x200
> >> [ 541.095559] ? _cond_resched+0x1a/0x50
> >> [ 541.096326] ? unmap_page_range+0xcd4/0xe50
> >> [ 541.097179] ? rb_next+0x58/0x80
> >> [ 541.097845] ? rb_next+0x58/0x80
> >> [ 541.098518] __kasan_slab_free+0x13c/0x1a0
> >> [ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
> >> [ 541.100184] kasan_slab_free+0xe/0x10
> >> [ 541.100934] kmem_cache_free+0x89/0x1e0
> >> [ 541.101724] unlink_anon_vmas+0xba/0x2c0
> >> [ 541.102534] free_pgtables+0x101/0x1b0
> >> [ 541.103299] exit_mmap+0x146/0x2a0
> >> [ 541.103996] ? __ia32_sys_munmap+0x50/0x50
> >> [ 541.104829] ? kasan_check_read+0x11/0x20
> >> [ 541.105649] ? mm_update_next_owner+0x322/0x380
> >> [ 541.106578] mmput+0x8b/0x1d0
> >> [ 541.107191] do_exit+0x43a/0x1390
> >> [ 541.107876] ? mm_update_next_owner+0x380/0x380
> >> [ 541.108791] ? deactivate_super+0x5e/0x80
> >> [ 541.109610] ? cleanup_mnt+0x61/0xa0
> >> [ 541.110351] ? __cleanup_mnt+0x12/0x20
> >> [ 541.111115] ? task_work_run+0xc8/0xf0
> >> [ 541.111879] ? exit_to_usermode_loop+0x125/0x130
> >> [ 541.112817] rewind_stack_do_exit+0x17/0x20
> >> [ 541.113666] RIP: 0033:0x7f46624bf487
> >> [ 541.114404] Code: Bad RIP value.
> >> [ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> >> [ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> >> [ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> >> [ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> >> [ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> >> [ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> >>
> >> [ 541.124061] The buggy address belongs to the page:
> >> [ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> >> [ 541.126651] flags: 0x2ffff0000000000()
> >> [ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> >> [ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> >> [ 541.130516] page dumped because: kasan: bad access detected
> >>
> >> [ 541.131954] Memory state around the buggy address:
> >> [ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> >> [ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> [ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> >> [ 541.137253] ^
> >> [ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> [ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> >> [ 541.141509] ==================================================================
> >>
> >> - Location
> >> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> >> BUG_ON(inode->i_data.nrpages);
> >>
> >> The root cause is root directory inode is corrupted, it has both
> >> inline_data and inline_dentry flag, and its nlink is zero, so in
> >> ->evict(), after dropping all page cache, it grabs page #0 for inline
> >> data truncation, result in panic in later clear_inode() where we will
> >> check inode->i_data.nrpages value.
> >>
> >> This patch adds inline flags check in sanity_check_inode, in addition,
> >> do sanity check with root inode's nlink.
> >>
> >> Reported-by Wen Xu <wen.xu@gatech.edu>
> >> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> >> ---
> >> fs/f2fs/inode.c | 20 ++++++++++++++++++++
> >> fs/f2fs/super.c | 3 ++-
> >> 2 files changed, 22 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> >> index 54067e456610..4cf0a05cc03e 100644
> >> --- a/fs/f2fs/inode.c
> >> +++ b/fs/f2fs/inode.c
> >> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
> >> return false;
> >> }
> >> }
> >> +
> >> + if (f2fs_has_inline_data(inode) &&
> >> + (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> >> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> >> + f2fs_msg(sbi->sb, KERN_WARNING,
> >> + "%s: inode (ino=%lx, mode=%u) should not have "
> >> + "inline_data, run fsck to fix",
> >> + __func__, inode->i_ino, inode->i_mode);
> >> + return false;
> >> + }
> >> +
> >> + if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> >> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> >> + f2fs_msg(sbi->sb, KERN_WARNING,
> >> + "%s: inode (ino=%lx, mode=%u) should not have "
> >> + "inline_dentry, run fsck to fix",
> >> + __func__, inode->i_ino, inode->i_mode);
> >> + return false;
> >> + }
> >> +
> >> return true;
> >> }
> >>
> >> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> >> index 657757635306..7405762d2bc9 100644
> >> --- a/fs/f2fs/super.c
> >> +++ b/fs/f2fs/super.c
> >> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> >> err = PTR_ERR(root);
> >> goto free_stats;
> >> }
> >> - if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> >> + if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> >> + !root->i_size || !root->i_nlink) {
> >> iput(root);
> >> err = -EINVAL;
> >> goto free_stats;
> >> --
> >> 2.18.0.rc1
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags
@ 2018-07-15 3:06 ` Jaegeuk Kim
0 siblings, 0 replies; 14+ messages in thread
From: Jaegeuk Kim @ 2018-07-15 3:06 UTC (permalink / raw)
To: Chao Yu; +Cc: linux-kernel, linux-f2fs-devel
On 07/15, Chao Yu wrote:
> Hi Jaegeuk,
>
> On 2018/7/7 9:12, Jaegeuk Kim wrote:
> > Hi Chao,
> >
> > I'm hitting some messages below during fault injection test. I'll dig in the
> > issue later, but meanwhile could you review this patch again?
>
> You hit message like below call stack instead of the log I added in
> sanity_check_inode(), right?
>
> kernel BUG at fs/inode.c:512!
> f2fs_evict_inode+0x253/0x630
> evict+0x16f/0x290
> iput+0x280/0x300
>
> I can't reproduce this issue with fault injection test, could you still
> reproduce this?
Let me try it again. :)
>
> Thanks,
>
> >
> > Thanks,
> >
> > On 06/28, Chao Yu wrote:
> >> https://bugzilla.kernel.org/show_bug.cgi?id=200221
> >>
> >> - Overview
> >> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
> >>
> >> - Reproduce
> >>
> >> - Kernel message
> >> [ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> >> [ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> >> [ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> >> [ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> >> [ 540.970834] ------------[ cut here ]------------
> >> [ 540.970838] kernel BUG at fs/inode.c:512!
> >> [ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> >> [ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> >> [ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> >> [ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> >> [ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> >> [ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> >> [ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> >> [ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> >> [ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> >> [ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> >> [ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> >> [ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> >> [ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> [ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> >> [ 541.000015] Call Trace:
> >> [ 541.000554] f2fs_evict_inode+0x253/0x630
> >> [ 541.001381] evict+0x16f/0x290
> >> [ 541.002015] iput+0x280/0x300
> >> [ 541.002654] dentry_unlink_inode+0x165/0x1e0
> >> [ 541.003528] __dentry_kill+0x16a/0x260
> >> [ 541.004300] dentry_kill+0x70/0x250
> >> [ 541.005018] dput+0x154/0x1d0
> >> [ 541.005635] do_one_tree+0x34/0x40
> >> [ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
> >> [ 541.007285] generic_shutdown_super+0x43/0x1c0
> >> [ 541.008192] kill_block_super+0x52/0x80
> >> [ 541.008978] kill_f2fs_super+0x62/0x70
> >> [ 541.009750] deactivate_locked_super+0x6f/0xa0
> >> [ 541.010664] deactivate_super+0x5e/0x80
> >> [ 541.011450] cleanup_mnt+0x61/0xa0
> >> [ 541.012151] __cleanup_mnt+0x12/0x20
> >> [ 541.012893] task_work_run+0xc8/0xf0
> >> [ 541.013635] exit_to_usermode_loop+0x125/0x130
> >> [ 541.014555] do_syscall_64+0x138/0x170
> >> [ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >> [ 541.016375] RIP: 0033:0x7f46624bf487
> >> [ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> >> [ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> >> [ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> >> [ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> >> [ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> >> [ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> >> [ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> >> [ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> >> [ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> >> [ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> >> [ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> >> [ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> >> [ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> >> [ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> >> [ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> >> [ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> >> [ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> >> [ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> >> [ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> [ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> >> [ 541.058506] ==================================================================
> >> [ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> >> [ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
> >>
> >> [ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
> >> [ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> >> [ 541.066778] Call Trace:
> >> [ 541.067294] dump_stack+0x7b/0xb5
> >> [ 541.067986] print_address_description+0x70/0x290
> >> [ 541.068941] kasan_report+0x291/0x390
> >> [ 541.069692] ? update_stack_state+0x38c/0x3e0
> >> [ 541.070598] __asan_load8+0x54/0x90
> >> [ 541.071315] update_stack_state+0x38c/0x3e0
> >> [ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
> >> [ 541.073340] ? vprintk_func+0x27/0x60
> >> [ 541.074096] ? printk+0xa3/0xd3
> >> [ 541.074762] ? __save_stack_trace+0x5e/0x100
> >> [ 541.075634] unwind_next_frame.part.5+0x18e/0x490
> >> [ 541.076594] ? unwind_dump+0x290/0x290
> >> [ 541.077368] ? __show_regs+0x2c4/0x330
> >> [ 541.078142] __unwind_start+0x106/0x190
> >> [ 541.085422] __save_stack_trace+0x5e/0x100
> >> [ 541.086268] ? __save_stack_trace+0x5e/0x100
> >> [ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
> >> [ 541.087997] save_stack_trace+0x1f/0x30
> >> [ 541.088782] save_stack+0x46/0xd0
> >> [ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
> >> [ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
> >> [ 541.091364] ? __dec_node_state+0x24/0xb0
> >> [ 541.092180] ? lock_page_memcg+0x85/0xf0
> >> [ 541.092979] ? unlock_page_memcg+0x16/0x80
> >> [ 541.093812] ? page_remove_rmap+0x198/0x520
> >> [ 541.094674] ? mark_page_accessed+0x133/0x200
> >> [ 541.095559] ? _cond_resched+0x1a/0x50
> >> [ 541.096326] ? unmap_page_range+0xcd4/0xe50
> >> [ 541.097179] ? rb_next+0x58/0x80
> >> [ 541.097845] ? rb_next+0x58/0x80
> >> [ 541.098518] __kasan_slab_free+0x13c/0x1a0
> >> [ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
> >> [ 541.100184] kasan_slab_free+0xe/0x10
> >> [ 541.100934] kmem_cache_free+0x89/0x1e0
> >> [ 541.101724] unlink_anon_vmas+0xba/0x2c0
> >> [ 541.102534] free_pgtables+0x101/0x1b0
> >> [ 541.103299] exit_mmap+0x146/0x2a0
> >> [ 541.103996] ? __ia32_sys_munmap+0x50/0x50
> >> [ 541.104829] ? kasan_check_read+0x11/0x20
> >> [ 541.105649] ? mm_update_next_owner+0x322/0x380
> >> [ 541.106578] mmput+0x8b/0x1d0
> >> [ 541.107191] do_exit+0x43a/0x1390
> >> [ 541.107876] ? mm_update_next_owner+0x380/0x380
> >> [ 541.108791] ? deactivate_super+0x5e/0x80
> >> [ 541.109610] ? cleanup_mnt+0x61/0xa0
> >> [ 541.110351] ? __cleanup_mnt+0x12/0x20
> >> [ 541.111115] ? task_work_run+0xc8/0xf0
> >> [ 541.111879] ? exit_to_usermode_loop+0x125/0x130
> >> [ 541.112817] rewind_stack_do_exit+0x17/0x20
> >> [ 541.113666] RIP: 0033:0x7f46624bf487
> >> [ 541.114404] Code: Bad RIP value.
> >> [ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> >> [ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> >> [ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> >> [ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> >> [ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> >> [ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> >>
> >> [ 541.124061] The buggy address belongs to the page:
> >> [ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> >> [ 541.126651] flags: 0x2ffff0000000000()
> >> [ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> >> [ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> >> [ 541.130516] page dumped because: kasan: bad access detected
> >>
> >> [ 541.131954] Memory state around the buggy address:
> >> [ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> >> [ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> [ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> >> [ 541.137253] ^
> >> [ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> [ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> >> [ 541.141509] ==================================================================
> >>
> >> - Location
> >> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> >> BUG_ON(inode->i_data.nrpages);
> >>
> >> The root cause is root directory inode is corrupted, it has both
> >> inline_data and inline_dentry flag, and its nlink is zero, so in
> >> ->evict(), after dropping all page cache, it grabs page #0 for inline
> >> data truncation, result in panic in later clear_inode() where we will
> >> check inode->i_data.nrpages value.
> >>
> >> This patch adds inline flags check in sanity_check_inode, in addition,
> >> do sanity check with root inode's nlink.
> >>
> >> Reported-by Wen Xu <wen.xu@gatech.edu>
> >> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> >> ---
> >> fs/f2fs/inode.c | 20 ++++++++++++++++++++
> >> fs/f2fs/super.c | 3 ++-
> >> 2 files changed, 22 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> >> index 54067e456610..4cf0a05cc03e 100644
> >> --- a/fs/f2fs/inode.c
> >> +++ b/fs/f2fs/inode.c
> >> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
> >> return false;
> >> }
> >> }
> >> +
> >> + if (f2fs_has_inline_data(inode) &&
> >> + (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> >> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> >> + f2fs_msg(sbi->sb, KERN_WARNING,
> >> + "%s: inode (ino=%lx, mode=%u) should not have "
> >> + "inline_data, run fsck to fix",
> >> + __func__, inode->i_ino, inode->i_mode);
> >> + return false;
> >> + }
> >> +
> >> + if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> >> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> >> + f2fs_msg(sbi->sb, KERN_WARNING,
> >> + "%s: inode (ino=%lx, mode=%u) should not have "
> >> + "inline_dentry, run fsck to fix",
> >> + __func__, inode->i_ino, inode->i_mode);
> >> + return false;
> >> + }
> >> +
> >> return true;
> >> }
> >>
> >> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> >> index 657757635306..7405762d2bc9 100644
> >> --- a/fs/f2fs/super.c
> >> +++ b/fs/f2fs/super.c
> >> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> >> err = PTR_ERR(root);
> >> goto free_stats;
> >> }
> >> - if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> >> + if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> >> + !root->i_size || !root->i_nlink) {
> >> iput(root);
> >> err = -EINVAL;
> >> goto free_stats;
> >> --
> >> 2.18.0.rc1
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [f2fs-dev] [PATCH 2/2] f2fs: fix to do sanity check with inline flags
2018-07-15 3:06 ` Jaegeuk Kim
@ 2018-07-15 3:45 ` Jaegeuk Kim
-1 siblings, 0 replies; 14+ messages in thread
From: Jaegeuk Kim @ 2018-07-15 3:45 UTC (permalink / raw)
To: Chao Yu; +Cc: linux-kernel, linux-f2fs-devel
On 07/15, Jaegeuk Kim wrote:
> On 07/15, Chao Yu wrote:
> > Hi Jaegeuk,
> >
> > On 2018/7/7 9:12, Jaegeuk Kim wrote:
> > > Hi Chao,
> > >
> > > I'm hitting some messages below during fault injection test. I'll dig in the
> > > issue later, but meanwhile could you review this patch again?
> >
> > You hit message like below call stack instead of the log I added in
> > sanity_check_inode(), right?
> >
> > kernel BUG at fs/inode.c:512!
> > f2fs_evict_inode+0x253/0x630
> > evict+0x16f/0x290
> > iput+0x280/0x300
> >
> > I can't reproduce this issue with fault injection test, could you still
> > reproduce this?
>
> Let me try it again. :)
[ 318.799110] F2FS-fs (nvme0n1): mounting with "discard" option, but the device does not support discard
[ 318.839407] F2FS-fs (nvme0n1): Found nat_bits in checkpoint
[ 318.904204] F2FS-fs (nvme0n1): sanity_check_inode: inode (ino=cc9, mode=41471) should not have inline_data, run fsck to fix
Missing mode?
>
> >
> > Thanks,
> >
> > >
> > > Thanks,
> > >
> > > On 06/28, Chao Yu wrote:
> > >> https://bugzilla.kernel.org/show_bug.cgi?id=200221
> > >>
> > >> - Overview
> > >> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
> > >>
> > >> - Reproduce
> > >>
> > >> - Kernel message
> > >> [ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> > >> [ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> > >> [ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> > >> [ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> > >> [ 540.970834] ------------[ cut here ]------------
> > >> [ 540.970838] kernel BUG at fs/inode.c:512!
> > >> [ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> > >> [ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> > >> [ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > >> [ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> > >> [ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> > >> [ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> > >> [ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> > >> [ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> > >> [ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> > >> [ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> > >> [ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> > >> [ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> > >> [ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > >> [ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> > >> [ 541.000015] Call Trace:
> > >> [ 541.000554] f2fs_evict_inode+0x253/0x630
> > >> [ 541.001381] evict+0x16f/0x290
> > >> [ 541.002015] iput+0x280/0x300
> > >> [ 541.002654] dentry_unlink_inode+0x165/0x1e0
> > >> [ 541.003528] __dentry_kill+0x16a/0x260
> > >> [ 541.004300] dentry_kill+0x70/0x250
> > >> [ 541.005018] dput+0x154/0x1d0
> > >> [ 541.005635] do_one_tree+0x34/0x40
> > >> [ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
> > >> [ 541.007285] generic_shutdown_super+0x43/0x1c0
> > >> [ 541.008192] kill_block_super+0x52/0x80
> > >> [ 541.008978] kill_f2fs_super+0x62/0x70
> > >> [ 541.009750] deactivate_locked_super+0x6f/0xa0
> > >> [ 541.010664] deactivate_super+0x5e/0x80
> > >> [ 541.011450] cleanup_mnt+0x61/0xa0
> > >> [ 541.012151] __cleanup_mnt+0x12/0x20
> > >> [ 541.012893] task_work_run+0xc8/0xf0
> > >> [ 541.013635] exit_to_usermode_loop+0x125/0x130
> > >> [ 541.014555] do_syscall_64+0x138/0x170
> > >> [ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >> [ 541.016375] RIP: 0033:0x7f46624bf487
> > >> [ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> > >> [ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> > >> [ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> > >> [ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> > >> [ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> > >> [ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> > >> [ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> > >> [ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> > >> [ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> > >> [ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> > >> [ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> > >> [ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> > >> [ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> > >> [ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> > >> [ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> > >> [ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> > >> [ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> > >> [ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> > >> [ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > >> [ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> > >> [ 541.058506] ==================================================================
> > >> [ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> > >> [ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
> > >>
> > >> [ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
> > >> [ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > >> [ 541.066778] Call Trace:
> > >> [ 541.067294] dump_stack+0x7b/0xb5
> > >> [ 541.067986] print_address_description+0x70/0x290
> > >> [ 541.068941] kasan_report+0x291/0x390
> > >> [ 541.069692] ? update_stack_state+0x38c/0x3e0
> > >> [ 541.070598] __asan_load8+0x54/0x90
> > >> [ 541.071315] update_stack_state+0x38c/0x3e0
> > >> [ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
> > >> [ 541.073340] ? vprintk_func+0x27/0x60
> > >> [ 541.074096] ? printk+0xa3/0xd3
> > >> [ 541.074762] ? __save_stack_trace+0x5e/0x100
> > >> [ 541.075634] unwind_next_frame.part.5+0x18e/0x490
> > >> [ 541.076594] ? unwind_dump+0x290/0x290
> > >> [ 541.077368] ? __show_regs+0x2c4/0x330
> > >> [ 541.078142] __unwind_start+0x106/0x190
> > >> [ 541.085422] __save_stack_trace+0x5e/0x100
> > >> [ 541.086268] ? __save_stack_trace+0x5e/0x100
> > >> [ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
> > >> [ 541.087997] save_stack_trace+0x1f/0x30
> > >> [ 541.088782] save_stack+0x46/0xd0
> > >> [ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
> > >> [ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
> > >> [ 541.091364] ? __dec_node_state+0x24/0xb0
> > >> [ 541.092180] ? lock_page_memcg+0x85/0xf0
> > >> [ 541.092979] ? unlock_page_memcg+0x16/0x80
> > >> [ 541.093812] ? page_remove_rmap+0x198/0x520
> > >> [ 541.094674] ? mark_page_accessed+0x133/0x200
> > >> [ 541.095559] ? _cond_resched+0x1a/0x50
> > >> [ 541.096326] ? unmap_page_range+0xcd4/0xe50
> > >> [ 541.097179] ? rb_next+0x58/0x80
> > >> [ 541.097845] ? rb_next+0x58/0x80
> > >> [ 541.098518] __kasan_slab_free+0x13c/0x1a0
> > >> [ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
> > >> [ 541.100184] kasan_slab_free+0xe/0x10
> > >> [ 541.100934] kmem_cache_free+0x89/0x1e0
> > >> [ 541.101724] unlink_anon_vmas+0xba/0x2c0
> > >> [ 541.102534] free_pgtables+0x101/0x1b0
> > >> [ 541.103299] exit_mmap+0x146/0x2a0
> > >> [ 541.103996] ? __ia32_sys_munmap+0x50/0x50
> > >> [ 541.104829] ? kasan_check_read+0x11/0x20
> > >> [ 541.105649] ? mm_update_next_owner+0x322/0x380
> > >> [ 541.106578] mmput+0x8b/0x1d0
> > >> [ 541.107191] do_exit+0x43a/0x1390
> > >> [ 541.107876] ? mm_update_next_owner+0x380/0x380
> > >> [ 541.108791] ? deactivate_super+0x5e/0x80
> > >> [ 541.109610] ? cleanup_mnt+0x61/0xa0
> > >> [ 541.110351] ? __cleanup_mnt+0x12/0x20
> > >> [ 541.111115] ? task_work_run+0xc8/0xf0
> > >> [ 541.111879] ? exit_to_usermode_loop+0x125/0x130
> > >> [ 541.112817] rewind_stack_do_exit+0x17/0x20
> > >> [ 541.113666] RIP: 0033:0x7f46624bf487
> > >> [ 541.114404] Code: Bad RIP value.
> > >> [ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> > >> [ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> > >> [ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> > >> [ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> > >> [ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> > >> [ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> > >>
> > >> [ 541.124061] The buggy address belongs to the page:
> > >> [ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> > >> [ 541.126651] flags: 0x2ffff0000000000()
> > >> [ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> > >> [ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > >> [ 541.130516] page dumped because: kasan: bad access detected
> > >>
> > >> [ 541.131954] Memory state around the buggy address:
> > >> [ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> > >> [ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >> [ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> > >> [ 541.137253] ^
> > >> [ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >> [ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> > >> [ 541.141509] ==================================================================
> > >>
> > >> - Location
> > >> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> > >> BUG_ON(inode->i_data.nrpages);
> > >>
> > >> The root cause is root directory inode is corrupted, it has both
> > >> inline_data and inline_dentry flag, and its nlink is zero, so in
> > >> ->evict(), after dropping all page cache, it grabs page #0 for inline
> > >> data truncation, result in panic in later clear_inode() where we will
> > >> check inode->i_data.nrpages value.
> > >>
> > >> This patch adds inline flags check in sanity_check_inode, in addition,
> > >> do sanity check with root inode's nlink.
> > >>
> > >> Reported-by Wen Xu <wen.xu@gatech.edu>
> > >> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> > >> ---
> > >> fs/f2fs/inode.c | 20 ++++++++++++++++++++
> > >> fs/f2fs/super.c | 3 ++-
> > >> 2 files changed, 22 insertions(+), 1 deletion(-)
> > >>
> > >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> > >> index 54067e456610..4cf0a05cc03e 100644
> > >> --- a/fs/f2fs/inode.c
> > >> +++ b/fs/f2fs/inode.c
> > >> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
> > >> return false;
> > >> }
> > >> }
> > >> +
> > >> + if (f2fs_has_inline_data(inode) &&
> > >> + (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> > >> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> > >> + f2fs_msg(sbi->sb, KERN_WARNING,
> > >> + "%s: inode (ino=%lx, mode=%u) should not have "
> > >> + "inline_data, run fsck to fix",
> > >> + __func__, inode->i_ino, inode->i_mode);
> > >> + return false;
> > >> + }
> > >> +
> > >> + if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> > >> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> > >> + f2fs_msg(sbi->sb, KERN_WARNING,
> > >> + "%s: inode (ino=%lx, mode=%u) should not have "
> > >> + "inline_dentry, run fsck to fix",
> > >> + __func__, inode->i_ino, inode->i_mode);
> > >> + return false;
> > >> + }
> > >> +
> > >> return true;
> > >> }
> > >>
> > >> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> > >> index 657757635306..7405762d2bc9 100644
> > >> --- a/fs/f2fs/super.c
> > >> +++ b/fs/f2fs/super.c
> > >> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> > >> err = PTR_ERR(root);
> > >> goto free_stats;
> > >> }
> > >> - if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> > >> + if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> > >> + !root->i_size || !root->i_nlink) {
> > >> iput(root);
> > >> err = -EINVAL;
> > >> goto free_stats;
> > >> --
> > >> 2.18.0.rc1
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags
@ 2018-07-15 3:45 ` Jaegeuk Kim
0 siblings, 0 replies; 14+ messages in thread
From: Jaegeuk Kim @ 2018-07-15 3:45 UTC (permalink / raw)
To: Chao Yu; +Cc: linux-kernel, linux-f2fs-devel
On 07/15, Jaegeuk Kim wrote:
> On 07/15, Chao Yu wrote:
> > Hi Jaegeuk,
> >
> > On 2018/7/7 9:12, Jaegeuk Kim wrote:
> > > Hi Chao,
> > >
> > > I'm hitting some messages below during fault injection test. I'll dig in the
> > > issue later, but meanwhile could you review this patch again?
> >
> > You hit message like below call stack instead of the log I added in
> > sanity_check_inode(), right?
> >
> > kernel BUG at fs/inode.c:512!
> > f2fs_evict_inode+0x253/0x630
> > evict+0x16f/0x290
> > iput+0x280/0x300
> >
> > I can't reproduce this issue with fault injection test, could you still
> > reproduce this?
>
> Let me try it again. :)
[ 318.799110] F2FS-fs (nvme0n1): mounting with "discard" option, but the device does not support discard
[ 318.839407] F2FS-fs (nvme0n1): Found nat_bits in checkpoint
[ 318.904204] F2FS-fs (nvme0n1): sanity_check_inode: inode (ino=cc9, mode=41471) should not have inline_data, run fsck to fix
Missing mode?
>
> >
> > Thanks,
> >
> > >
> > > Thanks,
> > >
> > > On 06/28, Chao Yu wrote:
> > >> https://bugzilla.kernel.org/show_bug.cgi?id=200221
> > >>
> > >> - Overview
> > >> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
> > >>
> > >> - Reproduce
> > >>
> > >> - Kernel message
> > >> [ 538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> > >> [ 538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> > >> [ 538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> > >> [ 538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> > >> [ 540.970834] ------------[ cut here ]------------
> > >> [ 540.970838] kernel BUG at fs/inode.c:512!
> > >> [ 540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> > >> [ 540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> > >> [ 540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > >> [ 540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> > >> [ 540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> > >> [ 540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> > >> [ 540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> > >> [ 540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> > >> [ 540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> > >> [ 540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> > >> [ 540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> > >> [ 540.995786] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> > >> [ 540.997403] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > >> [ 540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> > >> [ 541.000015] Call Trace:
> > >> [ 541.000554] f2fs_evict_inode+0x253/0x630
> > >> [ 541.001381] evict+0x16f/0x290
> > >> [ 541.002015] iput+0x280/0x300
> > >> [ 541.002654] dentry_unlink_inode+0x165/0x1e0
> > >> [ 541.003528] __dentry_kill+0x16a/0x260
> > >> [ 541.004300] dentry_kill+0x70/0x250
> > >> [ 541.005018] dput+0x154/0x1d0
> > >> [ 541.005635] do_one_tree+0x34/0x40
> > >> [ 541.006354] shrink_dcache_for_umount+0x3f/0xa0
> > >> [ 541.007285] generic_shutdown_super+0x43/0x1c0
> > >> [ 541.008192] kill_block_super+0x52/0x80
> > >> [ 541.008978] kill_f2fs_super+0x62/0x70
> > >> [ 541.009750] deactivate_locked_super+0x6f/0xa0
> > >> [ 541.010664] deactivate_super+0x5e/0x80
> > >> [ 541.011450] cleanup_mnt+0x61/0xa0
> > >> [ 541.012151] __cleanup_mnt+0x12/0x20
> > >> [ 541.012893] task_work_run+0xc8/0xf0
> > >> [ 541.013635] exit_to_usermode_loop+0x125/0x130
> > >> [ 541.014555] do_syscall_64+0x138/0x170
> > >> [ 541.015340] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >> [ 541.016375] RIP: 0033:0x7f46624bf487
> > >> [ 541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> > >> [ 541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> > >> [ 541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> > >> [ 541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> > >> [ 541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> > >> [ 541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> > >> [ 541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> > >> [ 541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> > >> [ 541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> > >> [ 541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> > >> [ 541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> > >> [ 541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> > >> [ 541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> > >> [ 541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> > >> [ 541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> > >> [ 541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> > >> [ 541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> > >> [ 541.053263] FS: 00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> > >> [ 541.054891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > >> [ 541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> > >> [ 541.058506] ==================================================================
> > >> [ 541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> > >> [ 541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
> > >>
> > >> [ 541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G D 4.18.0-rc1+ #4
> > >> [ 541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > >> [ 541.066778] Call Trace:
> > >> [ 541.067294] dump_stack+0x7b/0xb5
> > >> [ 541.067986] print_address_description+0x70/0x290
> > >> [ 541.068941] kasan_report+0x291/0x390
> > >> [ 541.069692] ? update_stack_state+0x38c/0x3e0
> > >> [ 541.070598] __asan_load8+0x54/0x90
> > >> [ 541.071315] update_stack_state+0x38c/0x3e0
> > >> [ 541.072172] ? __read_once_size_nocheck.constprop.7+0x20/0x20
> > >> [ 541.073340] ? vprintk_func+0x27/0x60
> > >> [ 541.074096] ? printk+0xa3/0xd3
> > >> [ 541.074762] ? __save_stack_trace+0x5e/0x100
> > >> [ 541.075634] unwind_next_frame.part.5+0x18e/0x490
> > >> [ 541.076594] ? unwind_dump+0x290/0x290
> > >> [ 541.077368] ? __show_regs+0x2c4/0x330
> > >> [ 541.078142] __unwind_start+0x106/0x190
> > >> [ 541.085422] __save_stack_trace+0x5e/0x100
> > >> [ 541.086268] ? __save_stack_trace+0x5e/0x100
> > >> [ 541.087161] ? unlink_anon_vmas+0xba/0x2c0
> > >> [ 541.087997] save_stack_trace+0x1f/0x30
> > >> [ 541.088782] save_stack+0x46/0xd0
> > >> [ 541.089475] ? __alloc_pages_slowpath+0x1420/0x1420
> > >> [ 541.090477] ? flush_tlb_mm_range+0x15e/0x220
> > >> [ 541.091364] ? __dec_node_state+0x24/0xb0
> > >> [ 541.092180] ? lock_page_memcg+0x85/0xf0
> > >> [ 541.092979] ? unlock_page_memcg+0x16/0x80
> > >> [ 541.093812] ? page_remove_rmap+0x198/0x520
> > >> [ 541.094674] ? mark_page_accessed+0x133/0x200
> > >> [ 541.095559] ? _cond_resched+0x1a/0x50
> > >> [ 541.096326] ? unmap_page_range+0xcd4/0xe50
> > >> [ 541.097179] ? rb_next+0x58/0x80
> > >> [ 541.097845] ? rb_next+0x58/0x80
> > >> [ 541.098518] __kasan_slab_free+0x13c/0x1a0
> > >> [ 541.099352] ? unlink_anon_vmas+0xba/0x2c0
> > >> [ 541.100184] kasan_slab_free+0xe/0x10
> > >> [ 541.100934] kmem_cache_free+0x89/0x1e0
> > >> [ 541.101724] unlink_anon_vmas+0xba/0x2c0
> > >> [ 541.102534] free_pgtables+0x101/0x1b0
> > >> [ 541.103299] exit_mmap+0x146/0x2a0
> > >> [ 541.103996] ? __ia32_sys_munmap+0x50/0x50
> > >> [ 541.104829] ? kasan_check_read+0x11/0x20
> > >> [ 541.105649] ? mm_update_next_owner+0x322/0x380
> > >> [ 541.106578] mmput+0x8b/0x1d0
> > >> [ 541.107191] do_exit+0x43a/0x1390
> > >> [ 541.107876] ? mm_update_next_owner+0x380/0x380
> > >> [ 541.108791] ? deactivate_super+0x5e/0x80
> > >> [ 541.109610] ? cleanup_mnt+0x61/0xa0
> > >> [ 541.110351] ? __cleanup_mnt+0x12/0x20
> > >> [ 541.111115] ? task_work_run+0xc8/0xf0
> > >> [ 541.111879] ? exit_to_usermode_loop+0x125/0x130
> > >> [ 541.112817] rewind_stack_do_exit+0x17/0x20
> > >> [ 541.113666] RIP: 0033:0x7f46624bf487
> > >> [ 541.114404] Code: Bad RIP value.
> > >> [ 541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> > >> [ 541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> > >> [ 541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> > >> [ 541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> > >> [ 541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> > >> [ 541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> > >>
> > >> [ 541.124061] The buggy address belongs to the page:
> > >> [ 541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> > >> [ 541.126651] flags: 0x2ffff0000000000()
> > >> [ 541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> > >> [ 541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > >> [ 541.130516] page dumped because: kasan: bad access detected
> > >>
> > >> [ 541.131954] Memory state around the buggy address:
> > >> [ 541.132924] ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> > >> [ 541.134378] ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >> [ 541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> > >> [ 541.137253] ^
> > >> [ 541.138637] ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >> [ 541.140075] ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> > >> [ 541.141509] ==================================================================
> > >>
> > >> - Location
> > >> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> > >> BUG_ON(inode->i_data.nrpages);
> > >>
> > >> The root cause is root directory inode is corrupted, it has both
> > >> inline_data and inline_dentry flag, and its nlink is zero, so in
> > >> ->evict(), after dropping all page cache, it grabs page #0 for inline
> > >> data truncation, result in panic in later clear_inode() where we will
> > >> check inode->i_data.nrpages value.
> > >>
> > >> This patch adds inline flags check in sanity_check_inode, in addition,
> > >> do sanity check with root inode's nlink.
> > >>
> > >> Reported-by Wen Xu <wen.xu@gatech.edu>
> > >> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> > >> ---
> > >> fs/f2fs/inode.c | 20 ++++++++++++++++++++
> > >> fs/f2fs/super.c | 3 ++-
> > >> 2 files changed, 22 insertions(+), 1 deletion(-)
> > >>
> > >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> > >> index 54067e456610..4cf0a05cc03e 100644
> > >> --- a/fs/f2fs/inode.c
> > >> +++ b/fs/f2fs/inode.c
> > >> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
> > >> return false;
> > >> }
> > >> }
> > >> +
> > >> + if (f2fs_has_inline_data(inode) &&
> > >> + (!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> > >> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> > >> + f2fs_msg(sbi->sb, KERN_WARNING,
> > >> + "%s: inode (ino=%lx, mode=%u) should not have "
> > >> + "inline_data, run fsck to fix",
> > >> + __func__, inode->i_ino, inode->i_mode);
> > >> + return false;
> > >> + }
> > >> +
> > >> + if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> > >> + set_sbi_flag(sbi, SBI_NEED_FSCK);
> > >> + f2fs_msg(sbi->sb, KERN_WARNING,
> > >> + "%s: inode (ino=%lx, mode=%u) should not have "
> > >> + "inline_dentry, run fsck to fix",
> > >> + __func__, inode->i_ino, inode->i_mode);
> > >> + return false;
> > >> + }
> > >> +
> > >> return true;
> > >> }
> > >>
> > >> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> > >> index 657757635306..7405762d2bc9 100644
> > >> --- a/fs/f2fs/super.c
> > >> +++ b/fs/f2fs/super.c
> > >> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> > >> err = PTR_ERR(root);
> > >> goto free_stats;
> > >> }
> > >> - if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> > >> + if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> > >> + !root->i_size || !root->i_nlink) {
> > >> iput(root);
> > >> err = -EINVAL;
> > >> goto free_stats;
> > >> --
> > >> 2.18.0.rc1
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2018-07-15 3:48 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-28 10:25 [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent Chao Yu
2018-06-28 10:25 ` Chao Yu
2018-06-28 10:25 ` [PATCH 2/2] f2fs: fix to do sanity check with inline flags Chao Yu
2018-06-28 10:25 ` Chao Yu
2018-07-07 1:12 ` Jaegeuk Kim
2018-07-07 1:44 ` Chao Yu
2018-07-15 1:53 ` Chao Yu
2018-07-15 1:53 ` Chao Yu
2018-07-15 3:06 ` Jaegeuk Kim
2018-07-15 3:06 ` Jaegeuk Kim
2018-07-15 3:45 ` [f2fs-dev] " Jaegeuk Kim
2018-07-15 3:45 ` Jaegeuk Kim
[not found] ` <42661306-96ae-aa03-7eab-20e68ca76b68@huawei.com>
2018-07-04 10:46 ` 答复: [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent Liuxue (Alice, Euler Dept seven)
2018-07-04 13:11 ` Chao Yu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.