[PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent

[PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent

[Chao Yu]

If segment type in SSA and SIT is inconsistent, we will encounter below
BUG_ON during GC, to avoid this panic, let's just skip doing GC on such
segment.

The bug is triggered with image reported in below link:

https://bugzilla.kernel.org/show_bug.cgi?id=200223

[  388.060262] ------------[ cut here ]------------
[  388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
[  388.061172] invalid opcode: 0000 [#1] SMP
[  388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
[  388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G           O    4.13.0-rc1+ #26
[  388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015
[  388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000
[  388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs]
[  388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202
[  388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0
[  388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0
[  388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc
[  388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018
[  388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000
[  388.076687] FS:  0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000
[  388.083277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0
[  388.085748] Call Trace:
[  388.086690]  ? find_next_bit+0xb/0x10
[  388.088091]  f2fs_gc+0x1a8/0x9d0 [f2fs]
[  388.088888]  ? lock_timer_base+0x7d/0xa0
[  388.090213]  ? try_to_del_timer_sync+0x44/0x60
[  388.091698]  gc_thread_func+0x342/0x4b0 [f2fs]
[  388.092892]  ? wait_woken+0x80/0x80
[  388.094098]  kthread+0x109/0x140
[  388.095010]  ? f2fs_gc+0x9d0/0x9d0 [f2fs]
[  388.096043]  ? kthread_park+0x60/0x60
[  388.097281]  ret_from_fork+0x25/0x30
[  388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55
[  388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68
[  388.101810] ---[ end trace 81c73d6e6b7da61d ]---

Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
 fs/f2fs/gc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index da2a71eb7ee2..f3a0e2f62ce6 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -986,7 +986,12 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
 			goto next;
 
 		sum = page_address(sum_page);
-		f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer)));
+		if (type != GET_SUM_TYPE((&sum->footer))) {
+			f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) "
+				"type [%d, %d] in SSA and SIT",
+				segno, type, GET_SUM_TYPE((&sum->footer)));
+			goto next;
+		}
 
 		/*
 		 * this is to avoid deadlock:
-- 
2.18.0.rc1

[PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent

[Chao Yu]

If segment type in SSA and SIT is inconsistent, we will encounter below
BUG_ON during GC, to avoid this panic, let's just skip doing GC on such
segment.

The bug is triggered with image reported in below link:

https://bugzilla.kernel.org/show_bug.cgi?id=200223

[  388.060262] ------------[ cut here ]------------
[  388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
[  388.061172] invalid opcode: 0000 [#1] SMP
[  388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
[  388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G           O    4.13.0-rc1+ #26
[  388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015
[  388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000
[  388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs]
[  388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202
[  388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0
[  388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0
[  388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc
[  388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018
[  388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000
[  388.076687] FS:  0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000
[  388.083277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0
[  388.085748] Call Trace:
[  388.086690]  ? find_next_bit+0xb/0x10
[  388.088091]  f2fs_gc+0x1a8/0x9d0 [f2fs]
[  388.088888]  ? lock_timer_base+0x7d/0xa0
[  388.090213]  ? try_to_del_timer_sync+0x44/0x60
[  388.091698]  gc_thread_func+0x342/0x4b0 [f2fs]
[  388.092892]  ? wait_woken+0x80/0x80
[  388.094098]  kthread+0x109/0x140
[  388.095010]  ? f2fs_gc+0x9d0/0x9d0 [f2fs]
[  388.096043]  ? kthread_park+0x60/0x60
[  388.097281]  ret_from_fork+0x25/0x30
[  388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55
[  388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68
[  388.101810] ---[ end trace 81c73d6e6b7da61d ]---

Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
 fs/f2fs/gc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index da2a71eb7ee2..f3a0e2f62ce6 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -986,7 +986,12 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
 			goto next;
 
 		sum = page_address(sum_page);
-		f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer)));
+		if (type != GET_SUM_TYPE((&sum->footer))) {
+			f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) "
+				"type [%d, %d] in SSA and SIT",
+				segno, type, GET_SUM_TYPE((&sum->footer)));
+			goto next;
+		}
 
 		/*
 		 * this is to avoid deadlock:
-- 
2.18.0.rc1

[PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Chao Yu]

https://bugzilla.kernel.org/show_bug.cgi?id=200221

- Overview
BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image

- Reproduce

- Kernel message
[  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
[  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
[  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
[  540.970834] ------------[ cut here ]------------
[  540.970838] kernel BUG at fs/inode.c:512!
[  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
[  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
[  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
[  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
[  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
[  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
[  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
[  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
[  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
[  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
[  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
[  541.000015] Call Trace:
[  541.000554]  f2fs_evict_inode+0x253/0x630
[  541.001381]  evict+0x16f/0x290
[  541.002015]  iput+0x280/0x300
[  541.002654]  dentry_unlink_inode+0x165/0x1e0
[  541.003528]  __dentry_kill+0x16a/0x260
[  541.004300]  dentry_kill+0x70/0x250
[  541.005018]  dput+0x154/0x1d0
[  541.005635]  do_one_tree+0x34/0x40
[  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
[  541.007285]  generic_shutdown_super+0x43/0x1c0
[  541.008192]  kill_block_super+0x52/0x80
[  541.008978]  kill_f2fs_super+0x62/0x70
[  541.009750]  deactivate_locked_super+0x6f/0xa0
[  541.010664]  deactivate_super+0x5e/0x80
[  541.011450]  cleanup_mnt+0x61/0xa0
[  541.012151]  __cleanup_mnt+0x12/0x20
[  541.012893]  task_work_run+0xc8/0xf0
[  541.013635]  exit_to_usermode_loop+0x125/0x130
[  541.014555]  do_syscall_64+0x138/0x170
[  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  541.016375] RIP: 0033:0x7f46624bf487
[  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
[  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
[  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
[  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
[  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
[  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
[  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
[  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
[  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
[  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
[  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
[  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
[  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
[  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
[  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
[  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
[  541.058506] ==================================================================
[  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
[  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305

[  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
[  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  541.066778] Call Trace:
[  541.067294]  dump_stack+0x7b/0xb5
[  541.067986]  print_address_description+0x70/0x290
[  541.068941]  kasan_report+0x291/0x390
[  541.069692]  ? update_stack_state+0x38c/0x3e0
[  541.070598]  __asan_load8+0x54/0x90
[  541.071315]  update_stack_state+0x38c/0x3e0
[  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
[  541.073340]  ? vprintk_func+0x27/0x60
[  541.074096]  ? printk+0xa3/0xd3
[  541.074762]  ? __save_stack_trace+0x5e/0x100
[  541.075634]  unwind_next_frame.part.5+0x18e/0x490
[  541.076594]  ? unwind_dump+0x290/0x290
[  541.077368]  ? __show_regs+0x2c4/0x330
[  541.078142]  __unwind_start+0x106/0x190
[  541.085422]  __save_stack_trace+0x5e/0x100
[  541.086268]  ? __save_stack_trace+0x5e/0x100
[  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
[  541.087997]  save_stack_trace+0x1f/0x30
[  541.088782]  save_stack+0x46/0xd0
[  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
[  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
[  541.091364]  ? __dec_node_state+0x24/0xb0
[  541.092180]  ? lock_page_memcg+0x85/0xf0
[  541.092979]  ? unlock_page_memcg+0x16/0x80
[  541.093812]  ? page_remove_rmap+0x198/0x520
[  541.094674]  ? mark_page_accessed+0x133/0x200
[  541.095559]  ? _cond_resched+0x1a/0x50
[  541.096326]  ? unmap_page_range+0xcd4/0xe50
[  541.097179]  ? rb_next+0x58/0x80
[  541.097845]  ? rb_next+0x58/0x80
[  541.098518]  __kasan_slab_free+0x13c/0x1a0
[  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
[  541.100184]  kasan_slab_free+0xe/0x10
[  541.100934]  kmem_cache_free+0x89/0x1e0
[  541.101724]  unlink_anon_vmas+0xba/0x2c0
[  541.102534]  free_pgtables+0x101/0x1b0
[  541.103299]  exit_mmap+0x146/0x2a0
[  541.103996]  ? __ia32_sys_munmap+0x50/0x50
[  541.104829]  ? kasan_check_read+0x11/0x20
[  541.105649]  ? mm_update_next_owner+0x322/0x380
[  541.106578]  mmput+0x8b/0x1d0
[  541.107191]  do_exit+0x43a/0x1390
[  541.107876]  ? mm_update_next_owner+0x380/0x380
[  541.108791]  ? deactivate_super+0x5e/0x80
[  541.109610]  ? cleanup_mnt+0x61/0xa0
[  541.110351]  ? __cleanup_mnt+0x12/0x20
[  541.111115]  ? task_work_run+0xc8/0xf0
[  541.111879]  ? exit_to_usermode_loop+0x125/0x130
[  541.112817]  rewind_stack_do_exit+0x17/0x20
[  541.113666] RIP: 0033:0x7f46624bf487
[  541.114404] Code: Bad RIP value.
[  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
[  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
[  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
[  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
[  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30

[  541.124061] The buggy address belongs to the page:
[  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  541.126651] flags: 0x2ffff0000000000()
[  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
[  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  541.130516] page dumped because: kasan: bad access detected

[  541.131954] Memory state around the buggy address:
[  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
[  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
[  541.137253]                                                              ^
[  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
[  541.141509] ==================================================================

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
	BUG_ON(inode->i_data.nrpages);

The root cause is root directory inode is corrupted, it has both
inline_data and inline_dentry flag, and its nlink is zero, so in
->evict(), after dropping all page cache, it grabs page #0 for inline
data truncation, result in panic in later clear_inode() where we will
check inode->i_data.nrpages value.

This patch adds inline flags check in sanity_check_inode, in addition,
do sanity check with root inode's nlink.

Reported-by Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
 fs/f2fs/inode.c | 20 ++++++++++++++++++++
 fs/f2fs/super.c |  3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 54067e456610..4cf0a05cc03e 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
 			return false;
 		}
 	}
+
+	if (f2fs_has_inline_data(inode) &&
+			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
+		set_sbi_flag(sbi, SBI_NEED_FSCK);
+		f2fs_msg(sbi->sb, KERN_WARNING,
+			"%s: inode (ino=%lx, mode=%u) should not have "
+			"inline_data, run fsck to fix",
+			__func__, inode->i_ino, inode->i_mode);
+		return false;
+	}
+
+	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
+		set_sbi_flag(sbi, SBI_NEED_FSCK);
+		f2fs_msg(sbi->sb, KERN_WARNING,
+			"%s: inode (ino=%lx, mode=%u) should not have "
+			"inline_dentry, run fsck to fix",
+			__func__, inode->i_ino, inode->i_mode);
+		return false;
+	}
+
 	return true;
 }
 
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 657757635306..7405762d2bc9 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
 		err = PTR_ERR(root);
 		goto free_stats;
 	}
-	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
+	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
+			!root->i_size || !root->i_nlink) {
 		iput(root);
 		err = -EINVAL;
 		goto free_stats;
-- 
2.18.0.rc1

[PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Chao Yu]

https://bugzilla.kernel.org/show_bug.cgi?id=200221

- Overview
BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image

- Reproduce

- Kernel message
[  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
[  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
[  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
[  540.970834] ------------[ cut here ]------------
[  540.970838] kernel BUG at fs/inode.c:512!
[  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
[  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
[  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
[  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
[  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
[  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
[  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
[  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
[  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
[  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
[  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
[  541.000015] Call Trace:
[  541.000554]  f2fs_evict_inode+0x253/0x630
[  541.001381]  evict+0x16f/0x290
[  541.002015]  iput+0x280/0x300
[  541.002654]  dentry_unlink_inode+0x165/0x1e0
[  541.003528]  __dentry_kill+0x16a/0x260
[  541.004300]  dentry_kill+0x70/0x250
[  541.005018]  dput+0x154/0x1d0
[  541.005635]  do_one_tree+0x34/0x40
[  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
[  541.007285]  generic_shutdown_super+0x43/0x1c0
[  541.008192]  kill_block_super+0x52/0x80
[  541.008978]  kill_f2fs_super+0x62/0x70
[  541.009750]  deactivate_locked_super+0x6f/0xa0
[  541.010664]  deactivate_super+0x5e/0x80
[  541.011450]  cleanup_mnt+0x61/0xa0
[  541.012151]  __cleanup_mnt+0x12/0x20
[  541.012893]  task_work_run+0xc8/0xf0
[  541.013635]  exit_to_usermode_loop+0x125/0x130
[  541.014555]  do_syscall_64+0x138/0x170
[  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  541.016375] RIP: 0033:0x7f46624bf487
[  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
[  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
[  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
[  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
[  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
[  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
[  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
[  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
[  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
[  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
[  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
[  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
[  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
[  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
[  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
[  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
[  541.058506] ==================================================================
[  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
[  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305

[  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
[  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  541.066778] Call Trace:
[  541.067294]  dump_stack+0x7b/0xb5
[  541.067986]  print_address_description+0x70/0x290
[  541.068941]  kasan_report+0x291/0x390
[  541.069692]  ? update_stack_state+0x38c/0x3e0
[  541.070598]  __asan_load8+0x54/0x90
[  541.071315]  update_stack_state+0x38c/0x3e0
[  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
[  541.073340]  ? vprintk_func+0x27/0x60
[  541.074096]  ? printk+0xa3/0xd3
[  541.074762]  ? __save_stack_trace+0x5e/0x100
[  541.075634]  unwind_next_frame.part.5+0x18e/0x490
[  541.076594]  ? unwind_dump+0x290/0x290
[  541.077368]  ? __show_regs+0x2c4/0x330
[  541.078142]  __unwind_start+0x106/0x190
[  541.085422]  __save_stack_trace+0x5e/0x100
[  541.086268]  ? __save_stack_trace+0x5e/0x100
[  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
[  541.087997]  save_stack_trace+0x1f/0x30
[  541.088782]  save_stack+0x46/0xd0
[  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
[  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
[  541.091364]  ? __dec_node_state+0x24/0xb0
[  541.092180]  ? lock_page_memcg+0x85/0xf0
[  541.092979]  ? unlock_page_memcg+0x16/0x80
[  541.093812]  ? page_remove_rmap+0x198/0x520
[  541.094674]  ? mark_page_accessed+0x133/0x200
[  541.095559]  ? _cond_resched+0x1a/0x50
[  541.096326]  ? unmap_page_range+0xcd4/0xe50
[  541.097179]  ? rb_next+0x58/0x80
[  541.097845]  ? rb_next+0x58/0x80
[  541.098518]  __kasan_slab_free+0x13c/0x1a0
[  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
[  541.100184]  kasan_slab_free+0xe/0x10
[  541.100934]  kmem_cache_free+0x89/0x1e0
[  541.101724]  unlink_anon_vmas+0xba/0x2c0
[  541.102534]  free_pgtables+0x101/0x1b0
[  541.103299]  exit_mmap+0x146/0x2a0
[  541.103996]  ? __ia32_sys_munmap+0x50/0x50
[  541.104829]  ? kasan_check_read+0x11/0x20
[  541.105649]  ? mm_update_next_owner+0x322/0x380
[  541.106578]  mmput+0x8b/0x1d0
[  541.107191]  do_exit+0x43a/0x1390
[  541.107876]  ? mm_update_next_owner+0x380/0x380
[  541.108791]  ? deactivate_super+0x5e/0x80
[  541.109610]  ? cleanup_mnt+0x61/0xa0
[  541.110351]  ? __cleanup_mnt+0x12/0x20
[  541.111115]  ? task_work_run+0xc8/0xf0
[  541.111879]  ? exit_to_usermode_loop+0x125/0x130
[  541.112817]  rewind_stack_do_exit+0x17/0x20
[  541.113666] RIP: 0033:0x7f46624bf487
[  541.114404] Code: Bad RIP value.
[  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
[  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
[  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
[  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
[  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30

[  541.124061] The buggy address belongs to the page:
[  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  541.126651] flags: 0x2ffff0000000000()
[  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
[  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  541.130516] page dumped because: kasan: bad access detected

[  541.131954] Memory state around the buggy address:
[  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
[  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
[  541.137253]                                                              ^
[  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
[  541.141509] ==================================================================

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
	BUG_ON(inode->i_data.nrpages);

The root cause is root directory inode is corrupted, it has both
inline_data and inline_dentry flag, and its nlink is zero, so in
->evict(), after dropping all page cache, it grabs page #0 for inline
data truncation, result in panic in later clear_inode() where we will
check inode->i_data.nrpages value.

This patch adds inline flags check in sanity_check_inode, in addition,
do sanity check with root inode's nlink.

Reported-by Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
 fs/f2fs/inode.c | 20 ++++++++++++++++++++
 fs/f2fs/super.c |  3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 54067e456610..4cf0a05cc03e 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
 			return false;
 		}
 	}
+
+	if (f2fs_has_inline_data(inode) &&
+			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
+		set_sbi_flag(sbi, SBI_NEED_FSCK);
+		f2fs_msg(sbi->sb, KERN_WARNING,
+			"%s: inode (ino=%lx, mode=%u) should not have "
+			"inline_data, run fsck to fix",
+			__func__, inode->i_ino, inode->i_mode);
+		return false;
+	}
+
+	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
+		set_sbi_flag(sbi, SBI_NEED_FSCK);
+		f2fs_msg(sbi->sb, KERN_WARNING,
+			"%s: inode (ino=%lx, mode=%u) should not have "
+			"inline_dentry, run fsck to fix",
+			__func__, inode->i_ino, inode->i_mode);
+		return false;
+	}
+
 	return true;
 }
 
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 657757635306..7405762d2bc9 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
 		err = PTR_ERR(root);
 		goto free_stats;
 	}
-	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
+	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
+			!root->i_size || !root->i_nlink) {
 		iput(root);
 		err = -EINVAL;
 		goto free_stats;
-- 
2.18.0.rc1


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

答复: [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent

[Liuxue (Alice, Euler Dept seven)]

Subject: [f2fs-dev] [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent
Date: Thu, 28 Jun 2018 18:25:58 +0800
From: Chao Yu <yuchao0@huawei.com>
To: jaegeuk@kernel.org
CC: linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net

If segment type in SSA and SIT is inconsistent, we will encounter below BUG_ON during GC, to avoid this panic, let's just skip doing GC on such segment.

The bug is triggered with image reported in below link:

https://bugzilla.kernel.org/show_bug.cgi?id=200223

[  388.060262] ------------[ cut here ]------------ [  388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
[  388.061172] invalid opcode: 0000 [#1] SMP [  388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
[  388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G           O    4.13.0-rc1+ #26
[  388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015 [  388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000 [  388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs] [  388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202 [  388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0 [  388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0 [  388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc [  388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018 [  388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000 [  388.076687] FS:  0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000 [  388.083277] CS:  0010 DS: 0000 E
 S: 0000 CR0: 0000000080050033 [  388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0 [  388.085748] Call Trace:
[  388.086690]  ? find_next_bit+0xb/0x10 [  388.088091]  f2fs_gc+0x1a8/0x9d0 [f2fs] [  388.088888]  ? lock_timer_base+0x7d/0xa0 [  388.090213]  ? try_to_del_timer_sync+0x44/0x60 [  388.091698]  gc_thread_func+0x342/0x4b0 [f2fs] [  388.092892]  ? wait_woken+0x80/0x80 [  388.094098]  kthread+0x109/0x140 [  388.095010]  ? f2fs_gc+0x9d0/0x9d0 [f2fs] [  388.096043]  ? kthread_park+0x60/0x60 [  388.097281]  ret_from_fork+0x25/0x30 [  388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 [  388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68 [  388.101810] ---[ end trace 81c73d6e6b7da61d ]---

Signed-off-by: Chao Yu <yuchao0@huawei.com>
---
 fs/f2fs/gc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index da2a71eb7ee2..f3a0e2f62ce6 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -986,7 +986,12 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
 			goto next;
  		sum = page_address(sum_page);
-		f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer)));
+		if (type != GET_SUM_TYPE((&sum->footer))) {
+			f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) "
+				"type [%d, %d] in SSA and SIT",
+				segno, type, GET_SUM_TYPE((&sum->footer)));

SBI_NEED_FSCK may be writed for checking disk.


+			goto next;
+		}
  		/*
 		 * this is to avoid deadlock:
--
2.18.0.rc1


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

.


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Re: 答复: [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent

[Chao Yu]

Hi Xue,

On 2018/7/4 18:46, Liuxue (Alice, Euler Dept seven) wrote:
> Subject: [f2fs-dev] [PATCH 1/2] f2fs: fix to skip GC if type in SSA and SIT is inconsistent
> Date: Thu, 28 Jun 2018 18:25:58 +0800
> From: Chao Yu <yuchao0@huawei.com>
> To: jaegeuk@kernel.org
> CC: linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net
> 
> If segment type in SSA and SIT is inconsistent, we will encounter below BUG_ON during GC, to avoid this panic, let's just skip doing GC on such segment.
> 
> The bug is triggered with image reported in below link:
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=200223
> 
> [  388.060262] ------------[ cut here ]------------ [  388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989!
> [  388.061172] invalid opcode: 0000 [#1] SMP [  388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy
> [  388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G           O    4.13.0-rc1+ #26
> [  388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015 [  388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000 [  388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs] [  388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202 [  388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0 [  388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0 [  388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc [  388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018 [  388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000 [  388.076687] FS:  0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000 [  388.083277] CS:  0010 DS: 0000
  ES: 0000 CR0: 0000000080050033 [  388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0 [  388.085748] Call Trace:
> [  388.086690]  ? find_next_bit+0xb/0x10 [  388.088091]  f2fs_gc+0x1a8/0x9d0 [f2fs] [  388.088888]  ? lock_timer_base+0x7d/0xa0 [  388.090213]  ? try_to_del_timer_sync+0x44/0x60 [  388.091698]  gc_thread_func+0x342/0x4b0 [f2fs] [  388.092892]  ? wait_woken+0x80/0x80 [  388.094098]  kthread+0x109/0x140 [  388.095010]  ? f2fs_gc+0x9d0/0x9d0 [f2fs] [  388.096043]  ? kthread_park+0x60/0x60 [  388.097281]  ret_from_fork+0x25/0x30 [  388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 [  388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68 [  388.101810] ---[ end trace 81c73d6e6b7da61d ]---
> 
> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> ---
>  fs/f2fs/gc.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index da2a71eb7ee2..f3a0e2f62ce6 100644
> --- a/fs/f2fs/gc.c
> +++ b/fs/f2fs/gc.c
> @@ -986,7 +986,12 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
>  			goto next;
>   		sum = page_address(sum_page);
> -		f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer)));
> +		if (type != GET_SUM_TYPE((&sum->footer))) {
> +			f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) "
> +				"type [%d, %d] in SSA and SIT",
> +				segno, type, GET_SUM_TYPE((&sum->footer)));
> 
> SBI_NEED_FSCK may be writed for checking disk.

Agreed, let me update the patch. :)

Thanks,

> 
> 
> +			goto next;
> +		}
>   		/*
>  		 * this is to avoid deadlock:
> --
> 2.18.0.rc1
> 
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
> 
> .
> 
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
> 

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Jaegeuk Kim]

Hi Chao,

I'm hitting some messages below during fault injection test. I'll dig in the
issue later, but meanwhile could you review this patch again?

Thanks,

On 06/28, Chao Yu wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=200221
> 
> - Overview
> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
> 
> - Reproduce
> 
> - Kernel message
> [  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> [  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> [  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> [  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> [  540.970834] ------------[ cut here ]------------
> [  540.970838] kernel BUG at fs/inode.c:512!
> [  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> [  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> [  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> [  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> [  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> [  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> [  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> [  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> [  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> [  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> [  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> [  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> [  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> [  541.000015] Call Trace:
> [  541.000554]  f2fs_evict_inode+0x253/0x630
> [  541.001381]  evict+0x16f/0x290
> [  541.002015]  iput+0x280/0x300
> [  541.002654]  dentry_unlink_inode+0x165/0x1e0
> [  541.003528]  __dentry_kill+0x16a/0x260
> [  541.004300]  dentry_kill+0x70/0x250
> [  541.005018]  dput+0x154/0x1d0
> [  541.005635]  do_one_tree+0x34/0x40
> [  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
> [  541.007285]  generic_shutdown_super+0x43/0x1c0
> [  541.008192]  kill_block_super+0x52/0x80
> [  541.008978]  kill_f2fs_super+0x62/0x70
> [  541.009750]  deactivate_locked_super+0x6f/0xa0
> [  541.010664]  deactivate_super+0x5e/0x80
> [  541.011450]  cleanup_mnt+0x61/0xa0
> [  541.012151]  __cleanup_mnt+0x12/0x20
> [  541.012893]  task_work_run+0xc8/0xf0
> [  541.013635]  exit_to_usermode_loop+0x125/0x130
> [  541.014555]  do_syscall_64+0x138/0x170
> [  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [  541.016375] RIP: 0033:0x7f46624bf487
> [  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> [  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> [  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> [  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> [  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> [  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> [  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> [  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> [  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> [  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> [  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> [  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> [  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> [  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> [  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> [  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> [  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> [  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> [  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> [  541.058506] ==================================================================
> [  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> [  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
> 
> [  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
> [  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> [  541.066778] Call Trace:
> [  541.067294]  dump_stack+0x7b/0xb5
> [  541.067986]  print_address_description+0x70/0x290
> [  541.068941]  kasan_report+0x291/0x390
> [  541.069692]  ? update_stack_state+0x38c/0x3e0
> [  541.070598]  __asan_load8+0x54/0x90
> [  541.071315]  update_stack_state+0x38c/0x3e0
> [  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
> [  541.073340]  ? vprintk_func+0x27/0x60
> [  541.074096]  ? printk+0xa3/0xd3
> [  541.074762]  ? __save_stack_trace+0x5e/0x100
> [  541.075634]  unwind_next_frame.part.5+0x18e/0x490
> [  541.076594]  ? unwind_dump+0x290/0x290
> [  541.077368]  ? __show_regs+0x2c4/0x330
> [  541.078142]  __unwind_start+0x106/0x190
> [  541.085422]  __save_stack_trace+0x5e/0x100
> [  541.086268]  ? __save_stack_trace+0x5e/0x100
> [  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
> [  541.087997]  save_stack_trace+0x1f/0x30
> [  541.088782]  save_stack+0x46/0xd0
> [  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
> [  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
> [  541.091364]  ? __dec_node_state+0x24/0xb0
> [  541.092180]  ? lock_page_memcg+0x85/0xf0
> [  541.092979]  ? unlock_page_memcg+0x16/0x80
> [  541.093812]  ? page_remove_rmap+0x198/0x520
> [  541.094674]  ? mark_page_accessed+0x133/0x200
> [  541.095559]  ? _cond_resched+0x1a/0x50
> [  541.096326]  ? unmap_page_range+0xcd4/0xe50
> [  541.097179]  ? rb_next+0x58/0x80
> [  541.097845]  ? rb_next+0x58/0x80
> [  541.098518]  __kasan_slab_free+0x13c/0x1a0
> [  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
> [  541.100184]  kasan_slab_free+0xe/0x10
> [  541.100934]  kmem_cache_free+0x89/0x1e0
> [  541.101724]  unlink_anon_vmas+0xba/0x2c0
> [  541.102534]  free_pgtables+0x101/0x1b0
> [  541.103299]  exit_mmap+0x146/0x2a0
> [  541.103996]  ? __ia32_sys_munmap+0x50/0x50
> [  541.104829]  ? kasan_check_read+0x11/0x20
> [  541.105649]  ? mm_update_next_owner+0x322/0x380
> [  541.106578]  mmput+0x8b/0x1d0
> [  541.107191]  do_exit+0x43a/0x1390
> [  541.107876]  ? mm_update_next_owner+0x380/0x380
> [  541.108791]  ? deactivate_super+0x5e/0x80
> [  541.109610]  ? cleanup_mnt+0x61/0xa0
> [  541.110351]  ? __cleanup_mnt+0x12/0x20
> [  541.111115]  ? task_work_run+0xc8/0xf0
> [  541.111879]  ? exit_to_usermode_loop+0x125/0x130
> [  541.112817]  rewind_stack_do_exit+0x17/0x20
> [  541.113666] RIP: 0033:0x7f46624bf487
> [  541.114404] Code: Bad RIP value.
> [  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> [  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> [  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> [  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> [  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> [  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> 
> [  541.124061] The buggy address belongs to the page:
> [  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> [  541.126651] flags: 0x2ffff0000000000()
> [  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> [  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> [  541.130516] page dumped because: kasan: bad access detected
> 
> [  541.131954] Memory state around the buggy address:
> [  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> [  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> [  541.137253]                                                              ^
> [  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> [  541.141509] ==================================================================
> 
> - Location
> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> 	BUG_ON(inode->i_data.nrpages);
> 
> The root cause is root directory inode is corrupted, it has both
> inline_data and inline_dentry flag, and its nlink is zero, so in
> ->evict(), after dropping all page cache, it grabs page #0 for inline
> data truncation, result in panic in later clear_inode() where we will
> check inode->i_data.nrpages value.
> 
> This patch adds inline flags check in sanity_check_inode, in addition,
> do sanity check with root inode's nlink.
> 
> Reported-by Wen Xu <wen.xu@gatech.edu>
> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> ---
>  fs/f2fs/inode.c | 20 ++++++++++++++++++++
>  fs/f2fs/super.c |  3 ++-
>  2 files changed, 22 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> index 54067e456610..4cf0a05cc03e 100644
> --- a/fs/f2fs/inode.c
> +++ b/fs/f2fs/inode.c
> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
>  			return false;
>  		}
>  	}
> +
> +	if (f2fs_has_inline_data(inode) &&
> +			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> +		f2fs_msg(sbi->sb, KERN_WARNING,
> +			"%s: inode (ino=%lx, mode=%u) should not have "
> +			"inline_data, run fsck to fix",
> +			__func__, inode->i_ino, inode->i_mode);
> +		return false;
> +	}
> +
> +	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> +		f2fs_msg(sbi->sb, KERN_WARNING,
> +			"%s: inode (ino=%lx, mode=%u) should not have "
> +			"inline_dentry, run fsck to fix",
> +			__func__, inode->i_ino, inode->i_mode);
> +		return false;
> +	}
> +
>  	return true;
>  }
>  
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index 657757635306..7405762d2bc9 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>  		err = PTR_ERR(root);
>  		goto free_stats;
>  	}
> -	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> +	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> +			!root->i_size || !root->i_nlink) {
>  		iput(root);
>  		err = -EINVAL;
>  		goto free_stats;
> -- 
> 2.18.0.rc1

Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Chao Yu]

Hi Jaegeuk,

On 2018/7/7 9:12, Jaegeuk Kim wrote:
> Hi Chao,
> 
> I'm hitting some messages below during fault injection test. I'll dig in the
> issue later, but meanwhile could you review this patch again?

Oh, okay, let me check this patch again.

Thanks,

> 
> Thanks,
> 
> On 06/28, Chao Yu wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=200221
>>
>> - Overview
>> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
>>
>> - Reproduce
>>
>> - Kernel message
>> [  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
>> [  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
>> [  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
>> [  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
>> [  540.970834] ------------[ cut here ]------------
>> [  540.970838] kernel BUG at fs/inode.c:512!
>> [  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
>> [  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
>> [  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
>> [  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [  541.000015] Call Trace:
>> [  541.000554]  f2fs_evict_inode+0x253/0x630
>> [  541.001381]  evict+0x16f/0x290
>> [  541.002015]  iput+0x280/0x300
>> [  541.002654]  dentry_unlink_inode+0x165/0x1e0
>> [  541.003528]  __dentry_kill+0x16a/0x260
>> [  541.004300]  dentry_kill+0x70/0x250
>> [  541.005018]  dput+0x154/0x1d0
>> [  541.005635]  do_one_tree+0x34/0x40
>> [  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
>> [  541.007285]  generic_shutdown_super+0x43/0x1c0
>> [  541.008192]  kill_block_super+0x52/0x80
>> [  541.008978]  kill_f2fs_super+0x62/0x70
>> [  541.009750]  deactivate_locked_super+0x6f/0xa0
>> [  541.010664]  deactivate_super+0x5e/0x80
>> [  541.011450]  cleanup_mnt+0x61/0xa0
>> [  541.012151]  __cleanup_mnt+0x12/0x20
>> [  541.012893]  task_work_run+0xc8/0xf0
>> [  541.013635]  exit_to_usermode_loop+0x125/0x130
>> [  541.014555]  do_syscall_64+0x138/0x170
>> [  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [  541.016375] RIP: 0033:0x7f46624bf487
>> [  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
>> [  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>> [  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
>> [  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
>> [  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
>> [  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [  541.058506] ==================================================================
>> [  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
>> [  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
>>
>> [  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
>> [  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [  541.066778] Call Trace:
>> [  541.067294]  dump_stack+0x7b/0xb5
>> [  541.067986]  print_address_description+0x70/0x290
>> [  541.068941]  kasan_report+0x291/0x390
>> [  541.069692]  ? update_stack_state+0x38c/0x3e0
>> [  541.070598]  __asan_load8+0x54/0x90
>> [  541.071315]  update_stack_state+0x38c/0x3e0
>> [  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
>> [  541.073340]  ? vprintk_func+0x27/0x60
>> [  541.074096]  ? printk+0xa3/0xd3
>> [  541.074762]  ? __save_stack_trace+0x5e/0x100
>> [  541.075634]  unwind_next_frame.part.5+0x18e/0x490
>> [  541.076594]  ? unwind_dump+0x290/0x290
>> [  541.077368]  ? __show_regs+0x2c4/0x330
>> [  541.078142]  __unwind_start+0x106/0x190
>> [  541.085422]  __save_stack_trace+0x5e/0x100
>> [  541.086268]  ? __save_stack_trace+0x5e/0x100
>> [  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
>> [  541.087997]  save_stack_trace+0x1f/0x30
>> [  541.088782]  save_stack+0x46/0xd0
>> [  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
>> [  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
>> [  541.091364]  ? __dec_node_state+0x24/0xb0
>> [  541.092180]  ? lock_page_memcg+0x85/0xf0
>> [  541.092979]  ? unlock_page_memcg+0x16/0x80
>> [  541.093812]  ? page_remove_rmap+0x198/0x520
>> [  541.094674]  ? mark_page_accessed+0x133/0x200
>> [  541.095559]  ? _cond_resched+0x1a/0x50
>> [  541.096326]  ? unmap_page_range+0xcd4/0xe50
>> [  541.097179]  ? rb_next+0x58/0x80
>> [  541.097845]  ? rb_next+0x58/0x80
>> [  541.098518]  __kasan_slab_free+0x13c/0x1a0
>> [  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
>> [  541.100184]  kasan_slab_free+0xe/0x10
>> [  541.100934]  kmem_cache_free+0x89/0x1e0
>> [  541.101724]  unlink_anon_vmas+0xba/0x2c0
>> [  541.102534]  free_pgtables+0x101/0x1b0
>> [  541.103299]  exit_mmap+0x146/0x2a0
>> [  541.103996]  ? __ia32_sys_munmap+0x50/0x50
>> [  541.104829]  ? kasan_check_read+0x11/0x20
>> [  541.105649]  ? mm_update_next_owner+0x322/0x380
>> [  541.106578]  mmput+0x8b/0x1d0
>> [  541.107191]  do_exit+0x43a/0x1390
>> [  541.107876]  ? mm_update_next_owner+0x380/0x380
>> [  541.108791]  ? deactivate_super+0x5e/0x80
>> [  541.109610]  ? cleanup_mnt+0x61/0xa0
>> [  541.110351]  ? __cleanup_mnt+0x12/0x20
>> [  541.111115]  ? task_work_run+0xc8/0xf0
>> [  541.111879]  ? exit_to_usermode_loop+0x125/0x130
>> [  541.112817]  rewind_stack_do_exit+0x17/0x20
>> [  541.113666] RIP: 0033:0x7f46624bf487
>> [  541.114404] Code: Bad RIP value.
>> [  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>>
>> [  541.124061] The buggy address belongs to the page:
>> [  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
>> [  541.126651] flags: 0x2ffff0000000000()
>> [  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
>> [  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
>> [  541.130516] page dumped because: kasan: bad access detected
>>
>> [  541.131954] Memory state around the buggy address:
>> [  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
>> [  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
>> [  541.137253]                                                              ^
>> [  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
>> [  541.141509] ==================================================================
>>
>> - Location
>> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
>> 	BUG_ON(inode->i_data.nrpages);
>>
>> The root cause is root directory inode is corrupted, it has both
>> inline_data and inline_dentry flag, and its nlink is zero, so in
>> ->evict(), after dropping all page cache, it grabs page #0 for inline
>> data truncation, result in panic in later clear_inode() where we will
>> check inode->i_data.nrpages value.
>>
>> This patch adds inline flags check in sanity_check_inode, in addition,
>> do sanity check with root inode's nlink.
>>
>> Reported-by Wen Xu <wen.xu@gatech.edu>
>> Signed-off-by: Chao Yu <yuchao0@huawei.com>
>> ---
>>  fs/f2fs/inode.c | 20 ++++++++++++++++++++
>>  fs/f2fs/super.c |  3 ++-
>>  2 files changed, 22 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
>> index 54067e456610..4cf0a05cc03e 100644
>> --- a/fs/f2fs/inode.c
>> +++ b/fs/f2fs/inode.c
>> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
>>  			return false;
>>  		}
>>  	}
>> +
>> +	if (f2fs_has_inline_data(inode) &&
>> +			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
>> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
>> +		f2fs_msg(sbi->sb, KERN_WARNING,
>> +			"%s: inode (ino=%lx, mode=%u) should not have "
>> +			"inline_data, run fsck to fix",
>> +			__func__, inode->i_ino, inode->i_mode);
>> +		return false;
>> +	}
>> +
>> +	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
>> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
>> +		f2fs_msg(sbi->sb, KERN_WARNING,
>> +			"%s: inode (ino=%lx, mode=%u) should not have "
>> +			"inline_dentry, run fsck to fix",
>> +			__func__, inode->i_ino, inode->i_mode);
>> +		return false;
>> +	}
>> +
>>  	return true;
>>  }
>>  
>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>> index 657757635306..7405762d2bc9 100644
>> --- a/fs/f2fs/super.c
>> +++ b/fs/f2fs/super.c
>> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>  		err = PTR_ERR(root);
>>  		goto free_stats;
>>  	}
>> -	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
>> +	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
>> +			!root->i_size || !root->i_nlink) {
>>  		iput(root);
>>  		err = -EINVAL;
>>  		goto free_stats;
>> -- 
>> 2.18.0.rc1

Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Chao Yu]

Hi Jaegeuk,

On 2018/7/7 9:12, Jaegeuk Kim wrote:
> Hi Chao,
> 
> I'm hitting some messages below during fault injection test. I'll dig in the
> issue later, but meanwhile could you review this patch again?

You hit message like below call stack instead of the log I added in
sanity_check_inode(), right?

kernel BUG at fs/inode.c:512!
f2fs_evict_inode+0x253/0x630
evict+0x16f/0x290
iput+0x280/0x300

I can't reproduce this issue with fault injection test, could you still
reproduce this?

Thanks,

> 
> Thanks,
> 
> On 06/28, Chao Yu wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=200221
>>
>> - Overview
>> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
>>
>> - Reproduce
>>
>> - Kernel message
>> [  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
>> [  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
>> [  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
>> [  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
>> [  540.970834] ------------[ cut here ]------------
>> [  540.970838] kernel BUG at fs/inode.c:512!
>> [  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
>> [  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
>> [  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
>> [  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [  541.000015] Call Trace:
>> [  541.000554]  f2fs_evict_inode+0x253/0x630
>> [  541.001381]  evict+0x16f/0x290
>> [  541.002015]  iput+0x280/0x300
>> [  541.002654]  dentry_unlink_inode+0x165/0x1e0
>> [  541.003528]  __dentry_kill+0x16a/0x260
>> [  541.004300]  dentry_kill+0x70/0x250
>> [  541.005018]  dput+0x154/0x1d0
>> [  541.005635]  do_one_tree+0x34/0x40
>> [  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
>> [  541.007285]  generic_shutdown_super+0x43/0x1c0
>> [  541.008192]  kill_block_super+0x52/0x80
>> [  541.008978]  kill_f2fs_super+0x62/0x70
>> [  541.009750]  deactivate_locked_super+0x6f/0xa0
>> [  541.010664]  deactivate_super+0x5e/0x80
>> [  541.011450]  cleanup_mnt+0x61/0xa0
>> [  541.012151]  __cleanup_mnt+0x12/0x20
>> [  541.012893]  task_work_run+0xc8/0xf0
>> [  541.013635]  exit_to_usermode_loop+0x125/0x130
>> [  541.014555]  do_syscall_64+0x138/0x170
>> [  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [  541.016375] RIP: 0033:0x7f46624bf487
>> [  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
>> [  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>> [  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
>> [  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
>> [  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
>> [  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [  541.058506] ==================================================================
>> [  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
>> [  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
>>
>> [  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
>> [  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [  541.066778] Call Trace:
>> [  541.067294]  dump_stack+0x7b/0xb5
>> [  541.067986]  print_address_description+0x70/0x290
>> [  541.068941]  kasan_report+0x291/0x390
>> [  541.069692]  ? update_stack_state+0x38c/0x3e0
>> [  541.070598]  __asan_load8+0x54/0x90
>> [  541.071315]  update_stack_state+0x38c/0x3e0
>> [  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
>> [  541.073340]  ? vprintk_func+0x27/0x60
>> [  541.074096]  ? printk+0xa3/0xd3
>> [  541.074762]  ? __save_stack_trace+0x5e/0x100
>> [  541.075634]  unwind_next_frame.part.5+0x18e/0x490
>> [  541.076594]  ? unwind_dump+0x290/0x290
>> [  541.077368]  ? __show_regs+0x2c4/0x330
>> [  541.078142]  __unwind_start+0x106/0x190
>> [  541.085422]  __save_stack_trace+0x5e/0x100
>> [  541.086268]  ? __save_stack_trace+0x5e/0x100
>> [  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
>> [  541.087997]  save_stack_trace+0x1f/0x30
>> [  541.088782]  save_stack+0x46/0xd0
>> [  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
>> [  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
>> [  541.091364]  ? __dec_node_state+0x24/0xb0
>> [  541.092180]  ? lock_page_memcg+0x85/0xf0
>> [  541.092979]  ? unlock_page_memcg+0x16/0x80
>> [  541.093812]  ? page_remove_rmap+0x198/0x520
>> [  541.094674]  ? mark_page_accessed+0x133/0x200
>> [  541.095559]  ? _cond_resched+0x1a/0x50
>> [  541.096326]  ? unmap_page_range+0xcd4/0xe50
>> [  541.097179]  ? rb_next+0x58/0x80
>> [  541.097845]  ? rb_next+0x58/0x80
>> [  541.098518]  __kasan_slab_free+0x13c/0x1a0
>> [  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
>> [  541.100184]  kasan_slab_free+0xe/0x10
>> [  541.100934]  kmem_cache_free+0x89/0x1e0
>> [  541.101724]  unlink_anon_vmas+0xba/0x2c0
>> [  541.102534]  free_pgtables+0x101/0x1b0
>> [  541.103299]  exit_mmap+0x146/0x2a0
>> [  541.103996]  ? __ia32_sys_munmap+0x50/0x50
>> [  541.104829]  ? kasan_check_read+0x11/0x20
>> [  541.105649]  ? mm_update_next_owner+0x322/0x380
>> [  541.106578]  mmput+0x8b/0x1d0
>> [  541.107191]  do_exit+0x43a/0x1390
>> [  541.107876]  ? mm_update_next_owner+0x380/0x380
>> [  541.108791]  ? deactivate_super+0x5e/0x80
>> [  541.109610]  ? cleanup_mnt+0x61/0xa0
>> [  541.110351]  ? __cleanup_mnt+0x12/0x20
>> [  541.111115]  ? task_work_run+0xc8/0xf0
>> [  541.111879]  ? exit_to_usermode_loop+0x125/0x130
>> [  541.112817]  rewind_stack_do_exit+0x17/0x20
>> [  541.113666] RIP: 0033:0x7f46624bf487
>> [  541.114404] Code: Bad RIP value.
>> [  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>>
>> [  541.124061] The buggy address belongs to the page:
>> [  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
>> [  541.126651] flags: 0x2ffff0000000000()
>> [  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
>> [  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
>> [  541.130516] page dumped because: kasan: bad access detected
>>
>> [  541.131954] Memory state around the buggy address:
>> [  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
>> [  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
>> [  541.137253]                                                              ^
>> [  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
>> [  541.141509] ==================================================================
>>
>> - Location
>> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
>> 	BUG_ON(inode->i_data.nrpages);
>>
>> The root cause is root directory inode is corrupted, it has both
>> inline_data and inline_dentry flag, and its nlink is zero, so in
>> ->evict(), after dropping all page cache, it grabs page #0 for inline
>> data truncation, result in panic in later clear_inode() where we will
>> check inode->i_data.nrpages value.
>>
>> This patch adds inline flags check in sanity_check_inode, in addition,
>> do sanity check with root inode's nlink.
>>
>> Reported-by Wen Xu <wen.xu@gatech.edu>
>> Signed-off-by: Chao Yu <yuchao0@huawei.com>
>> ---
>>  fs/f2fs/inode.c | 20 ++++++++++++++++++++
>>  fs/f2fs/super.c |  3 ++-
>>  2 files changed, 22 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
>> index 54067e456610..4cf0a05cc03e 100644
>> --- a/fs/f2fs/inode.c
>> +++ b/fs/f2fs/inode.c
>> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
>>  			return false;
>>  		}
>>  	}
>> +
>> +	if (f2fs_has_inline_data(inode) &&
>> +			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
>> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
>> +		f2fs_msg(sbi->sb, KERN_WARNING,
>> +			"%s: inode (ino=%lx, mode=%u) should not have "
>> +			"inline_data, run fsck to fix",
>> +			__func__, inode->i_ino, inode->i_mode);
>> +		return false;
>> +	}
>> +
>> +	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
>> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
>> +		f2fs_msg(sbi->sb, KERN_WARNING,
>> +			"%s: inode (ino=%lx, mode=%u) should not have "
>> +			"inline_dentry, run fsck to fix",
>> +			__func__, inode->i_ino, inode->i_mode);
>> +		return false;
>> +	}
>> +
>>  	return true;
>>  }
>>  
>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>> index 657757635306..7405762d2bc9 100644
>> --- a/fs/f2fs/super.c
>> +++ b/fs/f2fs/super.c
>> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>  		err = PTR_ERR(root);
>>  		goto free_stats;
>>  	}
>> -	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
>> +	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
>> +			!root->i_size || !root->i_nlink) {
>>  		iput(root);
>>  		err = -EINVAL;
>>  		goto free_stats;
>> -- 
>> 2.18.0.rc1

Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Chao Yu]

Hi Jaegeuk,

On 2018/7/7 9:12, Jaegeuk Kim wrote:
> Hi Chao,
> 
> I'm hitting some messages below during fault injection test. I'll dig in the
> issue later, but meanwhile could you review this patch again?

You hit message like below call stack instead of the log I added in
sanity_check_inode(), right?

kernel BUG at fs/inode.c:512!
f2fs_evict_inode+0x253/0x630
evict+0x16f/0x290
iput+0x280/0x300

I can't reproduce this issue with fault injection test, could you still
reproduce this?

Thanks,

> 
> Thanks,
> 
> On 06/28, Chao Yu wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=200221
>>
>> - Overview
>> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
>>
>> - Reproduce
>>
>> - Kernel message
>> [  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
>> [  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
>> [  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
>> [  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
>> [  540.970834] ------------[ cut here ]------------
>> [  540.970838] kernel BUG at fs/inode.c:512!
>> [  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
>> [  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
>> [  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
>> [  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [  541.000015] Call Trace:
>> [  541.000554]  f2fs_evict_inode+0x253/0x630
>> [  541.001381]  evict+0x16f/0x290
>> [  541.002015]  iput+0x280/0x300
>> [  541.002654]  dentry_unlink_inode+0x165/0x1e0
>> [  541.003528]  __dentry_kill+0x16a/0x260
>> [  541.004300]  dentry_kill+0x70/0x250
>> [  541.005018]  dput+0x154/0x1d0
>> [  541.005635]  do_one_tree+0x34/0x40
>> [  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
>> [  541.007285]  generic_shutdown_super+0x43/0x1c0
>> [  541.008192]  kill_block_super+0x52/0x80
>> [  541.008978]  kill_f2fs_super+0x62/0x70
>> [  541.009750]  deactivate_locked_super+0x6f/0xa0
>> [  541.010664]  deactivate_super+0x5e/0x80
>> [  541.011450]  cleanup_mnt+0x61/0xa0
>> [  541.012151]  __cleanup_mnt+0x12/0x20
>> [  541.012893]  task_work_run+0xc8/0xf0
>> [  541.013635]  exit_to_usermode_loop+0x125/0x130
>> [  541.014555]  do_syscall_64+0x138/0x170
>> [  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [  541.016375] RIP: 0033:0x7f46624bf487
>> [  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
>> [  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>> [  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
>> [  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
>> [  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
>> [  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
>> [  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
>> [  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
>> [  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
>> [  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
>> [  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
>> [  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
>> [  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
>> [  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
>> [  541.058506] ==================================================================
>> [  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
>> [  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
>>
>> [  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
>> [  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [  541.066778] Call Trace:
>> [  541.067294]  dump_stack+0x7b/0xb5
>> [  541.067986]  print_address_description+0x70/0x290
>> [  541.068941]  kasan_report+0x291/0x390
>> [  541.069692]  ? update_stack_state+0x38c/0x3e0
>> [  541.070598]  __asan_load8+0x54/0x90
>> [  541.071315]  update_stack_state+0x38c/0x3e0
>> [  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
>> [  541.073340]  ? vprintk_func+0x27/0x60
>> [  541.074096]  ? printk+0xa3/0xd3
>> [  541.074762]  ? __save_stack_trace+0x5e/0x100
>> [  541.075634]  unwind_next_frame.part.5+0x18e/0x490
>> [  541.076594]  ? unwind_dump+0x290/0x290
>> [  541.077368]  ? __show_regs+0x2c4/0x330
>> [  541.078142]  __unwind_start+0x106/0x190
>> [  541.085422]  __save_stack_trace+0x5e/0x100
>> [  541.086268]  ? __save_stack_trace+0x5e/0x100
>> [  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
>> [  541.087997]  save_stack_trace+0x1f/0x30
>> [  541.088782]  save_stack+0x46/0xd0
>> [  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
>> [  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
>> [  541.091364]  ? __dec_node_state+0x24/0xb0
>> [  541.092180]  ? lock_page_memcg+0x85/0xf0
>> [  541.092979]  ? unlock_page_memcg+0x16/0x80
>> [  541.093812]  ? page_remove_rmap+0x198/0x520
>> [  541.094674]  ? mark_page_accessed+0x133/0x200
>> [  541.095559]  ? _cond_resched+0x1a/0x50
>> [  541.096326]  ? unmap_page_range+0xcd4/0xe50
>> [  541.097179]  ? rb_next+0x58/0x80
>> [  541.097845]  ? rb_next+0x58/0x80
>> [  541.098518]  __kasan_slab_free+0x13c/0x1a0
>> [  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
>> [  541.100184]  kasan_slab_free+0xe/0x10
>> [  541.100934]  kmem_cache_free+0x89/0x1e0
>> [  541.101724]  unlink_anon_vmas+0xba/0x2c0
>> [  541.102534]  free_pgtables+0x101/0x1b0
>> [  541.103299]  exit_mmap+0x146/0x2a0
>> [  541.103996]  ? __ia32_sys_munmap+0x50/0x50
>> [  541.104829]  ? kasan_check_read+0x11/0x20
>> [  541.105649]  ? mm_update_next_owner+0x322/0x380
>> [  541.106578]  mmput+0x8b/0x1d0
>> [  541.107191]  do_exit+0x43a/0x1390
>> [  541.107876]  ? mm_update_next_owner+0x380/0x380
>> [  541.108791]  ? deactivate_super+0x5e/0x80
>> [  541.109610]  ? cleanup_mnt+0x61/0xa0
>> [  541.110351]  ? __cleanup_mnt+0x12/0x20
>> [  541.111115]  ? task_work_run+0xc8/0xf0
>> [  541.111879]  ? exit_to_usermode_loop+0x125/0x130
>> [  541.112817]  rewind_stack_do_exit+0x17/0x20
>> [  541.113666] RIP: 0033:0x7f46624bf487
>> [  541.114404] Code: Bad RIP value.
>> [  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
>> [  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
>> [  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
>> [  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
>> [  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
>> [  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
>>
>> [  541.124061] The buggy address belongs to the page:
>> [  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
>> [  541.126651] flags: 0x2ffff0000000000()
>> [  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
>> [  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
>> [  541.130516] page dumped because: kasan: bad access detected
>>
>> [  541.131954] Memory state around the buggy address:
>> [  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
>> [  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
>> [  541.137253]                                                              ^
>> [  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> [  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
>> [  541.141509] ==================================================================
>>
>> - Location
>> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
>> 	BUG_ON(inode->i_data.nrpages);
>>
>> The root cause is root directory inode is corrupted, it has both
>> inline_data and inline_dentry flag, and its nlink is zero, so in
>> ->evict(), after dropping all page cache, it grabs page #0 for inline
>> data truncation, result in panic in later clear_inode() where we will
>> check inode->i_data.nrpages value.
>>
>> This patch adds inline flags check in sanity_check_inode, in addition,
>> do sanity check with root inode's nlink.
>>
>> Reported-by Wen Xu <wen.xu@gatech.edu>
>> Signed-off-by: Chao Yu <yuchao0@huawei.com>
>> ---
>>  fs/f2fs/inode.c | 20 ++++++++++++++++++++
>>  fs/f2fs/super.c |  3 ++-
>>  2 files changed, 22 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
>> index 54067e456610..4cf0a05cc03e 100644
>> --- a/fs/f2fs/inode.c
>> +++ b/fs/f2fs/inode.c
>> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
>>  			return false;
>>  		}
>>  	}
>> +
>> +	if (f2fs_has_inline_data(inode) &&
>> +			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
>> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
>> +		f2fs_msg(sbi->sb, KERN_WARNING,
>> +			"%s: inode (ino=%lx, mode=%u) should not have "
>> +			"inline_data, run fsck to fix",
>> +			__func__, inode->i_ino, inode->i_mode);
>> +		return false;
>> +	}
>> +
>> +	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
>> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
>> +		f2fs_msg(sbi->sb, KERN_WARNING,
>> +			"%s: inode (ino=%lx, mode=%u) should not have "
>> +			"inline_dentry, run fsck to fix",
>> +			__func__, inode->i_ino, inode->i_mode);
>> +		return false;
>> +	}
>> +
>>  	return true;
>>  }
>>  
>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>> index 657757635306..7405762d2bc9 100644
>> --- a/fs/f2fs/super.c
>> +++ b/fs/f2fs/super.c
>> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>  		err = PTR_ERR(root);
>>  		goto free_stats;
>>  	}
>> -	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
>> +	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
>> +			!root->i_size || !root->i_nlink) {
>>  		iput(root);
>>  		err = -EINVAL;
>>  		goto free_stats;
>> -- 
>> 2.18.0.rc1

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Jaegeuk Kim]

On 07/15, Chao Yu wrote:
> Hi Jaegeuk,
> 
> On 2018/7/7 9:12, Jaegeuk Kim wrote:
> > Hi Chao,
> > 
> > I'm hitting some messages below during fault injection test. I'll dig in the
> > issue later, but meanwhile could you review this patch again?
> 
> You hit message like below call stack instead of the log I added in
> sanity_check_inode(), right?
> 
> kernel BUG at fs/inode.c:512!
> f2fs_evict_inode+0x253/0x630
> evict+0x16f/0x290
> iput+0x280/0x300
> 
> I can't reproduce this issue with fault injection test, could you still
> reproduce this?

Let me try it again. :)

> 
> Thanks,
> 
> > 
> > Thanks,
> > 
> > On 06/28, Chao Yu wrote:
> >> https://bugzilla.kernel.org/show_bug.cgi?id=200221
> >>
> >> - Overview
> >> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
> >>
> >> - Reproduce
> >>
> >> - Kernel message
> >> [  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> >> [  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> >> [  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> >> [  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> >> [  540.970834] ------------[ cut here ]------------
> >> [  540.970838] kernel BUG at fs/inode.c:512!
> >> [  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> >> [  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> >> [  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> >> [  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> >> [  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> >> [  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> >> [  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> >> [  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> >> [  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> >> [  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> >> [  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> >> [  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> >> [  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> [  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> >> [  541.000015] Call Trace:
> >> [  541.000554]  f2fs_evict_inode+0x253/0x630
> >> [  541.001381]  evict+0x16f/0x290
> >> [  541.002015]  iput+0x280/0x300
> >> [  541.002654]  dentry_unlink_inode+0x165/0x1e0
> >> [  541.003528]  __dentry_kill+0x16a/0x260
> >> [  541.004300]  dentry_kill+0x70/0x250
> >> [  541.005018]  dput+0x154/0x1d0
> >> [  541.005635]  do_one_tree+0x34/0x40
> >> [  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
> >> [  541.007285]  generic_shutdown_super+0x43/0x1c0
> >> [  541.008192]  kill_block_super+0x52/0x80
> >> [  541.008978]  kill_f2fs_super+0x62/0x70
> >> [  541.009750]  deactivate_locked_super+0x6f/0xa0
> >> [  541.010664]  deactivate_super+0x5e/0x80
> >> [  541.011450]  cleanup_mnt+0x61/0xa0
> >> [  541.012151]  __cleanup_mnt+0x12/0x20
> >> [  541.012893]  task_work_run+0xc8/0xf0
> >> [  541.013635]  exit_to_usermode_loop+0x125/0x130
> >> [  541.014555]  do_syscall_64+0x138/0x170
> >> [  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >> [  541.016375] RIP: 0033:0x7f46624bf487
> >> [  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> >> [  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> >> [  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> >> [  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> >> [  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> >> [  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> >> [  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> >> [  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> >> [  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> >> [  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> >> [  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> >> [  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> >> [  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> >> [  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> >> [  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> >> [  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> >> [  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> >> [  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> >> [  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> [  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> >> [  541.058506] ==================================================================
> >> [  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> >> [  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
> >>
> >> [  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
> >> [  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> >> [  541.066778] Call Trace:
> >> [  541.067294]  dump_stack+0x7b/0xb5
> >> [  541.067986]  print_address_description+0x70/0x290
> >> [  541.068941]  kasan_report+0x291/0x390
> >> [  541.069692]  ? update_stack_state+0x38c/0x3e0
> >> [  541.070598]  __asan_load8+0x54/0x90
> >> [  541.071315]  update_stack_state+0x38c/0x3e0
> >> [  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
> >> [  541.073340]  ? vprintk_func+0x27/0x60
> >> [  541.074096]  ? printk+0xa3/0xd3
> >> [  541.074762]  ? __save_stack_trace+0x5e/0x100
> >> [  541.075634]  unwind_next_frame.part.5+0x18e/0x490
> >> [  541.076594]  ? unwind_dump+0x290/0x290
> >> [  541.077368]  ? __show_regs+0x2c4/0x330
> >> [  541.078142]  __unwind_start+0x106/0x190
> >> [  541.085422]  __save_stack_trace+0x5e/0x100
> >> [  541.086268]  ? __save_stack_trace+0x5e/0x100
> >> [  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
> >> [  541.087997]  save_stack_trace+0x1f/0x30
> >> [  541.088782]  save_stack+0x46/0xd0
> >> [  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
> >> [  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
> >> [  541.091364]  ? __dec_node_state+0x24/0xb0
> >> [  541.092180]  ? lock_page_memcg+0x85/0xf0
> >> [  541.092979]  ? unlock_page_memcg+0x16/0x80
> >> [  541.093812]  ? page_remove_rmap+0x198/0x520
> >> [  541.094674]  ? mark_page_accessed+0x133/0x200
> >> [  541.095559]  ? _cond_resched+0x1a/0x50
> >> [  541.096326]  ? unmap_page_range+0xcd4/0xe50
> >> [  541.097179]  ? rb_next+0x58/0x80
> >> [  541.097845]  ? rb_next+0x58/0x80
> >> [  541.098518]  __kasan_slab_free+0x13c/0x1a0
> >> [  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
> >> [  541.100184]  kasan_slab_free+0xe/0x10
> >> [  541.100934]  kmem_cache_free+0x89/0x1e0
> >> [  541.101724]  unlink_anon_vmas+0xba/0x2c0
> >> [  541.102534]  free_pgtables+0x101/0x1b0
> >> [  541.103299]  exit_mmap+0x146/0x2a0
> >> [  541.103996]  ? __ia32_sys_munmap+0x50/0x50
> >> [  541.104829]  ? kasan_check_read+0x11/0x20
> >> [  541.105649]  ? mm_update_next_owner+0x322/0x380
> >> [  541.106578]  mmput+0x8b/0x1d0
> >> [  541.107191]  do_exit+0x43a/0x1390
> >> [  541.107876]  ? mm_update_next_owner+0x380/0x380
> >> [  541.108791]  ? deactivate_super+0x5e/0x80
> >> [  541.109610]  ? cleanup_mnt+0x61/0xa0
> >> [  541.110351]  ? __cleanup_mnt+0x12/0x20
> >> [  541.111115]  ? task_work_run+0xc8/0xf0
> >> [  541.111879]  ? exit_to_usermode_loop+0x125/0x130
> >> [  541.112817]  rewind_stack_do_exit+0x17/0x20
> >> [  541.113666] RIP: 0033:0x7f46624bf487
> >> [  541.114404] Code: Bad RIP value.
> >> [  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> >> [  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> >> [  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> >> [  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> >> [  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> >> [  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> >>
> >> [  541.124061] The buggy address belongs to the page:
> >> [  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> >> [  541.126651] flags: 0x2ffff0000000000()
> >> [  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> >> [  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> >> [  541.130516] page dumped because: kasan: bad access detected
> >>
> >> [  541.131954] Memory state around the buggy address:
> >> [  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> >> [  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> [  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> >> [  541.137253]                                                              ^
> >> [  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> [  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> >> [  541.141509] ==================================================================
> >>
> >> - Location
> >> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> >> 	BUG_ON(inode->i_data.nrpages);
> >>
> >> The root cause is root directory inode is corrupted, it has both
> >> inline_data and inline_dentry flag, and its nlink is zero, so in
> >> ->evict(), after dropping all page cache, it grabs page #0 for inline
> >> data truncation, result in panic in later clear_inode() where we will
> >> check inode->i_data.nrpages value.
> >>
> >> This patch adds inline flags check in sanity_check_inode, in addition,
> >> do sanity check with root inode's nlink.
> >>
> >> Reported-by Wen Xu <wen.xu@gatech.edu>
> >> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> >> ---
> >>  fs/f2fs/inode.c | 20 ++++++++++++++++++++
> >>  fs/f2fs/super.c |  3 ++-
> >>  2 files changed, 22 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> >> index 54067e456610..4cf0a05cc03e 100644
> >> --- a/fs/f2fs/inode.c
> >> +++ b/fs/f2fs/inode.c
> >> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
> >>  			return false;
> >>  		}
> >>  	}
> >> +
> >> +	if (f2fs_has_inline_data(inode) &&
> >> +			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> >> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> >> +		f2fs_msg(sbi->sb, KERN_WARNING,
> >> +			"%s: inode (ino=%lx, mode=%u) should not have "
> >> +			"inline_data, run fsck to fix",
> >> +			__func__, inode->i_ino, inode->i_mode);
> >> +		return false;
> >> +	}
> >> +
> >> +	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> >> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> >> +		f2fs_msg(sbi->sb, KERN_WARNING,
> >> +			"%s: inode (ino=%lx, mode=%u) should not have "
> >> +			"inline_dentry, run fsck to fix",
> >> +			__func__, inode->i_ino, inode->i_mode);
> >> +		return false;
> >> +	}
> >> +
> >>  	return true;
> >>  }
> >>  
> >> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> >> index 657757635306..7405762d2bc9 100644
> >> --- a/fs/f2fs/super.c
> >> +++ b/fs/f2fs/super.c
> >> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> >>  		err = PTR_ERR(root);
> >>  		goto free_stats;
> >>  	}
> >> -	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> >> +	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> >> +			!root->i_size || !root->i_nlink) {
> >>  		iput(root);
> >>  		err = -EINVAL;
> >>  		goto free_stats;
> >> -- 
> >> 2.18.0.rc1

Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Jaegeuk Kim]

On 07/15, Chao Yu wrote:
> Hi Jaegeuk,
> 
> On 2018/7/7 9:12, Jaegeuk Kim wrote:
> > Hi Chao,
> > 
> > I'm hitting some messages below during fault injection test. I'll dig in the
> > issue later, but meanwhile could you review this patch again?
> 
> You hit message like below call stack instead of the log I added in
> sanity_check_inode(), right?
> 
> kernel BUG at fs/inode.c:512!
> f2fs_evict_inode+0x253/0x630
> evict+0x16f/0x290
> iput+0x280/0x300
> 
> I can't reproduce this issue with fault injection test, could you still
> reproduce this?

Let me try it again. :)

> 
> Thanks,
> 
> > 
> > Thanks,
> > 
> > On 06/28, Chao Yu wrote:
> >> https://bugzilla.kernel.org/show_bug.cgi?id=200221
> >>
> >> - Overview
> >> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
> >>
> >> - Reproduce
> >>
> >> - Kernel message
> >> [  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> >> [  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> >> [  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> >> [  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> >> [  540.970834] ------------[ cut here ]------------
> >> [  540.970838] kernel BUG at fs/inode.c:512!
> >> [  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> >> [  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> >> [  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> >> [  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> >> [  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> >> [  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> >> [  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> >> [  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> >> [  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> >> [  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> >> [  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> >> [  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> >> [  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> [  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> >> [  541.000015] Call Trace:
> >> [  541.000554]  f2fs_evict_inode+0x253/0x630
> >> [  541.001381]  evict+0x16f/0x290
> >> [  541.002015]  iput+0x280/0x300
> >> [  541.002654]  dentry_unlink_inode+0x165/0x1e0
> >> [  541.003528]  __dentry_kill+0x16a/0x260
> >> [  541.004300]  dentry_kill+0x70/0x250
> >> [  541.005018]  dput+0x154/0x1d0
> >> [  541.005635]  do_one_tree+0x34/0x40
> >> [  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
> >> [  541.007285]  generic_shutdown_super+0x43/0x1c0
> >> [  541.008192]  kill_block_super+0x52/0x80
> >> [  541.008978]  kill_f2fs_super+0x62/0x70
> >> [  541.009750]  deactivate_locked_super+0x6f/0xa0
> >> [  541.010664]  deactivate_super+0x5e/0x80
> >> [  541.011450]  cleanup_mnt+0x61/0xa0
> >> [  541.012151]  __cleanup_mnt+0x12/0x20
> >> [  541.012893]  task_work_run+0xc8/0xf0
> >> [  541.013635]  exit_to_usermode_loop+0x125/0x130
> >> [  541.014555]  do_syscall_64+0x138/0x170
> >> [  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >> [  541.016375] RIP: 0033:0x7f46624bf487
> >> [  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> >> [  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> >> [  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> >> [  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> >> [  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> >> [  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> >> [  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> >> [  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> >> [  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> >> [  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> >> [  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> >> [  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> >> [  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> >> [  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> >> [  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> >> [  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> >> [  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> >> [  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> >> [  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> [  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> >> [  541.058506] ==================================================================
> >> [  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> >> [  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
> >>
> >> [  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
> >> [  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> >> [  541.066778] Call Trace:
> >> [  541.067294]  dump_stack+0x7b/0xb5
> >> [  541.067986]  print_address_description+0x70/0x290
> >> [  541.068941]  kasan_report+0x291/0x390
> >> [  541.069692]  ? update_stack_state+0x38c/0x3e0
> >> [  541.070598]  __asan_load8+0x54/0x90
> >> [  541.071315]  update_stack_state+0x38c/0x3e0
> >> [  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
> >> [  541.073340]  ? vprintk_func+0x27/0x60
> >> [  541.074096]  ? printk+0xa3/0xd3
> >> [  541.074762]  ? __save_stack_trace+0x5e/0x100
> >> [  541.075634]  unwind_next_frame.part.5+0x18e/0x490
> >> [  541.076594]  ? unwind_dump+0x290/0x290
> >> [  541.077368]  ? __show_regs+0x2c4/0x330
> >> [  541.078142]  __unwind_start+0x106/0x190
> >> [  541.085422]  __save_stack_trace+0x5e/0x100
> >> [  541.086268]  ? __save_stack_trace+0x5e/0x100
> >> [  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
> >> [  541.087997]  save_stack_trace+0x1f/0x30
> >> [  541.088782]  save_stack+0x46/0xd0
> >> [  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
> >> [  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
> >> [  541.091364]  ? __dec_node_state+0x24/0xb0
> >> [  541.092180]  ? lock_page_memcg+0x85/0xf0
> >> [  541.092979]  ? unlock_page_memcg+0x16/0x80
> >> [  541.093812]  ? page_remove_rmap+0x198/0x520
> >> [  541.094674]  ? mark_page_accessed+0x133/0x200
> >> [  541.095559]  ? _cond_resched+0x1a/0x50
> >> [  541.096326]  ? unmap_page_range+0xcd4/0xe50
> >> [  541.097179]  ? rb_next+0x58/0x80
> >> [  541.097845]  ? rb_next+0x58/0x80
> >> [  541.098518]  __kasan_slab_free+0x13c/0x1a0
> >> [  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
> >> [  541.100184]  kasan_slab_free+0xe/0x10
> >> [  541.100934]  kmem_cache_free+0x89/0x1e0
> >> [  541.101724]  unlink_anon_vmas+0xba/0x2c0
> >> [  541.102534]  free_pgtables+0x101/0x1b0
> >> [  541.103299]  exit_mmap+0x146/0x2a0
> >> [  541.103996]  ? __ia32_sys_munmap+0x50/0x50
> >> [  541.104829]  ? kasan_check_read+0x11/0x20
> >> [  541.105649]  ? mm_update_next_owner+0x322/0x380
> >> [  541.106578]  mmput+0x8b/0x1d0
> >> [  541.107191]  do_exit+0x43a/0x1390
> >> [  541.107876]  ? mm_update_next_owner+0x380/0x380
> >> [  541.108791]  ? deactivate_super+0x5e/0x80
> >> [  541.109610]  ? cleanup_mnt+0x61/0xa0
> >> [  541.110351]  ? __cleanup_mnt+0x12/0x20
> >> [  541.111115]  ? task_work_run+0xc8/0xf0
> >> [  541.111879]  ? exit_to_usermode_loop+0x125/0x130
> >> [  541.112817]  rewind_stack_do_exit+0x17/0x20
> >> [  541.113666] RIP: 0033:0x7f46624bf487
> >> [  541.114404] Code: Bad RIP value.
> >> [  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> >> [  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> >> [  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> >> [  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> >> [  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> >> [  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> >>
> >> [  541.124061] The buggy address belongs to the page:
> >> [  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> >> [  541.126651] flags: 0x2ffff0000000000()
> >> [  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> >> [  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> >> [  541.130516] page dumped because: kasan: bad access detected
> >>
> >> [  541.131954] Memory state around the buggy address:
> >> [  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> >> [  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> [  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> >> [  541.137253]                                                              ^
> >> [  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> [  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> >> [  541.141509] ==================================================================
> >>
> >> - Location
> >> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> >> 	BUG_ON(inode->i_data.nrpages);
> >>
> >> The root cause is root directory inode is corrupted, it has both
> >> inline_data and inline_dentry flag, and its nlink is zero, so in
> >> ->evict(), after dropping all page cache, it grabs page #0 for inline
> >> data truncation, result in panic in later clear_inode() where we will
> >> check inode->i_data.nrpages value.
> >>
> >> This patch adds inline flags check in sanity_check_inode, in addition,
> >> do sanity check with root inode's nlink.
> >>
> >> Reported-by Wen Xu <wen.xu@gatech.edu>
> >> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> >> ---
> >>  fs/f2fs/inode.c | 20 ++++++++++++++++++++
> >>  fs/f2fs/super.c |  3 ++-
> >>  2 files changed, 22 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> >> index 54067e456610..4cf0a05cc03e 100644
> >> --- a/fs/f2fs/inode.c
> >> +++ b/fs/f2fs/inode.c
> >> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
> >>  			return false;
> >>  		}
> >>  	}
> >> +
> >> +	if (f2fs_has_inline_data(inode) &&
> >> +			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> >> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> >> +		f2fs_msg(sbi->sb, KERN_WARNING,
> >> +			"%s: inode (ino=%lx, mode=%u) should not have "
> >> +			"inline_data, run fsck to fix",
> >> +			__func__, inode->i_ino, inode->i_mode);
> >> +		return false;
> >> +	}
> >> +
> >> +	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> >> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> >> +		f2fs_msg(sbi->sb, KERN_WARNING,
> >> +			"%s: inode (ino=%lx, mode=%u) should not have "
> >> +			"inline_dentry, run fsck to fix",
> >> +			__func__, inode->i_ino, inode->i_mode);
> >> +		return false;
> >> +	}
> >> +
> >>  	return true;
> >>  }
> >>  
> >> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> >> index 657757635306..7405762d2bc9 100644
> >> --- a/fs/f2fs/super.c
> >> +++ b/fs/f2fs/super.c
> >> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> >>  		err = PTR_ERR(root);
> >>  		goto free_stats;
> >>  	}
> >> -	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> >> +	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> >> +			!root->i_size || !root->i_nlink) {
> >>  		iput(root);
> >>  		err = -EINVAL;
> >>  		goto free_stats;
> >> -- 
> >> 2.18.0.rc1

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Re: [f2fs-dev] [PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Jaegeuk Kim]

On 07/15, Jaegeuk Kim wrote:
> On 07/15, Chao Yu wrote:
> > Hi Jaegeuk,
> > 
> > On 2018/7/7 9:12, Jaegeuk Kim wrote:
> > > Hi Chao,
> > > 
> > > I'm hitting some messages below during fault injection test. I'll dig in the
> > > issue later, but meanwhile could you review this patch again?
> > 
> > You hit message like below call stack instead of the log I added in
> > sanity_check_inode(), right?
> > 
> > kernel BUG at fs/inode.c:512!
> > f2fs_evict_inode+0x253/0x630
> > evict+0x16f/0x290
> > iput+0x280/0x300
> > 
> > I can't reproduce this issue with fault injection test, could you still
> > reproduce this?
> 
> Let me try it again. :)

[  318.799110] F2FS-fs (nvme0n1): mounting with "discard" option, but the device does not support discard
[  318.839407] F2FS-fs (nvme0n1): Found nat_bits in checkpoint
[  318.904204] F2FS-fs (nvme0n1): sanity_check_inode: inode (ino=cc9, mode=41471) should not have inline_data, run fsck to fix

Missing mode?

> 
> > 
> > Thanks,
> > 
> > > 
> > > Thanks,
> > > 
> > > On 06/28, Chao Yu wrote:
> > >> https://bugzilla.kernel.org/show_bug.cgi?id=200221
> > >>
> > >> - Overview
> > >> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
> > >>
> > >> - Reproduce
> > >>
> > >> - Kernel message
> > >> [  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> > >> [  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> > >> [  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> > >> [  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> > >> [  540.970834] ------------[ cut here ]------------
> > >> [  540.970838] kernel BUG at fs/inode.c:512!
> > >> [  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> > >> [  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> > >> [  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > >> [  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> > >> [  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> > >> [  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> > >> [  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> > >> [  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> > >> [  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> > >> [  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> > >> [  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> > >> [  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> > >> [  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > >> [  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> > >> [  541.000015] Call Trace:
> > >> [  541.000554]  f2fs_evict_inode+0x253/0x630
> > >> [  541.001381]  evict+0x16f/0x290
> > >> [  541.002015]  iput+0x280/0x300
> > >> [  541.002654]  dentry_unlink_inode+0x165/0x1e0
> > >> [  541.003528]  __dentry_kill+0x16a/0x260
> > >> [  541.004300]  dentry_kill+0x70/0x250
> > >> [  541.005018]  dput+0x154/0x1d0
> > >> [  541.005635]  do_one_tree+0x34/0x40
> > >> [  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
> > >> [  541.007285]  generic_shutdown_super+0x43/0x1c0
> > >> [  541.008192]  kill_block_super+0x52/0x80
> > >> [  541.008978]  kill_f2fs_super+0x62/0x70
> > >> [  541.009750]  deactivate_locked_super+0x6f/0xa0
> > >> [  541.010664]  deactivate_super+0x5e/0x80
> > >> [  541.011450]  cleanup_mnt+0x61/0xa0
> > >> [  541.012151]  __cleanup_mnt+0x12/0x20
> > >> [  541.012893]  task_work_run+0xc8/0xf0
> > >> [  541.013635]  exit_to_usermode_loop+0x125/0x130
> > >> [  541.014555]  do_syscall_64+0x138/0x170
> > >> [  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >> [  541.016375] RIP: 0033:0x7f46624bf487
> > >> [  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> > >> [  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> > >> [  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> > >> [  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> > >> [  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> > >> [  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> > >> [  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> > >> [  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> > >> [  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> > >> [  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> > >> [  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> > >> [  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> > >> [  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> > >> [  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> > >> [  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> > >> [  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> > >> [  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> > >> [  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> > >> [  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > >> [  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> > >> [  541.058506] ==================================================================
> > >> [  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> > >> [  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
> > >>
> > >> [  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
> > >> [  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > >> [  541.066778] Call Trace:
> > >> [  541.067294]  dump_stack+0x7b/0xb5
> > >> [  541.067986]  print_address_description+0x70/0x290
> > >> [  541.068941]  kasan_report+0x291/0x390
> > >> [  541.069692]  ? update_stack_state+0x38c/0x3e0
> > >> [  541.070598]  __asan_load8+0x54/0x90
> > >> [  541.071315]  update_stack_state+0x38c/0x3e0
> > >> [  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
> > >> [  541.073340]  ? vprintk_func+0x27/0x60
> > >> [  541.074096]  ? printk+0xa3/0xd3
> > >> [  541.074762]  ? __save_stack_trace+0x5e/0x100
> > >> [  541.075634]  unwind_next_frame.part.5+0x18e/0x490
> > >> [  541.076594]  ? unwind_dump+0x290/0x290
> > >> [  541.077368]  ? __show_regs+0x2c4/0x330
> > >> [  541.078142]  __unwind_start+0x106/0x190
> > >> [  541.085422]  __save_stack_trace+0x5e/0x100
> > >> [  541.086268]  ? __save_stack_trace+0x5e/0x100
> > >> [  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
> > >> [  541.087997]  save_stack_trace+0x1f/0x30
> > >> [  541.088782]  save_stack+0x46/0xd0
> > >> [  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
> > >> [  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
> > >> [  541.091364]  ? __dec_node_state+0x24/0xb0
> > >> [  541.092180]  ? lock_page_memcg+0x85/0xf0
> > >> [  541.092979]  ? unlock_page_memcg+0x16/0x80
> > >> [  541.093812]  ? page_remove_rmap+0x198/0x520
> > >> [  541.094674]  ? mark_page_accessed+0x133/0x200
> > >> [  541.095559]  ? _cond_resched+0x1a/0x50
> > >> [  541.096326]  ? unmap_page_range+0xcd4/0xe50
> > >> [  541.097179]  ? rb_next+0x58/0x80
> > >> [  541.097845]  ? rb_next+0x58/0x80
> > >> [  541.098518]  __kasan_slab_free+0x13c/0x1a0
> > >> [  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
> > >> [  541.100184]  kasan_slab_free+0xe/0x10
> > >> [  541.100934]  kmem_cache_free+0x89/0x1e0
> > >> [  541.101724]  unlink_anon_vmas+0xba/0x2c0
> > >> [  541.102534]  free_pgtables+0x101/0x1b0
> > >> [  541.103299]  exit_mmap+0x146/0x2a0
> > >> [  541.103996]  ? __ia32_sys_munmap+0x50/0x50
> > >> [  541.104829]  ? kasan_check_read+0x11/0x20
> > >> [  541.105649]  ? mm_update_next_owner+0x322/0x380
> > >> [  541.106578]  mmput+0x8b/0x1d0
> > >> [  541.107191]  do_exit+0x43a/0x1390
> > >> [  541.107876]  ? mm_update_next_owner+0x380/0x380
> > >> [  541.108791]  ? deactivate_super+0x5e/0x80
> > >> [  541.109610]  ? cleanup_mnt+0x61/0xa0
> > >> [  541.110351]  ? __cleanup_mnt+0x12/0x20
> > >> [  541.111115]  ? task_work_run+0xc8/0xf0
> > >> [  541.111879]  ? exit_to_usermode_loop+0x125/0x130
> > >> [  541.112817]  rewind_stack_do_exit+0x17/0x20
> > >> [  541.113666] RIP: 0033:0x7f46624bf487
> > >> [  541.114404] Code: Bad RIP value.
> > >> [  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> > >> [  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> > >> [  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> > >> [  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> > >> [  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> > >> [  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> > >>
> > >> [  541.124061] The buggy address belongs to the page:
> > >> [  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> > >> [  541.126651] flags: 0x2ffff0000000000()
> > >> [  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> > >> [  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > >> [  541.130516] page dumped because: kasan: bad access detected
> > >>
> > >> [  541.131954] Memory state around the buggy address:
> > >> [  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> > >> [  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >> [  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> > >> [  541.137253]                                                              ^
> > >> [  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >> [  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> > >> [  541.141509] ==================================================================
> > >>
> > >> - Location
> > >> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> > >> 	BUG_ON(inode->i_data.nrpages);
> > >>
> > >> The root cause is root directory inode is corrupted, it has both
> > >> inline_data and inline_dentry flag, and its nlink is zero, so in
> > >> ->evict(), after dropping all page cache, it grabs page #0 for inline
> > >> data truncation, result in panic in later clear_inode() where we will
> > >> check inode->i_data.nrpages value.
> > >>
> > >> This patch adds inline flags check in sanity_check_inode, in addition,
> > >> do sanity check with root inode's nlink.
> > >>
> > >> Reported-by Wen Xu <wen.xu@gatech.edu>
> > >> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> > >> ---
> > >>  fs/f2fs/inode.c | 20 ++++++++++++++++++++
> > >>  fs/f2fs/super.c |  3 ++-
> > >>  2 files changed, 22 insertions(+), 1 deletion(-)
> > >>
> > >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> > >> index 54067e456610..4cf0a05cc03e 100644
> > >> --- a/fs/f2fs/inode.c
> > >> +++ b/fs/f2fs/inode.c
> > >> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
> > >>  			return false;
> > >>  		}
> > >>  	}
> > >> +
> > >> +	if (f2fs_has_inline_data(inode) &&
> > >> +			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> > >> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> > >> +		f2fs_msg(sbi->sb, KERN_WARNING,
> > >> +			"%s: inode (ino=%lx, mode=%u) should not have "
> > >> +			"inline_data, run fsck to fix",
> > >> +			__func__, inode->i_ino, inode->i_mode);
> > >> +		return false;
> > >> +	}
> > >> +
> > >> +	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> > >> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> > >> +		f2fs_msg(sbi->sb, KERN_WARNING,
> > >> +			"%s: inode (ino=%lx, mode=%u) should not have "
> > >> +			"inline_dentry, run fsck to fix",
> > >> +			__func__, inode->i_ino, inode->i_mode);
> > >> +		return false;
> > >> +	}
> > >> +
> > >>  	return true;
> > >>  }
> > >>  
> > >> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> > >> index 657757635306..7405762d2bc9 100644
> > >> --- a/fs/f2fs/super.c
> > >> +++ b/fs/f2fs/super.c
> > >> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> > >>  		err = PTR_ERR(root);
> > >>  		goto free_stats;
> > >>  	}
> > >> -	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> > >> +	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> > >> +			!root->i_size || !root->i_nlink) {
> > >>  		iput(root);
> > >>  		err = -EINVAL;
> > >>  		goto free_stats;
> > >> -- 
> > >> 2.18.0.rc1
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

Re: [PATCH 2/2] f2fs: fix to do sanity check with inline flags

[Jaegeuk Kim]

On 07/15, Jaegeuk Kim wrote:
> On 07/15, Chao Yu wrote:
> > Hi Jaegeuk,
> > 
> > On 2018/7/7 9:12, Jaegeuk Kim wrote:
> > > Hi Chao,
> > > 
> > > I'm hitting some messages below during fault injection test. I'll dig in the
> > > issue later, but meanwhile could you review this patch again?
> > 
> > You hit message like below call stack instead of the log I added in
> > sanity_check_inode(), right?
> > 
> > kernel BUG at fs/inode.c:512!
> > f2fs_evict_inode+0x253/0x630
> > evict+0x16f/0x290
> > iput+0x280/0x300
> > 
> > I can't reproduce this issue with fault injection test, could you still
> > reproduce this?
> 
> Let me try it again. :)

[  318.799110] F2FS-fs (nvme0n1): mounting with "discard" option, but the device does not support discard
[  318.839407] F2FS-fs (nvme0n1): Found nat_bits in checkpoint
[  318.904204] F2FS-fs (nvme0n1): sanity_check_inode: inode (ino=cc9, mode=41471) should not have inline_data, run fsck to fix

Missing mode?

> 
> > 
> > Thanks,
> > 
> > > 
> > > Thanks,
> > > 
> > > On 06/28, Chao Yu wrote:
> > >> https://bugzilla.kernel.org/show_bug.cgi?id=200221
> > >>
> > >> - Overview
> > >> BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
> > >>
> > >> - Reproduce
> > >>
> > >> - Kernel message
> > >> [  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
> > >> [  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
> > >> [  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
> > >> [  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
> > >> [  540.970834] ------------[ cut here ]------------
> > >> [  540.970838] kernel BUG at fs/inode.c:512!
> > >> [  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
> > >> [  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
> > >> [  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > >> [  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
> > >> [  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> > >> [  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> > >> [  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> > >> [  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> > >> [  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> > >> [  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> > >> [  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> > >> [  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> > >> [  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > >> [  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> > >> [  541.000015] Call Trace:
> > >> [  541.000554]  f2fs_evict_inode+0x253/0x630
> > >> [  541.001381]  evict+0x16f/0x290
> > >> [  541.002015]  iput+0x280/0x300
> > >> [  541.002654]  dentry_unlink_inode+0x165/0x1e0
> > >> [  541.003528]  __dentry_kill+0x16a/0x260
> > >> [  541.004300]  dentry_kill+0x70/0x250
> > >> [  541.005018]  dput+0x154/0x1d0
> > >> [  541.005635]  do_one_tree+0x34/0x40
> > >> [  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
> > >> [  541.007285]  generic_shutdown_super+0x43/0x1c0
> > >> [  541.008192]  kill_block_super+0x52/0x80
> > >> [  541.008978]  kill_f2fs_super+0x62/0x70
> > >> [  541.009750]  deactivate_locked_super+0x6f/0xa0
> > >> [  541.010664]  deactivate_super+0x5e/0x80
> > >> [  541.011450]  cleanup_mnt+0x61/0xa0
> > >> [  541.012151]  __cleanup_mnt+0x12/0x20
> > >> [  541.012893]  task_work_run+0xc8/0xf0
> > >> [  541.013635]  exit_to_usermode_loop+0x125/0x130
> > >> [  541.014555]  do_syscall_64+0x138/0x170
> > >> [  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >> [  541.016375] RIP: 0033:0x7f46624bf487
> > >> [  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
> > >> [  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> > >> [  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> > >> [  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> > >> [  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> > >> [  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> > >> [  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> > >> [  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
> > >> [  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
> > >> [  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
> > >> [  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
> > >> [  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
> > >> [  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
> > >> [  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
> > >> [  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
> > >> [  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
> > >> [  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
> > >> [  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
> > >> [  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > >> [  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
> > >> [  541.058506] ==================================================================
> > >> [  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
> > >> [  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
> > >>
> > >> [  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
> > >> [  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> > >> [  541.066778] Call Trace:
> > >> [  541.067294]  dump_stack+0x7b/0xb5
> > >> [  541.067986]  print_address_description+0x70/0x290
> > >> [  541.068941]  kasan_report+0x291/0x390
> > >> [  541.069692]  ? update_stack_state+0x38c/0x3e0
> > >> [  541.070598]  __asan_load8+0x54/0x90
> > >> [  541.071315]  update_stack_state+0x38c/0x3e0
> > >> [  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
> > >> [  541.073340]  ? vprintk_func+0x27/0x60
> > >> [  541.074096]  ? printk+0xa3/0xd3
> > >> [  541.074762]  ? __save_stack_trace+0x5e/0x100
> > >> [  541.075634]  unwind_next_frame.part.5+0x18e/0x490
> > >> [  541.076594]  ? unwind_dump+0x290/0x290
> > >> [  541.077368]  ? __show_regs+0x2c4/0x330
> > >> [  541.078142]  __unwind_start+0x106/0x190
> > >> [  541.085422]  __save_stack_trace+0x5e/0x100
> > >> [  541.086268]  ? __save_stack_trace+0x5e/0x100
> > >> [  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
> > >> [  541.087997]  save_stack_trace+0x1f/0x30
> > >> [  541.088782]  save_stack+0x46/0xd0
> > >> [  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
> > >> [  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
> > >> [  541.091364]  ? __dec_node_state+0x24/0xb0
> > >> [  541.092180]  ? lock_page_memcg+0x85/0xf0
> > >> [  541.092979]  ? unlock_page_memcg+0x16/0x80
> > >> [  541.093812]  ? page_remove_rmap+0x198/0x520
> > >> [  541.094674]  ? mark_page_accessed+0x133/0x200
> > >> [  541.095559]  ? _cond_resched+0x1a/0x50
> > >> [  541.096326]  ? unmap_page_range+0xcd4/0xe50
> > >> [  541.097179]  ? rb_next+0x58/0x80
> > >> [  541.097845]  ? rb_next+0x58/0x80
> > >> [  541.098518]  __kasan_slab_free+0x13c/0x1a0
> > >> [  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
> > >> [  541.100184]  kasan_slab_free+0xe/0x10
> > >> [  541.100934]  kmem_cache_free+0x89/0x1e0
> > >> [  541.101724]  unlink_anon_vmas+0xba/0x2c0
> > >> [  541.102534]  free_pgtables+0x101/0x1b0
> > >> [  541.103299]  exit_mmap+0x146/0x2a0
> > >> [  541.103996]  ? __ia32_sys_munmap+0x50/0x50
> > >> [  541.104829]  ? kasan_check_read+0x11/0x20
> > >> [  541.105649]  ? mm_update_next_owner+0x322/0x380
> > >> [  541.106578]  mmput+0x8b/0x1d0
> > >> [  541.107191]  do_exit+0x43a/0x1390
> > >> [  541.107876]  ? mm_update_next_owner+0x380/0x380
> > >> [  541.108791]  ? deactivate_super+0x5e/0x80
> > >> [  541.109610]  ? cleanup_mnt+0x61/0xa0
> > >> [  541.110351]  ? __cleanup_mnt+0x12/0x20
> > >> [  541.111115]  ? task_work_run+0xc8/0xf0
> > >> [  541.111879]  ? exit_to_usermode_loop+0x125/0x130
> > >> [  541.112817]  rewind_stack_do_exit+0x17/0x20
> > >> [  541.113666] RIP: 0033:0x7f46624bf487
> > >> [  541.114404] Code: Bad RIP value.
> > >> [  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> > >> [  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
> > >> [  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
> > >> [  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
> > >> [  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
> > >> [  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
> > >>
> > >> [  541.124061] The buggy address belongs to the page:
> > >> [  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> > >> [  541.126651] flags: 0x2ffff0000000000()
> > >> [  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
> > >> [  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > >> [  541.130516] page dumped because: kasan: bad access detected
> > >>
> > >> [  541.131954] Memory state around the buggy address:
> > >> [  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
> > >> [  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >> [  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> > >> [  541.137253]                                                              ^
> > >> [  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >> [  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
> > >> [  541.141509] ==================================================================
> > >>
> > >> - Location
> > >> https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
> > >> 	BUG_ON(inode->i_data.nrpages);
> > >>
> > >> The root cause is root directory inode is corrupted, it has both
> > >> inline_data and inline_dentry flag, and its nlink is zero, so in
> > >> ->evict(), after dropping all page cache, it grabs page #0 for inline
> > >> data truncation, result in panic in later clear_inode() where we will
> > >> check inode->i_data.nrpages value.
> > >>
> > >> This patch adds inline flags check in sanity_check_inode, in addition,
> > >> do sanity check with root inode's nlink.
> > >>
> > >> Reported-by Wen Xu <wen.xu@gatech.edu>
> > >> Signed-off-by: Chao Yu <yuchao0@huawei.com>
> > >> ---
> > >>  fs/f2fs/inode.c | 20 ++++++++++++++++++++
> > >>  fs/f2fs/super.c |  3 ++-
> > >>  2 files changed, 22 insertions(+), 1 deletion(-)
> > >>
> > >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> > >> index 54067e456610..4cf0a05cc03e 100644
> > >> --- a/fs/f2fs/inode.c
> > >> +++ b/fs/f2fs/inode.c
> > >> @@ -224,6 +224,26 @@ static bool sanity_check_inode(struct inode *inode)
> > >>  			return false;
> > >>  		}
> > >>  	}
> > >> +
> > >> +	if (f2fs_has_inline_data(inode) &&
> > >> +			(!S_ISREG(inode->i_mode) || !S_ISLNK(inode->i_mode))) {
> > >> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> > >> +		f2fs_msg(sbi->sb, KERN_WARNING,
> > >> +			"%s: inode (ino=%lx, mode=%u) should not have "
> > >> +			"inline_data, run fsck to fix",
> > >> +			__func__, inode->i_ino, inode->i_mode);
> > >> +		return false;
> > >> +	}
> > >> +
> > >> +	if (f2fs_has_inline_dentry(inode) && !S_ISDIR(inode->i_mode)) {
> > >> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> > >> +		f2fs_msg(sbi->sb, KERN_WARNING,
> > >> +			"%s: inode (ino=%lx, mode=%u) should not have "
> > >> +			"inline_dentry, run fsck to fix",
> > >> +			__func__, inode->i_ino, inode->i_mode);
> > >> +		return false;
> > >> +	}
> > >> +
> > >>  	return true;
> > >>  }
> > >>  
> > >> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> > >> index 657757635306..7405762d2bc9 100644
> > >> --- a/fs/f2fs/super.c
> > >> +++ b/fs/f2fs/super.c
> > >> @@ -2942,7 +2942,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> > >>  		err = PTR_ERR(root);
> > >>  		goto free_stats;
> > >>  	}
> > >> -	if (!S_ISDIR(root->i_mode) || !root->i_blocks || !root->i_size) {
> > >> +	if (!S_ISDIR(root->i_mode) || !root->i_blocks ||
> > >> +			!root->i_size || !root->i_nlink) {
> > >>  		iput(root);
> > >>  		err = -EINVAL;
> > >>  		goto free_stats;
> > >> -- 
> > >> 2.18.0.rc1
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot