* f2fs get_dnode_of_data oops
@ 2014-09-07 19:14 Tommi Rantala
  2014-09-07 19:20 ` Tommi Rantala
  0 siblings, 1 reply; 14+ messages in thread
From: Tommi Rantala @ 2014-09-07 19:14 UTC (permalink / raw)
  To: linux-f2fs-devel, Jaegeuk Kim, Changman Lee; +Cc: LKML, trinity, Dave Jones

Hello,

Hit this oops while fuzzing v3.17-rc3-176-g2b12164 with Trinity.

Tommi


BUG: unable to handle kernel paging request at ffff8804338717a8
IP: [<ffffffff81779039>] get_dnode_of_data+0x3a9/0x440
PGD 4594067 PUD 0
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU: 0 PID: 4719 Comm: trinity-c3 Not tainted 3.17.0-rc3+ #33
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff880015630000 ti: ffff88000724c000 task.ti: ffff88000724c000
RIP: 0010:[<ffffffff81779039>]  [<ffffffff81779039>]
get_dnode_of_data+0x3a9/0x440
RSP: 0018:ffff88000724fe08  EFLAGS: 00010246
RAX: ffff880033874000 RBX: 00000000000000f8 RCX: 00000000fffff590
RDX: ffff880033874168 RSI: ffff88000724fd98 RDI: ffff88000724fef0
RBP: ffff88000724feb8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff83b33f90 R12: fffffffffffff590
R13: 0000000000000000 R14: ffffea0000ce1d00 R15: ffff8800209f8000
FS:  00007f2bd22dc700(0000) GS:ffff88003fa00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff8804338717a8 CR3: 00000000346c0000 CR4: 00000000000006f0
DR0: 000000000185d000 DR1: 000000000185d000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000b0602
Stack:
 ffff88000724fef0 ffff88000724fe30 ffff880036c18000 0000000000000004
 ffff8800209f80f0 00000002fffff590 ffffffff81189f1d ffff8800fffff590
 0000000000000246 ffffffff00000000 ffffffff81189ce0 ffffffff000000f8
Call Trace:
 [<ffffffff81189f1d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffff81189ce0>] ? mark_held_locks+0x90/0xa0
 [<ffffffff81189e75>] ? trace_hardirqs_on_caller+0x185/0x220
 [<ffffffff81763417>] f2fs_llseek+0xf7/0x420
 [<ffffffff8127e4d5>] SyS_lseek+0x65/0xa0
 [<ffffffff8259b229>] system_call_fastpath+0x16/0x1b
Code: ba 00 00 00 00 00 88 ff ff 48 c1 f8 06 48 c1 e0 0c 48 01 d0 8b
98 ec 0f 00 00 39 98 e8 0f 00 00 48 8d 90 68 01 00 00 48 0f 45 d0 <8b>
04 8a 89 47 24 31 c0 eb 75 41 bc e4 ff ff ff 4d 85 f6 74 19
RIP  [<ffffffff81779039>] get_dnode_of_data+0x3a9/0x440
 RSP <ffff88000724fe08>
CR2: ffff8804338717a8
---[ end trace bed7b35d1c48e9c3 ]---

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: f2fs get_dnode_of_data oops
  2014-09-07 19:14 f2fs get_dnode_of_data oops Tommi Rantala
@ 2014-09-07 19:20 ` Tommi Rantala
  2014-09-08  4:20   ` Jaegeuk Kim
  0 siblings, 1 reply; 14+ messages in thread
From: Tommi Rantala @ 2014-09-07 19:20 UTC (permalink / raw)
  To: linux-f2fs-devel, Jaegeuk Kim, Changman Lee; +Cc: LKML, trinity, Dave Jones

2014-09-07 22:14 GMT+03:00 Tommi Rantala <tt.rantala@gmail.com>:
> Hello,
>
> Hit this oops while fuzzing v3.17-rc3-176-g2b12164 with Trinity.
>
> Tommi
>
>
> BUG: unable to handle kernel paging request at ffff8804338717a8
> IP: [<ffffffff81779039>] get_dnode_of_data+0x3a9/0x440
> PGD 4594067 PUD 0
> Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
> CPU: 0 PID: 4719 Comm: trinity-c3 Not tainted 3.17.0-rc3+ #33
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> task: ffff880015630000 ti: ffff88000724c000 task.ti: ffff88000724c000
> RIP: 0010:[<ffffffff81779039>]  [<ffffffff81779039>]
> get_dnode_of_data+0x3a9/0x440
> RSP: 0018:ffff88000724fe08  EFLAGS: 00010246
> RAX: ffff880033874000 RBX: 00000000000000f8 RCX: 00000000fffff590
> RDX: ffff880033874168 RSI: ffff88000724fd98 RDI: ffff88000724fef0
> RBP: ffff88000724feb8 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: ffffffff83b33f90 R12: fffffffffffff590
> R13: 0000000000000000 R14: ffffea0000ce1d00 R15: ffff8800209f8000
> FS:  00007f2bd22dc700(0000) GS:ffff88003fa00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: ffff8804338717a8 CR3: 00000000346c0000 CR4: 00000000000006f0
> DR0: 000000000185d000 DR1: 000000000185d000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000b0602
> Stack:
>  ffff88000724fef0 ffff88000724fe30 ffff880036c18000 0000000000000004
>  ffff8800209f80f0 00000002fffff590 ffffffff81189f1d ffff8800fffff590
>  0000000000000246 ffffffff00000000 ffffffff81189ce0 ffffffff000000f8
> Call Trace:
>  [<ffffffff81189f1d>] ? trace_hardirqs_on+0xd/0x10
>  [<ffffffff81189ce0>] ? mark_held_locks+0x90/0xa0
>  [<ffffffff81189e75>] ? trace_hardirqs_on_caller+0x185/0x220
>  [<ffffffff81763417>] f2fs_llseek+0xf7/0x420
>  [<ffffffff8127e4d5>] SyS_lseek+0x65/0xa0
>  [<ffffffff8259b229>] system_call_fastpath+0x16/0x1b
> Code: ba 00 00 00 00 00 88 ff ff 48 c1 f8 06 48 c1 e0 0c 48 01 d0 8b
> 98 ec 0f 00 00 39 98 e8 0f 00 00 48 8d 90 68 01 00 00 48 0f 45 d0 <8b>
> 04 8a 89 47 24 31 c0 eb 75 41 bc e4 ff ff ff 4d 85 f6 74 19
> RIP  [<ffffffff81779039>] get_dnode_of_data+0x3a9/0x440
>  RSP <ffff88000724fe08>
> CR2: ffff8804338717a8
> ---[ end trace bed7b35d1c48e9c3 ]---

If it helps, here is the location of the crash:

(gdb) list *0xffffffff81779039
0xffffffff81779039 is in get_dnode_of_data (fs/f2fs/f2fs.h:950).
945     {
946             struct f2fs_node *raw_node;
947             __le32 *addr_array;
948             raw_node = F2FS_NODE(node_page);
949             addr_array = blkaddr_in_node(raw_node);
950             return le32_to_cpu(addr_array[offset]);
951     }
952
953     static inline int f2fs_test_bit(unsigned int nr, char *addr)
954     {
(gdb)

Tommi

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: f2fs get_dnode_of_data oops
  2014-09-07 19:20 ` Tommi Rantala
@ 2014-09-08  4:20   ` Jaegeuk Kim
  2014-09-08 15:39       ` Tommi Rantala
  0 siblings, 1 reply; 14+ messages in thread
From: Jaegeuk Kim @ 2014-09-08  4:20 UTC (permalink / raw)
  To: Tommi Rantala; +Cc: linux-f2fs-devel, Changman Lee, LKML, trinity, Dave Jones

Hi,

Thank you for the report.
Could you share a little bit more information about the file accessing
f2fs_llseek?
E.g., file size, file offset, file allocation information, or dump of that file.

Thanks,

On Sun, Sep 07, 2014 at 10:20:44PM +0300, Tommi Rantala wrote:
> 2014-09-07 22:14 GMT+03:00 Tommi Rantala <tt.rantala@gmail.com>:
> > Hello,
> >
> > Hit this oops while fuzzing v3.17-rc3-176-g2b12164 with Trinity.
> >
> > Tommi
> >
> >
> > BUG: unable to handle kernel paging request at ffff8804338717a8
> > IP: [<ffffffff81779039>] get_dnode_of_data+0x3a9/0x440
> > PGD 4594067 PUD 0
> > Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
> > CPU: 0 PID: 4719 Comm: trinity-c3 Not tainted 3.17.0-rc3+ #33
> > Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> > task: ffff880015630000 ti: ffff88000724c000 task.ti: ffff88000724c000
> > RIP: 0010:[<ffffffff81779039>]  [<ffffffff81779039>]
> > get_dnode_of_data+0x3a9/0x440
> > RSP: 0018:ffff88000724fe08  EFLAGS: 00010246
> > RAX: ffff880033874000 RBX: 00000000000000f8 RCX: 00000000fffff590
> > RDX: ffff880033874168 RSI: ffff88000724fd98 RDI: ffff88000724fef0
> > RBP: ffff88000724feb8 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000001 R11: ffffffff83b33f90 R12: fffffffffffff590
> > R13: 0000000000000000 R14: ffffea0000ce1d00 R15: ffff8800209f8000
> > FS:  00007f2bd22dc700(0000) GS:ffff88003fa00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> > CR2: ffff8804338717a8 CR3: 00000000346c0000 CR4: 00000000000006f0
> > DR0: 000000000185d000 DR1: 000000000185d000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 00000000000b0602
> > Stack:
> >  ffff88000724fef0 ffff88000724fe30 ffff880036c18000 0000000000000004
> >  ffff8800209f80f0 00000002fffff590 ffffffff81189f1d ffff8800fffff590
> >  0000000000000246 ffffffff00000000 ffffffff81189ce0 ffffffff000000f8
> > Call Trace:
> >  [<ffffffff81189f1d>] ? trace_hardirqs_on+0xd/0x10
> >  [<ffffffff81189ce0>] ? mark_held_locks+0x90/0xa0
> >  [<ffffffff81189e75>] ? trace_hardirqs_on_caller+0x185/0x220
> >  [<ffffffff81763417>] f2fs_llseek+0xf7/0x420
> >  [<ffffffff8127e4d5>] SyS_lseek+0x65/0xa0
> >  [<ffffffff8259b229>] system_call_fastpath+0x16/0x1b
> > Code: ba 00 00 00 00 00 88 ff ff 48 c1 f8 06 48 c1 e0 0c 48 01 d0 8b
> > 98 ec 0f 00 00 39 98 e8 0f 00 00 48 8d 90 68 01 00 00 48 0f 45 d0 <8b>
> > 04 8a 89 47 24 31 c0 eb 75 41 bc e4 ff ff ff 4d 85 f6 74 19
> > RIP  [<ffffffff81779039>] get_dnode_of_data+0x3a9/0x440
> >  RSP <ffff88000724fe08>
> > CR2: ffff8804338717a8
> > ---[ end trace bed7b35d1c48e9c3 ]---
> 
> If it helps, here is the location of the crash:
> 
> (gdb) list *0xffffffff81779039
> 0xffffffff81779039 is in get_dnode_of_data (fs/f2fs/f2fs.h:950).
> 945     {
> 946             struct f2fs_node *raw_node;
> 947             __le32 *addr_array;
> 948             raw_node = F2FS_NODE(node_page);
> 949             addr_array = blkaddr_in_node(raw_node);
> 950             return le32_to_cpu(addr_array[offset]);
> 951     }
> 952
> 953     static inline int f2fs_test_bit(unsigned int nr, char *addr)
> 954     {
> (gdb)
> 
> Tommi

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: f2fs get_dnode_of_data oops
  2014-09-08  4:20   ` Jaegeuk Kim
@ 2014-09-08 15:39       ` Tommi Rantala
  0 siblings, 0 replies; 14+ messages in thread
From: Tommi Rantala @ 2014-09-08 15:39 UTC (permalink / raw)
  To: Jaegeuk Kim; +Cc: linux-f2fs-devel, Changman Lee, LKML, trinity, Dave Jones

2014-09-08 7:20 GMT+03:00 Jaegeuk Kim <jaegeuk@kernel.org>:
> Hi,
>
> Thank you for the report.
> Could you share a little bit more information about the file accessing
> f2fs_llseek?
> E.g., file size, file offset, file allocation information, or dump of that file.

Hi,

I can reproduce the bug with the following.
-17595150933902 is just something I saw trinity passing to lseek().

#define _GNU_SOURCE

#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv)
{
        int fd;

        if (argc < 2) {
                printf("give filename\n");
                return 1;
        }

        fd = open(argv[1], O_RDONLY);
        if (fd < 0) {
                perror("open");
                return 1;
        }

        lseek(fd, -17595150933902LL, SEEK_DATA);

        return 0;
}

{ttrantal@arkki ~}> touch /f2fs/x ; ./a.out /f2fs/x
[   73.437182] BUG: unable to handle kernel paging request at ffff88043368e340
[   73.438035] IP: [<ffffffff817792d9>] get_dnode_of_data+0x3a9/0x440
[   73.438035] PGD 4595067 PUD 0
[   73.438035] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
[   73.438035] CPU: 0 PID: 2933 Comm: a.out Not tainted 3.17.0-rc4+ #37
[   73.438035] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   73.438035] task: ffff88003755cac0 ti: ffff880022734000 task.ti:
ffff880022734000
[   73.438035] RIP: 0010:[<ffffffff817792d9>]  [<ffffffff817792d9>]
get_dnode_of_data+0x3a9/0x440
[   73.438035] RSP: 0018:ffff880022737e08  EFLAGS: 00010246
[   73.438035] RAX: ffff880033951000 RBX: 000000000000010b RCX: 00000000fff4f476
[   73.438035] RDX: ffff880033951168 RSI: 000000111932488f RDI: ffff880022737ef0
[   73.438035] RBP: ffff880022737eb8 R08: 0000000000000148 R09: 0000000000000000
[   73.438035] R10: 0000000000008b86 R11: 0000000000000001 R12: fffffffefff4f476
[   73.438035] R13: 0000000000000000 R14: ffffea0000ce5440 R15: ffff880021c28000
[   73.438035] FS:  00007fefc2f08700(0000) GS:ffff88003fa00000(0000)
knlGS:0000000000000000
[   73.438035] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   73.438035] CR2: ffff88043368e340 CR3: 0000000032d6b000 CR4: 00000000000006f0
[   73.438035] Stack:
[   73.438035]  ffff880022737ef0 ffffffff81228d7c ffff88003d9fe7b0
ffff880022737eb8
[   73.438035]  ffffffff81763164 00000002ffffffff 0000000000000000
00000000fff4f476
[   73.438035]  0000000000000246 ffffffff00000000 ffffffff8259bd47
ffffffff0000010b
[   73.438035] Call Trace:
[   73.438035]  [<ffffffff81228d7c>] ? pagevec_lookup_tag+0x1c/0x30
[   73.438035]  [<ffffffff81763164>] ? __get_first_dirty_index+0x44/0x90
[   73.438035]  [<ffffffff8259bd47>] ? _raw_spin_unlock_irq+0x27/0x40
[   73.438035]  [<ffffffff81189e75>] ? trace_hardirqs_on_caller+0x185/0x220
[   73.438035]  [<ffffffff817636b7>] f2fs_llseek+0xf7/0x420
[   73.438035]  [<ffffffff8127e735>] SyS_lseek+0x65/0xa0
[   73.438035]  [<ffffffff8259caa9>] system_call_fastpath+0x16/0x1b
[   73.438035] Code: ba 00 00 00 00 00 88 ff ff 48 c1 f8 06 48 c1 e0
0c 48 01 d0 8b 98 ec 0f 00 00 39 98 e8 0f 00 00 48 8d 90 68 01 00 00
48 0f 45 d0 <8b> 04 8a 89 47 24 31 c0 eb 75 41 bc e4 ff ff ff 4d 85 f6
74 19
[   73.438035] RIP  [<ffffffff817792d9>] get_dnode_of_data+0x3a9/0x440
[   73.438035]  RSP <ffff880022737e08>
[   73.438035] CR2: ffff88043368e340
[   73.438035] ---[ end trace e94f7065a7961f54 ]---

^ permalink raw reply	[flat|nested] 14+ messages in thread
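
The register values in the oops above can be tied back to the lseek() argument of the reproducer; this added example (not part of the original message) carries out that arithmetic in C. The 4 KiB page size and the reading of R12 as a page index derived from the offset are assumptions inferred from the dump, and all helper names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT_ASSUMED 12 /* assumption: 4 KiB pages, not stated in the thread */

/* Floor-divide a signed file offset by the page size. This is the portable
 * form of an arithmetic right shift, which C leaves implementation-defined
 * for negative operands. */
static int64_t page_index(int64_t offset)
{
    int64_t page = (int64_t)1 << PAGE_SHIFT_ASSUMED;
    int64_t q = offset / page;

    if (offset % page < 0)
        q -= 1;
    return q;
}

/* Upper-bound-only test: a negative offset is smaller than any isize. */
static int old_guard_rejects(int64_t offset, int64_t isize)
{
    return offset >= isize;
}

/* Same test with the lower bound added. */
static int new_guard_rejects(int64_t offset, int64_t isize)
{
    return offset >= isize || offset < 0;
}

/* The faulting bytes "<8b> 04 8a" decode to mov (%rdx,%rcx,4),%eax:
 * a 4-byte load from rdx + rcx * 4. */
static uint64_t fault_address(uint64_t rdx, uint32_t rcx)
{
    return rdx + (uint64_t)rcx * 4;
}

struct oops_sample {
    const char *name;
    int have_offset;   /* 1 when the lseek() argument is known */
    int64_t offset;
    uint64_t r12;
    uint32_t rcx;
    uint64_t rdx;
    uint64_t cr2;
};

/* Values copied from the two get_dnode_of_data oopses in this thread. */
static const struct oops_sample samples[] = {
    { "trinity, 3.17.0-rc3+", 0, 0,
      0xfffffffffffff590ULL, 0xfffff590u,
      0xffff880033874168ULL, 0xffff8804338717a8ULL },
    { "a.out, 3.17.0-rc4+", 1, -17595150933902LL,
      0xfffffffefff4f476ULL, 0xfff4f476u,
      0xffff880033951168ULL, 0xffff88043368e340ULL },
};

/* 1 when RCX is the low 32 bits of R12, RDX + RCX * 4 equals CR2, and
 * (if the offset is known) R12 equals the offset's page index. */
static int sample_consistent(const struct oops_sample *s)
{
    if ((uint32_t)s->r12 != s->rcx)
        return 0;
    if (fault_address(s->rdx, s->rcx) != s->cr2)
        return 0;
    if (s->have_offset && (uint64_t)page_index(s->offset) != s->r12)
        return 0;
    return 1;
}

int main(void)
{
    size_t i;
    int64_t off = samples[1].offset;

    /* "touch /f2fs/x" creates an empty file, so isize is 0. */
    printf("old guard rejects: %d, new guard rejects: %d\n",
           old_guard_rejects(off, 0), new_guard_rejects(off, 0));
    printf("page index of offset: 0x%016" PRIx64 "\n",
           (uint64_t)page_index(off));

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s computed fault 0x%016" PRIx64 " consistent=%d\n",
               samples[i].name,
               fault_address(samples[i].rdx, samples[i].rcx),
               sample_consistent(&samples[i]));
    return 0;
}
```

In both dumps the computed address equals CR2, so the fault is a 4-byte read indexed by the truncated negative value.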

* Re: f2fs get_dnode_of_data oops
  2014-09-08 15:39       ` Tommi Rantala
  (?)
@ 2014-09-09  4:41         ` Jaegeuk Kim
  -1 siblings, 0 replies; 14+ messages in thread
From: Jaegeuk Kim @ 2014-09-09  4:41 UTC (permalink / raw)
  To: Tommi Rantala; +Cc: linux-f2fs-devel, Changman Lee, LKML, trinity, Dave Jones

Hi Tommi,

This patch should resolve this bug.
Thanks a lot. :)

From ee24677b9917583f50f16b6f59771439f91b890c Mon Sep 17 00:00:00 2001
From: Jaegeuk Kim <jaegeuk@kernel.org>
Date: Mon, 8 Sep 2014 10:59:43 -0700
Subject: [PATCH] f2fs: fix negative value for lseek offset

If an application throws a negative value for lseek with SEEK_DATA|SEEK_HOLE,
the previous f2fs went into BUG_ON in get_dnode_of_data, which was reported
by Tommi Rantala.

He could make simple code to detect this having:
	lseek(fd, -17595150933902LL, SEEK_DATA);

This patch should resolve that bug.

Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index 9f0ea3d..c9a1295 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -281,7 +281,7 @@ static loff_t f2fs_seek_block(struct file *file, loff_t offset, int whence)
 	mutex_lock(&inode->i_mutex);
 
 	isize = i_size_read(inode);
-	if (offset >= isize)
+	if (offset >= isize || offset < 0)
 		goto fail;
 
 	/* handle inline data case */
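Review bot: In f2fs_seek_block() the added `offset < 0` test runs only after mutex_lock(&inode->i_mutex) and i_size_read(inode), yet it depends on neither; testing the sign before the lock would reject a bad offset without touching i_mutex. The hunk does not show what the fail label returns, so confirm that a negative offset is meant to produce the same error as an offset at or past isize. A one-line comment noting that offset arrives unvalidated from lseek() with SEEK_DATA or SEEK_HOLE would record why the lower bound is needed.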
-- 
1.8.5.2 (Apple Git-48)


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* RE: [f2fs-dev] f2fs get_dnode_of_data oops
  2014-09-09  4:41         ` Jaegeuk Kim
  (?)
  (?)
@ 2014-09-09  8:10         ` Chao Yu
  2014-09-10  7:23             ` Jaegeuk Kim
  -1 siblings, 1 reply; 14+ messages in thread
From: Chao Yu @ 2014-09-09  8:10 UTC (permalink / raw)
  To: 'Jaegeuk Kim', 'Tommi Rantala'
  Cc: 'Dave Jones', trinity, 'LKML', linux-f2fs-devel

Hi Jaegeuk,

Looks good to me!

One nitpick, how about judging this condition before we lock ->i_mutex to
avoid unneeded lock contention and invoking of i_size_read()?

Thanks,
Yu

> -----Original Message-----
> From: Jaegeuk Kim [mailto:jaegeuk@kernel.org]
> Sent: Tuesday, September 09, 2014 12:42 PM
> To: Tommi Rantala
> Cc: Dave Jones; trinity@vger.kernel.org; LKML; linux-f2fs-devel@lists.sourceforge.net
> Subject: Re: [f2fs-dev] f2fs get_dnode_of_data oops
> 
> Hi Tommi,
> 
> This patch should resolve this bug.
> Thanks a lot. :)
> 
> From ee24677b9917583f50f16b6f59771439f91b890c Mon Sep 17 00:00:00 2001
> From: Jaegeuk Kim <jaegeuk@kernel.org>
> Date: Mon, 8 Sep 2014 10:59:43 -0700
> Subject: [PATCH] f2fs: fix negative value for lseek offset
> 
> If an application throws a negative value for lseek with SEEK_DATA|SEEK_HOLE,
> the previous f2fs went into BUG_ON in get_dnode_of_data, which was reported
> by Tommi Rantala.
> 
> He could make simple code to detect this having:
> 	lseek(fd, -17595150933902LL, SEEK_DATA);
> 
> This patch should resolve that bug.
> 
> Reported-by: Tommi Rantala <tt.rantala@gmail.com>
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> ---
>  fs/f2fs/file.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
> index 9f0ea3d..c9a1295 100644
> --- a/fs/f2fs/file.c
> +++ b/fs/f2fs/file.c
> @@ -281,7 +281,7 @@ static loff_t f2fs_seek_block(struct file *file, loff_t offset, int whence)
>  	mutex_lock(&inode->i_mutex);
> 
>  	isize = i_size_read(inode);
> -	if (offset >= isize)
> +	if (offset >= isize || offset < 0)
>  		goto fail;
> 
>  	/* handle inline data case */
> --
> 1.8.5.2 (Apple Git-48)
> 
> 


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: f2fs get_dnode_of_data oops
  2014-09-09  4:41         ` Jaegeuk Kim
@ 2014-09-09 18:24           ` Tommi Rantala
  -1 siblings, 0 replies; 14+ messages in thread
From: Tommi Rantala @ 2014-09-09 18:24 UTC (permalink / raw)
  To: Jaegeuk Kim; +Cc: linux-f2fs-devel, Changman Lee, LKML, trinity, Dave Jones

2014-09-09 7:41 GMT+03:00 Jaegeuk Kim <jaegeuk@kernel.org>:
> Hi Tommi,
>
> This patch should resolve this bug.
> Thanks a lot. :)
>
> From ee24677b9917583f50f16b6f59771439f91b890c Mon Sep 17 00:00:00 2001
> From: Jaegeuk Kim <jaegeuk@kernel.org>
> Date: Mon, 8 Sep 2014 10:59:43 -0700
> Subject: [PATCH] f2fs: fix negative value for lseek offset
>

Thanks, with this patch applied, I could not reproduce the lseek oops,
but now I hit the following:


[  720.673788] ------------[ cut here ]------------
[  720.674011] kernel BUG at fs/f2fs/node.c:1229!
[  720.674011] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
[  720.674011] CPU: 0 PID: 5298 Comm: trinity-c15 Not tainted 3.17.0-rc4+ #38
[  720.674011] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  720.674011] task: ffff88002c468000 ti: ffff88002c470000 task.ti:
ffff88002c470000
[  720.674011] RIP: 0010:[<ffffffff81776681>]  [<ffffffff81776681>]
f2fs_write_node_page+0x171/0x290
[  720.674011] RSP: 0018:ffff88002c473cb0  EFLAGS: 00010206
[  720.674011] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00006173c0
[  720.674011] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffffea00006173c0
[  720.674011] RBP: ffff88002c473cf8 R08: 0000000000000000 R09: 0000000000000000
[  720.674011] R10: 0000000000000001 R11: ffff8800185cf000 R12: ffffea00006173c0
[  720.674011] R13: ffff8800399d4520 R14: ffff88002c473e68 R15: ffff8800185cf000
[  720.674011] FS:  00007fb4b61d4700(0000) GS:ffff88003fa00000(0000)
knlGS:0000000000000000
[  720.674011] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  720.674011] CR2: 0000000000000008 CR3: 000000002c450000 CR4: 00000000000006f0
[  720.674011] DR0: 0000000001ee3000 DR1: 00000000019d3000 DR2: 0000000000000000
[  720.674011] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[  720.674011] Stack:
[  720.674011]  ffffffff81189e75 0000041100000001 ffff880037cb10a8
ffff88002c473cd8
[  720.674011]  ffff880000000000 0000160000000000 ffff88002c473d58
0000000000000000
[  720.674011]  0000000000000001 ffff88002c473df0 ffffffff81778745
0000000000000000
[  720.674011] Call Trace:
[  720.674011]  [<ffffffff81189e75>] ? trace_hardirqs_on_caller+0x185/0x220
[  720.674011]  [<ffffffff81778745>] sync_node_pages+0x415/0x5f0
[  720.674011]  [<ffffffff812b2790>] ? SyS_tee+0x390/0x390
[  720.674011]  [<ffffffff8176f52d>] write_checkpoint+0x21d/0xeb0
[  720.674011]  [<ffffffff81189ce0>] ? mark_held_locks+0x90/0xa0
[  720.674011]  [<ffffffff82597685>] ? mutex_lock_nested+0x435/0x4b0
[  720.674011]  [<ffffffff81189e75>] ? trace_hardirqs_on_caller+0x185/0x220
[  720.674011]  [<ffffffff812b2790>] ? SyS_tee+0x390/0x390
[  720.674011]  [<ffffffff81769680>] f2fs_sync_fs+0x100/0x180
[  720.674011]  [<ffffffff812b27ab>] sync_fs_one_sb+0x1b/0x20
[  720.674011]  [<ffffffff8128198f>] iterate_supers+0x7f/0xe0
[  720.674011]  [<ffffffff812b2a00>] sys_sync+0x50/0x90
[  720.674011]  [<ffffffff8259cae9>] system_call_fastpath+0x16/0x1b
[  720.674011] Code: 63 00 00 48 b8 00 00 00 00 00 16 00 00 4c 01 e0
48 c1 f8 06 48 c1 e0 0c 49 01 c7 41 8b 9f e8 0f 00 00 89 d8 49 39 44
24 10 74 07 <0f> 0b 0f 1f 44 00 00 48 8d 55 c8 89 de 4c 89 ef e8 3a fb
ff ff
[  720.674011] RIP  [<ffffffff81776681>] f2fs_write_node_page+0x171/0x290
[  720.674011]  RSP <ffff88002c473cb0>
[  720.674011] ------------[ cut here ]------------
[  720.674011] kernel BUG at arch/x86/mm/pageattr.c:216!
[  720.674011] invalid opcode: 0000 [#2] SMP DEBUG_PAGEALLOC
[  720.674011] CPU: 0 PID: 5298 Comm: trinity-c15 Not tainted 3.17.0-rc4+ #38
[  720.674011] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  720.674011] task: ffff88002c468000 ti: ffff88002c470000 task.ti:
ffff88002c470000
[  720.674011] RIP: 0010:[<ffffffff810b0fe0>]  [<ffffffff810b0fe0>]
change_page_attr_set_clr+0x250/0x430
[  720.674011] RSP: 0018:ffff88002c4730b8  EFLAGS: 00010046
[  720.674011] RAX: 0000000000000046 RBX: 0000000000000000 RCX: 0000000000000010
[  720.674011] RDX: 0000000000004600 RSI: 0000000000000000 RDI: 0000000080000000
[  720.674011] RBP: ffff88002c473148 R08: 0000000000000001 R09: ffff880000000000
[  720.674011] R10: ffff880034780738 R11: ffff88000e526610 R12: 0000000000000000
[  720.674011] R13: 0000000000000010 R14: 0000000000000004 R15: 0000000000000005
[  720.674011] FS:  00007fb4b61d4700(0000) GS:ffff88003fa00000(0000)
knlGS:0000000000000000
[  720.674011] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  720.674011] CR2: 0000000000000008 CR3: 000000002c450000 CR4: 00000000000006f0
[  720.674011] DR0: 0000000001ee3000 DR1: 00000000019d3000 DR2: 0000000000000000
[  720.674011] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[  720.674011] Stack:
[  720.674011]  0000000000000000 0000000000000000 0000000000000000
ffffffff00000200
[  720.674011]  ffff880000000001 0000000000000000 0000000000000000
0000000000000010
[  720.674011]  0000000000000000 0000000500000001 0000000000005d4d
0000020000000000
[  720.674011] Call Trace:
[  720.674011]  [<ffffffff810b1396>] _set_pages_array+0x86/0x130
[  720.674011]  [<ffffffff810b1a3e>] set_pages_array_wc+0xe/0x10
[  720.674011]  [<ffffffff81965487>] ttm_set_pages_caching+0x47/0x70
[  720.674011]  [<ffffffff819655f3>] ttm_alloc_new_pages.isra.4+0xf3/0x190
[  720.674011]  [<ffffffff81965ff5>] ttm_pool_populate+0x1b5/0x490
[  720.674011]  [<ffffffff81ae0c59>] cirrus_ttm_tt_populate+0x9/0x10
[  720.674011]  [<ffffffff81961a03>] ttm_bo_move_memcpy+0x183/0x640
[  720.674011]  [<ffffffff81ae0ba3>] cirrus_bo_move+0x13/0x20
[  720.674011]  [<ffffffff8195f081>] ttm_bo_handle_move_mem+0x251/0x590
[  720.674011]  [<ffffffff8196029c>] ? ttm_bo_mem_space+0xbc/0x310
[  720.674011]  [<ffffffff8196093d>] ttm_bo_validate+0x1bd/0x2c0
[  720.674011]  [<ffffffff81ae128c>] cirrus_bo_push_sysram+0x8c/0xd0
[  720.674011]  [<ffffffff81adf609>]
cirrus_crtc_do_set_base.isra.7.constprop.9+0x89/0x3e0
[  720.674011]  [<ffffffff81adfde1>] cirrus_crtc_mode_set+0x481/0x4b0
[  720.674011]  [<ffffffff819326f9>] drm_crtc_helper_set_mode+0x299/0x530
[  720.674011]  [<ffffffff819330ab>] drm_crtc_helper_set_config+0x71b/0xa60
[  720.674011]  [<ffffffff8194d82d>] drm_mode_set_config_internal+0x3d/0x100
[  720.674011]  [<ffffffff8193b3c3>] drm_fb_helper_pan_display+0x93/0xe0
[  720.674011]  [<ffffffff81884034>] fb_pan_display+0x104/0x170
[  720.674011]  [<ffffffff818807fb>] bit_update_start+0x1b/0x50
[  720.674011]  [<ffffffff8187f1ba>] fbcon_switch+0x50a/0x530
[  720.674011]  [<ffffffff8190e979>] redraw_screen+0x129/0x250
[  720.674011]  [<ffffffff81884566>] ? fb_blank+0x66/0xa0
[  720.674011]  [<ffffffff8187d75f>] fbcon_blank+0x20f/0x2d0
[  720.674011]  [<ffffffff8259bbbd>] ? _raw_spin_lock_irqsave+0x7d/0x90
[  720.674011]  [<ffffffff81189f3f>] ? trace_hardirqs_off_caller+0x1f/0xd0
[  720.674011]  [<ffffffff8118a25d>] ? trace_hardirqs_off+0xd/0x10
[  720.674011]  [<ffffffff8259bd3b>] ? _raw_spin_unlock_irqrestore+0x3b/0x60
[  720.674011]  [<ffffffff811a7951>] ? mod_timer+0x221/0x2a0
[  720.674011]  [<ffffffff819109a8>] do_unblank_screen+0x108/0x1e0
[  720.674011]  [<ffffffff81910a8b>] unblank_screen+0xb/0x10
[  720.674011]  [<ffffffff81834399>] bust_spinlocks+0x19/0x30
[  720.674011]  [<ffffffff8106e307>] oops_end+0x37/0x150
[  720.674011]  [<ffffffff8106e565>] die+0x55/0x60
[  720.674011]  [<ffffffff8106acc3>] do_trap+0x63/0x150
[  720.674011]  [<ffffffff8106ae83>] do_error_trap+0xd3/0xf0
[  720.674011]  [<ffffffff81776681>] ? f2fs_write_node_page+0x171/0x290
[  720.674011]  [<ffffffff81832fbd>] ? trace_hardirqs_off_thunk+0x3a/0x3c
[  720.674011]  [<ffffffff8106b24b>] do_invalid_op+0x1b/0x20
[  720.674011]  [<ffffffff8259e53e>] invalid_op+0x1e/0x30
[  720.674011]  [<ffffffff81776681>] ? f2fs_write_node_page+0x171/0x290
[  720.674011]  [<ffffffff81189e75>] ? trace_hardirqs_on_caller+0x185/0x220
[  720.674011]  [<ffffffff81778745>] sync_node_pages+0x415/0x5f0
[  720.674011]  [<ffffffff812b2790>] ? SyS_tee+0x390/0x390
[  720.674011]  [<ffffffff8176f52d>] write_checkpoint+0x21d/0xeb0
[  720.674011]  [<ffffffff81189ce0>] ? mark_held_locks+0x90/0xa0
[  720.674011]  [<ffffffff82597685>] ? mutex_lock_nested+0x435/0x4b0
[  720.674011]  [<ffffffff81189e75>] ? trace_hardirqs_on_caller+0x185/0x220
[  720.674011]  [<ffffffff812b2790>] ? SyS_tee+0x390/0x390
[  720.674011]  [<ffffffff81769680>] f2fs_sync_fs+0x100/0x180
[  720.674011]  [<ffffffff812b27ab>] sync_fs_one_sb+0x1b/0x20
[  720.674011]  [<ffffffff8128198f>] iterate_supers+0x7f/0xe0
[  720.674011]  [<ffffffff812b2a00>] sys_sync+0x50/0x90
[  720.674011]  [<ffffffff8259cae9>] system_call_fastpath+0x16/0x1b
[  720.674011] Code: e6 06 0f 84 f3 00 00 00 85 c9 41 0f 95 c4 81 7d
88 ff 03 00 00 0f 9f c0 41 21 c4 41 0f b6 f4 9c 58 0f 1f 44 00 00 f6
c4 02 75 08 <0f> 0b 66 0f 1f 44 00 00 ba 01 00 00 00 48 c7 c7 d0 f2 0a
81 89
[  720.674011] RIP  [<ffffffff810b0fe0>] change_page_attr_set_clr+0x250/0x430
[  720.674011]  RSP <ffff88002c4730b8>
[  720.674011] ---[ end trace 7dd145ad962d6c6d ]---

* Re: [f2fs-dev] f2fs get_dnode_of_data oops
  2014-09-09  8:10         ` [f2fs-dev] " Chao Yu
@ 2014-09-10  7:23             ` Jaegeuk Kim
  0 siblings, 0 replies; 14+ messages in thread
From: Jaegeuk Kim @ 2014-09-10  7:23 UTC (permalink / raw)
  To: Chao Yu
  Cc: 'Tommi Rantala', 'Dave Jones',
	trinity, 'LKML',
	linux-f2fs-devel

On Tue, Sep 09, 2014 at 04:10:00PM +0800, Chao Yu wrote:
> Hi Jaegeuk,
> 
> Looks good to me!
> 
> One nitpick, how about judging this condition before we lock ->i_mutex to
> avoid unneeded lock contention and invoking of i_size_read()?

Agreed.

From 0b4c5afde9b57c08b55d26725d228d5314cfc57a Mon Sep 17 00:00:00 2001
From: Jaegeuk Kim <jaegeuk@kernel.org>
Date: Mon, 8 Sep 2014 10:59:43 -0700
Subject: [PATCH] f2fs: fix negative value for lseek offset

If an application passes a negative value to lseek with SEEK_DATA|SEEK_HOLE,
the previous f2fs went into BUG_ON in get_dnode_of_data, which was reported
by Tommi Rantala.

He could make simple code to detect this with:
	lseek(fd, -17595150933902LL, SEEK_DATA);

This patch should resolve that bug.

Reported-by: Tommi Rentala <tt.rantala@gmail.com>
[Jaegeuk Kim: relocate the condition as suggested by Chao]
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/file.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index 9f0ea3d..5cde363 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -353,6 +353,8 @@ static loff_t f2fs_llseek(struct file *file, loff_t offset, int whence)
 						maxbytes, i_size_read(inode));
 	case SEEK_DATA:
 	case SEEK_HOLE:
+		if (offset < 0)
+			return -ENXIO;
 		return f2fs_seek_block(file, offset, whence);
 	}
 
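Review bot: The new "if (offset < 0)" guard under case SEEK_DATA / case SEEK_HOLE has no comment, so nothing at the call site records that f2fs_seek_block() must never be handed a negative offset; add a one-line comment saying so, since the commit message ties the crash in get_dnode_of_data to exactly this input. The commit message should also say why -ENXIO is the errno chosen for this case. Separately, the Reported-by: tag reads "Tommi Rentala" while the message body and the thread spell the name "Tommi Rantala"; correct the tag before the patch is applied.
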
-- 
1.8.5.2 (Apple Git-48)
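
Added example (not part of the original message or the f2fs tree): a user-space regression check for the behaviour the commit message describes, confirming that SEEK_DATA and SEEK_HOLE reject negative offsets with an error and leave the file position untouched. The name negative_seek_failures, the scratch-file layout and the extra offsets are assumptions made here, as is accepting EINVAL alongside the patch's ENXIO.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* exposes SEEK_DATA / SEEK_HOLE on glibc */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef SEEK_DATA                /* Linux values, in case the headers hide them */
#define SEEK_DATA 3
#define SEEK_HOLE 4
#endif

/* The first offset is the one quoted in the commit message; the others are
 * constructed samples. All assume a 64-bit off_t. */
static const long long bad_offsets[] = { -17595150933902LL, -1LL, -4096LL };

/* Returns 0 when a negative offset is rejected cleanly: lseek() returns -1,
 * errno is ENXIO (what the patch returns) or EINVAL (accepted here as an
 * assumption), and the file position is left where it was. */
static int rejects_negative(int fd, off_t off, int whence)
{
    off_t before = lseek(fd, 0, SEEK_CUR);
    off_t ret;

    errno = 0;
    ret = lseek(fd, off, whence);
    if (ret != (off_t)-1 || (errno != ENXIO && errno != EINVAL))
        return -1;
    return lseek(fd, 0, SEEK_CUR) == before ? 0 : -1;
}

/* Creates a sparse scratch file under dir (hypothetical helper, not kernel
 * code) and returns the number of failed checks, or -1 on a setup error. */
int negative_seek_failures(const char *dir)
{
    static const int whences[] = { SEEK_DATA, SEEK_HOLE };
    char path[4096];
    int fd, len, failures = 0;
    size_t i, j;
    off_t first;

    len = snprintf(path, sizeof(path), "%s/seekcheck.XXXXXX", dir);
    if (len < 0 || len >= (int)sizeof(path))
        return -1;
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                /* scratch file disappears on close */

    /* One byte of data, a 1 MiB gap, one more byte: data, hole, data. */
    if (pwrite(fd, "x", 1, 0) != 1 || pwrite(fd, "y", 1, 1 << 20) != 1) {
        close(fd);
        return -1;
    }

    for (i = 0; i < sizeof(whences) / sizeof(whences[0]); i++)
        for (j = 0; j < sizeof(bad_offsets) / sizeof(bad_offsets[0]); j++)
            if (rejects_negative(fd, (off_t)bad_offsets[j], whences[i]) != 0)
                failures++;

    /* A valid request must still work: offset 0 holds data. EINVAL here
     * means SEEK_DATA is not implemented at all on this system. */
    errno = 0;
    first = lseek(fd, 0, SEEK_DATA);
    if (first != 0 && !(first == (off_t)-1 && errno == EINVAL))
        failures++;

    close(fd);
    return failures;
}

int main(int argc, char **argv)
{
    /* Pass a directory on the file system under test; defaults to ".". */
    int n = negative_seek_failures(argc > 1 ? argv[1] : ".");

    printf("%d failed check(s) (-1 means setup error)\n", n);
    return n == 0 ? 0 : 1;
}
```

Run it with a directory on the mounted file system under test as the only argument; an exit status of 0 means every negative-offset request was rejected.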



* Re: f2fs get_dnode_of_data oops
  2014-09-09 18:24           ` Tommi Rantala
  (?)
@ 2014-09-10  7:26           ` Jaegeuk Kim
  -1 siblings, 0 replies; 14+ messages in thread
From: Jaegeuk Kim @ 2014-09-10  7:26 UTC (permalink / raw)
  To: Tommi Rantala; +Cc: linux-f2fs-devel, Changman Lee, LKML, trinity, Dave Jones

Hi,

On Tue, Sep 09, 2014 at 09:24:18PM +0300, Tommi Rantala wrote:
> 2014-09-09 7:41 GMT+03:00 Jaegeuk Kim <jaegeuk@kernel.org>:
> > Hi Tommi,
> >
> > This patch should resolve this bug.
> > Thanks a lot. :)
> >
> > From ee24677b9917583f50f16b6f59771439f91b890c Mon Sep 17 00:00:00 2001
> > From: Jaegeuk Kim <jaegeuk@kernel.org>
> > Date: Mon, 8 Sep 2014 10:59:43 -0700
> > Subject: [PATCH] f2fs: fix negative value for lseek offset
> >
> 
> Thanks, with this patch applied, I could not reproduce the lseek oops,
> but now I hit the following:

Hmm.
Could you share a little bit more information?
Is it reproducible?
What are the page->index and nid_of_node(page)?

Thanks,

