* [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
@ 2021-07-22  4:41 Jack Qiu
  2021-07-22 14:05 ` Chao Yu
  0 siblings, 1 reply; 7+ messages in thread
From: Jack Qiu @ 2021-07-22  4:41 UTC (permalink / raw)
  To: chao, jaegeuk; +Cc: linux-f2fs-devel

The root cause is calling shrink_dcache_sb after sbi has been freed.
So call shrink_dcache_sb before freeing sbi and other resources.

==================================================================
BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729

PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
4.19.195-00002-g67dceea04431-dirty #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
04/01/2014
Call Trace:
 dump_stack+0xe5/0x14b
 ? f2fs_evict_inode+0x31c/0xde5
 print_address_description+0x6c/0x237
 ? f2fs_evict_inode+0x31c/0xde5
 kasan_report.cold+0x88/0x2a3
 f2fs_evict_inode+0x31c/0xde5
 ? full_proxy_open.cold+0x12/0x12
 evict+0x2cd/0x5f0
 iput+0x3d9/0x6f0
 dentry_unlink_inode+0x273/0x330
 __dentry_kill+0x340/0x5e0
 dentry_kill+0xb7/0x740
 shrink_dentry_list+0x256/0x660
 shrink_dcache_sb+0x11f/0x1d0
 ? shrink_dentry_list+0x660/0x660
 ? __kasan_slab_free+0x144/0x180
 f2fs_fill_super+0x2a34/0x4a80
 ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
 ? wait_for_completion+0x3c0/0x3c0
 ? set_blocksize+0x230/0x2b0
 mount_bdev+0x2c1/0x370
 ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
 mount_fs+0x4c/0x1c0
 vfs_kern_mount.part.0+0x60/0x3d0
 do_mount+0x367/0x2570
 ? kasan_unpoison_shadow+0x33/0x40
 ? copy_mount_string+0x40/0x40
 ? kmem_cache_alloc_trace+0x13f/0x2b0
 ? _copy_from_user+0x94/0x100
 ? copy_mount_options+0x1f1/0x2e0
 ksys_mount+0xa0/0x100
 __x64_sys_mount+0xbf/0x160
 do_syscall_64+0xc2/0x190
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x47938e
Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00

Allocated by task 8729:
 kasan_kmalloc+0xc2/0xe0
 kmem_cache_alloc_trace+0x13f/0x2b0
 f2fs_fill_super+0x124/0x4a80
 mount_bdev+0x2c1/0x370
 mount_fs+0x4c/0x1c0
 vfs_kern_mount.part.0+0x60/0x3d0
 do_mount+0x367/0x2570
 ksys_mount+0xa0/0x100
 __x64_sys_mount+0xbf/0x160
 do_syscall_64+0xc2/0x190
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8729:
 __kasan_slab_free+0x12f/0x180
 kfree+0xfa/0x2a0
 f2fs_fill_super+0x2a00/0x4a80
 mount_bdev+0x2c1/0x370
 mount_fs+0x4c/0x1c0
 vfs_kern_mount.part.0+0x60/0x3d0
 do_mount+0x367/0x2570
 ksys_mount+0xa0/0x100
 __x64_sys_mount+0xbf/0x160
 do_syscall_64+0xc2/0x190
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
---
 fs/f2fs/super.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 8fecd3050ccd..b041625e06ce 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
 free_compress_inode:
 	f2fs_destroy_compress_inode(sbi);
 free_root_inode:
+	if (retry_cnt > 0 && skip_recovery)
+		shrink_dcache_sb(sb);
 	dput(sb->s_root);
 	sb->s_root = NULL;
 free_node_inode:
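Review bot: the new `shrink_dcache_sb(sb)` under `free_root_inode:` is guarded by `retry_cnt > 0 && skip_recovery`, the very condition the retry block at the bottom of the function tests before `retry_cnt--` and `goto try_onemore`; the two copies now have to be kept in sync by hand, so either drive both from one flag or add a comment here stating why the shrink must run while `sbi` is still allocated (the commit message explains that `f2fs_evict_inode` reaches the freed `sbi`, the code does not). The changelog should also say explicitly that the shrink now runs before `dput(sb->s_root)` rather than after it, as the removed call did, so the reordering reads as intended and not as an accident of where the label happened to be.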
@@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
 	/* give only one another chance */
 	if (retry_cnt > 0 && skip_recovery) {
 		retry_cnt--;
-		shrink_dcache_sb(sb);
 		goto try_onemore;
 	}
 	return err;
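Review bot: with the `shrink_dcache_sb(sb)` removed, this block only decrements `retry_cnt` and jumps back, so nothing on the way to `try_onemore` touches the already freed `sbi`, which is the fix; but the patch carries no `Fixes:` tag and no `Cc: stable@vger.kernel.org`, and since the report is against 4.19.195 the stable maintainers need both to pick the change up. The `/* give only one another chance */` comment could also note that dcache cleanup already happened under `free_root_inode:`, so nobody re-adds a shrink here later.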
--
2.17.1



_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel


* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
  2021-07-22  4:41 [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super Jack Qiu
@ 2021-07-22 14:05 ` Chao Yu
  2021-07-23  2:41   ` Jack Qiu
  0 siblings, 1 reply; 7+ messages in thread
From: Chao Yu @ 2021-07-22 14:05 UTC (permalink / raw)
  To: Jack Qiu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/22 12:41, Jack Qiu wrote:
> The root cause is calling shrink_dcache_sb after sbi has been freed.
> So call shrink_dcache_sb before freeing sbi and other resources.
> 
> ==================================================================
> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
> 
> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
> 4.19.195-00002-g67dceea04431-dirty #31

Does this bug belong to 4.19.195?

> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
> 04/01/2014
> Call Trace:
>   dump_stack+0xe5/0x14b
>   ? f2fs_evict_inode+0x31c/0xde5
>   print_address_description+0x6c/0x237
>   ? f2fs_evict_inode+0x31c/0xde5
>   kasan_report.cold+0x88/0x2a3
>   f2fs_evict_inode+0x31c/0xde5
>   ? full_proxy_open.cold+0x12/0x12
>   evict+0x2cd/0x5f0
>   iput+0x3d9/0x6f0
>   dentry_unlink_inode+0x273/0x330
>   __dentry_kill+0x340/0x5e0
>   dentry_kill+0xb7/0x740
>   shrink_dentry_list+0x256/0x660
>   shrink_dcache_sb+0x11f/0x1d0
>   ? shrink_dentry_list+0x660/0x660
>   ? __kasan_slab_free+0x144/0x180
>   f2fs_fill_super+0x2a34/0x4a80
>   ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>   ? wait_for_completion+0x3c0/0x3c0
>   ? set_blocksize+0x230/0x2b0
>   mount_bdev+0x2c1/0x370
>   ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>   mount_fs+0x4c/0x1c0
>   vfs_kern_mount.part.0+0x60/0x3d0
>   do_mount+0x367/0x2570
>   ? kasan_unpoison_shadow+0x33/0x40
>   ? copy_mount_string+0x40/0x40
>   ? kmem_cache_alloc_trace+0x13f/0x2b0
>   ? _copy_from_user+0x94/0x100
>   ? copy_mount_options+0x1f1/0x2e0
>   ksys_mount+0xa0/0x100
>   __x64_sys_mount+0xbf/0x160
>   do_syscall_64+0xc2/0x190
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x47938e
> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
> 
> Allocated by task 8729:
>   kasan_kmalloc+0xc2/0xe0
>   kmem_cache_alloc_trace+0x13f/0x2b0
>   f2fs_fill_super+0x124/0x4a80
>   mount_bdev+0x2c1/0x370
>   mount_fs+0x4c/0x1c0
>   vfs_kern_mount.part.0+0x60/0x3d0
>   do_mount+0x367/0x2570
>   ksys_mount+0xa0/0x100
>   __x64_sys_mount+0xbf/0x160
>   do_syscall_64+0xc2/0x190
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> Freed by task 8729:
>   __kasan_slab_free+0x12f/0x180
>   kfree+0xfa/0x2a0
>   f2fs_fill_super+0x2a00/0x4a80
>   mount_bdev+0x2c1/0x370
>   mount_fs+0x4c/0x1c0
>   vfs_kern_mount.part.0+0x60/0x3d0
>   do_mount+0x367/0x2570
>   ksys_mount+0xa0/0x100
>   __x64_sys_mount+0xbf/0x160
>   do_syscall_64+0xc2/0x190
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
> ---
>   fs/f2fs/super.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index 8fecd3050ccd..b041625e06ce 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>   free_compress_inode:
>   	f2fs_destroy_compress_inode(sbi);
>   free_root_inode:
> +	if (retry_cnt > 0 && skip_recovery)
> +		shrink_dcache_sb(sb);

Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs(),
could you please check whether this can fix the issue?

Thanks,

>   	dput(sb->s_root);
>   	sb->s_root = NULL;
>   free_node_inode:
> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>   	/* give only one another chance */
>   	if (retry_cnt > 0 && skip_recovery) {
>   		retry_cnt--;
> -		shrink_dcache_sb(sb);
>   		goto try_onemore;
>   	}
>   	return err;
> --
> 2.17.1
> 



* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
  2021-07-22 14:05 ` Chao Yu
@ 2021-07-23  2:41   ` Jack Qiu
  2021-07-23  2:51     ` Chao Yu
  0 siblings, 1 reply; 7+ messages in thread
From: Jack Qiu @ 2021-07-23  2:41 UTC (permalink / raw)
  To: Chao Yu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/22 22:05, Chao Yu wrote:
> On 2021/7/22 12:41, Jack Qiu wrote:
>> The root cause is calling shrink_dcache_sb after sbi has been freed.
>> So call shrink_dcache_sb before freeing sbi and other resources.
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>
>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>> 4.19.195-00002-g67dceea04431-dirty #31
> 
> Does this bug belong to 4.19.195?
> 
Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.

git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
v3.17-rc4~27^2~17

@@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
        brelse(raw_super_buf);
 free_sbi:
        kfree(sbi);    ---  free sbi
+
+       /* give only one another chance */
+       if (retry) {
+               retry = !retry;
+               shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
+               goto try_onemore;
+       }
        return err;
 }

>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>> 04/01/2014
>> Call Trace:
>>   dump_stack+0xe5/0x14b
>>   ? f2fs_evict_inode+0x31c/0xde5
>>   print_address_description+0x6c/0x237
>>   ? f2fs_evict_inode+0x31c/0xde5
>>   kasan_report.cold+0x88/0x2a3
>>   f2fs_evict_inode+0x31c/0xde5
>>   ? full_proxy_open.cold+0x12/0x12
>>   evict+0x2cd/0x5f0
>>   iput+0x3d9/0x6f0
>>   dentry_unlink_inode+0x273/0x330
>>   __dentry_kill+0x340/0x5e0
>>   dentry_kill+0xb7/0x740
>>   shrink_dentry_list+0x256/0x660
>>   shrink_dcache_sb+0x11f/0x1d0
>>   ? shrink_dentry_list+0x660/0x660
>>   ? __kasan_slab_free+0x144/0x180
>>   f2fs_fill_super+0x2a34/0x4a80
>>   ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>   ? wait_for_completion+0x3c0/0x3c0
>>   ? set_blocksize+0x230/0x2b0
>>   mount_bdev+0x2c1/0x370
>>   ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>   mount_fs+0x4c/0x1c0
>>   vfs_kern_mount.part.0+0x60/0x3d0
>>   do_mount+0x367/0x2570
>>   ? kasan_unpoison_shadow+0x33/0x40
>>   ? copy_mount_string+0x40/0x40
>>   ? kmem_cache_alloc_trace+0x13f/0x2b0
>>   ? _copy_from_user+0x94/0x100
>>   ? copy_mount_options+0x1f1/0x2e0
>>   ksys_mount+0xa0/0x100
>>   __x64_sys_mount+0xbf/0x160
>>   do_syscall_64+0xc2/0x190
>>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x47938e
>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>
>> Allocated by task 8729:
>>   kasan_kmalloc+0xc2/0xe0
>>   kmem_cache_alloc_trace+0x13f/0x2b0
>>   f2fs_fill_super+0x124/0x4a80
>>   mount_bdev+0x2c1/0x370
>>   mount_fs+0x4c/0x1c0
>>   vfs_kern_mount.part.0+0x60/0x3d0
>>   do_mount+0x367/0x2570
>>   ksys_mount+0xa0/0x100
>>   __x64_sys_mount+0xbf/0x160
>>   do_syscall_64+0xc2/0x190
>>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Freed by task 8729:
>>   __kasan_slab_free+0x12f/0x180
>>   kfree+0xfa/0x2a0
>>   f2fs_fill_super+0x2a00/0x4a80
>>   mount_bdev+0x2c1/0x370
>>   mount_fs+0x4c/0x1c0
>>   vfs_kern_mount.part.0+0x60/0x3d0
>>   do_mount+0x367/0x2570
>>   ksys_mount+0xa0/0x100
>>   __x64_sys_mount+0xbf/0x160
>>   do_syscall_64+0xc2/0x190
>>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>> ---
>>   fs/f2fs/super.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>> index 8fecd3050ccd..b041625e06ce 100644
>> --- a/fs/f2fs/super.c
>> +++ b/fs/f2fs/super.c
>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>   free_compress_inode:
>>       f2fs_destroy_compress_inode(sbi);
>>   free_root_inode:
>> +    if (retry_cnt > 0 && skip_recovery)
>> +        shrink_dcache_sb(sb);
> 
> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs(),
Cannot find *evict_inodes*, could you please elaborate in more detail?
> could you please check whether this can fix the issue?
I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
maybe I missed other scenarios. If you have other comments, please let me know.

Thanks,
> 
> Thanks,
> 
>>       dput(sb->s_root);
>>       sb->s_root = NULL;
>>   free_node_inode:
>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>       /* give only one another chance */
>>       if (retry_cnt > 0 && skip_recovery) {
>>           retry_cnt--;
>> -        shrink_dcache_sb(sb);
>>           goto try_onemore;
>>       }
>>       return err;
>> -- 
>> 2.17.1
>>
> .
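
The ordering hazard described in the reply above (kfree(sbi) at the free_sbi: label, then shrink_dcache_sb() on the retry path evicting the cached inode, whose f2fs_evict_inode() reads sbi) can be reproduced outside the kernel. What follows is an added example, not code from the patch, from the kernel or from either participant: a user-space C model in which tracked_free()/is_freed() stand in for KASAN's freed-object tracking and model_evict_inode()/model_shrink_dcache_sb() stand in for the kernel functions. All struct and function names are constructed for the illustration; run_unwind() runs the mount-failure unwind in the original order and in the fixed order and reports whether the evict callback reached a freed sbi.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins (constructed) for the kernel objects named in the thread. */
struct sb_info { int valid_blocks; };                    /* f2fs_sb_info */
struct inode { struct sb_info *sbi; int dirty_blocks; }; /* inode cached on the sb */
struct super_block { struct sb_info *s_fs_info; struct inode *cached_inode; };

/*
 * Minimal model of what KASAN does in the report: remember which objects
 * have been "freed" and flag any later access to them.  tracked_free() does
 * not hand the memory back to malloc, so a stale access is only recorded,
 * never performed as real undefined behaviour.
 */
#define QUARANTINE_MAX 8
static void *quarantine[QUARANTINE_MAX];
static int quarantine_len;
static int uaf_detected;

static void tracked_free(void *p)
{
    if (quarantine_len < QUARANTINE_MAX)
        quarantine[quarantine_len++] = p;
}

static int is_freed(const void *p)
{
    for (int i = 0; i < quarantine_len; i++)
        if (quarantine[i] == p)
            return 1;
    return 0;
}

/* Plays the role of f2fs_evict_inode(): reaches sbi through the inode. */
static void model_evict_inode(struct inode *inode)
{
    if (is_freed(inode->sbi)) {
        uaf_detected = 1;               /* the read KASAN reported */
        return;
    }
    inode->sbi->valid_blocks -= inode->dirty_blocks;
}

/* Plays the role of shrink_dcache_sb(): killing dentries evicts inodes. */
static void model_shrink_dcache_sb(struct super_block *sb)
{
    if (sb->cached_inode) {
        model_evict_inode(sb->cached_inode);
        free(sb->cached_inode);
        sb->cached_inode = NULL;
    }
}

/* Unwind ordering of the original code: kfree(sbi) first, shrink on retry. */
static void unwind_original(struct super_block *sb, int retry)
{
    tracked_free(sb->s_fs_info);        /* free_sbi: kfree(sbi) */
    sb->s_fs_info = NULL;
    if (retry)                          /* "give only one another chance" */
        model_shrink_dcache_sb(sb);     /* evict now reads the freed sbi */
}

/* Ordering after the fix: shrink while sbi is alive, then free it. */
static void unwind_fixed(struct super_block *sb, int retry)
{
    if (retry)
        model_shrink_dcache_sb(sb);     /* free_root_inode: shrink first */
    tracked_free(sb->s_fs_info);
    sb->s_fs_info = NULL;
}

/*
 * Run one unwind on constructed state (one sbi, one cached inode pointing at
 * it).  Returns 1 if the model observed an access to freed sbi, 0 if not,
 * -1 on allocation failure.
 */
int run_unwind(int fixed, int retry)
{
    struct sb_info *sbi = malloc(sizeof(*sbi));
    struct inode *ino = malloc(sizeof(*ino));
    struct super_block sb = { .s_fs_info = sbi, .cached_inode = ino };
    int detected;

    if (!sbi || !ino) { free(sbi); free(ino); return -1; }
    sbi->valid_blocks = 100;            /* constructed sample values */
    ino->sbi = sbi;
    ino->dirty_blocks = 4;

    quarantine_len = 0;
    uaf_detected = 0;
    if (fixed)
        unwind_fixed(&sb, retry);
    else
        unwind_original(&sb, retry);
    detected = uaf_detected;

    free(sb.cached_inode);              /* NULL when the shrink already ran */
    free(sbi);                          /* real release of the quarantined object */
    return detected;
}

int main(void)
{
    printf("original order, retry:    UAF=%d\n", run_unwind(0, 1));
    printf("fixed order, retry:       UAF=%d\n", run_unwind(1, 1));
    printf("original order, no retry: UAF=%d\n", run_unwind(0, 0));
    return 0;
}
```

Compile with cc -std=c11 -Wall. The original order with retry set reports an access to freed sbi and the fixed order does not; with retry clear neither order does, which mirrors why the report only appears on the retry path and why a one-shot retry is enough to hit it.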




* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
  2021-07-23  2:41   ` Jack Qiu
@ 2021-07-23  2:51     ` Chao Yu
  2021-07-23  3:27       ` Jack Qiu
  0 siblings, 1 reply; 7+ messages in thread
From: Chao Yu @ 2021-07-23  2:51 UTC (permalink / raw)
  To: Jack Qiu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/23 10:41, Jack Qiu wrote:
> On 2021/7/22 22:05, Chao Yu wrote:
>> On 2021/7/22 12:41, Jack Qiu wrote:
>>> The root cause is calling shrink_dcache_sb after sbi has been freed.
>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>
>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>> 4.19.195-00002-g67dceea04431-dirty #31
>>
>> Does this bug belong to 4.19.195?

I mean, does this bug exist in mainline? Not sure, I just suspect maybe
we have fixed this issue but forgot to backport it to the 4.19 stable kernel.

>>
> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
> 
> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
> v3.17-rc4~27^2~17
> 
> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>          brelse(raw_super_buf);
>   free_sbi:
>          kfree(sbi);    ---  free sbi
> +
> +       /* give only one another chance */
> +       if (retry) {
> +               retry = !retry;
> +               shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
> +               goto try_onemore;
> +       }
>          return err;
>   }
> 
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>>> 04/01/2014
>>> Call Trace:
>>>    dump_stack+0xe5/0x14b
>>>    ? f2fs_evict_inode+0x31c/0xde5
>>>    print_address_description+0x6c/0x237
>>>    ? f2fs_evict_inode+0x31c/0xde5
>>>    kasan_report.cold+0x88/0x2a3
>>>    f2fs_evict_inode+0x31c/0xde5
>>>    ? full_proxy_open.cold+0x12/0x12
>>>    evict+0x2cd/0x5f0
>>>    iput+0x3d9/0x6f0
>>>    dentry_unlink_inode+0x273/0x330
>>>    __dentry_kill+0x340/0x5e0
>>>    dentry_kill+0xb7/0x740
>>>    shrink_dentry_list+0x256/0x660
>>>    shrink_dcache_sb+0x11f/0x1d0
>>>    ? shrink_dentry_list+0x660/0x660
>>>    ? __kasan_slab_free+0x144/0x180
>>>    f2fs_fill_super+0x2a34/0x4a80
>>>    ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>    ? wait_for_completion+0x3c0/0x3c0
>>>    ? set_blocksize+0x230/0x2b0
>>>    mount_bdev+0x2c1/0x370
>>>    ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>    mount_fs+0x4c/0x1c0
>>>    vfs_kern_mount.part.0+0x60/0x3d0
>>>    do_mount+0x367/0x2570
>>>    ? kasan_unpoison_shadow+0x33/0x40
>>>    ? copy_mount_string+0x40/0x40
>>>    ? kmem_cache_alloc_trace+0x13f/0x2b0
>>>    ? _copy_from_user+0x94/0x100
>>>    ? copy_mount_options+0x1f1/0x2e0
>>>    ksys_mount+0xa0/0x100
>>>    __x64_sys_mount+0xbf/0x160
>>>    do_syscall_64+0xc2/0x190
>>>    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>> RIP: 0033:0x47938e
>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>
>>> Allocated by task 8729:
>>>    kasan_kmalloc+0xc2/0xe0
>>>    kmem_cache_alloc_trace+0x13f/0x2b0
>>>    f2fs_fill_super+0x124/0x4a80
>>>    mount_bdev+0x2c1/0x370
>>>    mount_fs+0x4c/0x1c0
>>>    vfs_kern_mount.part.0+0x60/0x3d0
>>>    do_mount+0x367/0x2570
>>>    ksys_mount+0xa0/0x100
>>>    __x64_sys_mount+0xbf/0x160
>>>    do_syscall_64+0xc2/0x190
>>>    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>
>>> Freed by task 8729:
>>>    __kasan_slab_free+0x12f/0x180
>>>    kfree+0xfa/0x2a0
>>>    f2fs_fill_super+0x2a00/0x4a80
>>>    mount_bdev+0x2c1/0x370
>>>    mount_fs+0x4c/0x1c0
>>>    vfs_kern_mount.part.0+0x60/0x3d0
>>>    do_mount+0x367/0x2570
>>>    ksys_mount+0xa0/0x100
>>>    __x64_sys_mount+0xbf/0x160
>>>    do_syscall_64+0xc2/0x190
>>>    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>
>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>> ---
>>>    fs/f2fs/super.c | 3 ++-
>>>    1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>> index 8fecd3050ccd..b041625e06ce 100644
>>> --- a/fs/f2fs/super.c
>>> +++ b/fs/f2fs/super.c
>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>    free_compress_inode:
>>>        f2fs_destroy_compress_inode(sbi);
>>>    free_root_inode:
>>> +    if (retry_cnt > 0 && skip_recovery)
>>> +        shrink_dcache_sb(sb);
>>
>> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs(),
> Cannot find *evict_inodes*, could you please elaborate in more detail?

Could you please check whether the patch below can fix this issue?

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98

Thanks,

>> could you please check whether this can fix the issue?
> I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
> maybe I missed other scenarios. If you have other comments, please let me know.
> 
> Thanks,
>>
>> Thanks,
>>
>>>        dput(sb->s_root);
>>>        sb->s_root = NULL;
>>>    free_node_inode:
>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>        /* give only one another chance */
>>>        if (retry_cnt > 0 && skip_recovery) {
>>>            retry_cnt--;
>>> -        shrink_dcache_sb(sb);
>>>            goto try_onemore;
>>>        }
>>>        return err;
>>> -- 
>>> 2.17.1
>>>
>> .
> 



* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
  2021-07-23  2:51     ` Chao Yu
@ 2021-07-23  3:27       ` Jack Qiu
  2021-07-23  3:29         ` Chao Yu
  0 siblings, 1 reply; 7+ messages in thread
From: Jack Qiu @ 2021-07-23  3:27 UTC (permalink / raw)
  To: Chao Yu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/23 10:51, Chao Yu wrote:
> On 2021/7/23 10:41, Jack Qiu wrote:
>> On 2021/7/22 22:05, Chao Yu wrote:
>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>> The root cause is calling shrink_dcache_sb after sbi has been freed.
>>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>>
>>>> ==================================================================
>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>
>>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>
>>> Does this bug belong to 4.19.195?
> 
> I mean, does this bug exist in mainline? Not sure, I just suspect maybe
> we have fixed this issue but forgot to backport it to the 4.19 stable kernel.
> 
Got it.
>>>
>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>
>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>> v3.17-rc4~27^2~17
>>
>> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>          brelse(raw_super_buf);
>>   free_sbi:
>>          kfree(sbi);    ---  free sbi
>> +
>> +       /* give only one another chance */
>> +       if (retry) {
>> +               retry = !retry;
>> +               shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
>> +               goto try_onemore;
>> +       }
>>          return err;
>>   }
>>
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>>>> 04/01/2014
>>>> Call Trace:
>>>>    dump_stack+0xe5/0x14b
>>>>    ? f2fs_evict_inode+0x31c/0xde5
>>>>    print_address_description+0x6c/0x237
>>>>    ? f2fs_evict_inode+0x31c/0xde5
>>>>    kasan_report.cold+0x88/0x2a3
>>>>    f2fs_evict_inode+0x31c/0xde5
>>>>    ? full_proxy_open.cold+0x12/0x12
>>>>    evict+0x2cd/0x5f0
>>>>    iput+0x3d9/0x6f0
>>>>    dentry_unlink_inode+0x273/0x330
>>>>    __dentry_kill+0x340/0x5e0
>>>>    dentry_kill+0xb7/0x740
>>>>    shrink_dentry_list+0x256/0x660
>>>>    shrink_dcache_sb+0x11f/0x1d0
>>>>    ? shrink_dentry_list+0x660/0x660
>>>>    ? __kasan_slab_free+0x144/0x180
>>>>    f2fs_fill_super+0x2a34/0x4a80
>>>>    ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>    ? wait_for_completion+0x3c0/0x3c0
>>>>    ? set_blocksize+0x230/0x2b0
>>>>    mount_bdev+0x2c1/0x370
>>>>    ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>    mount_fs+0x4c/0x1c0
>>>>    vfs_kern_mount.part.0+0x60/0x3d0
>>>>    do_mount+0x367/0x2570
>>>>    ? kasan_unpoison_shadow+0x33/0x40
>>>>    ? copy_mount_string+0x40/0x40
>>>>    ? kmem_cache_alloc_trace+0x13f/0x2b0
>>>>    ? _copy_from_user+0x94/0x100
>>>>    ? copy_mount_options+0x1f1/0x2e0
>>>>    ksys_mount+0xa0/0x100
>>>>    __x64_sys_mount+0xbf/0x160
>>>>    do_syscall_64+0xc2/0x190
>>>>    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>> RIP: 0033:0x47938e
>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>>
>>>> Allocated by task 8729:
>>>>    kasan_kmalloc+0xc2/0xe0
>>>>    kmem_cache_alloc_trace+0x13f/0x2b0
>>>>    f2fs_fill_super+0x124/0x4a80
>>>>    mount_bdev+0x2c1/0x370
>>>>    mount_fs+0x4c/0x1c0
>>>>    vfs_kern_mount.part.0+0x60/0x3d0
>>>>    do_mount+0x367/0x2570
>>>>    ksys_mount+0xa0/0x100
>>>>    __x64_sys_mount+0xbf/0x160
>>>>    do_syscall_64+0xc2/0x190
>>>>    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>
>>>> Freed by task 8729:
>>>>    __kasan_slab_free+0x12f/0x180
>>>>    kfree+0xfa/0x2a0
>>>>    f2fs_fill_super+0x2a00/0x4a80
>>>>    mount_bdev+0x2c1/0x370
>>>>    mount_fs+0x4c/0x1c0
>>>>    vfs_kern_mount.part.0+0x60/0x3d0
>>>>    do_mount+0x367/0x2570
>>>>    ksys_mount+0xa0/0x100
>>>>    __x64_sys_mount+0xbf/0x160
>>>>    do_syscall_64+0xc2/0x190
>>>>    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>
>>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>>> ---
>>>>    fs/f2fs/super.c | 3 ++-
>>>>    1 file changed, 2 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>> index 8fecd3050ccd..b041625e06ce 100644
>>>> --- a/fs/f2fs/super.c
>>>> +++ b/fs/f2fs/super.c
>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>    free_compress_inode:
>>>>        f2fs_destroy_compress_inode(sbi);
>>>>    free_root_inode:
>>>> +    if (retry_cnt > 0 && skip_recovery)
>>>> +        shrink_dcache_sb(sb);
>>>
>>> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs(),
>> Cannot find *evict_inodes*, could you please elaborate in more detail?
> 
> Could you please check whether the patch below can fix this issue?
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98
> 
> Thanks,
> 
I will test it.

Thanks,
>>> could you please check whether this can fix the issue?
>> I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
>> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
>> maybe I missed other scenarios. If you have other comments, please let me know.
>>
>> Thanks,
>>>
>>> Thanks,
>>>
>>>>        dput(sb->s_root);
>>>>        sb->s_root = NULL;
>>>>    free_node_inode:
>>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>        /* give only one another chance */
>>>>        if (retry_cnt > 0 && skip_recovery) {
>>>>            retry_cnt--;
>>>> -        shrink_dcache_sb(sb);
>>>>            goto try_onemore;
>>>>        }
>>>>        return err;
>>>> -- 
>>>> 2.17.1
>>>>
>>> .
>>
> .




* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
  2021-07-23  3:27       ` Jack Qiu
@ 2021-07-23  3:29         ` Chao Yu
  2021-07-23  3:45           ` Jack Qiu
  0 siblings, 1 reply; 7+ messages in thread
From: Chao Yu @ 2021-07-23  3:29 UTC (permalink / raw)
  To: Jack Qiu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/23 11:27, Jack Qiu wrote:
> On 2021/7/23 10:51, Chao Yu wrote:
>> On 2021/7/23 10:41, Jack Qiu wrote:
>>> On 2021/7/22 22:05, Chao Yu wrote:
>>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>>> The root cause is calling shrink_dcache_sb after sbi has been freed.
>>>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>>>
>>>>> ==================================================================
>>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>>
>>>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>>
>>>> Does this bug belong to 4.19.195?
>>
>> I mean, does this bug exist in mainline? Not sure, I just suspect maybe
>> we have fixed this issue but forgot to backport it to the 4.19 stable kernel.
>>
> Got it.
>>>>
>>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>>
>>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>>> v3.17-rc4~27^2~17
>>>
>>> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>           brelse(raw_super_buf);
>>>    free_sbi:
>>>           kfree(sbi);    ---  free sbi
>>> +
>>> +       /* give only one another chance */
>>> +       if (retry) {
>>> +               retry = !retry;
>>> +               shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
>>> +               goto try_onemore;
>>> +       }
>>>           return err;
>>>    }
>>>
>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>>>>> 04/01/2014
>>>>> Call Trace:
>>>>>     dump_stack+0xe5/0x14b
>>>>>     ? f2fs_evict_inode+0x31c/0xde5
>>>>>     print_address_description+0x6c/0x237
>>>>>     ? f2fs_evict_inode+0x31c/0xde5
>>>>>     kasan_report.cold+0x88/0x2a3
>>>>>     f2fs_evict_inode+0x31c/0xde5
>>>>>     ? full_proxy_open.cold+0x12/0x12
>>>>>     evict+0x2cd/0x5f0
>>>>>     iput+0x3d9/0x6f0
>>>>>     dentry_unlink_inode+0x273/0x330
>>>>>     __dentry_kill+0x340/0x5e0
>>>>>     dentry_kill+0xb7/0x740
>>>>>     shrink_dentry_list+0x256/0x660
>>>>>     shrink_dcache_sb+0x11f/0x1d0
>>>>>     ? shrink_dentry_list+0x660/0x660
>>>>>     ? __kasan_slab_free+0x144/0x180
>>>>>     f2fs_fill_super+0x2a34/0x4a80
>>>>>     ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>>     ? wait_for_completion+0x3c0/0x3c0
>>>>>     ? set_blocksize+0x230/0x2b0
>>>>>     mount_bdev+0x2c1/0x370
>>>>>     ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>>     mount_fs+0x4c/0x1c0
>>>>>     vfs_kern_mount.part.0+0x60/0x3d0
>>>>>     do_mount+0x367/0x2570
>>>>>     ? kasan_unpoison_shadow+0x33/0x40
>>>>>     ? copy_mount_string+0x40/0x40
>>>>>     ? kmem_cache_alloc_trace+0x13f/0x2b0
>>>>>     ? _copy_from_user+0x94/0x100
>>>>>     ? copy_mount_options+0x1f1/0x2e0
>>>>>     ksys_mount+0xa0/0x100
>>>>>     __x64_sys_mount+0xbf/0x160
>>>>>     do_syscall_64+0xc2/0x190
>>>>>     entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>> RIP: 0033:0x47938e
>>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>>>
>>>>> Allocated by task 8729:
>>>>>     kasan_kmalloc+0xc2/0xe0
>>>>>     kmem_cache_alloc_trace+0x13f/0x2b0
>>>>>     f2fs_fill_super+0x124/0x4a80
>>>>>     mount_bdev+0x2c1/0x370
>>>>>     mount_fs+0x4c/0x1c0
>>>>>     vfs_kern_mount.part.0+0x60/0x3d0
>>>>>     do_mount+0x367/0x2570
>>>>>     ksys_mount+0xa0/0x100
>>>>>     __x64_sys_mount+0xbf/0x160
>>>>>     do_syscall_64+0xc2/0x190
>>>>>     entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>
>>>>> Freed by task 8729:
>>>>>     __kasan_slab_free+0x12f/0x180
>>>>>     kfree+0xfa/0x2a0
>>>>>     f2fs_fill_super+0x2a00/0x4a80
>>>>>     mount_bdev+0x2c1/0x370
>>>>>     mount_fs+0x4c/0x1c0
>>>>>     vfs_kern_mount.part.0+0x60/0x3d0
>>>>>     do_mount+0x367/0x2570
>>>>>     ksys_mount+0xa0/0x100
>>>>>     __x64_sys_mount+0xbf/0x160
>>>>>     do_syscall_64+0xc2/0x190
>>>>>     entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>
>>>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>>>> ---
>>>>>     fs/f2fs/super.c | 3 ++-
>>>>>     1 file changed, 2 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>>> index 8fecd3050ccd..b041625e06ce 100644
>>>>> --- a/fs/f2fs/super.c
>>>>> +++ b/fs/f2fs/super.c
>>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>>     free_compress_inode:
>>>>>         f2fs_destroy_compress_inode(sbi);
>>>>>     free_root_inode:
>>>>> +    if (retry_cnt > 0 && skip_recovery)
>>>>> +        shrink_dcache_sb(sb);
>>>>
>>>> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs(),
>>> Cannot find *evict_inodes*; could you please elaborate in more detail?
>>
>> Could you please check whether the patch below can fix this issue?
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98
>>
>> Thanks,
>>
> I will test it.

Could you please test on 5.14-rc1 first?

Thanks,

> 
> Thanks,
>>>> could you please check whether this can fix the issue?
>>> I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
>>> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
>>> so maybe I missed other scenarios. If you have other comments, please let me know.
>>>
>>> Thanks,
>>>>
>>>> Thanks,
>>>>
>>>>>         dput(sb->s_root);
>>>>>         sb->s_root = NULL;
>>>>>     free_node_inode:
>>>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>>         /* give only one another chance */
>>>>>         if (retry_cnt > 0 && skip_recovery) {
>>>>>             retry_cnt--;
>>>>> -        shrink_dcache_sb(sb);
>>>>>             goto try_onemore;
>>>>>         }
>>>>>         return err;
>>>>> -- 
>>>>> 2.17.1
>>>>>
>>>> .
>>>
>> .
> 


_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
  2021-07-23  3:29         ` Chao Yu
@ 2021-07-23  3:45           ` Jack Qiu
  0 siblings, 0 replies; 7+ messages in thread
From: Jack Qiu @ 2021-07-23  3:45 UTC (permalink / raw)
  To: Chao Yu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/23 11:29, Chao Yu wrote:
> On 2021/7/23 11:27, Jack Qiu wrote:
>> On 2021/7/23 10:51, Chao Yu wrote:
>>> On 2021/7/23 10:41, Jack Qiu wrote:
>>>> On 2021/7/22 22:05, Chao Yu wrote:
>>>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>>>> The root cause is calling shrink_dcache_sb after sbi has been freed.
>>>>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>>>>
>>>>>> ==================================================================
>>>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>>>
>>>>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>>>
>>>>> Does this bug belong to 4.19.195?
>>>
>>> I mean, does this bug exist in mainline? Not sure; I just doubt maybe
>>> we have fixed this issue but forgot to backport it to the 4.19 stable kernel.
>>>
>> Got it.
>>>>>
>>>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>>>
>>>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>>>> v3.17-rc4~27^2~17
>>>>
>>>> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>           brelse(raw_super_buf);
>>>>    free_sbi:
>>>>           kfree(sbi);    ---  free sbi
>>>> +
>>>> +       /* give only one another chance */
>>>> +       if (retry) {
>>>> +               retry = !retry;
>>>> +               shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
>>>> +               goto try_onemore;
>>>> +       }
>>>>           return err;
>>>>    }
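Review bot: the ordering in this retry branch is the defect the KASAN report points at: `kfree(sbi);` under `free_sbi:` runs first, and only then does `shrink_dcache_sb(sb);` evict the root dentry and its inode, so the f2fs_evict_inode call seen in the trace dereferences superblock-private data that was freed a few lines earlier. Any dcache shrink for sb has to happen while sbi is still live, i.e. above the free_* labels that release it, and the retry decision should be taken before the resources the second attempt depends on have been torn down.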
>>>>
>>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>>>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>>>>>> 04/01/2014
>>>>>> Call Trace:
>>>>>>     dump_stack+0xe5/0x14b
>>>>>>     ? f2fs_evict_inode+0x31c/0xde5
>>>>>>     print_address_description+0x6c/0x237
>>>>>>     ? f2fs_evict_inode+0x31c/0xde5
>>>>>>     kasan_report.cold+0x88/0x2a3
>>>>>>     f2fs_evict_inode+0x31c/0xde5
>>>>>>     ? full_proxy_open.cold+0x12/0x12
>>>>>>     evict+0x2cd/0x5f0
>>>>>>     iput+0x3d9/0x6f0
>>>>>>     dentry_unlink_inode+0x273/0x330
>>>>>>     __dentry_kill+0x340/0x5e0
>>>>>>     dentry_kill+0xb7/0x740
>>>>>>     shrink_dentry_list+0x256/0x660
>>>>>>     shrink_dcache_sb+0x11f/0x1d0
>>>>>>     ? shrink_dentry_list+0x660/0x660
>>>>>>     ? __kasan_slab_free+0x144/0x180
>>>>>>     f2fs_fill_super+0x2a34/0x4a80
>>>>>>     ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>>>     ? wait_for_completion+0x3c0/0x3c0
>>>>>>     ? set_blocksize+0x230/0x2b0
>>>>>>     mount_bdev+0x2c1/0x370
>>>>>>     ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>>>     mount_fs+0x4c/0x1c0
>>>>>>     vfs_kern_mount.part.0+0x60/0x3d0
>>>>>>     do_mount+0x367/0x2570
>>>>>>     ? kasan_unpoison_shadow+0x33/0x40
>>>>>>     ? copy_mount_string+0x40/0x40
>>>>>>     ? kmem_cache_alloc_trace+0x13f/0x2b0
>>>>>>     ? _copy_from_user+0x94/0x100
>>>>>>     ? copy_mount_options+0x1f1/0x2e0
>>>>>>     ksys_mount+0xa0/0x100
>>>>>>     __x64_sys_mount+0xbf/0x160
>>>>>>     do_syscall_64+0xc2/0x190
>>>>>>     entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>> RIP: 0033:0x47938e
>>>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>>>>
>>>>>> Allocated by task 8729:
>>>>>>     kasan_kmalloc+0xc2/0xe0
>>>>>>     kmem_cache_alloc_trace+0x13f/0x2b0
>>>>>>     f2fs_fill_super+0x124/0x4a80
>>>>>>     mount_bdev+0x2c1/0x370
>>>>>>     mount_fs+0x4c/0x1c0
>>>>>>     vfs_kern_mount.part.0+0x60/0x3d0
>>>>>>     do_mount+0x367/0x2570
>>>>>>     ksys_mount+0xa0/0x100
>>>>>>     __x64_sys_mount+0xbf/0x160
>>>>>>     do_syscall_64+0xc2/0x190
>>>>>>     entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>>
>>>>>> Freed by task 8729:
>>>>>>     __kasan_slab_free+0x12f/0x180
>>>>>>     kfree+0xfa/0x2a0
>>>>>>     f2fs_fill_super+0x2a00/0x4a80
>>>>>>     mount_bdev+0x2c1/0x370
>>>>>>     mount_fs+0x4c/0x1c0
>>>>>>     vfs_kern_mount.part.0+0x60/0x3d0
>>>>>>     do_mount+0x367/0x2570
>>>>>>     ksys_mount+0xa0/0x100
>>>>>>     __x64_sys_mount+0xbf/0x160
>>>>>>     do_syscall_64+0xc2/0x190
>>>>>>     entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>>
>>>>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>>>>> ---
>>>>>>     fs/f2fs/super.c | 3 ++-
>>>>>>     1 file changed, 2 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>>>> index 8fecd3050ccd..b041625e06ce 100644
>>>>>> --- a/fs/f2fs/super.c
>>>>>> +++ b/fs/f2fs/super.c
>>>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>>>     free_compress_inode:
>>>>>>         f2fs_destroy_compress_inode(sbi);
>>>>>>     free_root_inode:
>>>>>> +    if (retry_cnt > 0 && skip_recovery)
>>>>>> +        shrink_dcache_sb(sb);
>>>>>
>>>>> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs(),
>>>> Cannot find *evict_inodes*; could you please elaborate in more detail?
>>>
>>> Could you please check whether the patch below can fix this issue?
>>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98
>>>
>>> Thanks,
>>>
>> I will test it.
> 
> Could you please test on 5.14-rc1 first?
> 
> Thanks,
> 
Ok.
>>
>> Thanks,
>>>>> could you please check whether this can fix the issue?
>>>> I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
>>>> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
>>>> so maybe I missed other scenarios. If you have other comments, please let me know.
>>>>
>>>> Thanks,
>>>>>
>>>>> Thanks,
>>>>>
>>>>>>         dput(sb->s_root);
>>>>>>         sb->s_root = NULL;
>>>>>>     free_node_inode:
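Review bot: the condition `if (retry_cnt > 0 && skip_recovery)` added at free_root_inode duplicates the one in the retry branch further down (`if (retry_cnt > 0 && skip_recovery) {`), so the two sites can drift apart if either is edited alone; consider deciding once (for instance a local flag set where retry_cnt is examined, a suggestion, not existing code) and using it at both sites. The new call also deserves a one-line comment saying why it sits here: evicting the root dentry calls f2fs_evict_inode, which needs sbi, so the shrink must run before `dput(sb->s_root);` drops the root and before the later labels free sbi. Note too that the shrink is only reached on paths that jump to free_root_inode or a label above it; that is fine provided no dentry for sb can exist before the root inode is created.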
>>>>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>>>         /* give only one another chance */
>>>>>>         if (retry_cnt > 0 && skip_recovery) {
>>>>>>             retry_cnt--;
>>>>>> -        shrink_dcache_sb(sb);
>>>>>>             goto try_onemore;
>>>>>>         }
>>>>>>         return err;
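Review bot: removing `shrink_dcache_sb(sb);` here leaves the retry branch with no record that the shrink still happens, now at free_root_inode; a short comment beside `goto try_onemore;` (for example, that the dcache was already shrunk at free_root_inode while sbi was still allocated) would stop a later reader from re-adding the call after the frees and reintroducing the use-after-free. The commit message should also state that the call is moved rather than added, since the diffstat (2 insertions, 1 deletion) is otherwise easy to misread as an extra shrink.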
>>>>>> -- 
>>>>>> 2.17.1
>>>>>>
>>>>> .
>>>>
>>> .
>>
> .
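The ordering problem described in the commit message, reduced to a teaching model. This is added here and is not kernel code or f2fs's own code: a handful of mock structures stand in for the superblock, its private data (sbi) and the cached root inode, a `live` flag plays the role of what KASAN detects, and the two functions at the bottom run the 3.17-era order (free sbi, then shrink the dcache) next to the order of the posted fix (shrink while sbi is live, then free). All `mock_*` names, the `teardown_*` functions and the counters are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Mock superblock-private data, standing in for f2fs's sbi (assumption). */
struct mock_sbi {
    bool live;          /* cleared by mock_free_sbi(); stands in for KASAN's poison */
    int inode_count;    /* something an evict_inode-style callback reads */
};

/* Mock inode; it reaches sbi through the superblock, as a real inode would (assumption). */
struct mock_inode {
    struct mock_sbi *sbi;
};

/* Mock superblock: owns the sbi pointer and the cached root inode. */
struct mock_sb {
    struct mock_sbi *s_fs_info;
    struct mock_inode *root;   /* NULL once the root dentry has been dropped */
    bool dcache_has_root;      /* does the dcache still pin the root dentry? */
};

/* Counters reported back to the caller. */
struct teardown_result {
    int evicted;       /* evictions that ran */
    int uaf_reads;     /* evictions that touched sbi after it was freed */
};

static struct mock_sbi sbi_storage;
static struct mock_inode root_inode_storage;

static struct mock_sbi *mock_alloc_sbi(void)
{
    sbi_storage.live = true;
    sbi_storage.inode_count = 1;
    return &sbi_storage;
}

/* Model of kfree(sbi): no real memory is released, so no undefined behaviour here. */
static void mock_free_sbi(struct mock_sbi *sbi)
{
    sbi->live = false;
}

/* Stand-in for f2fs_evict_inode: it dereferences sbi, as the trace shows. */
static void mock_evict_inode(struct mock_inode *inode, struct teardown_result *r)
{
    r->evicted++;
    if (!inode->sbi->live) {
        r->uaf_reads++;        /* the read KASAN reported as use-after-free */
        return;
    }
    inode->sbi->inode_count--;
}

/* Stand-in for shrink_dcache_sb: dropping the cached root dentry evicts its inode. */
static void mock_shrink_dcache_sb(struct mock_sb *sb, struct teardown_result *r)
{
    if (sb->dcache_has_root) {
        sb->dcache_has_root = false;
        mock_evict_inode(sb->root, r);
    }
}

/* Shared setup: allocate sbi, create the root inode and let the dcache pin it,
 * which is the state a failed first mount attempt leaves behind. */
static void mock_setup(struct mock_sb *sb)
{
    memset(sb, 0, sizeof(*sb));
    sb->s_fs_info = mock_alloc_sbi();
    root_inode_storage.sbi = sb->s_fs_info;
    sb->root = &root_inode_storage;
    sb->dcache_has_root = true;
}

/* Order of the 3.17-era retry path: free sbi first, then shrink the dcache. */
struct teardown_result teardown_buggy_order(void)
{
    struct mock_sb sb;
    struct teardown_result r = {0, 0};

    mock_setup(&sb);
    mock_free_sbi(sb.s_fs_info);       /* free_sbi: kfree(sbi) */
    mock_shrink_dcache_sb(&sb, &r);    /* retry: evicts root, reads freed sbi */
    return r;
}

/* Order of the posted fix: shrink at free_root_inode while sbi is live, then free. */
struct teardown_result teardown_fixed_order(void)
{
    struct mock_sb sb;
    struct teardown_result r = {0, 0};

    mock_setup(&sb);
    mock_shrink_dcache_sb(&sb, &r);    /* free_root_inode: shrink before dput */
    sb.root = NULL;                    /* dput(sb->s_root); sb->s_root = NULL */
    mock_free_sbi(sb.s_fs_info);       /* free_sbi: kfree(sbi), nothing left to call back */
    return r;
}
```

The point the model makes is that a cache entry is a deferred callback into the filesystem: whatever the callback dereferences must outlive the cache, so the shrink has to be ordered before the free regardless of which error label the retry came through.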




Thread overview: 7+ messages
2021-07-22  4:41 [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super Jack Qiu
2021-07-22 14:05 ` Chao Yu
2021-07-23  2:41   ` Jack Qiu
2021-07-23  2:51     ` Chao Yu
2021-07-23  3:27       ` Jack Qiu
2021-07-23  3:29         ` Chao Yu
2021-07-23  3:45           ` Jack Qiu
