* [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
From: Jack Qiu @ 2021-07-22 4:41 UTC
To: chao, jaegeuk; +Cc: linux-f2fs-devel
The root cause is calling shrink_dcache_sb after sbi has been freed.
So call shrink_dcache_sb before freeing sbi and other resources.
==================================================================
BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
4.19.195-00002-g67dceea04431-dirty #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
04/01/2014
Call Trace:
dump_stack+0xe5/0x14b
? f2fs_evict_inode+0x31c/0xde5
print_address_description+0x6c/0x237
? f2fs_evict_inode+0x31c/0xde5
kasan_report.cold+0x88/0x2a3
f2fs_evict_inode+0x31c/0xde5
? full_proxy_open.cold+0x12/0x12
evict+0x2cd/0x5f0
iput+0x3d9/0x6f0
dentry_unlink_inode+0x273/0x330
__dentry_kill+0x340/0x5e0
dentry_kill+0xb7/0x740
shrink_dentry_list+0x256/0x660
shrink_dcache_sb+0x11f/0x1d0
? shrink_dentry_list+0x660/0x660
? __kasan_slab_free+0x144/0x180
f2fs_fill_super+0x2a34/0x4a80
? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
? wait_for_completion+0x3c0/0x3c0
? set_blocksize+0x230/0x2b0
mount_bdev+0x2c1/0x370
? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
mount_fs+0x4c/0x1c0
vfs_kern_mount.part.0+0x60/0x3d0
do_mount+0x367/0x2570
? kasan_unpoison_shadow+0x33/0x40
? copy_mount_string+0x40/0x40
? kmem_cache_alloc_trace+0x13f/0x2b0
? _copy_from_user+0x94/0x100
? copy_mount_options+0x1f1/0x2e0
ksys_mount+0xa0/0x100
__x64_sys_mount+0xbf/0x160
do_syscall_64+0xc2/0x190
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x47938e
Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
Allocated by task 8729:
kasan_kmalloc+0xc2/0xe0
kmem_cache_alloc_trace+0x13f/0x2b0
f2fs_fill_super+0x124/0x4a80
mount_bdev+0x2c1/0x370
mount_fs+0x4c/0x1c0
vfs_kern_mount.part.0+0x60/0x3d0
do_mount+0x367/0x2570
ksys_mount+0xa0/0x100
__x64_sys_mount+0xbf/0x160
do_syscall_64+0xc2/0x190
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8729:
__kasan_slab_free+0x12f/0x180
kfree+0xfa/0x2a0
f2fs_fill_super+0x2a00/0x4a80
mount_bdev+0x2c1/0x370
mount_fs+0x4c/0x1c0
vfs_kern_mount.part.0+0x60/0x3d0
do_mount+0x367/0x2570
ksys_mount+0xa0/0x100
__x64_sys_mount+0xbf/0x160
do_syscall_64+0xc2/0x190
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
---
fs/f2fs/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 8fecd3050ccd..b041625e06ce 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
free_compress_inode:
f2fs_destroy_compress_inode(sbi);
free_root_inode:
+ if (retry_cnt > 0 && skip_recovery)
+ shrink_dcache_sb(sb);
dput(sb->s_root);
sb->s_root = NULL;
free_node_inode:
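Review bot: the shrink is now tied to the `free_root_inode` label, so a failure that jumps to `free_node_inode` or a later label and then retries (the same `retry_cnt > 0 && skip_recovery` test at the bottom of the function) no longer calls shrink_dcache_sb() at all, where the old code called it on every retry; if that is safe because no dentries exist before `sb->s_root` is set, say so in the commit message. A one-line comment above the new `if` stating that shrink_dcache_sb() evicts the root inode, whose f2fs_evict_inode() reads sbi, would also keep a later refactor from moving the call back below `kfree(sbi)`.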
@@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
/* give only one another chance */
if (retry_cnt > 0 && skip_recovery) {
retry_cnt--;
- shrink_dcache_sb(sb);
goto try_onemore;
}
return err;
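Review bot: with the call removed here the retry block only decrements `retry_cnt` and jumps back, which is the intended ordering, but the patch carries no Fixes: tag even though the thread identifies the introducing commit (ed2e621a95d7, first in v3.17-rc4); add it so that stable, including the 4.19 tree the KASAN report came from, can pick this up. The commit message could also name f2fs_evict_inode() reading through sb->s_fs_info as the access KASAN flagged, which the trace shows but the text does not.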
--
2.17.1
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
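A constructed C model of the error-path ordering this patch changes, added here as an illustration and not code from the kernel or from the patch author: in the old order `kfree(sbi)` runs before `shrink_dcache_sb()`, and the root-inode eviction callback then reads through `sb->s_fs_info`. All `model_*` names are stand-ins for the kernel functions named in the hunks, and the freed-pointer quarantine stands in for KASAN's poisoned-shadow detection.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_super_block;

/* Constructed stand-ins for the kernel structures (not the real definitions). */
struct model_sbi {                    /* plays the role of struct f2fs_sb_info */
	unsigned int mount_opt;
};

struct model_inode {
	struct model_super_block *i_sb;
	bool evicted;
};

struct model_super_block {            /* plays the role of struct super_block */
	struct model_sbi *s_fs_info;      /* F2FS_SB(sb) reads sbi from here */
	struct model_inode *root_inode;   /* the inode pinned by sb->s_root */
	int uaf_hits;                     /* stand-in for a KASAN report count */
};

/* Quarantine instead of a real free: remember what was freed so that a later
 * access can be detected, roughly what KASAN's poisoned shadow memory does. */
static struct model_sbi *freed_sbi;

static void model_kfree_sbi(struct model_sbi *sbi)
{
	freed_sbi = sbi;
}

/* Role of f2fs_evict_inode(): it dereferences sbi via inode->i_sb->s_fs_info. */
static void model_evict_inode(struct model_inode *inode)
{
	struct model_super_block *sb = inode->i_sb;
	struct model_sbi *sbi = sb->s_fs_info;

	if (sbi == freed_sbi)
		sb->uaf_hits++;           /* this is the read KASAN flagged */
	else
		(void)sbi->mount_opt;     /* the normal, safe read */
	inode->evicted = true;
}

/* Role of shrink_dcache_sb(): dropping the cached dentries releases the last
 * reference on the root inode, so its eviction callback runs synchronously. */
static void model_shrink_dcache_sb(struct model_super_block *sb)
{
	if (sb->root_inode && !sb->root_inode->evicted)
		model_evict_inode(sb->root_inode);
}

struct scenario_result {
	int uaf_hits;        /* 0 means eviction never touched freed memory */
	bool root_evicted;   /* whether the retry path tore the root inode down */
};

/* Runs the f2fs_fill_super() error path once.
 * patched == false: old order -> kfree(sbi), then shrink_dcache_sb() on retry.
 * patched == true : new order -> shrink_dcache_sb() on retry, then kfree(sbi).
 * retry_cnt / skip_recovery mirror the condition guarding the retry in the hunks. */
static struct scenario_result run_scenario(bool patched, int retry_cnt, bool skip_recovery)
{
	struct model_sbi sbi = { .mount_opt = 1 };
	struct model_super_block sb = { .s_fs_info = &sbi };
	struct model_inode root = { .i_sb = &sb };
	bool retry = retry_cnt > 0 && skip_recovery;

	sb.root_inode = &root;
	freed_sbi = NULL;

	if (patched && retry)
		model_shrink_dcache_sb(&sb);   /* free_root_inode: sbi still alive */

	model_kfree_sbi(sb.s_fs_info);         /* free_sbi: kfree(sbi) */

	if (!patched && retry)
		model_shrink_dcache_sb(&sb);   /* old retry block: sbi already gone */

	return (struct scenario_result){ sb.uaf_hits, root.evicted };
}

int main(void)
{
	struct scenario_result before = run_scenario(false, 1, true);
	struct scenario_result after = run_scenario(true, 1, true);

	printf("old order: uaf_hits=%d root_evicted=%d\n", before.uaf_hits, before.root_evicted);
	printf("new order: uaf_hits=%d root_evicted=%d\n", after.uaf_hits, after.root_evicted);
	return 0;
}
```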
* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
From: Chao Yu @ 2021-07-22 14:05 UTC
To: Jack Qiu, jaegeuk; +Cc: linux-f2fs-devel
On 2021/7/22 12:41, Jack Qiu wrote:
> The root cause is calling shrink_dcache_sb after sbi has been freed.
> So call shrink_dcache_sb before freeing sbi and other resources.
>
> ==================================================================
> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>
> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
> 4.19.195-00002-g67dceea04431-dirty #31
Does this bug belong to 4.19.195?
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
> 04/01/2014
> Call Trace:
> dump_stack+0xe5/0x14b
> ? f2fs_evict_inode+0x31c/0xde5
> print_address_description+0x6c/0x237
> ? f2fs_evict_inode+0x31c/0xde5
> kasan_report.cold+0x88/0x2a3
> f2fs_evict_inode+0x31c/0xde5
> ? full_proxy_open.cold+0x12/0x12
> evict+0x2cd/0x5f0
> iput+0x3d9/0x6f0
> dentry_unlink_inode+0x273/0x330
> __dentry_kill+0x340/0x5e0
> dentry_kill+0xb7/0x740
> shrink_dentry_list+0x256/0x660
> shrink_dcache_sb+0x11f/0x1d0
> ? shrink_dentry_list+0x660/0x660
> ? __kasan_slab_free+0x144/0x180
> f2fs_fill_super+0x2a34/0x4a80
> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
> ? wait_for_completion+0x3c0/0x3c0
> ? set_blocksize+0x230/0x2b0
> mount_bdev+0x2c1/0x370
> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
> mount_fs+0x4c/0x1c0
> vfs_kern_mount.part.0+0x60/0x3d0
> do_mount+0x367/0x2570
> ? kasan_unpoison_shadow+0x33/0x40
> ? copy_mount_string+0x40/0x40
> ? kmem_cache_alloc_trace+0x13f/0x2b0
> ? _copy_from_user+0x94/0x100
> ? copy_mount_options+0x1f1/0x2e0
> ksys_mount+0xa0/0x100
> __x64_sys_mount+0xbf/0x160
> do_syscall_64+0xc2/0x190
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x47938e
> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>
> Allocated by task 8729:
> kasan_kmalloc+0xc2/0xe0
> kmem_cache_alloc_trace+0x13f/0x2b0
> f2fs_fill_super+0x124/0x4a80
> mount_bdev+0x2c1/0x370
> mount_fs+0x4c/0x1c0
> vfs_kern_mount.part.0+0x60/0x3d0
> do_mount+0x367/0x2570
> ksys_mount+0xa0/0x100
> __x64_sys_mount+0xbf/0x160
> do_syscall_64+0xc2/0x190
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 8729:
> __kasan_slab_free+0x12f/0x180
> kfree+0xfa/0x2a0
> f2fs_fill_super+0x2a00/0x4a80
> mount_bdev+0x2c1/0x370
> mount_fs+0x4c/0x1c0
> vfs_kern_mount.part.0+0x60/0x3d0
> do_mount+0x367/0x2570
> ksys_mount+0xa0/0x100
> __x64_sys_mount+0xbf/0x160
> do_syscall_64+0xc2/0x190
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
> ---
> fs/f2fs/super.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index 8fecd3050ccd..b041625e06ce 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> free_compress_inode:
> f2fs_destroy_compress_inode(sbi);
> free_root_inode:
> + if (retry_cnt > 0 && skip_recovery)
> + shrink_dcache_sb(sb);
Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs();
could you please check whether this can fix the issue?
Thanks,
> dput(sb->s_root);
> sb->s_root = NULL;
> free_node_inode:
> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> /* give only one another chance */
> if (retry_cnt > 0 && skip_recovery) {
> retry_cnt--;
> - shrink_dcache_sb(sb);
> goto try_onemore;
> }
> return err;
> --
> 2.17.1
>
* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
From: Jack Qiu @ 2021-07-23 2:41 UTC
To: Chao Yu, jaegeuk; +Cc: linux-f2fs-devel
On 2021/7/22 22:05, Chao Yu wrote:
> On 2021/7/22 12:41, Jack Qiu wrote:
>> The root cause is calling shrink_dcache_sb after sbi has been freed.
>> So call shrink_dcache_sb before freeing sbi and other resources.
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>
>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>> 4.19.195-00002-g67dceea04431-dirty #31
>
> Does this bug belong to 4.19.195?
>
Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
v3.17-rc4~27^2~17
@@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
brelse(raw_super_buf);
free_sbi:
kfree(sbi); --- free sbi
+
+ /* give only one another chance */
+ if (retry) {
+ retry = !retry;
+ shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
+ goto try_onemore;
+ }
return err;
}
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>> 04/01/2014
>> Call Trace:
>> dump_stack+0xe5/0x14b
>> ? f2fs_evict_inode+0x31c/0xde5
>> print_address_description+0x6c/0x237
>> ? f2fs_evict_inode+0x31c/0xde5
>> kasan_report.cold+0x88/0x2a3
>> f2fs_evict_inode+0x31c/0xde5
>> ? full_proxy_open.cold+0x12/0x12
>> evict+0x2cd/0x5f0
>> iput+0x3d9/0x6f0
>> dentry_unlink_inode+0x273/0x330
>> __dentry_kill+0x340/0x5e0
>> dentry_kill+0xb7/0x740
>> shrink_dentry_list+0x256/0x660
>> shrink_dcache_sb+0x11f/0x1d0
>> ? shrink_dentry_list+0x660/0x660
>> ? __kasan_slab_free+0x144/0x180
>> f2fs_fill_super+0x2a34/0x4a80
>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>> ? wait_for_completion+0x3c0/0x3c0
>> ? set_blocksize+0x230/0x2b0
>> mount_bdev+0x2c1/0x370
>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>> mount_fs+0x4c/0x1c0
>> vfs_kern_mount.part.0+0x60/0x3d0
>> do_mount+0x367/0x2570
>> ? kasan_unpoison_shadow+0x33/0x40
>> ? copy_mount_string+0x40/0x40
>> ? kmem_cache_alloc_trace+0x13f/0x2b0
>> ? _copy_from_user+0x94/0x100
>> ? copy_mount_options+0x1f1/0x2e0
>> ksys_mount+0xa0/0x100
>> __x64_sys_mount+0xbf/0x160
>> do_syscall_64+0xc2/0x190
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x47938e
>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>
>> Allocated by task 8729:
>> kasan_kmalloc+0xc2/0xe0
>> kmem_cache_alloc_trace+0x13f/0x2b0
>> f2fs_fill_super+0x124/0x4a80
>> mount_bdev+0x2c1/0x370
>> mount_fs+0x4c/0x1c0
>> vfs_kern_mount.part.0+0x60/0x3d0
>> do_mount+0x367/0x2570
>> ksys_mount+0xa0/0x100
>> __x64_sys_mount+0xbf/0x160
>> do_syscall_64+0xc2/0x190
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Freed by task 8729:
>> __kasan_slab_free+0x12f/0x180
>> kfree+0xfa/0x2a0
>> f2fs_fill_super+0x2a00/0x4a80
>> mount_bdev+0x2c1/0x370
>> mount_fs+0x4c/0x1c0
>> vfs_kern_mount.part.0+0x60/0x3d0
>> do_mount+0x367/0x2570
>> ksys_mount+0xa0/0x100
>> __x64_sys_mount+0xbf/0x160
>> do_syscall_64+0xc2/0x190
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>> ---
>> fs/f2fs/super.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>> index 8fecd3050ccd..b041625e06ce 100644
>> --- a/fs/f2fs/super.c
>> +++ b/fs/f2fs/super.c
>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>> free_compress_inode:
>> f2fs_destroy_compress_inode(sbi);
>> free_root_inode:
>> + if (retry_cnt > 0 && skip_recovery)
>> + shrink_dcache_sb(sb);
>
> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs();
Cannot find *evict_inodes*; could you please elaborate in more detail?
> could you please check whether this can fix the issue?
I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
maybe I missed another scenario. If you have other comments, please let me know.
Thanks,
>
> Thanks,
>
>> dput(sb->s_root);
>> sb->s_root = NULL;
>> free_node_inode:
>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>> /* give only one another chance */
>> if (retry_cnt > 0 && skip_recovery) {
>> retry_cnt--;
>> - shrink_dcache_sb(sb);
>> goto try_onemore;
>> }
>> return err;
>> --
>> 2.17.1
>>
> .
* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
From: Chao Yu @ 2021-07-23 2:51 UTC
To: Jack Qiu, jaegeuk; +Cc: linux-f2fs-devel
On 2021/7/23 10:41, Jack Qiu wrote:
> On 2021/7/22 22:05, Chao Yu wrote:
>> On 2021/7/22 12:41, Jack Qiu wrote:
>>> The root cause is calling shrink_dcache_sb after sbi has been freed.
>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>
>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>> 4.19.195-00002-g67dceea04431-dirty #31
>>
>> Does this bug belong to 4.19.195?
I mean whether this bug exists in mainline. Not sure; I just suspect maybe
we have fixed this issue but forgot to backport it to the 4.19 stable kernel.
>>
> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>
> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
> v3.17-rc4~27^2~17
>
> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> brelse(raw_super_buf);
> free_sbi:
> kfree(sbi); --- free sbi
> +
> + /* give only one another chance */
> + if (retry) {
> + retry = !retry;
> + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
> + goto try_onemore;
> + }
> return err;
> }
>
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>>> 04/01/2014
>>> Call Trace:
>>> dump_stack+0xe5/0x14b
>>> ? f2fs_evict_inode+0x31c/0xde5
>>> print_address_description+0x6c/0x237
>>> ? f2fs_evict_inode+0x31c/0xde5
>>> kasan_report.cold+0x88/0x2a3
>>> f2fs_evict_inode+0x31c/0xde5
>>> ? full_proxy_open.cold+0x12/0x12
>>> evict+0x2cd/0x5f0
>>> iput+0x3d9/0x6f0
>>> dentry_unlink_inode+0x273/0x330
>>> __dentry_kill+0x340/0x5e0
>>> dentry_kill+0xb7/0x740
>>> shrink_dentry_list+0x256/0x660
>>> shrink_dcache_sb+0x11f/0x1d0
>>> ? shrink_dentry_list+0x660/0x660
>>> ? __kasan_slab_free+0x144/0x180
>>> f2fs_fill_super+0x2a34/0x4a80
>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>> ? wait_for_completion+0x3c0/0x3c0
>>> ? set_blocksize+0x230/0x2b0
>>> mount_bdev+0x2c1/0x370
>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>> mount_fs+0x4c/0x1c0
>>> vfs_kern_mount.part.0+0x60/0x3d0
>>> do_mount+0x367/0x2570
>>> ? kasan_unpoison_shadow+0x33/0x40
>>> ? copy_mount_string+0x40/0x40
>>> ? kmem_cache_alloc_trace+0x13f/0x2b0
>>> ? _copy_from_user+0x94/0x100
>>> ? copy_mount_options+0x1f1/0x2e0
>>> ksys_mount+0xa0/0x100
>>> __x64_sys_mount+0xbf/0x160
>>> do_syscall_64+0xc2/0x190
>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>> RIP: 0033:0x47938e
>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>
>>> Allocated by task 8729:
>>> kasan_kmalloc+0xc2/0xe0
>>> kmem_cache_alloc_trace+0x13f/0x2b0
>>> f2fs_fill_super+0x124/0x4a80
>>> mount_bdev+0x2c1/0x370
>>> mount_fs+0x4c/0x1c0
>>> vfs_kern_mount.part.0+0x60/0x3d0
>>> do_mount+0x367/0x2570
>>> ksys_mount+0xa0/0x100
>>> __x64_sys_mount+0xbf/0x160
>>> do_syscall_64+0xc2/0x190
>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>
>>> Freed by task 8729:
>>> __kasan_slab_free+0x12f/0x180
>>> kfree+0xfa/0x2a0
>>> f2fs_fill_super+0x2a00/0x4a80
>>> mount_bdev+0x2c1/0x370
>>> mount_fs+0x4c/0x1c0
>>> vfs_kern_mount.part.0+0x60/0x3d0
>>> do_mount+0x367/0x2570
>>> ksys_mount+0xa0/0x100
>>> __x64_sys_mount+0xbf/0x160
>>> do_syscall_64+0xc2/0x190
>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>
>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>> ---
>>> fs/f2fs/super.c | 3 ++-
>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>> index 8fecd3050ccd..b041625e06ce 100644
>>> --- a/fs/f2fs/super.c
>>> +++ b/fs/f2fs/super.c
>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>> free_compress_inode:
>>> f2fs_destroy_compress_inode(sbi);
>>> free_root_inode:
>>> + if (retry_cnt > 0 && skip_recovery)
>>> + shrink_dcache_sb(sb);
>>
>> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs();
> Cannot find *evict_inodes*; could you please elaborate in more detail?
Could you please check whether the patch below can fix this issue?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98
Thanks,
>> could you please check whether this can fix the issue?
> I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
> maybe I missed another scenario. If you have other comments, please let me know.
>
> Thanks,
>>
>> Thanks,
>>
>>> dput(sb->s_root);
>>> sb->s_root = NULL;
>>> free_node_inode:
>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>> /* give only one another chance */
>>> if (retry_cnt > 0 && skip_recovery) {
>>> retry_cnt--;
>>> - shrink_dcache_sb(sb);
>>> goto try_onemore;
>>> }
>>> return err;
>>> --
>>> 2.17.1
>>>
>> .
>
* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
From: Jack Qiu @ 2021-07-23 3:27 UTC
To: Chao Yu, jaegeuk; +Cc: linux-f2fs-devel
On 2021/7/23 10:51, Chao Yu wrote:
> On 2021/7/23 10:41, Jack Qiu wrote:
>> On 2021/7/22 22:05, Chao Yu wrote:
>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>> The root cause is calling shrink_dcache_sb after sbi has been freed.
>>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>>
>>>> ==================================================================
>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>
>>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>
>>> Does this bug belong to 4.19.195?
>
> I mean whether this bug exists in mainline. Not sure; I just suspect maybe
> we have fixed this issue but forgot to backport it to the 4.19 stable kernel.
>
Got it.
>>>
>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>
>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>> v3.17-rc4~27^2~17
>>
>> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>> brelse(raw_super_buf);
>> free_sbi:
>> kfree(sbi); --- free sbi
>> +
>> + /* give only one another chance */
>> + if (retry) {
>> + retry = !retry;
>> + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
>> + goto try_onemore;
>> + }
>> return err;
>> }
>>
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>>>> 04/01/2014
>>>> Call Trace:
>>>> dump_stack+0xe5/0x14b
>>>> ? f2fs_evict_inode+0x31c/0xde5
>>>> print_address_description+0x6c/0x237
>>>> ? f2fs_evict_inode+0x31c/0xde5
>>>> kasan_report.cold+0x88/0x2a3
>>>> f2fs_evict_inode+0x31c/0xde5
>>>> ? full_proxy_open.cold+0x12/0x12
>>>> evict+0x2cd/0x5f0
>>>> iput+0x3d9/0x6f0
>>>> dentry_unlink_inode+0x273/0x330
>>>> __dentry_kill+0x340/0x5e0
>>>> dentry_kill+0xb7/0x740
>>>> shrink_dentry_list+0x256/0x660
>>>> shrink_dcache_sb+0x11f/0x1d0
>>>> ? shrink_dentry_list+0x660/0x660
>>>> ? __kasan_slab_free+0x144/0x180
>>>> f2fs_fill_super+0x2a34/0x4a80
>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>> ? wait_for_completion+0x3c0/0x3c0
>>>> ? set_blocksize+0x230/0x2b0
>>>> mount_bdev+0x2c1/0x370
>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>> mount_fs+0x4c/0x1c0
>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>> do_mount+0x367/0x2570
>>>> ? kasan_unpoison_shadow+0x33/0x40
>>>> ? copy_mount_string+0x40/0x40
>>>> ? kmem_cache_alloc_trace+0x13f/0x2b0
>>>> ? _copy_from_user+0x94/0x100
>>>> ? copy_mount_options+0x1f1/0x2e0
>>>> ksys_mount+0xa0/0x100
>>>> __x64_sys_mount+0xbf/0x160
>>>> do_syscall_64+0xc2/0x190
>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>> RIP: 0033:0x47938e
>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>>
>>>> Allocated by task 8729:
>>>> kasan_kmalloc+0xc2/0xe0
>>>> kmem_cache_alloc_trace+0x13f/0x2b0
>>>> f2fs_fill_super+0x124/0x4a80
>>>> mount_bdev+0x2c1/0x370
>>>> mount_fs+0x4c/0x1c0
>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>> do_mount+0x367/0x2570
>>>> ksys_mount+0xa0/0x100
>>>> __x64_sys_mount+0xbf/0x160
>>>> do_syscall_64+0xc2/0x190
>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>
>>>> Freed by task 8729:
>>>> __kasan_slab_free+0x12f/0x180
>>>> kfree+0xfa/0x2a0
>>>> f2fs_fill_super+0x2a00/0x4a80
>>>> mount_bdev+0x2c1/0x370
>>>> mount_fs+0x4c/0x1c0
>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>> do_mount+0x367/0x2570
>>>> ksys_mount+0xa0/0x100
>>>> __x64_sys_mount+0xbf/0x160
>>>> do_syscall_64+0xc2/0x190
>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>
>>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>>> ---
>>>> fs/f2fs/super.c | 3 ++-
>>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>> index 8fecd3050ccd..b041625e06ce 100644
>>>> --- a/fs/f2fs/super.c
>>>> +++ b/fs/f2fs/super.c
>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>> free_compress_inode:
>>>> f2fs_destroy_compress_inode(sbi);
>>>> free_root_inode:
>>>> + if (retry_cnt > 0 && skip_recovery)
>>>> + shrink_dcache_sb(sb);
>>>
>>> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs();
>> Cannot find *evict_inodes*; could you please elaborate in more detail?
>
> Could you please check whether the patch below can fix this issue?
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98
>
> Thanks,
>
I will test it.
Thanks,
>>> could you please check whether this can fix the issue?
>> I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
>> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
>> maybe I missed another scenario. If you have other comments, please let me know.
>>
>> Thanks,
>>>
>>> Thanks,
>>>
>>>> dput(sb->s_root);
>>>> sb->s_root = NULL;
>>>> free_node_inode:
>>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>> /* give only one another chance */
>>>> if (retry_cnt > 0 && skip_recovery) {
>>>> retry_cnt--;
>>>> - shrink_dcache_sb(sb);
>>>> goto try_onemore;
>>>> }
>>>> return err;
>>>> --
>>>> 2.17.1
>>>>
>>> .
>>
> .
* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
From: Chao Yu @ 2021-07-23 3:29 UTC
To: Jack Qiu, jaegeuk; +Cc: linux-f2fs-devel
On 2021/7/23 11:27, Jack Qiu wrote:
> On 2021/7/23 10:51, Chao Yu wrote:
>> On 2021/7/23 10:41, Jack Qiu wrote:
>>> On 2021/7/22 22:05, Chao Yu wrote:
>>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>>> The root cause is calling shrink_dcache_sb after sbi has been freed.
>>>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>>>
>>>>> ==================================================================
>>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>>
>>>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>>
>>>> Does this bug belong to 4.19.195?
>>
>> I mean whether this bug exists in mainline. Not sure; I just suspect maybe
>> we have fixed this issue but forgot to backport it to the 4.19 stable kernel.
>>
> Got it.
>>>>
>>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>>
>>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>>> v3.17-rc4~27^2~17
>>>
>>> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>> brelse(raw_super_buf);
>>> free_sbi:
>>> kfree(sbi); --- free sbi
>>> +
>>> + /* give only one another chance */
>>> + if (retry) {
>>> + retry = !retry;
>>> + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
>>> + goto try_onemore;
>>> + }
>>> return err;
>>> }
>>>
>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>>>>> 04/01/2014
>>>>> Call Trace:
>>>>> dump_stack+0xe5/0x14b
>>>>> ? f2fs_evict_inode+0x31c/0xde5
>>>>> print_address_description+0x6c/0x237
>>>>> ? f2fs_evict_inode+0x31c/0xde5
>>>>> kasan_report.cold+0x88/0x2a3
>>>>> f2fs_evict_inode+0x31c/0xde5
>>>>> ? full_proxy_open.cold+0x12/0x12
>>>>> evict+0x2cd/0x5f0
>>>>> iput+0x3d9/0x6f0
>>>>> dentry_unlink_inode+0x273/0x330
>>>>> __dentry_kill+0x340/0x5e0
>>>>> dentry_kill+0xb7/0x740
>>>>> shrink_dentry_list+0x256/0x660
>>>>> shrink_dcache_sb+0x11f/0x1d0
>>>>> ? shrink_dentry_list+0x660/0x660
>>>>> ? __kasan_slab_free+0x144/0x180
>>>>> f2fs_fill_super+0x2a34/0x4a80
>>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>> ? wait_for_completion+0x3c0/0x3c0
>>>>> ? set_blocksize+0x230/0x2b0
>>>>> mount_bdev+0x2c1/0x370
>>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>> mount_fs+0x4c/0x1c0
>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>> do_mount+0x367/0x2570
>>>>> ? kasan_unpoison_shadow+0x33/0x40
>>>>> ? copy_mount_string+0x40/0x40
>>>>> ? kmem_cache_alloc_trace+0x13f/0x2b0
>>>>> ? _copy_from_user+0x94/0x100
>>>>> ? copy_mount_options+0x1f1/0x2e0
>>>>> ksys_mount+0xa0/0x100
>>>>> __x64_sys_mount+0xbf/0x160
>>>>> do_syscall_64+0xc2/0x190
>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>> RIP: 0033:0x47938e
>>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>>>
>>>>> Allocated by task 8729:
>>>>> kasan_kmalloc+0xc2/0xe0
>>>>> kmem_cache_alloc_trace+0x13f/0x2b0
>>>>> f2fs_fill_super+0x124/0x4a80
>>>>> mount_bdev+0x2c1/0x370
>>>>> mount_fs+0x4c/0x1c0
>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>> do_mount+0x367/0x2570
>>>>> ksys_mount+0xa0/0x100
>>>>> __x64_sys_mount+0xbf/0x160
>>>>> do_syscall_64+0xc2/0x190
>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>
>>>>> Freed by task 8729:
>>>>> __kasan_slab_free+0x12f/0x180
>>>>> kfree+0xfa/0x2a0
>>>>> f2fs_fill_super+0x2a00/0x4a80
>>>>> mount_bdev+0x2c1/0x370
>>>>> mount_fs+0x4c/0x1c0
>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>> do_mount+0x367/0x2570
>>>>> ksys_mount+0xa0/0x100
>>>>> __x64_sys_mount+0xbf/0x160
>>>>> do_syscall_64+0xc2/0x190
>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>
>>>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>>>> ---
>>>>> fs/f2fs/super.c | 3 ++-
>>>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>>> index 8fecd3050ccd..b041625e06ce 100644
>>>>> --- a/fs/f2fs/super.c
>>>>> +++ b/fs/f2fs/super.c
>>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>> free_compress_inode:
>>>>> f2fs_destroy_compress_inode(sbi);
>>>>> free_root_inode:
>>>>> + if (retry_cnt > 0 && skip_recovery)
>>>>> + shrink_dcache_sb(sb);
>>>>
>>>> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs();
>>> Can not find *evict_inodes*, could you please elaborate more detail?
>>
>> Could you please check whether below patch can fix this issue?
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98
>>
>> Thanks,
>>
> I will test it.
Could you please test on 5.14-rc1 first?
Thanks,
>
> Thanks,
>>>> could you please check whether this can fix the issue?
>>> I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
>>> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
>>> so maybe I missed another scenario. If you have any other comments, please let me know.
>>>
>>> Thanks,
>>>>
>>>> Thanks,
>>>>
>>>>> dput(sb->s_root);
>>>>> sb->s_root = NULL;
>>>>> free_node_inode:
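Review bot: the new guard `if (retry_cnt > 0 && skip_recovery)` under free_root_inode duplicates the condition of the retry block at the end of the function, so the two sites can drift apart: edit either alone and a retry may again happen without the dentry cache having been shrunk, or the shrink may run on a non-retry error path. A comment at this site should say why the call lives here rather than in the retry block (shrink_dcache_sb() kills cached dentries and evicts their inodes, and f2fs_evict_inode() dereferences sbi, so it has to run while sbi and sb->s_root are still valid) and point at the retry block, so the coupling is visible to whoever touches either site next.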
>>>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>> /* give only one another chance */
>>>>> if (retry_cnt > 0 && skip_recovery) {
>>>>> retry_cnt--;
>>>>> - shrink_dcache_sb(sb);
>>>>> goto try_onemore;
>>>>> }
>>>>> return err;
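Review bot: with shrink_dcache_sb(sb) removed here, the call under free_root_inode is the only shrink before `goto try_onemore`, so the fix relies on every path that sets skip_recovery and reaches this block having entered the unwind at or above free_root_inode. That invariant is not visible in the hunk; the commit message should state it, because an error return taken at free_node_inode or any later label with skip_recovery set would now retry without the shrink. The `/* give only one another chance */` comment could also mention that the dcache shrink now happens earlier in the unwind.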
>>>>> --
>>>>> 2.17.1
>>>>>
>>>> .
>>>
>> .
>
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
2021-07-23 3:29 ` Chao Yu
@ 2021-07-23 3:45 ` Jack Qiu
0 siblings, 0 replies; 7+ messages in thread
From: Jack Qiu @ 2021-07-23 3:45 UTC (permalink / raw)
To: Chao Yu, jaegeuk; +Cc: linux-f2fs-devel
On 2021/7/23 11:29, Chao Yu wrote:
> On 2021/7/23 11:27, Jack Qiu wrote:
>> On 2021/7/23 10:51, Chao Yu wrote:
>>> On 2021/7/23 10:41, Jack Qiu wrote:
>>>> On 2021/7/22 22:05, Chao Yu wrote:
>>>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>>>> The root cause is shrink_dcache_sb after sbi has been freed.
>>>>>> So call shrink_dcache_sb before free sbi and other resources.
>>>>>>
>>>>>> ==================================================================
>>>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>>>
>>>>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>>>
>>>>> Does this bug belong to 4.19.195?
>>>
>>> I mean whether this bug exists in mainline. Not sure; I just doubt maybe
>>> we have fixed this issue but forgot to backport it to the 4.19 stable kernel.
>>>
>> Got it.
>>>>>
>>>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>>>
>>>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>>>> v3.17-rc4~27^2~17
>>>>
>>>> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>> brelse(raw_super_buf);
>>>> free_sbi:
>>>> kfree(sbi); --- free sbi
>>>> +
>>>> + /* give only one another chance */
>>>> + if (retry) {
>>>> + retry = !retry;
>>>> + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi
>>>> + goto try_onemore;
>>>> + }
>>>> return err;
>>>> }
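Review bot: in this older hunk the retry path calls shrink_dcache_sb(sb) immediately after kfree(sbi); shrink_dcache_sb() evicts the inode behind every unused dentry of sb, and the eviction hook (f2fs_evict_inode in the trace above) reads sbi through the inode, so any dentry still cached when the mount fails is a use-after-free on sbi. That is exactly what the KASAN report records: the free at f2fs_fill_super+0x2a00 via kfree, the read at f2fs_fill_super+0x2a34 via shrink_dcache_sb -> shrink_dentry_list -> dentry_kill -> iput -> evict -> f2fs_evict_inode. The `--- free sbi` and `--- call f2fs_evict_inode...` suffixes are inline annotations rather than diff content, fine for the discussion but not applicable as a patch.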
>>>>
>>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>>>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>>>>>> 04/01/2014
>>>>>> Call Trace:
>>>>>> dump_stack+0xe5/0x14b
>>>>>> ? f2fs_evict_inode+0x31c/0xde5
>>>>>> print_address_description+0x6c/0x237
>>>>>> ? f2fs_evict_inode+0x31c/0xde5
>>>>>> kasan_report.cold+0x88/0x2a3
>>>>>> f2fs_evict_inode+0x31c/0xde5
>>>>>> ? full_proxy_open.cold+0x12/0x12
>>>>>> evict+0x2cd/0x5f0
>>>>>> iput+0x3d9/0x6f0
>>>>>> dentry_unlink_inode+0x273/0x330
>>>>>> __dentry_kill+0x340/0x5e0
>>>>>> dentry_kill+0xb7/0x740
>>>>>> shrink_dentry_list+0x256/0x660
>>>>>> shrink_dcache_sb+0x11f/0x1d0
>>>>>> ? shrink_dentry_list+0x660/0x660
>>>>>> ? __kasan_slab_free+0x144/0x180
>>>>>> f2fs_fill_super+0x2a34/0x4a80
>>>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>>> ? wait_for_completion+0x3c0/0x3c0
>>>>>> ? set_blocksize+0x230/0x2b0
>>>>>> mount_bdev+0x2c1/0x370
>>>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>>> mount_fs+0x4c/0x1c0
>>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>>> do_mount+0x367/0x2570
>>>>>> ? kasan_unpoison_shadow+0x33/0x40
>>>>>> ? copy_mount_string+0x40/0x40
>>>>>> ? kmem_cache_alloc_trace+0x13f/0x2b0
>>>>>> ? _copy_from_user+0x94/0x100
>>>>>> ? copy_mount_options+0x1f1/0x2e0
>>>>>> ksys_mount+0xa0/0x100
>>>>>> __x64_sys_mount+0xbf/0x160
>>>>>> do_syscall_64+0xc2/0x190
>>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>> RIP: 0033:0x47938e
>>>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>>>>
>>>>>> Allocated by task 8729:
>>>>>> kasan_kmalloc+0xc2/0xe0
>>>>>> kmem_cache_alloc_trace+0x13f/0x2b0
>>>>>> f2fs_fill_super+0x124/0x4a80
>>>>>> mount_bdev+0x2c1/0x370
>>>>>> mount_fs+0x4c/0x1c0
>>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>>> do_mount+0x367/0x2570
>>>>>> ksys_mount+0xa0/0x100
>>>>>> __x64_sys_mount+0xbf/0x160
>>>>>> do_syscall_64+0xc2/0x190
>>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>>
>>>>>> Freed by task 8729:
>>>>>> __kasan_slab_free+0x12f/0x180
>>>>>> kfree+0xfa/0x2a0
>>>>>> f2fs_fill_super+0x2a00/0x4a80
>>>>>> mount_bdev+0x2c1/0x370
>>>>>> mount_fs+0x4c/0x1c0
>>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>>> do_mount+0x367/0x2570
>>>>>> ksys_mount+0xa0/0x100
>>>>>> __x64_sys_mount+0xbf/0x160
>>>>>> do_syscall_64+0xc2/0x190
>>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>>
>>>>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>>>>> ---
>>>>>> fs/f2fs/super.c | 3 ++-
>>>>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>>>> index 8fecd3050ccd..b041625e06ce 100644
>>>>>> --- a/fs/f2fs/super.c
>>>>>> +++ b/fs/f2fs/super.c
>>>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>>> free_compress_inode:
>>>>>> f2fs_destroy_compress_inode(sbi);
>>>>>> free_root_inode:
>>>>>> + if (retry_cnt > 0 && skip_recovery)
>>>>>> + shrink_dcache_sb(sb);
>>>>>
>>>>> Compared to 4.19, the latest f2fs adds evict_inodes() before f2fs_unregister_sysfs(),
>>>> Cannot find *evict_inodes*; could you please elaborate in more detail?
>>>
>>> Could you please check whether below patch can fix this issue?
>>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98
>>>
>>> Thanks,
>>>
>> I will test it.
>
> Could you please test on 5.14-rc1 first?
>
> Thanks,
>
Ok.
>>
>> Thanks,
>>>>> could you please check whether this can fix the issue?
>>>> I have run the test for more than 1 day w/ this patch; before, it would fail within 1 hour.
>>>> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb,
>>>> so maybe I missed another scenario. If you have any other comments, please let me know.
>>>>
>>>> Thanks,
>>>>>
>>>>> Thanks,
>>>>>
>>>>>> dput(sb->s_root);
>>>>>> sb->s_root = NULL;
>>>>>> free_node_inode:
>>>>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
>>>>>> /* give only one another chance */
>>>>>> if (retry_cnt > 0 && skip_recovery) {
>>>>>> retry_cnt--;
>>>>>> - shrink_dcache_sb(sb);
>>>>>> goto try_onemore;
>>>>>> }
>>>>>> return err;
>>>>>> --
>>>>>> 2.17.1
>>>>>>
>>>>> .
>>>>
>>> .
>>
> .
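The teardown-ordering problem the thread pins down (kfree(sbi) followed by shrink_dcache_sb(sb), whose inode evictions read sbi) can be modelled outside the kernel. The following is an added userspace model, not f2fs or kernel code: `struct sbi`, `struct sb`, `evict_inode`, `shrink_dcache_sb`, `dput_root` and `kfree_sbi` are stand-ins for the kernel objects and functions named in the trace, the cached entries stand for unreferenced dentries still in the dcache, and a `freed` flag stands in for KASAN's poisoning of a freed object so the buggy order can be exercised without touching memory that was really freed. The two teardown functions reproduce the 3.17-era order quoted above and the order the patch introduces, and return how many inode evictions ran against a freed sbi.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of struct f2fs_sb_info (sbi).  "freed" stands in for the poisoning
 * KASAN applies to a freed object (assumption of this model, not kernel code). */
struct sbi {
    int freed;
    int live_inodes;            /* something the eviction hook updates */
};

/* Model of an inode whose eviction hook needs its superblock's sbi. */
struct inode {
    struct sbi *sbi;            /* kernel: F2FS_I_SB(inode) -> sb->s_fs_info */
};

#define NCACHED 3               /* unreferenced dentries still in the dcache */
struct sb {
    struct sbi *s_fs_info;
    struct inode root;          /* inode behind sb->s_root */
    struct inode cached[NCACHED];
    int ncached;                /* how many cached dentries remain */
};

/* Model of f2fs_evict_inode(): touches sbi.  Returns 1 when that touch lands
 * on an already-freed sbi (what KASAN reported in the thread), else 0. */
static int evict_inode(struct inode *inode)
{
    struct sbi *sbi = inode->sbi;
    if (sbi->freed)
        return 1;               /* use-after-free: sbi was already kfree()d */
    sbi->live_inodes--;
    return 0;
}

/* Model of shrink_dcache_sb(): kill every unused dentry of sb, which evicts
 * the inode behind each one.  Returns the number of UAF hits. */
static int shrink_dcache_sb(struct sb *sb)
{
    int hits = 0;
    for (int i = 0; i < sb->ncached; i++)
        hits += evict_inode(&sb->cached[i]);
    sb->ncached = 0;
    return hits;
}

/* Model of dput(sb->s_root): last reference dropped, root inode evicted. */
static int dput_root(struct sb *sb)
{
    return evict_inode(&sb->root);
}

/* Model of kfree(sbi): poison instead of free, see struct sbi. */
static void kfree_sbi(struct sbi *sbi)
{
    sbi->freed = 1;
}

/* Constructed sample state: a failing mount with one root inode plus NCACHED
 * cached inodes, all pointing at the same sbi. */
static void setup(struct sb *sb, struct sbi *sbi)
{
    sbi->freed = 0;
    sbi->live_inodes = NCACHED + 1;
    sb->s_fs_info = sbi;
    sb->root.sbi = sbi;
    for (int i = 0; i < NCACHED; i++)
        sb->cached[i].sbi = sbi;
    sb->ncached = NCACHED;
}

/* Unwind in the order of the 3.17-era retry path: dput root, kfree(sbi),
 * then shrink_dcache_sb(sb).  Returns the number of UAF hits. */
int teardown_buggy_order(void)
{
    struct sb sb;
    struct sbi sbi;
    setup(&sb, &sbi);
    int hits = dput_root(&sb);          /* sbi still valid here */
    kfree_sbi(sb.s_fs_info);
    hits += shrink_dcache_sb(&sb);      /* every cached inode hits freed sbi */
    return hits;
}

/* Unwind in the order the patch introduces: shrink_dcache_sb(sb) under
 * free_root_inode, before dput(sb->s_root) and before kfree(sbi). */
int teardown_fixed_order(void)
{
    struct sb sb;
    struct sbi sbi;
    setup(&sb, &sbi);
    int hits = shrink_dcache_sb(&sb);   /* sbi valid: no hits */
    hits += dput_root(&sb);
    kfree_sbi(sb.s_fs_info);
    return hits;
}

int main(void)
{
    printf("buggy order: %d use-after-free hits\n", teardown_buggy_order());
    printf("fixed order: %d use-after-free hits\n", teardown_fixed_order());
    return 0;
}
```

The model keeps the root inode separate from the cached entries because shrink_dcache_sb() only kills dentries with no remaining references, while sb->s_root still holds one until dput(); that is why the patch places the shrink before the dput rather than replacing it.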
Thread overview: 7+ messages
2021-07-22 4:41 [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super Jack Qiu
2021-07-22 14:05 ` Chao Yu
2021-07-23 2:41 ` Jack Qiu
2021-07-23 2:51 ` Chao Yu
2021-07-23 3:27 ` Jack Qiu
2021-07-23 3:29 ` Chao Yu
2021-07-23 3:45 ` Jack Qiu