[f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super @ 2021-07-22 4:41 Jack Qiu
From: Jack Qiu @ 2021-07-22 4:41 UTC (permalink / raw)
To: chao, jaegeuk; +Cc: linux-f2fs-devel

The root cause is shrink_dcache_sb after sbi has been freed.
So call shrink_dcache_sb before freeing sbi and other resources.

==================================================================
BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729

PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
4.19.195-00002-g67dceea04431-dirty #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
04/01/2014
Call Trace:
 dump_stack+0xe5/0x14b
 ? f2fs_evict_inode+0x31c/0xde5
 print_address_description+0x6c/0x237
 ? f2fs_evict_inode+0x31c/0xde5
 kasan_report.cold+0x88/0x2a3
 f2fs_evict_inode+0x31c/0xde5
 ? full_proxy_open.cold+0x12/0x12
 evict+0x2cd/0x5f0
 iput+0x3d9/0x6f0
 dentry_unlink_inode+0x273/0x330
 __dentry_kill+0x340/0x5e0
 dentry_kill+0xb7/0x740
 shrink_dentry_list+0x256/0x660
 shrink_dcache_sb+0x11f/0x1d0
 ? shrink_dentry_list+0x660/0x660
 ? __kasan_slab_free+0x144/0x180
 f2fs_fill_super+0x2a34/0x4a80
 ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
 ? wait_for_completion+0x3c0/0x3c0
 ? set_blocksize+0x230/0x2b0
 mount_bdev+0x2c1/0x370
 ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
 mount_fs+0x4c/0x1c0
 vfs_kern_mount.part.0+0x60/0x3d0
 do_mount+0x367/0x2570
 ? kasan_unpoison_shadow+0x33/0x40
 ? copy_mount_string+0x40/0x40
 ? kmem_cache_alloc_trace+0x13f/0x2b0
 ? _copy_from_user+0x94/0x100
 ? copy_mount_options+0x1f1/0x2e0
 ksys_mount+0xa0/0x100
 __x64_sys_mount+0xbf/0x160
 do_syscall_64+0xc2/0x190
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x47938e
Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00

Allocated by task 8729:
 kasan_kmalloc+0xc2/0xe0
 kmem_cache_alloc_trace+0x13f/0x2b0
 f2fs_fill_super+0x124/0x4a80
 mount_bdev+0x2c1/0x370
 mount_fs+0x4c/0x1c0
 vfs_kern_mount.part.0+0x60/0x3d0
 do_mount+0x367/0x2570
 ksys_mount+0xa0/0x100
 __x64_sys_mount+0xbf/0x160
 do_syscall_64+0xc2/0x190
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8729:
 __kasan_slab_free+0x12f/0x180
 kfree+0xfa/0x2a0
 f2fs_fill_super+0x2a00/0x4a80
 mount_bdev+0x2c1/0x370
 mount_fs+0x4c/0x1c0
 vfs_kern_mount.part.0+0x60/0x3d0
 do_mount+0x367/0x2570
 ksys_mount+0xa0/0x100
 __x64_sys_mount+0xbf/0x160
 do_syscall_64+0xc2/0x190
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
---
 fs/f2fs/super.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 8fecd3050ccd..b041625e06ce 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) free_compress_inode: f2fs_destroy_compress_inode(sbi); free_root_inode: + if (retry_cnt > 0 && skip_recovery) + shrink_dcache_sb(sb); dput(sb->s_root); sb->s_root = NULL; free_node_inode:
@@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) /* give only one another chance */ if (retry_cnt > 0 && skip_recovery) { retry_cnt--; - shrink_dcache_sb(sb); goto try_onemore; } return err; -- 2.17.1 _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
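Review bot: in the first hunk (free_root_inode:), shrink_dcache_sb(sb) is now called before dput(sb->s_root), while sb->s_root still holds its reference to the root dentry; is that dentry reachable by the shrink at all at that point, or is the root inode's eviction merely deferred until after the retry has reused sb? The commit message should say why shrinking before the dput() is sufficient. The added `if (retry_cnt > 0 && skip_recovery)` also repeats the condition of the retry block at the end of the function; a one-line comment tying the two together would keep them from drifting apart in later changes.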
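Review bot: with `shrink_dcache_sb(sb);` removed from the retry block in the second hunk, error paths that jump to labels after free_root_inode (free_node_inode and the labels that follow it) now reach `goto try_onemore` without any dcache shrink for sb. If that is safe because no dentry can exist for sb on those paths, the commit message should state it; otherwise the shrink belongs on a path every retry takes, placed before the sbi is freed.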
Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super @ 2021-07-22 14:05 Chao Yu
From: Chao Yu @ 2021-07-22 14:05 UTC (permalink / raw)
To: Jack Qiu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/22 12:41, Jack Qiu wrote:
> The root cause is shrink_dcache_sb after sbi has been freed.
> So call shrink_dcache_sb before freeing sbi and other resources.
>
> ==================================================================
> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>
> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
> 4.19.195-00002-g67dceea04431-dirty #31

Does this bug below to 4.19.195?

> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
> 04/01/2014
> Call Trace:
> dump_stack+0xe5/0x14b
> ? f2fs_evict_inode+0x31c/0xde5
> print_address_description+0x6c/0x237
> ? f2fs_evict_inode+0x31c/0xde5
> kasan_report.cold+0x88/0x2a3
> f2fs_evict_inode+0x31c/0xde5
> ? full_proxy_open.cold+0x12/0x12
> evict+0x2cd/0x5f0
> iput+0x3d9/0x6f0
> dentry_unlink_inode+0x273/0x330
> __dentry_kill+0x340/0x5e0
> dentry_kill+0xb7/0x740
> shrink_dentry_list+0x256/0x660
> shrink_dcache_sb+0x11f/0x1d0
> ? shrink_dentry_list+0x660/0x660
> ? __kasan_slab_free+0x144/0x180
> f2fs_fill_super+0x2a34/0x4a80
> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
> ? wait_for_completion+0x3c0/0x3c0
> ? set_blocksize+0x230/0x2b0
> mount_bdev+0x2c1/0x370
> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
> mount_fs+0x4c/0x1c0
> vfs_kern_mount.part.0+0x60/0x3d0
> do_mount+0x367/0x2570
> ? kasan_unpoison_shadow+0x33/0x40
> ? copy_mount_string+0x40/0x40
> ? kmem_cache_alloc_trace+0x13f/0x2b0
> ? _copy_from_user+0x94/0x100
> ? copy_mount_options+0x1f1/0x2e0
> ksys_mount+0xa0/0x100
> __x64_sys_mount+0xbf/0x160
> do_syscall_64+0xc2/0x190
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x47938e
> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>
> Allocated by task 8729:
> kasan_kmalloc+0xc2/0xe0
> kmem_cache_alloc_trace+0x13f/0x2b0
> f2fs_fill_super+0x124/0x4a80
> mount_bdev+0x2c1/0x370
> mount_fs+0x4c/0x1c0
> vfs_kern_mount.part.0+0x60/0x3d0
> do_mount+0x367/0x2570
> ksys_mount+0xa0/0x100
> __x64_sys_mount+0xbf/0x160
> do_syscall_64+0xc2/0x190
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 8729:
> __kasan_slab_free+0x12f/0x180
> kfree+0xfa/0x2a0
> f2fs_fill_super+0x2a00/0x4a80
> mount_bdev+0x2c1/0x370
> mount_fs+0x4c/0x1c0
> vfs_kern_mount.part.0+0x60/0x3d0
> do_mount+0x367/0x2570
> ksys_mount+0xa0/0x100
> __x64_sys_mount+0xbf/0x160
> do_syscall_64+0xc2/0x190
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
> ---
> fs/f2fs/super.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index 8fecd3050ccd..b041625e06ce 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) > free_compress_inode: > f2fs_destroy_compress_inode(sbi); > free_root_inode: > + if (retry_cnt > 0 && skip_recovery) > + shrink_dcache_sb(sb); Compare to 4.19, last f2fs adds evict_inodes() before f2fs_unregister_sysfs(), could you please check whether this can fix the issue? Thanks, > dput(sb->s_root); > sb->s_root = NULL; > free_node_inode: > @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) > /* give only one another chance */ > if (retry_cnt > 0 && skip_recovery) { > retry_cnt--; > - shrink_dcache_sb(sb); > goto try_onemore; > } > return err; > -- > 2.17.1 > _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super @ 2021-07-23 2:41 Jack Qiu

From: Jack Qiu @ 2021-07-23 2:41 UTC (permalink / raw)
To: Chao Yu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/22 22:05, Chao Yu wrote:
> On 2021/7/22 12:41, Jack Qiu wrote:
>> The root cause is shrink_dcache_sb after sbi has been freed.
>> So call shrink_dcache_sb before freeing sbi and other resources.
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>
>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>> 4.19.195-00002-g67dceea04431-dirty #31
>
> Does this bug below to 4.19.195?
>
Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.

git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
v3.17-rc4~27^2~17
@@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) brelse(raw_super_buf); free_sbi: kfree(sbi); --- free sbi + + /* give only one another chance */ + if (retry) { + retry = !retry; + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi + goto try_onemore; + } return err; } >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 >> 04/01/2014 >> Call Trace: >> dump_stack+0xe5/0x14b >> ? f2fs_evict_inode+0x31c/0xde5 >> print_address_description+0x6c/0x237 >> ? f2fs_evict_inode+0x31c/0xde5 >> kasan_report.cold+0x88/0x2a3 >> f2fs_evict_inode+0x31c/0xde5 >> ? full_proxy_open.cold+0x12/0x12 >> evict+0x2cd/0x5f0 >> iput+0x3d9/0x6f0 >> dentry_unlink_inode+0x273/0x330 >> __dentry_kill+0x340/0x5e0 >> dentry_kill+0xb7/0x740 >> shrink_dentry_list+0x256/0x660 >> shrink_dcache_sb+0x11f/0x1d0 >> ? shrink_dentry_list+0x660/0x660 >> ? __kasan_slab_free+0x144/0x180 >> f2fs_fill_super+0x2a34/0x4a80 >> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >> ? wait_for_completion+0x3c0/0x3c0 >> ? set_blocksize+0x230/0x2b0 >> mount_bdev+0x2c1/0x370 >> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >> mount_fs+0x4c/0x1c0 >> vfs_kern_mount.part.0+0x60/0x3d0 >> do_mount+0x367/0x2570 >> ? kasan_unpoison_shadow+0x33/0x40 >> ? copy_mount_string+0x40/0x40 >> ? kmem_cache_alloc_trace+0x13f/0x2b0 >> ? _copy_from_user+0x94/0x100 >> ? 
copy_mount_options+0x1f1/0x2e0
>> ksys_mount+0xa0/0x100
>> __x64_sys_mount+0xbf/0x160
>> do_syscall_64+0xc2/0x190
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x47938e
>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>
>> Allocated by task 8729:
>> kasan_kmalloc+0xc2/0xe0
>> kmem_cache_alloc_trace+0x13f/0x2b0
>> f2fs_fill_super+0x124/0x4a80
>> mount_bdev+0x2c1/0x370
>> mount_fs+0x4c/0x1c0
>> vfs_kern_mount.part.0+0x60/0x3d0
>> do_mount+0x367/0x2570
>> ksys_mount+0xa0/0x100
>> __x64_sys_mount+0xbf/0x160
>> do_syscall_64+0xc2/0x190
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Freed by task 8729:
>> __kasan_slab_free+0x12f/0x180
>> kfree+0xfa/0x2a0
>> f2fs_fill_super+0x2a00/0x4a80
>> mount_bdev+0x2c1/0x370
>> mount_fs+0x4c/0x1c0
>> vfs_kern_mount.part.0+0x60/0x3d0
>> do_mount+0x367/0x2570
>> ksys_mount+0xa0/0x100
>> __x64_sys_mount+0xbf/0x160
>> do_syscall_64+0xc2/0x190
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>> ---
>> fs/f2fs/super.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>> index 8fecd3050ccd..b041625e06ce 100644
>> --- a/fs/f2fs/super.c
>> +++ b/fs/f2fs/super.c
>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >> free_compress_inode: >> f2fs_destroy_compress_inode(sbi); >> free_root_inode: >> + if (retry_cnt > 0 && skip_recovery) >> + shrink_dcache_sb(sb); > > Compare to 4.19, last f2fs adds evict_inodes() before f2fs_unregister_sysfs(), Can not find *evict_inodes*, could you please elaborate more detail? > could you please check whether this can fix the issue? I have run the test more than 1 day w/ this patch, it will fail in 1 hour before. I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb, maybe I miss other scenario. If you have other comment, please let me know. Thanks, > > Thanks, > >> dput(sb->s_root); >> sb->s_root = NULL; >> free_node_inode: >> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >> /* give only one another chance */ >> if (retry_cnt > 0 && skip_recovery) { >> retry_cnt--; >> - shrink_dcache_sb(sb); >> goto try_onemore; >> } >> return err; >> -- >> 2.17.1 >> > . _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
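The sequence Jack traces above (kfree(sbi), then shrink_dcache_sb() evicting the root inode, whose eviction reads sbi) modelled in user space, as an added example that is not part of this thread or of f2fs: every struct and function below is a stand-in named after its kernel counterpart, and failed_mount_attempt() reports, for each teardown order, how many evictions saw a live sbi and how many would have touched freed memory.

```c
/*
 * User-space model of the teardown ordering discussed in this thread.
 * Constructed example, not f2fs code: every type and function is a stand-in
 * named after its kernel counterpart.  An inode from a failed mount attempt
 * keeps a back-pointer to the super_block and is evicted only when the
 * dentry cache is shrunk, and eviction dereferences sb->s_fs_info (sbi).
 */
#include <stdio.h>
#include <stdlib.h>

#define SBI_MAGIC 0xF2F5

struct sbi { int magic; };          /* stand-in for struct f2fs_sb_info */

struct inode {                      /* stand-in for an inode plus its dentry */
	struct super_block *i_sb;   /* back-pointer that outlives the attempt */
	struct inode *lru_next;     /* on sb->lru once the dentry is unreferenced */
};

struct super_block {
	struct sbi *s_fs_info;      /* freed and cleared on the failure path */
	struct inode *root;         /* held through sb->s_root in the kernel */
	struct inode *lru;          /* what shrink_dcache_sb() would kill */
};

/* evicted_ok: evictions that saw a live sbi; dangling: would have read freed sbi */
struct result { int evicted_ok; int dangling; };

enum order { FREE_THEN_SHRINK, SHRINK_THEN_FREE };

/* Stand-in for f2fs_evict_inode(): needs sbi via inode->i_sb->s_fs_info. */
static void evict_inode(struct inode *inode, struct result *r)
{
	struct sbi *sbi = inode->i_sb->s_fs_info;
	if (!sbi) {             /* s_fs_info was freed and cleared: caught here */
		r->dangling++;
		return;
	}
	if (sbi->magic != SBI_MAGIC)
		abort();
	r->evicted_ok++;
}

/* Stand-in for dput(sb->s_root): the last reference drops and the dentry
 * moves to the sb's LRU list, but its inode is not evicted yet. */
static void dput_root(struct super_block *sb)
{
	if (!sb->root)
		return;
	sb->root->lru_next = sb->lru;
	sb->lru = sb->root;
	sb->root = NULL;
}

/* Stand-in for shrink_dcache_sb(): kill every unreferenced dentry of sb,
 * which evicts its inode and so calls back into the filesystem. */
static void shrink_dcache_sb(struct super_block *sb, struct result *r)
{
	while (sb->lru) {
		struct inode *inode = sb->lru;
		sb->lru = inode->lru_next;
		evict_inode(inode, r);
		free(inode);
	}
}

/* One mount attempt that instantiated the root inode and then failed,
 * followed by the cleanup that runs before "goto try_onemore". */
struct result failed_mount_attempt(enum order order)
{
	struct super_block sb = { NULL, NULL, NULL };
	struct result r = { 0, 0 };
	struct sbi *sbi = calloc(1, sizeof(*sbi));
	struct inode *root = calloc(1, sizeof(*root));

	if (!sbi || !root)
		abort();
	sbi->magic = SBI_MAGIC;
	sb.s_fs_info = sbi;
	root->i_sb = &sb;
	sb.root = root;

	dput_root(&sb);                     /* free_root_inode: dput(sb->s_root) */
	if (order == SHRINK_THEN_FREE)
		shrink_dcache_sb(&sb, &r);  /* evict while sbi is still live */
	free(sb.s_fs_info);                 /* free_sbi: kfree(sbi) */
	sb.s_fs_info = NULL;                /* never leave a dangling pointer */
	if (order == FREE_THEN_SHRINK)
		shrink_dcache_sb(&sb, &r);  /* the 4.19 retry block: too late */
	return r;
}

int main(void)
{
	printf("free then shrink: %d dangling\n", failed_mount_attempt(FREE_THEN_SHRINK).dangling);
	printf("shrink then free: %d dangling\n", failed_mount_attempt(SHRINK_THEN_FREE).dangling);
	return 0;
}
```

Clearing s_fs_info right after the free is what lets the model (and, in a kernel, an oops rather than KASAN) catch the stale access instead of silently reading freed memory.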
Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super @ 2021-07-23 2:51 Chao Yu

From: Chao Yu @ 2021-07-23 2:51 UTC (permalink / raw)
To: Jack Qiu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/23 10:41, Jack Qiu wrote:
> On 2021/7/22 22:05, Chao Yu wrote:
>> On 2021/7/22 12:41, Jack Qiu wrote:
>>> The root cause is shrink_dcache_sb after sbi has been freed.
>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>
>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>> 4.19.195-00002-g67dceea04431-dirty #31
>>
>> Does this bug below to 4.19.195?

I mean whether this bug exists in mainline? Not sure, I just doubt maybe
we have fixed this issue, but forgot to backport it to 4.19 stable kernel.

>>
> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>
> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
> v3.17-rc4~27^2~17
> > @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) > brelse(raw_super_buf); > free_sbi: > kfree(sbi); --- free sbi > + > + /* give only one another chance */ > + if (retry) { > + retry = !retry; > + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi > + goto try_onemore; > + } > return err; > } > >>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 >>> 04/01/2014 >>> Call Trace: >>> dump_stack+0xe5/0x14b >>> ? f2fs_evict_inode+0x31c/0xde5 >>> print_address_description+0x6c/0x237 >>> ? f2fs_evict_inode+0x31c/0xde5 >>> kasan_report.cold+0x88/0x2a3 >>> f2fs_evict_inode+0x31c/0xde5 >>> ? full_proxy_open.cold+0x12/0x12 >>> evict+0x2cd/0x5f0 >>> iput+0x3d9/0x6f0 >>> dentry_unlink_inode+0x273/0x330 >>> __dentry_kill+0x340/0x5e0 >>> dentry_kill+0xb7/0x740 >>> shrink_dentry_list+0x256/0x660 >>> shrink_dcache_sb+0x11f/0x1d0 >>> ? shrink_dentry_list+0x660/0x660 >>> ? __kasan_slab_free+0x144/0x180 >>> f2fs_fill_super+0x2a34/0x4a80 >>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >>> ? wait_for_completion+0x3c0/0x3c0 >>> ? set_blocksize+0x230/0x2b0 >>> mount_bdev+0x2c1/0x370 >>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >>> mount_fs+0x4c/0x1c0 >>> vfs_kern_mount.part.0+0x60/0x3d0 >>> do_mount+0x367/0x2570 >>> ? kasan_unpoison_shadow+0x33/0x40 >>> ? copy_mount_string+0x40/0x40 >>> ? kmem_cache_alloc_trace+0x13f/0x2b0 >>> ? _copy_from_user+0x94/0x100 >>> ? 
copy_mount_options+0x1f1/0x2e0
>>> ksys_mount+0xa0/0x100
>>> __x64_sys_mount+0xbf/0x160
>>> do_syscall_64+0xc2/0x190
>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>> RIP: 0033:0x47938e
>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>
>>> Allocated by task 8729:
>>> kasan_kmalloc+0xc2/0xe0
>>> kmem_cache_alloc_trace+0x13f/0x2b0
>>> f2fs_fill_super+0x124/0x4a80
>>> mount_bdev+0x2c1/0x370
>>> mount_fs+0x4c/0x1c0
>>> vfs_kern_mount.part.0+0x60/0x3d0
>>> do_mount+0x367/0x2570
>>> ksys_mount+0xa0/0x100
>>> __x64_sys_mount+0xbf/0x160
>>> do_syscall_64+0xc2/0x190
>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>
>>> Freed by task 8729:
>>> __kasan_slab_free+0x12f/0x180
>>> kfree+0xfa/0x2a0
>>> f2fs_fill_super+0x2a00/0x4a80
>>> mount_bdev+0x2c1/0x370
>>> mount_fs+0x4c/0x1c0
>>> vfs_kern_mount.part.0+0x60/0x3d0
>>> do_mount+0x367/0x2570
>>> ksys_mount+0xa0/0x100
>>> __x64_sys_mount+0xbf/0x160
>>> do_syscall_64+0xc2/0x190
>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>
>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>> ---
>>> fs/f2fs/super.c | 3 ++-
>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>> index 8fecd3050ccd..b041625e06ce 100644
>>> --- a/fs/f2fs/super.c
>>> +++ b/fs/f2fs/super.c
>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>> free_compress_inode: >>> f2fs_destroy_compress_inode(sbi); >>> free_root_inode: >>> + if (retry_cnt > 0 && skip_recovery) >>> + shrink_dcache_sb(sb); >> >> Compare to 4.19, last f2fs adds evict_inodes() before f2fs_unregister_sysfs(), > Can not find *evict_inodes*, could you please elaborate more detail? Could you please check whether below patch can fix this issue? https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98 Thanks, >> could you please check whether this can fix the issue? > I have run the test more than 1 day w/ this patch, it will fail in 1 hour before. > I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb, > maybe I miss other scenario. If you have other comment, please let me know. > > Thanks, >> >> Thanks, >> >>> dput(sb->s_root); >>> sb->s_root = NULL; >>> free_node_inode: >>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>> /* give only one another chance */ >>> if (retry_cnt > 0 && skip_recovery) { >>> retry_cnt--; >>> - shrink_dcache_sb(sb); >>> goto try_onemore; >>> } >>> return err; >>> -- >>> 2.17.1 >>> >> . > _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super @ 2021-07-23 3:27 Jack Qiu

From: Jack Qiu @ 2021-07-23 3:27 UTC (permalink / raw)
To: Chao Yu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/23 10:51, Chao Yu wrote:
> On 2021/7/23 10:41, Jack Qiu wrote:
>> On 2021/7/22 22:05, Chao Yu wrote:
>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>> The root cause is shrink_dcache_sb after sbi has been freed.
>>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>>
>>>> ==================================================================
>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>
>>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>
>>> Does this bug below to 4.19.195?
>
> I mean whether this bug exists in mainline? Not sure, I just doubt maybe
> we have fixed this issue, but forgot to backport it to 4.19 stable kernel.
>
Got it.
>>>
>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>
>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>> v3.17-rc4~27^2~17
>> >> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >> brelse(raw_super_buf); >> free_sbi: >> kfree(sbi); --- free sbi >> + >> + /* give only one another chance */ >> + if (retry) { >> + retry = !retry; >> + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi >> + goto try_onemore; >> + } >> return err; >> } >> >>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 >>>> 04/01/2014 >>>> Call Trace: >>>> dump_stack+0xe5/0x14b >>>> ? f2fs_evict_inode+0x31c/0xde5 >>>> print_address_description+0x6c/0x237 >>>> ? f2fs_evict_inode+0x31c/0xde5 >>>> kasan_report.cold+0x88/0x2a3 >>>> f2fs_evict_inode+0x31c/0xde5 >>>> ? full_proxy_open.cold+0x12/0x12 >>>> evict+0x2cd/0x5f0 >>>> iput+0x3d9/0x6f0 >>>> dentry_unlink_inode+0x273/0x330 >>>> __dentry_kill+0x340/0x5e0 >>>> dentry_kill+0xb7/0x740 >>>> shrink_dentry_list+0x256/0x660 >>>> shrink_dcache_sb+0x11f/0x1d0 >>>> ? shrink_dentry_list+0x660/0x660 >>>> ? __kasan_slab_free+0x144/0x180 >>>> f2fs_fill_super+0x2a34/0x4a80 >>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >>>> ? wait_for_completion+0x3c0/0x3c0 >>>> ? set_blocksize+0x230/0x2b0 >>>> mount_bdev+0x2c1/0x370 >>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >>>> mount_fs+0x4c/0x1c0 >>>> vfs_kern_mount.part.0+0x60/0x3d0 >>>> do_mount+0x367/0x2570 >>>> ? kasan_unpoison_shadow+0x33/0x40 >>>> ? copy_mount_string+0x40/0x40 >>>> ? kmem_cache_alloc_trace+0x13f/0x2b0 >>>> ? _copy_from_user+0x94/0x100 >>>> ? 
copy_mount_options+0x1f1/0x2e0
>>>> ksys_mount+0xa0/0x100
>>>> __x64_sys_mount+0xbf/0x160
>>>> do_syscall_64+0xc2/0x190
>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>> RIP: 0033:0x47938e
>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>>
>>>> Allocated by task 8729:
>>>> kasan_kmalloc+0xc2/0xe0
>>>> kmem_cache_alloc_trace+0x13f/0x2b0
>>>> f2fs_fill_super+0x124/0x4a80
>>>> mount_bdev+0x2c1/0x370
>>>> mount_fs+0x4c/0x1c0
>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>> do_mount+0x367/0x2570
>>>> ksys_mount+0xa0/0x100
>>>> __x64_sys_mount+0xbf/0x160
>>>> do_syscall_64+0xc2/0x190
>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>
>>>> Freed by task 8729:
>>>> __kasan_slab_free+0x12f/0x180
>>>> kfree+0xfa/0x2a0
>>>> f2fs_fill_super+0x2a00/0x4a80
>>>> mount_bdev+0x2c1/0x370
>>>> mount_fs+0x4c/0x1c0
>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>> do_mount+0x367/0x2570
>>>> ksys_mount+0xa0/0x100
>>>> __x64_sys_mount+0xbf/0x160
>>>> do_syscall_64+0xc2/0x190
>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>
>>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>>> ---
>>>> fs/f2fs/super.c | 3 ++-
>>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>> index 8fecd3050ccd..b041625e06ce 100644
>>>> --- a/fs/f2fs/super.c
>>>> +++ b/fs/f2fs/super.c
>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>>> free_compress_inode: >>>> f2fs_destroy_compress_inode(sbi); >>>> free_root_inode: >>>> + if (retry_cnt > 0 && skip_recovery) >>>> + shrink_dcache_sb(sb); >>> >>> Compare to 4.19, last f2fs adds evict_inodes() before f2fs_unregister_sysfs(), >> Can not find *evict_inodes*, could you please elaborate more detail? > > Could you please check whether below patch can fix this issue? > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98 > > Thanks, > I will test it. Thansk, >>> could you please check whether this can fix the issue? >> I have run the test more than 1 day w/ this patch, it will fail in 1 hour before. >> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb, >> maybe I miss other scenario. If you have other comment, please let me know. >> >> Thanks, >>> >>> Thanks, >>> >>>> dput(sb->s_root); >>>> sb->s_root = NULL; >>>> free_node_inode: >>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>>> /* give only one another chance */ >>>> if (retry_cnt > 0 && skip_recovery) { >>>> retry_cnt--; >>>> - shrink_dcache_sb(sb); >>>> goto try_onemore; >>>> } >>>> return err; >>>> -- >>>> 2.17.1 >>>> >>> . >> > . _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super @ 2021-07-23 3:29 Chao Yu

From: Chao Yu @ 2021-07-23 3:29 UTC (permalink / raw)
To: Jack Qiu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/23 11:27, Jack Qiu wrote:
> On 2021/7/23 10:51, Chao Yu wrote:
>> On 2021/7/23 10:41, Jack Qiu wrote:
>>> On 2021/7/22 22:05, Chao Yu wrote:
>>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>>> The root cause is shrink_dcache_sb after sbi has been freed.
>>>>> So call shrink_dcache_sb before freeing sbi and other resources.
>>>>>
>>>>> ==================================================================
>>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>>
>>>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>>
>>>> Does this bug below to 4.19.195?
>>
>> I mean whether this bug exists in mainline? Not sure, I just doubt maybe
>> we have fixed this issue, but forgot to backport it to 4.19 stable kernel.
>>
> Got it.
>>>>
>>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>>
>>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>>> v3.17-rc4~27^2~17
>>> >>> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>> brelse(raw_super_buf); >>> free_sbi: >>> kfree(sbi); --- free sbi >>> + >>> + /* give only one another chance */ >>> + if (retry) { >>> + retry = !retry; >>> + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi >>> + goto try_onemore; >>> + } >>> return err; >>> } >>> >>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >>>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 >>>>> 04/01/2014 >>>>> Call Trace: >>>>> dump_stack+0xe5/0x14b >>>>> ? f2fs_evict_inode+0x31c/0xde5 >>>>> print_address_description+0x6c/0x237 >>>>> ? f2fs_evict_inode+0x31c/0xde5 >>>>> kasan_report.cold+0x88/0x2a3 >>>>> f2fs_evict_inode+0x31c/0xde5 >>>>> ? full_proxy_open.cold+0x12/0x12 >>>>> evict+0x2cd/0x5f0 >>>>> iput+0x3d9/0x6f0 >>>>> dentry_unlink_inode+0x273/0x330 >>>>> __dentry_kill+0x340/0x5e0 >>>>> dentry_kill+0xb7/0x740 >>>>> shrink_dentry_list+0x256/0x660 >>>>> shrink_dcache_sb+0x11f/0x1d0 >>>>> ? shrink_dentry_list+0x660/0x660 >>>>> ? __kasan_slab_free+0x144/0x180 >>>>> f2fs_fill_super+0x2a34/0x4a80 >>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >>>>> ? wait_for_completion+0x3c0/0x3c0 >>>>> ? set_blocksize+0x230/0x2b0 >>>>> mount_bdev+0x2c1/0x370 >>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >>>>> mount_fs+0x4c/0x1c0 >>>>> vfs_kern_mount.part.0+0x60/0x3d0 >>>>> do_mount+0x367/0x2570 >>>>> ? kasan_unpoison_shadow+0x33/0x40 >>>>> ? copy_mount_string+0x40/0x40 >>>>> ? kmem_cache_alloc_trace+0x13f/0x2b0 >>>>> ? _copy_from_user+0x94/0x100 >>>>> ? 
copy_mount_options+0x1f1/0x2e0
>>>>> ksys_mount+0xa0/0x100
>>>>> __x64_sys_mount+0xbf/0x160
>>>>> do_syscall_64+0xc2/0x190
>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>> RIP: 0033:0x47938e
>>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>>>
>>>>> Allocated by task 8729:
>>>>> kasan_kmalloc+0xc2/0xe0
>>>>> kmem_cache_alloc_trace+0x13f/0x2b0
>>>>> f2fs_fill_super+0x124/0x4a80
>>>>> mount_bdev+0x2c1/0x370
>>>>> mount_fs+0x4c/0x1c0
>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>> do_mount+0x367/0x2570
>>>>> ksys_mount+0xa0/0x100
>>>>> __x64_sys_mount+0xbf/0x160
>>>>> do_syscall_64+0xc2/0x190
>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>
>>>>> Freed by task 8729:
>>>>> __kasan_slab_free+0x12f/0x180
>>>>> kfree+0xfa/0x2a0
>>>>> f2fs_fill_super+0x2a00/0x4a80
>>>>> mount_bdev+0x2c1/0x370
>>>>> mount_fs+0x4c/0x1c0
>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>> do_mount+0x367/0x2570
>>>>> ksys_mount+0xa0/0x100
>>>>> __x64_sys_mount+0xbf/0x160
>>>>> do_syscall_64+0xc2/0x190
>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>
>>>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
>>>>> ---
>>>>> fs/f2fs/super.c | 3 ++-
>>>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>>> index 8fecd3050ccd..b041625e06ce 100644
>>>>> --- a/fs/f2fs/super.c
>>>>> +++ b/fs/f2fs/super.c
>>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>>>> free_compress_inode: >>>>> f2fs_destroy_compress_inode(sbi); >>>>> free_root_inode: >>>>> + if (retry_cnt > 0 && skip_recovery) >>>>> + shrink_dcache_sb(sb); >>>> >>>> Compare to 4.19, last f2fs adds evict_inodes() before f2fs_unregister_sysfs(), >>> Can not find *evict_inodes*, could you please elaborate more detail? >> >> Could you please check whether below patch can fix this issue? >> >> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98 >> >> Thanks, >> > I will test it. Could you please test on 5.14-rc1 first? Thanks, > > Thansk, >>>> could you please check whether this can fix the issue? >>> I have run the test more than 1 day w/ this patch, it will fail in 1 hour before. >>> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb, >>> maybe I miss other scenario. If you have other comment, please let me know. >>> >>> Thanks, >>>> >>>> Thanks, >>>> >>>>> dput(sb->s_root); >>>>> sb->s_root = NULL; >>>>> free_node_inode: >>>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>>>> /* give only one another chance */ >>>>> if (retry_cnt > 0 && skip_recovery) { >>>>> retry_cnt--; >>>>> - shrink_dcache_sb(sb); >>>>> goto try_onemore; >>>>> } >>>>> return err; >>>>> -- >>>>> 2.17.1 >>>>> >>>> . >>> >> . > _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
  2021-07-23  3:29 ` Chao Yu
@ 2021-07-23  3:45 ` Jack Qiu
  0 siblings, 0 replies; 7+ messages in thread
From: Jack Qiu @ 2021-07-23  3:45 UTC (permalink / raw)
  To: Chao Yu, jaegeuk; +Cc: linux-f2fs-devel

On 2021/7/23 11:29, Chao Yu wrote:
> On 2021/7/23 11:27, Jack Qiu wrote:
>> On 2021/7/23 10:51, Chao Yu wrote:
>>> On 2021/7/23 10:41, Jack Qiu wrote:
>>>> On 2021/7/22 22:05, Chao Yu wrote:
>>>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>>>> The root cause is shrink_dcache_sb after sbi has been freed.
>>>>>> So call shrink_dcache_sb before free sbi and other resources.
>>>>>>
>>>>>> ==================================================================
>>>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>>>
>>>>>> CPU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>>>
>>>>> Does this bug belong to 4.19.195?
>>>
>>> I mean whether this bug exists in mainline? Not sure, I just doubt maybe
>>> we have fixed this issue, but forgot to backport it to 4.19 stable kernel.
>>>
>> Got it.
>>>>>
>>>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>>>
>>>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>>>> v3.17-rc4~27^2~17
>>>> >>>> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>>> brelse(raw_super_buf); >>>> free_sbi: >>>> kfree(sbi); --- free sbi >>>> + >>>> + /* give only one another chance */ >>>> + if (retry) { >>>> + retry = !retry; >>>> + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root inode), it will access sbi >>>> + goto try_onemore; >>>> + } >>>> return err; >>>> } >>>> >>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >>>>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 >>>>>> 04/01/2014 >>>>>> Call Trace: >>>>>> dump_stack+0xe5/0x14b >>>>>> ? f2fs_evict_inode+0x31c/0xde5 >>>>>> print_address_description+0x6c/0x237 >>>>>> ? f2fs_evict_inode+0x31c/0xde5 >>>>>> kasan_report.cold+0x88/0x2a3 >>>>>> f2fs_evict_inode+0x31c/0xde5 >>>>>> ? full_proxy_open.cold+0x12/0x12 >>>>>> evict+0x2cd/0x5f0 >>>>>> iput+0x3d9/0x6f0 >>>>>> dentry_unlink_inode+0x273/0x330 >>>>>> __dentry_kill+0x340/0x5e0 >>>>>> dentry_kill+0xb7/0x740 >>>>>> shrink_dentry_list+0x256/0x660 >>>>>> shrink_dcache_sb+0x11f/0x1d0 >>>>>> ? shrink_dentry_list+0x660/0x660 >>>>>> ? __kasan_slab_free+0x144/0x180 >>>>>> f2fs_fill_super+0x2a34/0x4a80 >>>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >>>>>> ? wait_for_completion+0x3c0/0x3c0 >>>>>> ? set_blocksize+0x230/0x2b0 >>>>>> mount_bdev+0x2c1/0x370 >>>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 >>>>>> mount_fs+0x4c/0x1c0 >>>>>> vfs_kern_mount.part.0+0x60/0x3d0 >>>>>> do_mount+0x367/0x2570 >>>>>> ? kasan_unpoison_shadow+0x33/0x40 >>>>>> ? copy_mount_string+0x40/0x40 >>>>>> ? kmem_cache_alloc_trace+0x13f/0x2b0 >>>>>> ? _copy_from_user+0x94/0x100 >>>>>> ? 
copy_mount_options+0x1f1/0x2e0 >>>>>> ksys_mount+0xa0/0x100 >>>>>> __x64_sys_mount+0xbf/0x160 >>>>>> do_syscall_64+0xc2/0x190 >>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe >>>>>> RIP: 0033:0x47938e >>>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 >>>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 >>>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 >>>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 >>>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e >>>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0 >>>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000 >>>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000 >>>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00 >>>>>> >>>>>> Allocated by task 8729: >>>>>> kasan_kmalloc+0xc2/0xe0 >>>>>> kmem_cache_alloc_trace+0x13f/0x2b0 >>>>>> f2fs_fill_super+0x124/0x4a80 >>>>>> mount_bdev+0x2c1/0x370 >>>>>> mount_fs+0x4c/0x1c0 >>>>>> vfs_kern_mount.part.0+0x60/0x3d0 >>>>>> do_mount+0x367/0x2570 >>>>>> ksys_mount+0xa0/0x100 >>>>>> __x64_sys_mount+0xbf/0x160 >>>>>> do_syscall_64+0xc2/0x190 >>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe >>>>>> >>>>>> Freed by task 8729: >>>>>> __kasan_slab_free+0x12f/0x180 >>>>>> kfree+0xfa/0x2a0 >>>>>> f2fs_fill_super+0x2a00/0x4a80 >>>>>> mount_bdev+0x2c1/0x370 >>>>>> mount_fs+0x4c/0x1c0 >>>>>> vfs_kern_mount.part.0+0x60/0x3d0 >>>>>> do_mount+0x367/0x2570 >>>>>> ksys_mount+0xa0/0x100 >>>>>> __x64_sys_mount+0xbf/0x160 >>>>>> do_syscall_64+0xc2/0x190 >>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe >>>>>> >>>>>> Signed-off-by: Jack Qiu <jack.qiu@huawei.com> >>>>>> --- >>>>>> fs/f2fs/super.c | 3 ++- >>>>>> 1 file changed, 2 insertions(+), 1 deletion(-) >>>>>> >>>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c >>>>>> index 8fecd3050ccd..b041625e06ce 100644 >>>>>> --- a/fs/f2fs/super.c 
>>>>>> +++ b/fs/f2fs/super.c >>>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>>>>> free_compress_inode: >>>>>> f2fs_destroy_compress_inode(sbi); >>>>>> free_root_inode: >>>>>> + if (retry_cnt > 0 && skip_recovery) >>>>>> + shrink_dcache_sb(sb); >>>>> >>>>> Compare to 4.19, last f2fs adds evict_inodes() before f2fs_unregister_sysfs(), >>>> Can not find *evict_inodes*, could you please elaborate more detail? >>> >>> Could you please check whether below patch can fix this issue? >>> >>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98 >>> >>> Thanks, >>> >> I will test it. > > Could you please test on 5.14-rc1 first? > > Thanks, > Ok. >> >> Thansk, >>>>> could you please check whether this can fix the issue? >>>> I have run the test more than 1 day w/ this patch, it will fail in 1 hour before. >>>> I believe this patch can fix *this* issue. But I'm not quite familiar with shrink_dcache_sb, >>>> maybe I miss other scenario. If you have other comment, please let me know. >>>> >>>> Thanks, >>>>> >>>>> Thanks, >>>>> >>>>>> dput(sb->s_root); >>>>>> sb->s_root = NULL; >>>>>> free_node_inode: >>>>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) >>>>>> /* give only one another chance */ >>>>>> if (retry_cnt > 0 && skip_recovery) { >>>>>> retry_cnt--; >>>>>> - shrink_dcache_sb(sb); >>>>>> goto try_onemore; >>>>>> } >>>>>> return err; >>>>>> -- >>>>>> 2.17.1 >>>>>> >>>>> . >>>> >>> . >> > . _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
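Review bot: the second hunk drops `shrink_dcache_sb(sb)` from the retry block, so after this patch the dcache is shrunk only when the error path enters at free_root_inode or at a label above it that falls through into it (free_compress_inode in the visible context); a failure that jumps to free_node_inode or any later label now reaches `goto try_onemore` without the call. The commit message should state why that is safe, i.e. whether any dentry for this sb can exist before `sb->s_root` is set; if it can, keep the call on those paths as well. Also, as Chao Yu asks, confirm on 5.14-rc1 whether the mainline commit at the linked URL already covers this before -next carries a second fix for the same use-after-free.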
end of thread, other threads:[~2021-07-23  3:46 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-22  4:41 [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super Jack Qiu
2021-07-22 14:05 ` Chao Yu
2021-07-23  2:41   ` Jack Qiu
2021-07-23  2:51     ` Chao Yu
2021-07-23  3:27       ` Jack Qiu
2021-07-23  3:29         ` Chao Yu
2021-07-23  3:45           ` Jack Qiu