* [PATCH 1/5] f2fs: give message and set need_fsck given broken node id
@ 2018-04-25  5:46 Jaegeuk Kim
  2018-04-25  5:46 ` [PATCH 2/5] f2fs: avoid bug_on on corrupted inode Jaegeuk Kim
                   ` (4 more replies)
  0 siblings, 5 replies; 20+ messages in thread
From: Jaegeuk Kim @ 2018-04-25  5:46 UTC (permalink / raw)
  To: linux-kernel, linux-f2fs-devel; +Cc: Jaegeuk Kim

syzbot hit the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=d154ec99402c6f628887

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5414336294027264
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5471683234234368
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5436660795834368
Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d154ec99402c6f628887@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
------------[ cut here ]------------
kernel BUG at fs/f2fs/node.c:1185!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4549 Comm: syzkaller704305 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__get_node_page+0xb68/0x16e0 fs/f2fs/node.c:1185
RSP: 0018:ffff8801d960e820 EFLAGS: 00010293
RAX: ffff8801d88205c0 RBX: 0000000000000003 RCX: ffffffff82f6cc06
RDX: 0000000000000000 RSI: ffffffff82f6d5e8 RDI: 0000000000000004
RBP: ffff8801d960ec30 R08: ffff8801d88205c0 R09: ffffed003b5e46c2
R10: 0000000000000003 R11: 0000000000000003 R12: ffff8801a86e00c0
R13: 0000000000000001 R14: ffff8801a86e0530 R15: ffff8801d9745240
FS:  000000000072c880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3d403209b8 CR3: 00000001d8f3f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 get_node_page fs/f2fs/node.c:1237 [inline]
 truncate_xattr_node+0x152/0x2e0 fs/f2fs/node.c:1014
 remove_inode_page+0x200/0xaf0 fs/f2fs/node.c:1039
 f2fs_evict_inode+0xe86/0x1710 fs/f2fs/inode.c:547
 evict+0x4a6/0x960 fs/inode.c:557
 iput_final fs/inode.c:1519 [inline]
 iput+0x62d/0xa80 fs/inode.c:1545
 f2fs_fill_super+0x5f4e/0x7bf0 fs/f2fs/super.c:2849
 mount_bdev+0x30c/0x3e0 fs/super.c:1164
 f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
 mount_fs+0xae/0x328 fs/super.c:1267
 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x564/0x3070 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443dea
RSP: 002b:00007ffcc7882368 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000c00 RCX: 0000000000443dea
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcc7882370
RBP: 0000000000000003 R08: 0000000020016a00 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000004
R13: 0000000000402ce0 R14: 0000000000000000 R15: 0000000000000000
RIP: __get_node_page+0xb68/0x16e0 fs/f2fs/node.c:1185 RSP: ffff8801d960e820
---[ end trace 4edbeb71f002bb76 ]---

Reported-and-tested-by: syzbot+d154ec99402c6f628887@syzkaller.appspotmail.com
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/f2fs.h  | 13 +------------
 fs/f2fs/inode.c | 13 ++++++-------
 fs/f2fs/node.c  | 23 +++++++++++++++++++++--
 3 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 8f3ad9662d13..d26aae5bf00d 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1583,18 +1583,6 @@ static inline bool __exist_node_summaries(struct f2fs_sb_info *sbi)
 			is_set_ckpt_flags(sbi, CP_FASTBOOT_FLAG));
 }
 
-/*
- * Check whether the given nid is within node id range.
- */
-static inline int check_nid_range(struct f2fs_sb_info *sbi, nid_t nid)
-{
-	if (unlikely(nid < F2FS_ROOT_INO(sbi)))
-		return -EINVAL;
-	if (unlikely(nid >= NM_I(sbi)->max_nid))
-		return -EINVAL;
-	return 0;
-}
-
 /*
  * Check whether the inode has blocks or not
  */
@@ -2768,6 +2756,7 @@ f2fs_hash_t f2fs_dentry_hash(const struct qstr *name_info,
 struct dnode_of_data;
 struct node_info;
 
+int check_nid_range(struct f2fs_sb_info *sbi, nid_t nid);
 bool available_free_memory(struct f2fs_sb_info *sbi, int type);
 int need_dentry_mark(struct f2fs_sb_info *sbi, nid_t nid);
 bool is_checkpointed_node(struct f2fs_sb_info *sbi, nid_t nid);
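Review bot: the new prototype is declared around line 2759 of f2fs.h while the inline body it replaces lived around line 1586, so any static inline helper in f2fs.h between those two points that calls check_nid_range() now compiles against an implicit declaration; a quick grep before merging would confirm there is none. Turning the check into an out-of-line call is reasonable now that the failing path logs and sets SBI_NEED_FSCK.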
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 176f8e84bb6e..414b1ede642b 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -194,12 +194,8 @@ static int do_read_inode(struct inode *inode)
 	projid_t i_projid;
 
 	/* Check if ino is within scope */
-	if (check_nid_range(sbi, inode->i_ino)) {
-		f2fs_msg(inode->i_sb, KERN_ERR, "bad inode number: %lu",
-			 (unsigned long) inode->i_ino);
-		WARN_ON(1);
+	if (check_nid_range(sbi, inode->i_ino))
 		return -EINVAL;
-	}
 
 	node_page = get_node_page(sbi, inode->i_ino);
 	if (IS_ERR(node_page))
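Review bot: dropping the local f2fs_msg()/WARN_ON(1) is only safe because check_nid_range() now logs on its own; note the visible behaviour change that a bad inode number in do_read_inode() is now reported at KERN_WARNING instead of KERN_ERR and additionally sets SBI_NEED_FSCK. The commit message should mention both.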
@@ -588,8 +584,11 @@ void f2fs_evict_inode(struct inode *inode)
 		alloc_nid_failed(sbi, inode->i_ino);
 		clear_inode_flag(inode, FI_FREE_NID);
 	} else {
-		f2fs_bug_on(sbi, err &&
-			!exist_written_data(sbi, inode->i_ino, ORPHAN_INO));
+		/*
+		 * If xattr nid is corrupted, we can reach out error condition,
+		 * err & !exist_written_data(sbi, inode->i_ino, ORPHAN_INO)).
+		 * In that case, check_nid_range() is enough to give a clue.
+		 */
 	}
 out_clear:
 	fscrypt_put_encryption_info(inode);
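Review bot: the else branch is now empty apart from a comment, and the comment has a typo: `err & !exist_written_data(sbi, inode->i_ino, ORPHAN_INO)).` should read `err && !exist_written_data(sbi, inode->i_ino, ORPHAN_INO)` (bitwise `&` and an unbalanced closing parenthesis). Consider removing the empty `else { }` and placing the comment above the `if`. Also, err from remove_inode_page() is now silently discarded on this path; relying on check_nid_range() to have flagged the superblock only holds when the failure was an out-of-range nid, not for other errors remove_inode_page() can return.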
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 3a3d38b3e9ec..2dd34cd980b1 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -29,6 +29,21 @@ static struct kmem_cache *nat_entry_slab;
 static struct kmem_cache *free_nid_slab;
 static struct kmem_cache *nat_entry_set_slab;
 
+/*
+ * Check whether the given nid is within node id range.
+ */
+int check_nid_range(struct f2fs_sb_info *sbi, nid_t nid)
+{
+	if (unlikely(nid < F2FS_ROOT_INO(sbi) || nid >= NM_I(sbi)->max_nid)) {
+		set_sbi_flag(sbi, SBI_NEED_FSCK);
+		f2fs_msg(sbi->sb, KERN_WARNING,
+				"%s: out-of-range nid=%x, run fsck to fix.",
+				__func__, nid);
+		return -EINVAL;
+	}
+	return 0;
+}
+
 bool available_free_memory(struct f2fs_sb_info *sbi, int type)
 {
 	struct f2fs_nm_info *nm_i = NM_I(sbi);
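Review bot: `"%s: out-of-range nid=%x, run fsck to fix."` prints the nid in hex without a 0x prefix, while the message this replaces in do_read_inode() printed the inode number in decimal with `%lu`; use `%u` so the value matches what fsck.f2fs and the other f2fs messages report. nid_t is 32 bits wide, so either format is type-safe.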
@@ -1010,6 +1025,8 @@ int truncate_xattr_node(struct inode *inode)
 
 	if (!nid)
 		return 0;
+	if (check_nid_range(sbi, nid))
+		return -EINVAL;
 
 	npage = get_node_page(sbi, nid);
 	if (IS_ERR(npage))
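Review bot: this early check duplicates the one added to __get_node_page() later in this patch: get_node_page(sbi, nid) would already return ERR_PTR(-EINVAL) for an out-of-range xattr nid and the `if (IS_ERR(npage))` below handles it. Either drop the early return or add a one-line comment saying the duplication is intentional, so it is not removed as dead code later.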
@@ -1158,7 +1175,8 @@ void ra_node_page(struct f2fs_sb_info *sbi, nid_t nid)
 
 	if (!nid)
 		return;
-	f2fs_bug_on(sbi, check_nid_range(sbi, nid));
+	if (check_nid_range(sbi, nid))
+		return;
 
 	rcu_read_lock();
 	apage = radix_tree_lookup(&NODE_MAPPING(sbi)->i_pages, nid);
@@ -1182,7 +1200,8 @@ static struct page *__get_node_page(struct f2fs_sb_info *sbi, pgoff_t nid,
 
 	if (!nid)
 		return ERR_PTR(-ENOENT);
-	f2fs_bug_on(sbi, check_nid_range(sbi, nid));
+	if (check_nid_range(sbi, nid))
+		return ERR_PTR(-EINVAL);
 repeat:
 	page = f2fs_grab_cache_page(NODE_MAPPING(sbi), nid, false);
 	if (!page)
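Review bot: callers of get_node_page() that previously could only observe -ENOENT or I/O errors now also get -EINVAL. The caller in the reported trace, truncate_xattr_node(), checks IS_ERR(), but the remaining callers should be audited for any f2fs_bug_on(IS_ERR(page)) that would simply move the BUG one frame up instead of fixing it.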
-- 
2.17.0.484.g0c8726318c-goog

* [PATCH 2/5] f2fs: avoid bug_on on corrupted inode
  2018-04-25  5:46 [PATCH 1/5] f2fs: give message and set need_fsck given broken node id Jaegeuk Kim
@ 2018-04-25  5:46 ` Jaegeuk Kim
  2018-04-25 13:01   ` [f2fs-dev] " Chao Yu
  2018-04-25  5:46   ` Jaegeuk Kim
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 20+ messages in thread
From: Jaegeuk Kim @ 2018-04-25  5:46 UTC (permalink / raw)
  To: linux-kernel, linux-f2fs-devel; +Cc: Jaegeuk Kim

syzbot has tested the proposed patch but the reproducer still triggered a crash:
kernel BUG at fs/f2fs/inode.c:LINE!

F2FS-fs (loop1): invalid crc value
F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop5): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop5): invalid crc value
------------[ cut here ]------------
kernel BUG at fs/f2fs/inode.c:238!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4886 Comm: syz-executor1 Not tainted 4.17.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:do_read_inode fs/f2fs/inode.c:238 [inline]
RIP: 0010:f2fs_iget+0x3307/0x3ca0 fs/f2fs/inode.c:313
RSP: 0018:ffff8801c44a70e8 EFLAGS: 00010293
RAX: ffff8801ce208040 RBX: ffff8801b3621080 RCX: ffffffff82eace18
F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0)
RDX: 0000000000000000 RSI: ffffffff82eaf047 RDI: 0000000000000007
RBP: ffff8801c44a7410 R08: ffff8801ce208040 R09: ffffed0039ee4176
R10: ffffed0039ee4176 R11: ffff8801cf720bb7 R12: ffff8801c0efa000
R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f753aa9d700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
------------[ cut here ]------------
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel BUG at fs/f2fs/inode.c:238!
CR2: 0000000001b03018 CR3: 00000001c8b74000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 f2fs_fill_super+0x4377/0x7bf0 fs/f2fs/super.c:2842
 mount_bdev+0x30c/0x3e0 fs/super.c:1165
 f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
 mount_fs+0xae/0x328 fs/super.c:1268
 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2517 [inline]
 do_mount+0x564/0x3070 fs/namespace.c:2847
 ksys_mount+0x12d/0x140 fs/namespace.c:3063
 __do_sys_mount fs/namespace.c:3077 [inline]
 __se_sys_mount fs/namespace.c:3074 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457daa
RSP: 002b:00007f753aa9cba8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000457daa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f753aa9cbf0
RBP: 0000000000000064 R08: 0000000020016a00 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000064 R14: 00000000006fcb80 R15: 0000000000000000
RIP: do_read_inode fs/f2fs/inode.c:238 [inline] RSP: ffff8801c44a70e8
RIP: f2fs_iget+0x3307/0x3ca0 fs/f2fs/inode.c:313 RSP: ffff8801c44a70e8
invalid opcode: 0000 [#2] SMP KASAN
---[ end trace 1cbcbec2156680bc ]---

Reported-and-tested-by: syzbot+41a1b341571f0952badb@syzkaller.appspotmail.com
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/inode.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 414b1ede642b..7f2fe4574c48 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -185,6 +185,21 @@ void f2fs_inode_chksum_set(struct f2fs_sb_info *sbi, struct page *page)
 	ri->i_inode_checksum = cpu_to_le32(f2fs_inode_chksum(sbi, page));
 }
 
+static bool sanity_check_inode(struct inode *inode)
+{
+	struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+
+	if (f2fs_sb_has_flexible_inline_xattr(sbi->sb)
+			&& !f2fs_has_extra_attr(inode)) {
+		set_sbi_flag(sbi, SBI_NEED_FSCK);
+		f2fs_msg(sbi->sb, KERN_WARNING,
+			"%s: corrupted inode ino=%lx, run fsck to fix.",
+			__func__, inode->i_ino);
+		return false;
+	}
+	return true;
+}
+
 static int do_read_inode(struct inode *inode)
 {
 	struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
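Review bot: sanity_check_inode() returns bool and leaves the caller to choose -EINVAL; returning int, as check_nid_range() does in patch 1, keeps the error code next to the check and removes the two-step at the call site. Also the message prints the inode number with `%lx` (hex) while check_nid_range() uses `%x`; pick one radix for the whole "run fsck to fix" family of messages so they line up with fsck output.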
@@ -235,7 +250,6 @@ static int do_read_inode(struct inode *inode)
 					le16_to_cpu(ri->i_extra_isize) : 0;
 
 	if (f2fs_sb_has_flexible_inline_xattr(sbi->sb)) {
-		f2fs_bug_on(sbi, !f2fs_has_extra_attr(inode));
 		fi->i_inline_xattr_size = le16_to_cpu(ri->i_inline_xattr_size);
 	} else if (f2fs_has_inline_xattr(inode) ||
 				f2fs_has_inline_dentry(inode)) {
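Review bot: with the f2fs_bug_on() gone, `fi->i_inline_xattr_size = le16_to_cpu(ri->i_inline_xattr_size);` now executes even when the inode lacks the extra-attr flag, and the bad inode is only rejected afterwards in f2fs_iget(). Since i_inline_xattr_size is only meaningful when extra attrs are present, consider performing the f2fs_has_extra_attr() check right here and returning -EINVAL before the value is stored, which also keeps do_read_inode() self-contained.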
@@ -313,6 +327,10 @@ struct inode *f2fs_iget(struct super_block *sb, unsigned long ino)
 	ret = do_read_inode(inode);
 	if (ret)
 		goto bad_inode;
+	if (!sanity_check_inode(inode)) {
+		ret = -EINVAL;
+		goto bad_inode;
+	}
 make_now:
 	if (ino == F2FS_NODE_INO(sbi)) {
 		inode->i_mapping->a_ops = &f2fs_node_aops;
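Review bot: the check sits after do_read_inode() and before the make_now label, so any inode that reaches make_now without going through do_read_inode() bypasses it; confirm those paths do not need the check (they should not, if they are not read from disk) and say so in a short comment. The `ret = -EINVAL; goto bad_inode;` pair also duplicates what do_read_inode() already does for a check_nid_range() failure; folding sanity_check_inode() into do_read_inode() would remove that duplication.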
-- 
2.17.0.484.g0c8726318c-goog

* [PATCH 3/5] f2fs: sanity check on sit entry
  2018-04-25  5:46 [PATCH 1/5] f2fs: give message and set need_fsck given broken node id Jaegeuk Kim
@ 2018-04-25  5:46   ` Jaegeuk Kim
  2018-04-25  5:46   ` Jaegeuk Kim
                     ` (3 subsequent siblings)
  4 siblings, 0 replies; 20+ messages in thread
From: Jaegeuk Kim @ 2018-04-25  5:46 UTC (permalink / raw)
  To: linux-kernel, linux-f2fs-devel; +Cc: Jaegeuk Kim

syzbot hit the following crash on upstream commit
87ef12027b9b1dd0e0b12cf311fbcb19f9d92539 (Wed Apr 18 19:48:17 2018 +0000)
Merge tag 'ceph-for-4.17-rc2' of git://github.com/ceph/ceph-client
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=83699adeb2d13579c31e

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5805208181407744
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6005073343676416
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6555047731134464
Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
BUG: unable to handle kernel paging request at ffffed006b2a50c0
PGD 21ffee067 P4D 21ffee067 PUD 21fbeb067 PMD 0
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4514 Comm: syzkaller989480 Not tainted 4.17.0-rc1+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:build_sit_entries fs/f2fs/segment.c:3653 [inline]
RIP: 0010:build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852
RSP: 0018:ffff8801b102e5b0 EFLAGS: 00010a06
RAX: 1ffff1006b2a50c0 RBX: 0000000000000004 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801ac74243e
RBP: ffff8801b102f410 R08: ffff8801acbd46c0 R09: fffffbfff14d9af8
R10: fffffbfff14d9af8 R11: ffff8801acbd46c0 R12: ffff8801ac742a80
R13: ffff8801d9519100 R14: dffffc0000000000 R15: ffff880359528600
FS:  0000000001e04880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed006b2a50c0 CR3: 00000001ac6ac000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 f2fs_fill_super+0x4095/0x7bf0 fs/f2fs/super.c:2803
 mount_bdev+0x30c/0x3e0 fs/super.c:1165
 f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
 mount_fs+0xae/0x328 fs/super.c:1268
 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2517 [inline]
 do_mount+0x564/0x3070 fs/namespace.c:2847
 ksys_mount+0x12d/0x140 fs/namespace.c:3063
 __do_sys_mount fs/namespace.c:3077 [inline]
 __se_sys_mount fs/namespace.c:3074 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443d6a
RSP: 002b:00007ffd312813c8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000c00 RCX: 0000000000443d6a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd312813d0
RBP: 0000000000000003 R08: 0000000020016a00 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000004
R13: 0000000000402c60 R14: 0000000000000000 R15: 0000000000000000
RIP: build_sit_entries fs/f2fs/segment.c:3653 [inline] RSP: ffff8801b102e5b0
RIP: build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852 RSP: ffff8801b102e5b0
CR2: ffffed006b2a50c0
---[ end trace a2034989e196ff17 ]---

Reported-and-tested-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/segment.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index e4e8bdd645ee..20250b88bf51 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -3662,6 +3662,15 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
 		unsigned int old_valid_blocks;
 
 		start = le32_to_cpu(segno_in_journal(journal, i));
+		if (start >= MAIN_SEGS(sbi)) {
+			f2fs_msg(sbi->sb, KERN_ERR,
+					"Wrong journal entry on segno %u",
+					start);
+			set_sbi_flag(sbi, SBI_NEED_FSCK);
+			err = -EINVAL;
+			break;
+		}
+
 		se = &sit_i->sentries[start];
 		sit = sit_in_journal(journal, i);
 
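Review bot: `break` leaves err set and relies on the loop epilogue to release curseg->journal_rwsem and return err, which matches the existing `if (err) break;` after check_block_count(), so the control flow is right. The bound must match however sit_i->sentries[] is allocated (MAIN_SEGS(sbi) in build_sit_info(), as far as I recall); worth a double-check since the oops is an out-of-bounds index into sentries[] from a corrupted journal segno, and the commit message could state that plainly. Nit: the other new messages in this series use KERN_WARNING with "run fsck to fix", this one uses KERN_ERR without it.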
-- 
2.17.0.484.g0c8726318c-goog

* [PATCH 4/5] f2fs: sanity check for total valid blocks
  2018-04-25  5:46 [PATCH 1/5] f2fs: give message and set need_fsck given broken node id Jaegeuk Kim
  2018-04-25  5:46 ` [PATCH 2/5] f2fs: avoid bug_on on corrupted inode Jaegeuk Kim
  2018-04-25  5:46   ` Jaegeuk Kim
@ 2018-04-25  5:46 ` Jaegeuk Kim
  2018-04-25 13:03   ` [f2fs-dev] " Chao Yu
  2018-04-25  5:46   ` Jaegeuk Kim
  2018-04-25 12:57 ` [f2fs-dev] [PATCH 1/5] f2fs: give message and set need_fsck given broken node id Chao Yu
  4 siblings, 1 reply; 20+ messages in thread
From: Jaegeuk Kim @ 2018-04-25  5:46 UTC (permalink / raw)
  To: linux-kernel, linux-f2fs-devel; +Cc: Jaegeuk Kim

This patch enhances sanity check for SIT entries.

syzbot hit the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=bf9253040425feb155ad

syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5692130282438656
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5095924598571008
Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = d
F2FS-fs (loop0): Bitmap was wrongly cleared, blk:9740
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:1884!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4508 Comm: syz-executor0 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882
RSP: 0018:ffff8801af526708 EFLAGS: 00010282
RAX: ffffed0035ea4cc0 RBX: ffff8801ad454f90 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82eeb87e RDI: ffffed0035ea4cb6
RBP: ffff8801af526760 R08: ffff8801ad4a2480 R09: ffffed003b5e4f90
R10: ffffed003b5e4f90 R11: ffff8801daf27c87 R12: ffff8801adb8d380
R13: 0000000000000001 R14: 0000000000000008 R15: 00000000ffffffff
FS:  00000000014af940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f06bc223000 CR3: 00000001adb02000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 allocate_data_block+0x66f/0x2050 fs/f2fs/segment.c:2663
 do_write_page+0x105/0x1b0 fs/f2fs/segment.c:2727
 write_node_page+0x129/0x350 fs/f2fs/segment.c:2770
 __write_node_page+0x7da/0x1370 fs/f2fs/node.c:1398
 sync_node_pages+0x18cf/0x1eb0 fs/f2fs/node.c:1652
 block_operations+0x429/0xa60 fs/f2fs/checkpoint.c:1088
 write_checkpoint+0x3ba/0x5380 fs/f2fs/checkpoint.c:1405
 f2fs_sync_fs+0x2fb/0x6a0 fs/f2fs/super.c:1077
 __sync_filesystem fs/sync.c:39 [inline]
 sync_filesystem+0x265/0x310 fs/sync.c:67
 generic_shutdown_super+0xd7/0x520 fs/super.c:429
 kill_block_super+0xa4/0x100 fs/super.c:1191
 kill_f2fs_super+0x9f/0xd0 fs/f2fs/super.c:3030
 deactivate_locked_super+0x97/0x100 fs/super.c:316
 deactivate_super+0x188/0x1b0 fs/super.c:347
 cleanup_mnt+0xbf/0x160 fs/namespace.c:1174
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1181
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457d97
RSP: 002b:00007ffd46f9c8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000457d97
RDX: 00000000014b09a3 RSI: 0000000000000002 RDI: 00007ffd46f9da50
RBP: 00007ffd46f9da50 R08: 0000000000000000 R09: 0000000000000009
R10: 0000000000000005 R11: 0000000000000246 R12: 00000000014b0940
R13: 0000000000000000 R14: 0000000000000002 R15: 000000000000658e
RIP: update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882 RSP: ffff8801af526708
---[ end trace f498328bb02610a2 ]---

Reported-and-tested-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+7d6d31d3bc702f566ce3@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+0a725420475916460f12@syzkaller.appspotmail.com
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/segment.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 20250b88bf51..a55647f61232 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -3612,6 +3612,7 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
 	unsigned int i, start, end;
 	unsigned int readed, start_blk = 0;
 	int err = 0;
+	block_t total_valid_blocks = 0;
 
 	do {
 		readed = ra_meta_pages(sbi, start_blk, BIO_MAX_PAGES,
@@ -3634,6 +3635,7 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
 			if (err)
 				return err;
 			seg_info_from_raw_sit(se, &sit);
+			total_valid_blocks += se->valid_blocks;
 
 			/* build discard map only one time */
 			if (f2fs_discard_en(sbi)) {
@@ -3675,11 +3677,13 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
 		sit = sit_in_journal(journal, i);
 
 		old_valid_blocks = se->valid_blocks;
+		total_valid_blocks -= old_valid_blocks;
 
 		err = check_block_count(sbi, start, &sit);
 		if (err)
 			break;
 		seg_info_from_raw_sit(se, &sit);
+		total_valid_blocks += se->valid_blocks;
 
 		if (f2fs_discard_en(sbi)) {
 			if (is_set_ckpt_flags(sbi, CP_TRIMMED_FLAG)) {
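Review bot: if check_block_count() fails, the loop breaks after `total_valid_blocks -= old_valid_blocks;` but before the matching `total_valid_blocks += se->valid_blocks;`, leaving the running total short by one segment. That is harmless only because the final comparison is gated on `!err`; either move the subtraction below the check_block_count() call or add a comment stating the dependency.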
@@ -3698,6 +3702,15 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
 				se->valid_blocks - old_valid_blocks;
 	}
 	up_read(&curseg->journal_rwsem);
+
+	if (!err && total_valid_blocks != valid_user_blocks(sbi)) {
+		f2fs_msg(sbi->sb, KERN_ERR,
+			"SIT is corrupted %u vs %u",
+			total_valid_blocks, valid_user_blocks(sbi));
+		set_sbi_flag(sbi, SBI_NEED_FSCK);
+		err = -EINVAL;
+	}
+
 	return err;
 }
 
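Review bot: `"SIT is corrupted %u vs %u"` does not tell the reader which number is the SIT sum and which is the checkpoint's valid_user_blocks(); something like "SIT valid blocks %u != checkpoint %u" makes fsck triage easier. `%u` is correct for block_t. The check runs after up_read() and only on the no-error path, which is the right place for it.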
-- 
2.17.0.484.g0c8726318c-goog

* [PATCH 5/5] f2fs: enforce fsync_mode=strict for renamed directory
  2018-04-25  5:46 [PATCH 1/5] f2fs: give message and set need_fsck given broken node id Jaegeuk Kim
@ 2018-04-25  5:46   ` Jaegeuk Kim
  2018-04-25  5:46   ` Jaegeuk Kim
                     ` (3 subsequent siblings)
  4 siblings, 0 replies; 20+ messages in thread
From: Jaegeuk Kim @ 2018-04-25  5:46 UTC (permalink / raw)
  To: linux-kernel, linux-f2fs-devel; +Cc: Jaegeuk Kim

This is to give an option for the user to be able to recover B/foo in the case
below.

mkdir A
sync()
rename(A, B)
creat (B/foo)
fsync (B/foo)
---crash---

Suggested-by: Velayudhan Pillai <vijay@cs.utexas.edu>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/namei.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index b5f404674cad..fef6e3ab2135 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -973,8 +973,11 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
 			f2fs_put_page(old_dir_page, 0);
 		f2fs_i_links_write(old_dir, false);
 	}
-	if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT)
+	if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT) {
 		add_ino_entry(sbi, new_dir->i_ino, TRANS_DIR_INO);
+		if (S_ISDIR(old_inode->i_mode))
+			add_ino_entry(sbi, old_inode->i_ino, TRANS_DIR_INO);
+	}
 
 	f2fs_unlock_op(sbi);
 
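Review bot: the `S_ISDIR(old_inode->i_mode)` guard covers exactly the commit-message case (a directory renamed, then a child created and fsynced before a checkpoint), since a later fsync of B/foo looks up its parent in the TRANS_DIR_INO list. The same reasoning applies to a directory swapped with RENAME_EXCHANGE; does f2fs_cross_rename() need the matching change? A brief comment above the new `if` explaining why the renamed directory itself, and not only new_dir, is tracked would help here.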
-- 
2.17.0.484.g0c8726318c-goog

* Re: [f2fs-dev] [PATCH 1/5] f2fs: give message and set need_fsck given broken node id
  2018-04-25  5:46 [PATCH 1/5] f2fs: give message and set need_fsck given broken node id Jaegeuk Kim
                   ` (3 preceding siblings ...)
  2018-04-25  5:46   ` Jaegeuk Kim
@ 2018-04-25 12:57 ` Chao Yu
  2018-04-26 15:25   ` Jaegeuk Kim
  4 siblings, 1 reply; 20+ messages in thread
From: Chao Yu @ 2018-04-25 12:57 UTC (permalink / raw)
  To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel

On 2018/4/25 13:46, Jaegeuk Kim wrote:
> syzbot hit the following crash on upstream commit
> 83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
> Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
> syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=d154ec99402c6f628887
> 
> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5414336294027264
> syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5471683234234368
> Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5436660795834368
> Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d154ec99402c6f628887@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for details.
> If you forward the report, please keep this part and the footer.
> 
> F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
> F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
> F2FS-fs (loop0): invalid crc value
> ------------[ cut here ]------------
> kernel BUG at fs/f2fs/node.c:1185!
> invalid opcode: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 4549 Comm: syzkaller704305 Not tainted 4.17.0-rc1+ #10
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:__get_node_page+0xb68/0x16e0 fs/f2fs/node.c:1185
> RSP: 0018:ffff8801d960e820 EFLAGS: 00010293
> RAX: ffff8801d88205c0 RBX: 0000000000000003 RCX: ffffffff82f6cc06
> RDX: 0000000000000000 RSI: ffffffff82f6d5e8 RDI: 0000000000000004
> RBP: ffff8801d960ec30 R08: ffff8801d88205c0 R09: ffffed003b5e46c2
> R10: 0000000000000003 R11: 0000000000000003 R12: ffff8801a86e00c0
> R13: 0000000000000001 R14: ffff8801a86e0530 R15: ffff8801d9745240
> FS:  000000000072c880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f3d403209b8 CR3: 00000001d8f3f000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  get_node_page fs/f2fs/node.c:1237 [inline]
>  truncate_xattr_node+0x152/0x2e0 fs/f2fs/node.c:1014
>  remove_inode_page+0x200/0xaf0 fs/f2fs/node.c:1039
>  f2fs_evict_inode+0xe86/0x1710 fs/f2fs/inode.c:547
>  evict+0x4a6/0x960 fs/inode.c:557
>  iput_final fs/inode.c:1519 [inline]
>  iput+0x62d/0xa80 fs/inode.c:1545
>  f2fs_fill_super+0x5f4e/0x7bf0 fs/f2fs/super.c:2849
>  mount_bdev+0x30c/0x3e0 fs/super.c:1164
>  f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
>  mount_fs+0xae/0x328 fs/super.c:1267
>  vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
>  vfs_kern_mount fs/namespace.c:1027 [inline]
>  do_new_mount fs/namespace.c:2518 [inline]
>  do_mount+0x564/0x3070 fs/namespace.c:2848
>  ksys_mount+0x12d/0x140 fs/namespace.c:3064
>  __do_sys_mount fs/namespace.c:3078 [inline]
>  __se_sys_mount fs/namespace.c:3075 [inline]
>  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x443dea
> RSP: 002b:00007ffcc7882368 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000020000c00 RCX: 0000000000443dea
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcc7882370
> RBP: 0000000000000003 R08: 0000000020016a00 R09: 000000000000000a
> R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000004
> R13: 0000000000402ce0 R14: 0000000000000000 R15: 0000000000000000
> RIP: __get_node_page+0xb68/0x16e0 fs/f2fs/node.c:1185 RSP: ffff8801d960e820
> ---[ end trace 4edbeb71f002bb76 ]---
> 
> Reported-and-tested-by: syzbot+d154ec99402c6f628887@syzkaller.appspotmail.com
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> ---
>  fs/f2fs/f2fs.h  | 13 +------------
>  fs/f2fs/inode.c | 13 ++++++-------
>  fs/f2fs/node.c  | 23 +++++++++++++++++++++--
>  3 files changed, 28 insertions(+), 21 deletions(-)
> 
> diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
> index 8f3ad9662d13..d26aae5bf00d 100644
> --- a/fs/f2fs/f2fs.h
> +++ b/fs/f2fs/f2fs.h
> @@ -1583,18 +1583,6 @@ static inline bool __exist_node_summaries(struct f2fs_sb_info *sbi)
>  			is_set_ckpt_flags(sbi, CP_FASTBOOT_FLAG));
>  }
>  
> -/*
> - * Check whether the given nid is within node id range.
> - */
> -static inline int check_nid_range(struct f2fs_sb_info *sbi, nid_t nid)
> -{
> -	if (unlikely(nid < F2FS_ROOT_INO(sbi)))
> -		return -EINVAL;
> -	if (unlikely(nid >= NM_I(sbi)->max_nid))
> -		return -EINVAL;
> -	return 0;
> -}
> -
>  /*
>   * Check whether the inode has blocks or not
>   */
> @@ -2768,6 +2756,7 @@ f2fs_hash_t f2fs_dentry_hash(const struct qstr *name_info,
>  struct dnode_of_data;
>  struct node_info;
>  
> +int check_nid_range(struct f2fs_sb_info *sbi, nid_t nid);
>  bool available_free_memory(struct f2fs_sb_info *sbi, int type);
>  int need_dentry_mark(struct f2fs_sb_info *sbi, nid_t nid);
>  bool is_checkpointed_node(struct f2fs_sb_info *sbi, nid_t nid);
> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> index 176f8e84bb6e..414b1ede642b 100644
> --- a/fs/f2fs/inode.c
> +++ b/fs/f2fs/inode.c
> @@ -194,12 +194,8 @@ static int do_read_inode(struct inode *inode)
>  	projid_t i_projid;
>  
>  	/* Check if ino is within scope */
> -	if (check_nid_range(sbi, inode->i_ino)) {
> -		f2fs_msg(inode->i_sb, KERN_ERR, "bad inode number: %lu",
> -			 (unsigned long) inode->i_ino);
> -		WARN_ON(1);
> +	if (check_nid_range(sbi, inode->i_ino))
>  		return -EINVAL;
> -	}
>  
>  	node_page = get_node_page(sbi, inode->i_ino);
>  	if (IS_ERR(node_page))
> @@ -588,8 +584,11 @@ void f2fs_evict_inode(struct inode *inode)
>  		alloc_nid_failed(sbi, inode->i_ino);
>  		clear_inode_flag(inode, FI_FREE_NID);
>  	} else {
> -		f2fs_bug_on(sbi, err &&
> -			!exist_written_data(sbi, inode->i_ino, ORPHAN_INO));
> +		/*
> +		 * If xattr nid is corrupted, we can reach out error condition,
> +		 * err & !exist_written_data(sbi, inode->i_ino, ORPHAN_INO)).
> +		 * In that case, check_nid_range() is enough to give a clue.
> +		 */
>  	}
>  out_clear:
>  	fscrypt_put_encryption_info(inode);
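Review bot: the replacement comment in the else branch has two typos that should be fixed before merge: `err & !exist_written_data(...)` should read `err && !exist_written_data(...)` like the removed f2fs_bug_on() condition, and the trailing `))` is unbalanced. More importantly, the branch now swallows every err for a non-orphan inode, not only the corrupted-xattr-nid case the comment describes; check_nid_range() only gives a clue when it was the call that failed. Suggest keeping a diagnostic for the remaining cases, e.g. `if (err && !exist_written_data(sbi, inode->i_ino, ORPHAN_INO)) set_sbi_flag(sbi, SBI_NEED_FSCK);` together with an f2fs_msg(), so other corruption is still flagged for fsck instead of being dropped silently.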
> diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
> index 3a3d38b3e9ec..2dd34cd980b1 100644
> --- a/fs/f2fs/node.c
> +++ b/fs/f2fs/node.c
> @@ -29,6 +29,21 @@ static struct kmem_cache *nat_entry_slab;
>  static struct kmem_cache *free_nid_slab;
>  static struct kmem_cache *nat_entry_set_slab;
>  
> +/*
> + * Check whether the given nid is within node id range.
> + */
> +int check_nid_range(struct f2fs_sb_info *sbi, nid_t nid)
> +{
> +	if (unlikely(nid < F2FS_ROOT_INO(sbi) || nid >= NM_I(sbi)->max_nid)) {
> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> +		f2fs_msg(sbi->sb, KERN_WARNING,
> +				"%s: out-of-range nid=%x, run fsck to fix.",
> +				__func__, nid);
> +		return -EINVAL;
> +	}
> +	return 0;
> +}
> +
>  bool available_free_memory(struct f2fs_sb_info *sbi, int type)
>  {
>  	struct f2fs_nm_info *nm_i = NM_I(sbi);
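Review bot: this turns a static inline into an out-of-line call that the later hunks place on the node-page lookup fast path (__get_node_page() and ra_node_page()), and the failure branch logs unconditionally on every call; a corrupted image whose node blocks hold many garbage nids will hit it repeatedly from readahead and flood the kernel log. Consider keeping the two comparisons inline in f2fs.h and moving only the slow path (set_sbi_flag() plus the f2fs_msg()) out of line, and rate-limiting that message. Minor: `%x` prints the nid in hex whereas the message dropped from do_read_inode() used decimal; pick one format for consistency across the nid messages.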
> @@ -1010,6 +1025,8 @@ int truncate_xattr_node(struct inode *inode)
>  
>  	if (!nid)
>  		return 0;
> +	if (check_nid_range(sbi, nid))
> +		return -EINVAL;

get_node_page() below will call check_nid_range(), so the above check is redundant.

Thanks,

>  
>  	npage = get_node_page(sbi, nid);
>  	if (IS_ERR(npage))
> @@ -1158,7 +1175,8 @@ void ra_node_page(struct f2fs_sb_info *sbi, nid_t nid)
>  
>  	if (!nid)
>  		return;
> -	f2fs_bug_on(sbi, check_nid_range(sbi, nid));
> +	if (check_nid_range(sbi, nid))
> +		return;
>  
>  	rcu_read_lock();
>  	apage = radix_tree_lookup(&NODE_MAPPING(sbi)->i_pages, nid);
> @@ -1182,7 +1200,8 @@ static struct page *__get_node_page(struct f2fs_sb_info *sbi, pgoff_t nid,
>  
>  	if (!nid)
>  		return ERR_PTR(-ENOENT);
> -	f2fs_bug_on(sbi, check_nid_range(sbi, nid));
> +	if (check_nid_range(sbi, nid))
> +		return ERR_PTR(-EINVAL);
>  repeat:
>  	page = f2fs_grab_cache_page(NODE_MAPPING(sbi), nid, false);
>  	if (!page)
> 


* Re: [f2fs-dev] [PATCH 2/5] f2fs: avoid bug_on on corrupted inode
  2018-04-25  5:46 ` [PATCH 2/5] f2fs: avoid bug_on on corrupted inode Jaegeuk Kim
@ 2018-04-25 13:01   ` Chao Yu
  0 siblings, 0 replies; 20+ messages in thread
From: Chao Yu @ 2018-04-25 13:01 UTC (permalink / raw)
  To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel

On 2018/4/25 13:46, Jaegeuk Kim wrote:
> syzbot has tested the proposed patch but the reproducer still triggered crash:
> kernel BUG at fs/f2fs/inode.c:LINE!
> 
> F2FS-fs (loop1): invalid crc value
> F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0)
> F2FS-fs (loop5): Can't find valid F2FS filesystem in 1th superblock
> F2FS-fs (loop5): invalid crc value
> ------------[ cut here ]------------
> kernel BUG at fs/f2fs/inode.c:238!
> invalid opcode: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 4886 Comm: syz-executor1 Not tainted 4.17.0-rc1+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:do_read_inode fs/f2fs/inode.c:238 [inline]
> RIP: 0010:f2fs_iget+0x3307/0x3ca0 fs/f2fs/inode.c:313
> RSP: 0018:ffff8801c44a70e8 EFLAGS: 00010293
> RAX: ffff8801ce208040 RBX: ffff8801b3621080 RCX: ffffffff82eace18
> F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0)
> RDX: 0000000000000000 RSI: ffffffff82eaf047 RDI: 0000000000000007
> RBP: ffff8801c44a7410 R08: ffff8801ce208040 R09: ffffed0039ee4176
> R10: ffffed0039ee4176 R11: ffff8801cf720bb7 R12: ffff8801c0efa000
> R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
> FS:  00007f753aa9d700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> ------------[ cut here ]------------
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> kernel BUG at fs/f2fs/inode.c:238!
> CR2: 0000000001b03018 CR3: 00000001c8b74000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  f2fs_fill_super+0x4377/0x7bf0 fs/f2fs/super.c:2842
>  mount_bdev+0x30c/0x3e0 fs/super.c:1165
>  f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
>  mount_fs+0xae/0x328 fs/super.c:1268
>  vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
>  vfs_kern_mount fs/namespace.c:1027 [inline]
>  do_new_mount fs/namespace.c:2517 [inline]
>  do_mount+0x564/0x3070 fs/namespace.c:2847
>  ksys_mount+0x12d/0x140 fs/namespace.c:3063
>  __do_sys_mount fs/namespace.c:3077 [inline]
>  __se_sys_mount fs/namespace.c:3074 [inline]
>  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x457daa
> RSP: 002b:00007f753aa9cba8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000457daa
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f753aa9cbf0
> RBP: 0000000000000064 R08: 0000000020016a00 R09: 0000000020000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
> R13: 0000000000000064 R14: 00000000006fcb80 R15: 0000000000000000
> RIP: do_read_inode fs/f2fs/inode.c:238 [inline] RSP: ffff8801c44a70e8
> RIP: f2fs_iget+0x3307/0x3ca0 fs/f2fs/inode.c:313 RSP: ffff8801c44a70e8
> invalid opcode: 0000 [#2] SMP KASAN
> ---[ end trace 1cbcbec2156680bc ]---
> 
> Reported-and-tested-by: syzbot+41a1b341571f0952badb@syzkaller.appspotmail.com
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

Reviewed-by: Chao Yu <yuchao0@huawei.com>

Thanks,


* Re: [f2fs-dev] [PATCH 3/5] f2fs: sanity check on sit entry
  2018-04-25  5:46   ` Jaegeuk Kim
@ 2018-04-25 13:02   ` Chao Yu
  -1 siblings, 0 replies; 20+ messages in thread
From: Chao Yu @ 2018-04-25 13:02 UTC (permalink / raw)
  To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel

On 2018/4/25 13:46, Jaegeuk Kim wrote:
> syzbot hit the following crash on upstream commit
> 87ef12027b9b1dd0e0b12cf311fbcb19f9d92539 (Wed Apr 18 19:48:17 2018 +0000)
> Merge tag 'ceph-for-4.17-rc2' of git://github.com/ceph/ceph-client
> syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=83699adeb2d13579c31e
> 
> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5805208181407744
> syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6005073343676416
> Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6555047731134464
> Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for details.
> If you forward the report, please keep this part and the footer.
> 
> F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
> F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
> F2FS-fs (loop0): invalid crc value
> BUG: unable to handle kernel paging request at ffffed006b2a50c0
> PGD 21ffee067 P4D 21ffee067 PUD 21fbeb067 PMD 0
> Oops: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 4514 Comm: syzkaller989480 Not tainted 4.17.0-rc1+ #8
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:build_sit_entries fs/f2fs/segment.c:3653 [inline]
> RIP: 0010:build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852
> RSP: 0018:ffff8801b102e5b0 EFLAGS: 00010a06
> RAX: 1ffff1006b2a50c0 RBX: 0000000000000004 RCX: 0000000000000001
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801ac74243e
> RBP: ffff8801b102f410 R08: ffff8801acbd46c0 R09: fffffbfff14d9af8
> R10: fffffbfff14d9af8 R11: ffff8801acbd46c0 R12: ffff8801ac742a80
> R13: ffff8801d9519100 R14: dffffc0000000000 R15: ffff880359528600
> FS:  0000000001e04880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffed006b2a50c0 CR3: 00000001ac6ac000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  f2fs_fill_super+0x4095/0x7bf0 fs/f2fs/super.c:2803
>  mount_bdev+0x30c/0x3e0 fs/super.c:1165
>  f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
>  mount_fs+0xae/0x328 fs/super.c:1268
>  vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
>  vfs_kern_mount fs/namespace.c:1027 [inline]
>  do_new_mount fs/namespace.c:2517 [inline]
>  do_mount+0x564/0x3070 fs/namespace.c:2847
>  ksys_mount+0x12d/0x140 fs/namespace.c:3063
>  __do_sys_mount fs/namespace.c:3077 [inline]
>  __se_sys_mount fs/namespace.c:3074 [inline]
>  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x443d6a
> RSP: 002b:00007ffd312813c8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000020000c00 RCX: 0000000000443d6a
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd312813d0
> RBP: 0000000000000003 R08: 0000000020016a00 R09: 000000000000000a
> R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000004
> R13: 0000000000402c60 R14: 0000000000000000 R15: 0000000000000000
> RIP: build_sit_entries fs/f2fs/segment.c:3653 [inline] RSP: ffff8801b102e5b0
> RIP: build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852 RSP: ffff8801b102e5b0
> CR2: ffffed006b2a50c0
> ---[ end trace a2034989e196ff17 ]---
> 
> Reported-and-tested-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

Reviewed-by: Chao Yu <yuchao0@huawei.com>

Thanks,


* Re: [f2fs-dev] [PATCH 4/5] f2fs: sanity check for total valid blocks
  2018-04-25  5:46 ` [PATCH 4/5] f2fs: sanity check for total valid blocks Jaegeuk Kim
@ 2018-04-25 13:03   ` Chao Yu
  2018-04-26 15:27     ` Jaegeuk Kim
  2018-04-26 15:29     ` [f2fs-dev] [PATCH 4/5 v2] " Jaegeuk Kim
  0 siblings, 2 replies; 20+ messages in thread
From: Chao Yu @ 2018-04-25 13:03 UTC (permalink / raw)
  To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel

Hi Jaegeuk,

This patch makes generic/008 fail, because for the fallocate case, the total valid
block count cannot be calculated by gathering valid_blocks of all SIT entries.

Thanks,

On 2018/4/25 13:46, Jaegeuk Kim wrote:
> This patch enhances sanity check for SIT entries.
> 
> syzbot hit the following crash on upstream commit
> 83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
> Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
> syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=bf9253040425feb155ad
> 
> syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5692130282438656
> Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5095924598571008
> Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for details.
> If you forward the report, please keep this part and the footer.
> 
> F2FS-fs (loop0): invalid crc value
> F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
> F2FS-fs (loop0): Mounted with checkpoint version = d
> F2FS-fs (loop0): Bitmap was wrongly cleared, blk:9740
> ------------[ cut here ]------------
> kernel BUG at fs/f2fs/segment.c:1884!
> invalid opcode: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 4508 Comm: syz-executor0 Not tainted 4.17.0-rc1+ #10
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882
> RSP: 0018:ffff8801af526708 EFLAGS: 00010282
> RAX: ffffed0035ea4cc0 RBX: ffff8801ad454f90 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff82eeb87e RDI: ffffed0035ea4cb6
> RBP: ffff8801af526760 R08: ffff8801ad4a2480 R09: ffffed003b5e4f90
> R10: ffffed003b5e4f90 R11: ffff8801daf27c87 R12: ffff8801adb8d380
> R13: 0000000000000001 R14: 0000000000000008 R15: 00000000ffffffff
> FS:  00000000014af940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f06bc223000 CR3: 00000001adb02000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  allocate_data_block+0x66f/0x2050 fs/f2fs/segment.c:2663
>  do_write_page+0x105/0x1b0 fs/f2fs/segment.c:2727
>  write_node_page+0x129/0x350 fs/f2fs/segment.c:2770
>  __write_node_page+0x7da/0x1370 fs/f2fs/node.c:1398
>  sync_node_pages+0x18cf/0x1eb0 fs/f2fs/node.c:1652
>  block_operations+0x429/0xa60 fs/f2fs/checkpoint.c:1088
>  write_checkpoint+0x3ba/0x5380 fs/f2fs/checkpoint.c:1405
>  f2fs_sync_fs+0x2fb/0x6a0 fs/f2fs/super.c:1077
>  __sync_filesystem fs/sync.c:39 [inline]
>  sync_filesystem+0x265/0x310 fs/sync.c:67
>  generic_shutdown_super+0xd7/0x520 fs/super.c:429
>  kill_block_super+0xa4/0x100 fs/super.c:1191
>  kill_f2fs_super+0x9f/0xd0 fs/f2fs/super.c:3030
>  deactivate_locked_super+0x97/0x100 fs/super.c:316
>  deactivate_super+0x188/0x1b0 fs/super.c:347
>  cleanup_mnt+0xbf/0x160 fs/namespace.c:1174
>  __cleanup_mnt+0x16/0x20 fs/namespace.c:1181
>  task_work_run+0x1e4/0x290 kernel/task_work.c:113
>  tracehook_notify_resume include/linux/tracehook.h:191 [inline]
>  exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
>  prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
>  syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
>  do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x457d97
> RSP: 002b:00007ffd46f9c8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000457d97
> RDX: 00000000014b09a3 RSI: 0000000000000002 RDI: 00007ffd46f9da50
> RBP: 00007ffd46f9da50 R08: 0000000000000000 R09: 0000000000000009
> R10: 0000000000000005 R11: 0000000000000246 R12: 00000000014b0940
> R13: 0000000000000000 R14: 0000000000000002 R15: 000000000000658e
> RIP: update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882 RSP: ffff8801af526708
> ---[ end trace f498328bb02610a2 ]---
> 
> Reported-and-tested-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
> Reported-and-tested-by: syzbot+7d6d31d3bc702f566ce3@syzkaller.appspotmail.com
> Reported-and-tested-by: syzbot+0a725420475916460f12@syzkaller.appspotmail.com
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> ---
>  fs/f2fs/segment.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
> index 20250b88bf51..a55647f61232 100644
> --- a/fs/f2fs/segment.c
> +++ b/fs/f2fs/segment.c
> @@ -3612,6 +3612,7 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
>  	unsigned int i, start, end;
>  	unsigned int readed, start_blk = 0;
>  	int err = 0;
> +	block_t total_valid_blocks = 0;
>  
>  	do {
>  		readed = ra_meta_pages(sbi, start_blk, BIO_MAX_PAGES,
> @@ -3634,6 +3635,7 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
>  			if (err)
>  				return err;
>  			seg_info_from_raw_sit(se, &sit);
> +			total_valid_blocks += se->valid_blocks;
>  
>  			/* build discard map only one time */
>  			if (f2fs_discard_en(sbi)) {
> @@ -3675,11 +3677,13 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
>  		sit = sit_in_journal(journal, i);
>  
>  		old_valid_blocks = se->valid_blocks;
> +		total_valid_blocks -= old_valid_blocks;
>  
>  		err = check_block_count(sbi, start, &sit);
>  		if (err)
>  			break;
>  		seg_info_from_raw_sit(se, &sit);
> +		total_valid_blocks += se->valid_blocks;
>  
>  		if (f2fs_discard_en(sbi)) {
>  			if (is_set_ckpt_flags(sbi, CP_TRIMMED_FLAG)) {
> @@ -3698,6 +3702,15 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
>  				se->valid_blocks - old_valid_blocks;
>  	}
>  	up_read(&curseg->journal_rwsem);
> +
> +	if (!err && total_valid_blocks != valid_user_blocks(sbi)) {
> +		f2fs_msg(sbi->sb, KERN_ERR,
> +			"SIT is corrupted %u vs %u",
> +			total_valid_blocks, valid_user_blocks(sbi));
> +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> +		err = -EINVAL;
> +	}
> +
>  	return err;
>  }
>  
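Review bot: the strict equality `total_valid_blocks != valid_user_blocks(sbi)` is what makes generic/008 fail, as Chao reports above: blocks preallocated by fallocate() are charged to the valid user block count before they are written into any segment, so they have no counterpart in any SIT entry's valid_blocks and the two sums legitimately differ on a healthy image. Either make the check one-sided so only the case that proves corruption trips it (SIT entries claiming more valid blocks than the checkpoint accounts for), or sum only the node segments, which preallocation never touches, and compare that against the node count the checkpoint keeps. Either way the message should say which count was compared, so whoever reads the log knows whether user or node block accounting is inconsistent.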
> 


* Re: [f2fs-dev] [PATCH 5/5] f2fs: enforce fsync_mode=strict for renamed directory
  2018-04-25  5:46   ` Jaegeuk Kim
@ 2018-04-25 13:04   ` Chao Yu
  2018-04-26 15:32     ` Jaegeuk Kim
  -1 siblings, 1 reply; 20+ messages in thread
From: Chao Yu @ 2018-04-25 13:04 UTC (permalink / raw)
  To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel

On 2018/4/25 13:46, Jaegeuk Kim wrote:
> This is to give an option for the user to be able to recover B/foo in the
> case below.
> 
> mkdir A
> sync()
> rename(A, B)
> creat (B/foo)
> fsync (B/foo)
> ---crash---

That makes sense. IMO, it will be better to cover the cross rename case as well?

Thanks,

> 
> Suggested-by: Velayudhan Pillai <vijay@cs.utexas.edu>
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> ---
>  fs/f2fs/namei.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
> index b5f404674cad..fef6e3ab2135 100644
> --- a/fs/f2fs/namei.c
> +++ b/fs/f2fs/namei.c
> @@ -973,8 +973,11 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
>  			f2fs_put_page(old_dir_page, 0);
>  		f2fs_i_links_write(old_dir, false);
>  	}
> -	if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT)
> +	if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT) {
>  		add_ino_entry(sbi, new_dir->i_ino, TRANS_DIR_INO);
> +		if (S_ISDIR(old_inode->i_mode))
> +			add_ino_entry(sbi, old_inode->i_ino, TRANS_DIR_INO);
> +	}
>  
>  	f2fs_unlock_op(sbi);
>  
> 


* Re: [f2fs-dev] [PATCH 1/5] f2fs: give message and set need_fsck given broken node id
  2018-04-25 12:57 ` [f2fs-dev] [PATCH 1/5] f2fs: give message and set need_fsck given broken node id Chao Yu
@ 2018-04-26 15:25   ` Jaegeuk Kim
  0 siblings, 0 replies; 20+ messages in thread
From: Jaegeuk Kim @ 2018-04-26 15:25 UTC (permalink / raw)
  To: Chao Yu; +Cc: linux-kernel, linux-f2fs-devel

On 04/25, Chao Yu wrote:
> On 2018/4/25 13:46, Jaegeuk Kim wrote:
> > syzbot hit the following crash on upstream commit
> > 83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
> > Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
> > syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=d154ec99402c6f628887
> > 
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5414336294027264
> > syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5471683234234368
> > Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5436660795834368
> > Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
> > compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+d154ec99402c6f628887@syzkaller.appspotmail.com
> > It will help syzbot understand when the bug is fixed. See footer for details.
> > If you forward the report, please keep this part and the footer.
> > 
> > F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
> > F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
> > F2FS-fs (loop0): invalid crc value
> > ------------[ cut here ]------------
> > kernel BUG at fs/f2fs/node.c:1185!
> > invalid opcode: 0000 [#1] SMP KASAN
> > Dumping ftrace buffer:
> >    (ftrace buffer empty)
> > Modules linked in:
> > CPU: 1 PID: 4549 Comm: syzkaller704305 Not tainted 4.17.0-rc1+ #10
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:__get_node_page+0xb68/0x16e0 fs/f2fs/node.c:1185
> > RSP: 0018:ffff8801d960e820 EFLAGS: 00010293
> > RAX: ffff8801d88205c0 RBX: 0000000000000003 RCX: ffffffff82f6cc06
> > RDX: 0000000000000000 RSI: ffffffff82f6d5e8 RDI: 0000000000000004
> > RBP: ffff8801d960ec30 R08: ffff8801d88205c0 R09: ffffed003b5e46c2
> > R10: 0000000000000003 R11: 0000000000000003 R12: ffff8801a86e00c0
> > R13: 0000000000000001 R14: ffff8801a86e0530 R15: ffff8801d9745240
> > FS:  000000000072c880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f3d403209b8 CR3: 00000001d8f3f000 CR4: 00000000001406e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  get_node_page fs/f2fs/node.c:1237 [inline]
> >  truncate_xattr_node+0x152/0x2e0 fs/f2fs/node.c:1014
> >  remove_inode_page+0x200/0xaf0 fs/f2fs/node.c:1039
> >  f2fs_evict_inode+0xe86/0x1710 fs/f2fs/inode.c:547
> >  evict+0x4a6/0x960 fs/inode.c:557
> >  iput_final fs/inode.c:1519 [inline]
> >  iput+0x62d/0xa80 fs/inode.c:1545
> >  f2fs_fill_super+0x5f4e/0x7bf0 fs/f2fs/super.c:2849
> >  mount_bdev+0x30c/0x3e0 fs/super.c:1164
> >  f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
> >  mount_fs+0xae/0x328 fs/super.c:1267
> >  vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
> >  vfs_kern_mount fs/namespace.c:1027 [inline]
> >  do_new_mount fs/namespace.c:2518 [inline]
> >  do_mount+0x564/0x3070 fs/namespace.c:2848
> >  ksys_mount+0x12d/0x140 fs/namespace.c:3064
> >  __do_sys_mount fs/namespace.c:3078 [inline]
> >  __se_sys_mount fs/namespace.c:3075 [inline]
> >  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
> >  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x443dea
> > RSP: 002b:00007ffcc7882368 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
> > RAX: ffffffffffffffda RBX: 0000000020000c00 RCX: 0000000000443dea
> > RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcc7882370
> > RBP: 0000000000000003 R08: 0000000020016a00 R09: 000000000000000a
> > R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000004
> > R13: 0000000000402ce0 R14: 0000000000000000 R15: 0000000000000000
> > RIP: __get_node_page+0xb68/0x16e0 fs/f2fs/node.c:1185 RSP: ffff8801d960e820
> > ---[ end trace 4edbeb71f002bb76 ]---
> > 
> > Reported-and-tested-by: syzbot+d154ec99402c6f628887@syzkaller.appspotmail.com
> > Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> > ---
> >  fs/f2fs/f2fs.h  | 13 +------------
> >  fs/f2fs/inode.c | 13 ++++++-------
> >  fs/f2fs/node.c  | 23 +++++++++++++++++++++--
> >  3 files changed, 28 insertions(+), 21 deletions(-)
> > 
> > diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
> > index 8f3ad9662d13..d26aae5bf00d 100644
> > --- a/fs/f2fs/f2fs.h
> > +++ b/fs/f2fs/f2fs.h
> > @@ -1583,18 +1583,6 @@ static inline bool __exist_node_summaries(struct f2fs_sb_info *sbi)
> >  			is_set_ckpt_flags(sbi, CP_FASTBOOT_FLAG));
> >  }
> >  
> > -/*
> > - * Check whether the given nid is within node id range.
> > - */
> > -static inline int check_nid_range(struct f2fs_sb_info *sbi, nid_t nid)
> > -{
> > -	if (unlikely(nid < F2FS_ROOT_INO(sbi)))
> > -		return -EINVAL;
> > -	if (unlikely(nid >= NM_I(sbi)->max_nid))
> > -		return -EINVAL;
> > -	return 0;
> > -}
> > -
> >  /*
> >   * Check whether the inode has blocks or not
> >   */
> > @@ -2768,6 +2756,7 @@ f2fs_hash_t f2fs_dentry_hash(const struct qstr *name_info,
> >  struct dnode_of_data;
> >  struct node_info;
> >  
> > +int check_nid_range(struct f2fs_sb_info *sbi, nid_t nid);
> >  bool available_free_memory(struct f2fs_sb_info *sbi, int type);
> >  int need_dentry_mark(struct f2fs_sb_info *sbi, nid_t nid);
> >  bool is_checkpointed_node(struct f2fs_sb_info *sbi, nid_t nid);
> > diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> > index 176f8e84bb6e..414b1ede642b 100644
> > --- a/fs/f2fs/inode.c
> > +++ b/fs/f2fs/inode.c
> > @@ -194,12 +194,8 @@ static int do_read_inode(struct inode *inode)
> >  	projid_t i_projid;
> >  
> >  	/* Check if ino is within scope */
> > -	if (check_nid_range(sbi, inode->i_ino)) {
> > -		f2fs_msg(inode->i_sb, KERN_ERR, "bad inode number: %lu",
> > -			 (unsigned long) inode->i_ino);
> > -		WARN_ON(1);
> > +	if (check_nid_range(sbi, inode->i_ino))
> >  		return -EINVAL;
> > -	}
> >  
> >  	node_page = get_node_page(sbi, inode->i_ino);
> >  	if (IS_ERR(node_page))
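Review bot: dropping the "bad inode number" message and WARN_ON here is only fine because check_nid_range() now logs and sets SBI_NEED_FSCK itself, but the new message prints __func__ of check_nid_range(), not of this caller, so the log no longer says the bad nid came from an inode lookup; either keep a short KERN_ERR with the ino here, or have check_nid_range() take a caller name.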
> > @@ -588,8 +584,11 @@ void f2fs_evict_inode(struct inode *inode)
> >  		alloc_nid_failed(sbi, inode->i_ino);
> >  		clear_inode_flag(inode, FI_FREE_NID);
> >  	} else {
> > -		f2fs_bug_on(sbi, err &&
> > -			!exist_written_data(sbi, inode->i_ino, ORPHAN_INO));
> > +		/*
> > +		 * If xattr nid is corrupted, we can reach out error condition,
> > +		 * err & !exist_written_data(sbi, inode->i_ino, ORPHAN_INO)).
> > +		 * In that case, check_nid_range() is enough to give a clue.
> > +		 */
> >  	}
> >  out_clear:
> >  	fscrypt_put_encryption_info(inode);
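Review bot: after removing the f2fs_bug_on(), the else branch holds nothing but a comment, which leaves an empty `} else { ... }` block; drop the else and put the explanation above the if. The comment itself has an unbalanced parenthesis in `err & !exist_written_data(sbi, inode->i_ino, ORPHAN_INO)).` and `&` should read `&&` to match the condition it describes.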
> > diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
> > index 3a3d38b3e9ec..2dd34cd980b1 100644
> > --- a/fs/f2fs/node.c
> > +++ b/fs/f2fs/node.c
> > @@ -29,6 +29,21 @@ static struct kmem_cache *nat_entry_slab;
> >  static struct kmem_cache *free_nid_slab;
> >  static struct kmem_cache *nat_entry_set_slab;
> >  
> > +/*
> > + * Check whether the given nid is within node id range.
> > + */
> > +int check_nid_range(struct f2fs_sb_info *sbi, nid_t nid)
> > +{
> > +	if (unlikely(nid < F2FS_ROOT_INO(sbi) || nid >= NM_I(sbi)->max_nid)) {
> > +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> > +		f2fs_msg(sbi->sb, KERN_WARNING,
> > +				"%s: out-of-range nid=%x, run fsck to fix.",
> > +				__func__, nid);
> > +		return -EINVAL;
> > +	}
> > +	return 0;
> > +}
> > +
> >  bool available_free_memory(struct f2fs_sb_info *sbi, int type)
> >  {
> >  	struct f2fs_nm_info *nm_i = NM_I(sbi);
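Review bot: the warning prints nid with %x while the removed inode.c message (and other f2fs messages) print node ids in decimal, and __func__ always expands to "check_nid_range", so it identifies nothing about the caller; suggest `"%s: out-of-range nid=%u, run fsck to fix."` with a caller string passed in, or no __func__ at all. The unlikely() now wraps a combined condition, which is fine, but the dropped `inline` means every caller pays a call for the common in-range case.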
> > @@ -1010,6 +1025,8 @@ int truncate_xattr_node(struct inode *inode)
> >  
> >  	if (!nid)
> >  		return 0;
> > +	if (check_nid_range(sbi, nid))
> > +		return -EINVAL;
> 
> The get_node_page() call below will call check_nid_range(), so the check above is redundant.

Done.

> 
> Thanks,
> 
> >  
> >  	npage = get_node_page(sbi, nid);
> >  	if (IS_ERR(npage))
> > @@ -1158,7 +1175,8 @@ void ra_node_page(struct f2fs_sb_info *sbi, nid_t nid)
> >  
> >  	if (!nid)
> >  		return;
> > -	f2fs_bug_on(sbi, check_nid_range(sbi, nid));
> > +	if (check_nid_range(sbi, nid))
> > +		return;
> >  
> >  	rcu_read_lock();
> >  	apage = radix_tree_lookup(&NODE_MAPPING(sbi)->i_pages, nid);
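Review bot: returning silently is the right behaviour for a readahead hint, but check_nid_range() now logs and sets SBI_NEED_FSCK on every call, so readahead over a node block whose child nids are all garbage will emit one warning line per nid; either ratelimit the message inside check_nid_range() or give ra_node_page() a quiet variant of the range test.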
> > @@ -1182,7 +1200,8 @@ static struct page *__get_node_page(struct f2fs_sb_info *sbi, pgoff_t nid,
> >  
> >  	if (!nid)
> >  		return ERR_PTR(-ENOENT);
> > -	f2fs_bug_on(sbi, check_nid_range(sbi, nid));
> > +	if (check_nid_range(sbi, nid))
> > +		return ERR_PTR(-EINVAL);
> >  repeat:
> >  	page = f2fs_grab_cache_page(NODE_MAPPING(sbi), nid, false);
> >  	if (!page)
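Review bot: __get_node_page() takes nid as pgoff_t while check_nid_range() takes nid_t, so the argument is silently narrowed before the range test; worth an explicit cast or a nid_t parameter. Also, nid == 0 above returns -ENOENT while an out-of-range nid now returns -EINVAL (matching do_read_inode() in this series); the commit message should state that callers see -EINVAL for a corrupted nid where they previously hit a BUG.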
> > 


* Re: [f2fs-dev] [PATCH 4/5] f2fs: sanity check for total valid blocks
  2018-04-25 13:03   ` [f2fs-dev] " Chao Yu
@ 2018-04-26 15:27     ` Jaegeuk Kim
  2018-04-26 15:29     ` [f2fs-dev] [PATCH 4/5 v2] " Jaegeuk Kim
  1 sibling, 0 replies; 20+ messages in thread
From: Jaegeuk Kim @ 2018-04-26 15:27 UTC (permalink / raw)
  To: Chao Yu; +Cc: linux-kernel, linux-f2fs-devel

On 04/25, Chao Yu wrote:
> Hi Jaegeuk,
> 
> This patch makes generic/008 fail, because for the fallocate case the total valid
> block count cannot be calculated by gathering valid_blocks of all sit entries.

Yeah, I got that too, and I've been testing a change to use valid_node_count,
which works for the syzbot case as well.

> 
> Thanks,
> 
> On 2018/4/25 13:46, Jaegeuk Kim wrote:
> > This patch enhances the sanity check for SIT entries.
> > 
> > syzbot hit the following crash on upstream commit
> > 83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
> > Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
> > syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=bf9253040425feb155ad
> > 
> > syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5692130282438656
> > Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5095924598571008
> > Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
> > compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
> > It will help syzbot understand when the bug is fixed. See footer for details.
> > If you forward the report, please keep this part and the footer.
> > 
> > F2FS-fs (loop0): invalid crc value
> > F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
> > F2FS-fs (loop0): Mounted with checkpoint version = d
> > F2FS-fs (loop0): Bitmap was wrongly cleared, blk:9740
> > ------------[ cut here ]------------
> > kernel BUG at fs/f2fs/segment.c:1884!
> > invalid opcode: 0000 [#1] SMP KASAN
> > Dumping ftrace buffer:
> >    (ftrace buffer empty)
> > Modules linked in:
> > CPU: 1 PID: 4508 Comm: syz-executor0 Not tainted 4.17.0-rc1+ #10
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882
> > RSP: 0018:ffff8801af526708 EFLAGS: 00010282
> > RAX: ffffed0035ea4cc0 RBX: ffff8801ad454f90 RCX: 0000000000000000
> > RDX: 0000000000000000 RSI: ffffffff82eeb87e RDI: ffffed0035ea4cb6
> > RBP: ffff8801af526760 R08: ffff8801ad4a2480 R09: ffffed003b5e4f90
> > R10: ffffed003b5e4f90 R11: ffff8801daf27c87 R12: ffff8801adb8d380
> > R13: 0000000000000001 R14: 0000000000000008 R15: 00000000ffffffff
> > FS:  00000000014af940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f06bc223000 CR3: 00000001adb02000 CR4: 00000000001406e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  allocate_data_block+0x66f/0x2050 fs/f2fs/segment.c:2663
> >  do_write_page+0x105/0x1b0 fs/f2fs/segment.c:2727
> >  write_node_page+0x129/0x350 fs/f2fs/segment.c:2770
> >  __write_node_page+0x7da/0x1370 fs/f2fs/node.c:1398
> >  sync_node_pages+0x18cf/0x1eb0 fs/f2fs/node.c:1652
> >  block_operations+0x429/0xa60 fs/f2fs/checkpoint.c:1088
> >  write_checkpoint+0x3ba/0x5380 fs/f2fs/checkpoint.c:1405
> >  f2fs_sync_fs+0x2fb/0x6a0 fs/f2fs/super.c:1077
> >  __sync_filesystem fs/sync.c:39 [inline]
> >  sync_filesystem+0x265/0x310 fs/sync.c:67
> >  generic_shutdown_super+0xd7/0x520 fs/super.c:429
> >  kill_block_super+0xa4/0x100 fs/super.c:1191
> >  kill_f2fs_super+0x9f/0xd0 fs/f2fs/super.c:3030
> >  deactivate_locked_super+0x97/0x100 fs/super.c:316
> >  deactivate_super+0x188/0x1b0 fs/super.c:347
> >  cleanup_mnt+0xbf/0x160 fs/namespace.c:1174
> >  __cleanup_mnt+0x16/0x20 fs/namespace.c:1181
> >  task_work_run+0x1e4/0x290 kernel/task_work.c:113
> >  tracehook_notify_resume include/linux/tracehook.h:191 [inline]
> >  exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
> >  prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
> >  syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
> >  do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x457d97
> > RSP: 002b:00007ffd46f9c8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000457d97
> > RDX: 00000000014b09a3 RSI: 0000000000000002 RDI: 00007ffd46f9da50
> > RBP: 00007ffd46f9da50 R08: 0000000000000000 R09: 0000000000000009
> > R10: 0000000000000005 R11: 0000000000000246 R12: 00000000014b0940
> > R13: 0000000000000000 R14: 0000000000000002 R15: 000000000000658e
> > RIP: update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882 RSP: ffff8801af526708
> > ---[ end trace f498328bb02610a2 ]---
> > 
> > Reported-and-tested-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
> > Reported-and-tested-by: syzbot+7d6d31d3bc702f566ce3@syzkaller.appspotmail.com
> > Reported-and-tested-by: syzbot+0a725420475916460f12@syzkaller.appspotmail.com
> > Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> > ---
> >  fs/f2fs/segment.c | 13 +++++++++++++
> >  1 file changed, 13 insertions(+)
> > 
> > diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
> > index 20250b88bf51..a55647f61232 100644
> > --- a/fs/f2fs/segment.c
> > +++ b/fs/f2fs/segment.c
> > @@ -3612,6 +3612,7 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
> >  	unsigned int i, start, end;
> >  	unsigned int readed, start_blk = 0;
> >  	int err = 0;
> > +	block_t total_valid_blocks = 0;
> >  
> >  	do {
> >  		readed = ra_meta_pages(sbi, start_blk, BIO_MAX_PAGES,
> > @@ -3634,6 +3635,7 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
> >  			if (err)
> >  				return err;
> >  			seg_info_from_raw_sit(se, &sit);
> > +			total_valid_blocks += se->valid_blocks;
> >  
> >  			/* build discard map only one time */
> >  			if (f2fs_discard_en(sbi)) {
> > @@ -3675,11 +3677,13 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
> >  		sit = sit_in_journal(journal, i);
> >  
> >  		old_valid_blocks = se->valid_blocks;
> > +		total_valid_blocks -= old_valid_blocks;
> >  
> >  		err = check_block_count(sbi, start, &sit);
> >  		if (err)
> >  			break;
> >  		seg_info_from_raw_sit(se, &sit);
> > +		total_valid_blocks += se->valid_blocks;
> >  
> >  		if (f2fs_discard_en(sbi)) {
> >  			if (is_set_ckpt_flags(sbi, CP_TRIMMED_FLAG)) {
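Review bot: in the journal loop old_valid_blocks is subtracted before check_block_count() and the new count is added only after it succeeds, so on `if (err) break;` total_valid_blocks is left short by one segment's count; that is harmless only because the final comparison is guarded by `!err`, and a one-line comment saying so would stop someone relaxing that guard later.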
> > @@ -3698,6 +3702,15 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
> >  				se->valid_blocks - old_valid_blocks;
> >  	}
> >  	up_read(&curseg->journal_rwsem);
> > +
> > +	if (!err && total_valid_blocks != valid_user_blocks(sbi)) {
> > +		f2fs_msg(sbi->sb, KERN_ERR,
> > +			"SIT is corrupted %u vs %u",
> > +			total_valid_blocks, valid_user_blocks(sbi));
> > +		set_sbi_flag(sbi, SBI_NEED_FSCK);
> > +		err = -EINVAL;
> > +	}
> > +
> >  	return err;
> >  }
> >  
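Review bot: the final check sums valid_blocks over every segment type and compares it with valid_user_blocks(sbi), but as Chao notes above, blocks reserved by fallocate are counted in the checkpoint's valid block count without having a written block in any SIT entry, so a clean filesystem trips this check (the generic/008 failure); the comparison needs to be restricted to a class of blocks that SIT and the checkpoint account for identically, which is what the v2 below does with node segments.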
> > 


* Re: [f2fs-dev] [PATCH 4/5 v2] f2fs: sanity check for total valid blocks
  2018-04-25 13:03   ` [f2fs-dev] " Chao Yu
  2018-04-26 15:27     ` Jaegeuk Kim
@ 2018-04-26 15:29     ` Jaegeuk Kim
  2018-04-27  1:52         ` Chao Yu
  1 sibling, 1 reply; 20+ messages in thread
From: Jaegeuk Kim @ 2018-04-26 15:29 UTC (permalink / raw)
  To: Chao Yu; +Cc: linux-kernel, linux-f2fs-devel

This patch enhances the sanity check for SIT entries.

syzbot hit the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=bf9253040425feb155ad

syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5692130282438656
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5095924598571008
Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = d
F2FS-fs (loop0): Bitmap was wrongly cleared, blk:9740
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:1884!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4508 Comm: syz-executor0 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882
RSP: 0018:ffff8801af526708 EFLAGS: 00010282
RAX: ffffed0035ea4cc0 RBX: ffff8801ad454f90 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82eeb87e RDI: ffffed0035ea4cb6
RBP: ffff8801af526760 R08: ffff8801ad4a2480 R09: ffffed003b5e4f90
R10: ffffed003b5e4f90 R11: ffff8801daf27c87 R12: ffff8801adb8d380
R13: 0000000000000001 R14: 0000000000000008 R15: 00000000ffffffff
FS:  00000000014af940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f06bc223000 CR3: 00000001adb02000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 allocate_data_block+0x66f/0x2050 fs/f2fs/segment.c:2663
 do_write_page+0x105/0x1b0 fs/f2fs/segment.c:2727
 write_node_page+0x129/0x350 fs/f2fs/segment.c:2770
 __write_node_page+0x7da/0x1370 fs/f2fs/node.c:1398
 sync_node_pages+0x18cf/0x1eb0 fs/f2fs/node.c:1652
 block_operations+0x429/0xa60 fs/f2fs/checkpoint.c:1088
 write_checkpoint+0x3ba/0x5380 fs/f2fs/checkpoint.c:1405
 f2fs_sync_fs+0x2fb/0x6a0 fs/f2fs/super.c:1077
 __sync_filesystem fs/sync.c:39 [inline]
 sync_filesystem+0x265/0x310 fs/sync.c:67
 generic_shutdown_super+0xd7/0x520 fs/super.c:429
 kill_block_super+0xa4/0x100 fs/super.c:1191
 kill_f2fs_super+0x9f/0xd0 fs/f2fs/super.c:3030
 deactivate_locked_super+0x97/0x100 fs/super.c:316
 deactivate_super+0x188/0x1b0 fs/super.c:347
 cleanup_mnt+0xbf/0x160 fs/namespace.c:1174
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1181
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457d97
RSP: 002b:00007ffd46f9c8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000457d97
RDX: 00000000014b09a3 RSI: 0000000000000002 RDI: 00007ffd46f9da50
RBP: 00007ffd46f9da50 R08: 0000000000000000 R09: 0000000000000009
R10: 0000000000000005 R11: 0000000000000246 R12: 00000000014b0940
R13: 0000000000000000 R14: 0000000000000002 R15: 000000000000658e
RIP: update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882 RSP: ffff8801af526708
---[ end trace f498328bb02610a2 ]---

Reported-and-tested-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+7d6d31d3bc702f566ce3@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+0a725420475916460f12@syzkaller.appspotmail.com
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---

Change log from v1:
 - check valid node count

 fs/f2fs/segment.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 20250b88bf51..c60f87822e9c 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -3612,6 +3612,7 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
 	unsigned int i, start, end;
 	unsigned int readed, start_blk = 0;
 	int err = 0;
+	block_t total_node_blocks = 0;
 
 	do {
 		readed = ra_meta_pages(sbi, start_blk, BIO_MAX_PAGES,
@@ -3634,6 +3635,8 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
 			if (err)
 				return err;
 			seg_info_from_raw_sit(se, &sit);
+			if (IS_NODESEG(se->type))
+				total_node_blocks += se->valid_blocks;
 
 			/* build discard map only one time */
 			if (f2fs_discard_en(sbi)) {
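Review bot: limiting the accumulator to IS_NODESEG(se->type) means corrupted valid_blocks in data segments are no longer caught by this whole-filesystem check and rely solely on the per-segment check_block_count(); that is a deliberate narrowing relative to v1 and should be stated in the commit message, whose subject still says "total valid blocks". The read of se->type after seg_info_from_raw_sit() is correctly ordered, since that call is what fills in the type.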
@@ -3675,11 +3678,15 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
 		sit = sit_in_journal(journal, i);
 
 		old_valid_blocks = se->valid_blocks;
+		if (IS_NODESEG(se->type))
+			total_node_blocks -= old_valid_blocks;
 
 		err = check_block_count(sbi, start, &sit);
 		if (err)
 			break;
 		seg_info_from_raw_sit(se, &sit);
+		if (IS_NODESEG(se->type))
+			total_node_blocks += se->valid_blocks;
 
 		if (f2fs_discard_en(sbi)) {
 			if (is_set_ckpt_flags(sbi, CP_TRIMMED_FLAG)) {
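Review bot: the subtract/add pair reads se->type before and after seg_info_from_raw_sit(), so a journal entry that changes a segment's type moves its count between the node and non-node classes correctly, but that correctness depends on the ordering and deserves a comment. As in v1, the `if (err) break;` between the two leaves total_node_blocks short by old_valid_blocks, which is safe only because the final comparison is guarded by `!err`.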
@@ -3698,6 +3705,15 @@ static int build_sit_entries(struct f2fs_sb_info *sbi)
 				se->valid_blocks - old_valid_blocks;
 	}
 	up_read(&curseg->journal_rwsem);
+
+	if (!err && total_node_blocks != valid_node_count(sbi)) {
+		f2fs_msg(sbi->sb, KERN_ERR,
+			"SIT is corrupted node# %u vs %u",
+			total_node_blocks, valid_node_count(sbi));
+		set_sbi_flag(sbi, SBI_NEED_FSCK);
+		err = -EINVAL;
+	}
+
 	return err;
 }
 
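Review bot: the message "SIT is corrupted node# %u vs %u" does not say which operand is the SIT sum and which is the checkpoint count, so the fsck user cannot tell the direction of the mismatch; print them as `sit=%u ckpt=%u` or similar. %u is consistent with the block_t accumulator, and the `!err` guard plus SBI_NEED_FSCK/-EINVAL matches the existing error handling in build_sit_entries().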
-- 
2.17.0.484.g0c8726318c-goog


* Re: [f2fs-dev] [PATCH 5/5] f2fs: enforce fsync_mode=strict for renamed directory
  2018-04-25 13:04   ` [f2fs-dev] " Chao Yu
@ 2018-04-26 15:32     ` Jaegeuk Kim
  2018-04-27  1:41         ` Chao Yu
  0 siblings, 1 reply; 20+ messages in thread
From: Jaegeuk Kim @ 2018-04-26 15:32 UTC (permalink / raw)
  To: Chao Yu; +Cc: linux-kernel, linux-f2fs-devel

On 04/25, Chao Yu wrote:
> On 2018/4/25 13:46, Jaegeuk Kim wrote:
> > This is to give an option for the user to be able to recover B/foo in the
> > case below.
> > 
> > mkdir A
> > sync()
> > rename(A, B)
> > creat (B/foo)
> > fsync (B/foo)
> > ---crash---
> 
> That makes sense. IMO, it would be better to cover the cross-rename case as well?

file_lost_pino(old_inode) seems to cover that.

> 
> Thanks,
> 
> > 
> > Suggested-by: Velayudhan Pillai <vijay@cs.utexas.edu>
> > Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> > ---
> >  fs/f2fs/namei.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
> > index b5f404674cad..fef6e3ab2135 100644
> > --- a/fs/f2fs/namei.c
> > +++ b/fs/f2fs/namei.c
> > @@ -973,8 +973,11 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
> >  			f2fs_put_page(old_dir_page, 0);
> >  		f2fs_i_links_write(old_dir, false);
> >  	}
> > -	if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT)
> > +	if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT) {
> >  		add_ino_entry(sbi, new_dir->i_ino, TRANS_DIR_INO);
> > +		if (S_ISDIR(old_inode->i_mode))
> > +			add_ino_entry(sbi, old_inode->i_ino, TRANS_DIR_INO);
> > +	}
> >  
> >  	f2fs_unlock_op(sbi);
> >  
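Review bot: only f2fs_rename() is touched; the cross-rename path Chao asks about is not in this diff, and the reply attributes its coverage to file_lost_pino(old_inode), so that reasoning belongs in the commit message rather than only in the thread. The extra add_ino_entry() for old_inode is taken only when S_ISDIR(old_inode->i_mode), which matches the mkdir A / rename(A, B) / fsync(B/foo) scenario, but the subject's "renamed directory" should say explicitly that renamed regular files are intentionally excluded from TRANS_DIR_INO.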
> > 


* Re: [f2fs-dev] [PATCH 5/5] f2fs: enforce fsync_mode=strict for renamed directory
  2018-04-26 15:32     ` Jaegeuk Kim
@ 2018-04-27  1:41         ` Chao Yu
  0 siblings, 0 replies; 20+ messages in thread
From: Chao Yu @ 2018-04-27  1:41 UTC (permalink / raw)
  To: Jaegeuk Kim, Chao Yu; +Cc: linux-kernel, linux-f2fs-devel

On 2018/4/26 23:32, Jaegeuk Kim wrote:
> On 04/25, Chao Yu wrote:
>> On 2018/4/25 13:46, Jaegeuk Kim wrote:
>>> This is to give an option for the user to be able to recover B/foo in the
>>> case below.
>>>
>>> mkdir A
>>> sync()
>>> rename(A, B)
>>> creat (B/foo)
>>> fsync (B/foo)
>>> ---crash---
>>
>> That makes sense. IMO, it would be better to cover the cross-rename case as well?
> 
> file_lost_pino(old_inode) seems to cover that.

Confirmed.

Thanks,

> 
>>
>> Thanks,
>>
>>>
>>> Suggested-by: Velayudhan Pillai <vijay@cs.utexas.edu>
>>> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
>>> ---
>>>  fs/f2fs/namei.c | 5 ++++-
>>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
>>> index b5f404674cad..fef6e3ab2135 100644
>>> --- a/fs/f2fs/namei.c
>>> +++ b/fs/f2fs/namei.c
>>> @@ -973,8 +973,11 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
>>>  			f2fs_put_page(old_dir_page, 0);
>>>  		f2fs_i_links_write(old_dir, false);
>>>  	}
>>> -	if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT)
>>> +	if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT) {
>>>  		add_ino_entry(sbi, new_dir->i_ino, TRANS_DIR_INO);
>>> +		if (S_ISDIR(old_inode->i_mode))
>>> +			add_ino_entry(sbi, old_inode->i_ino, TRANS_DIR_INO);
>>> +	}
>>>  
>>>  	f2fs_unlock_op(sbi);
>>>  
>>>
> 
> .
> 


* Re: [f2fs-dev] [PATCH 4/5 v2] f2fs: sanity check for total valid blocks
  2018-04-26 15:29     ` [f2fs-dev] [PATCH 4/5 v2] " Jaegeuk Kim
@ 2018-04-27  1:52         ` Chao Yu
  0 siblings, 0 replies; 20+ messages in thread
From: Chao Yu @ 2018-04-27  1:52 UTC (permalink / raw)
  To: Jaegeuk Kim, Chao Yu; +Cc: linux-kernel, linux-f2fs-devel

On 2018/4/26 23:29, Jaegeuk Kim wrote:
> This patch enhances the sanity check for SIT entries.
> 
> syzbot hit the following crash on upstream commit
> 83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
> Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
> syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=bf9253040425feb155ad
> 
> syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=5692130282438656
> Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5095924598571008
> Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for details.
> If you forward the report, please keep this part and the footer.
> 
> F2FS-fs (loop0): invalid crc value
> F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
> F2FS-fs (loop0): Mounted with checkpoint version = d
> F2FS-fs (loop0): Bitmap was wrongly cleared, blk:9740
> ------------[ cut here ]------------
> kernel BUG at fs/f2fs/segment.c:1884!
> invalid opcode: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 4508 Comm: syz-executor0 Not tainted 4.17.0-rc1+ #10
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882
> RSP: 0018:ffff8801af526708 EFLAGS: 00010282
> RAX: ffffed0035ea4cc0 RBX: ffff8801ad454f90 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff82eeb87e RDI: ffffed0035ea4cb6
> RBP: ffff8801af526760 R08: ffff8801ad4a2480 R09: ffffed003b5e4f90
> R10: ffffed003b5e4f90 R11: ffff8801daf27c87 R12: ffff8801adb8d380
> R13: 0000000000000001 R14: 0000000000000008 R15: 00000000ffffffff
> FS:  00000000014af940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f06bc223000 CR3: 00000001adb02000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  allocate_data_block+0x66f/0x2050 fs/f2fs/segment.c:2663
>  do_write_page+0x105/0x1b0 fs/f2fs/segment.c:2727
>  write_node_page+0x129/0x350 fs/f2fs/segment.c:2770
>  __write_node_page+0x7da/0x1370 fs/f2fs/node.c:1398
>  sync_node_pages+0x18cf/0x1eb0 fs/f2fs/node.c:1652
>  block_operations+0x429/0xa60 fs/f2fs/checkpoint.c:1088
>  write_checkpoint+0x3ba/0x5380 fs/f2fs/checkpoint.c:1405
>  f2fs_sync_fs+0x2fb/0x6a0 fs/f2fs/super.c:1077
>  __sync_filesystem fs/sync.c:39 [inline]
>  sync_filesystem+0x265/0x310 fs/sync.c:67
>  generic_shutdown_super+0xd7/0x520 fs/super.c:429
>  kill_block_super+0xa4/0x100 fs/super.c:1191
>  kill_f2fs_super+0x9f/0xd0 fs/f2fs/super.c:3030
>  deactivate_locked_super+0x97/0x100 fs/super.c:316
>  deactivate_super+0x188/0x1b0 fs/super.c:347
>  cleanup_mnt+0xbf/0x160 fs/namespace.c:1174
>  __cleanup_mnt+0x16/0x20 fs/namespace.c:1181
>  task_work_run+0x1e4/0x290 kernel/task_work.c:113
>  tracehook_notify_resume include/linux/tracehook.h:191 [inline]
>  exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
>  prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
>  syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
>  do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x457d97
> RSP: 002b:00007ffd46f9c8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000457d97
> RDX: 00000000014b09a3 RSI: 0000000000000002 RDI: 00007ffd46f9da50
> RBP: 00007ffd46f9da50 R08: 0000000000000000 R09: 0000000000000009
> R10: 0000000000000005 R11: 0000000000000246 R12: 00000000014b0940
> R13: 0000000000000000 R14: 0000000000000002 R15: 000000000000658e
> RIP: update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882 RSP: ffff8801af526708
> ---[ end trace f498328bb02610a2 ]---
> 
> Reported-and-tested-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
> Reported-and-tested-by: syzbot+7d6d31d3bc702f566ce3@syzkaller.appspotmail.com
> Reported-and-tested-by: syzbot+0a725420475916460f12@syzkaller.appspotmail.com
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

Reviewed-by: Chao Yu <yuchao0@huawei.com>

Thanks,

