From: Jaegeuk Kim <jaegeuk@kernel.org>
To: Chao Yu <chao@kernel.org>
Cc: linux-f2fs-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
syzbot+775a3440817f74fddb8c@syzkaller.appspotmail.com
Subject: Re: [PATCH] f2fs: fix to detect obsolete inner inode during fill_super()
Date: Mon, 12 Sep 2022 08:37:58 -0700 [thread overview]
Message-ID: <Yx9SVsxVzNErMDpv@google.com> (raw)
In-Reply-To: <20220908105334.98572-1-chao@kernel.org>
On 09/08, Chao Yu wrote:
> Sometimes we can get a cached meta_inode which has no aops yet. Let's set it
> all the time to fix the below panic.
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
> Mem abort info:
> ESR = 0x0000000086000004
> EC = 0x21: IABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x04: level 0 translation fault
> user pgtable: 4k pages, 48-bit VAs, pgdp=0000000109ee4000
> [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
> Internal error: Oops: 86000004 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 1 PID: 3045 Comm: syz-executor330 Not tainted 6.0.0-rc2-syzkaller-16455-ga41a877bc12d #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : 0x0
> lr : folio_mark_dirty+0xbc/0x208 mm/page-writeback.c:2748
> sp : ffff800012783970
> x29: ffff800012783970 x28: 0000000000000000 x27: ffff800012783b08
> x26: 0000000000000001 x25: 0000000000000400 x24: 0000000000000001
> x23: ffff0000c736e000 x22: 0000000000000045 x21: 05ffc00000000015
> x20: ffff0000ca7403b8 x19: fffffc00032ec600 x18: 0000000000000181
> x17: ffff80000c04d6bc x16: ffff80000dbb8658 x15: 0000000000000000
> x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
> x11: ff808000083e9814 x10: 0000000000000000 x9 : ffff8000083e9814
> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
> x5 : ffff0000cbb19000 x4 : ffff0000cb3d2000 x3 : ffff0000cbb18f80
> x2 : fffffffffffffff0 x1 : fffffc00032ec600 x0 : ffff0000ca7403b8
> Call trace:
> 0x0
> set_page_dirty+0x38/0xbc mm/folio-compat.c:62
> f2fs_update_meta_page+0x80/0xa8 fs/f2fs/segment.c:2369
> do_checkpoint+0x794/0xea8 fs/f2fs/checkpoint.c:1522
> f2fs_write_checkpoint+0x3b8/0x568 fs/f2fs/checkpoint.c:1679
>
> The root cause is, quoted from Jaegeuk:
>
> It turned out there is a bug in reiserfs which doesn't free the root
> inode (ino=2). That leads f2fs to find an ino=2 with the previous
> superblock point used by reiserfs. That stale inode has no valid
> mapping that f2fs can use, result in kernel panic.
>
> This patch adds sanity check in f2fs_iget() to avoid finding stale
> inode during inner inode initialization.
>
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+775a3440817f74fddb8c@syzkaller.appspotmail.com
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> Signed-off-by: Chao Yu <chao@kernel.org>
> ---
> fs/f2fs/inode.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> index ccb29034af59..df1a82fbfaf2 100644
> --- a/fs/f2fs/inode.c
> +++ b/fs/f2fs/inode.c
> @@ -493,6 +493,17 @@ struct inode *f2fs_iget_inner(struct super_block *sb, unsigned long ino)
> struct inode *inode;
> int ret = 0;
>
> + if (ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi) ||
> + ino == F2FS_COMPRESS_INO(sbi)) {
> + inode = ilookup(sb, ino);
> + if (inode) {
> + iput(inode);
> + f2fs_err(sbi, "there is obsoleted inner inode %lu cached in hash table",
> + ino);
> + return ERR_PTR(-EFSCORRUPTED);
Well, this does not indicate f2fs is corrupted. I'd rather expect to fix
reiserfs instead of f2fs workaround which hides the bug.
> + }
> + }
> +
> inode = iget_locked(sb, ino);
> if (!inode)
> return ERR_PTR(-ENOMEM);
> --
> 2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Jaegeuk Kim <jaegeuk@kernel.org>
To: Chao Yu <chao@kernel.org>
Cc: syzbot+775a3440817f74fddb8c@syzkaller.appspotmail.com,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [f2fs-dev] [PATCH] f2fs: fix to detect obsolete inner inode during fill_super()
Date: Mon, 12 Sep 2022 08:37:58 -0700 [thread overview]
Message-ID: <Yx9SVsxVzNErMDpv@google.com> (raw)
In-Reply-To: <20220908105334.98572-1-chao@kernel.org>
On 09/08, Chao Yu wrote:
> Sometimes we can get a cached meta_inode which has no aops yet. Let's set it
> all the time to fix the below panic.
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
> Mem abort info:
> ESR = 0x0000000086000004
> EC = 0x21: IABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x04: level 0 translation fault
> user pgtable: 4k pages, 48-bit VAs, pgdp=0000000109ee4000
> [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
> Internal error: Oops: 86000004 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 1 PID: 3045 Comm: syz-executor330 Not tainted 6.0.0-rc2-syzkaller-16455-ga41a877bc12d #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : 0x0
> lr : folio_mark_dirty+0xbc/0x208 mm/page-writeback.c:2748
> sp : ffff800012783970
> x29: ffff800012783970 x28: 0000000000000000 x27: ffff800012783b08
> x26: 0000000000000001 x25: 0000000000000400 x24: 0000000000000001
> x23: ffff0000c736e000 x22: 0000000000000045 x21: 05ffc00000000015
> x20: ffff0000ca7403b8 x19: fffffc00032ec600 x18: 0000000000000181
> x17: ffff80000c04d6bc x16: ffff80000dbb8658 x15: 0000000000000000
> x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
> x11: ff808000083e9814 x10: 0000000000000000 x9 : ffff8000083e9814
> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
> x5 : ffff0000cbb19000 x4 : ffff0000cb3d2000 x3 : ffff0000cbb18f80
> x2 : fffffffffffffff0 x1 : fffffc00032ec600 x0 : ffff0000ca7403b8
> Call trace:
> 0x0
> set_page_dirty+0x38/0xbc mm/folio-compat.c:62
> f2fs_update_meta_page+0x80/0xa8 fs/f2fs/segment.c:2369
> do_checkpoint+0x794/0xea8 fs/f2fs/checkpoint.c:1522
> f2fs_write_checkpoint+0x3b8/0x568 fs/f2fs/checkpoint.c:1679
>
> The root cause is, quoted from Jaegeuk:
>
> It turned out there is a bug in reiserfs which doesn't free the root
> inode (ino=2). That leads f2fs to find an ino=2 with the previous
> superblock point used by reiserfs. That stale inode has no valid
> mapping that f2fs can use, result in kernel panic.
>
> This patch adds sanity check in f2fs_iget() to avoid finding stale
> inode during inner inode initialization.
>
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+775a3440817f74fddb8c@syzkaller.appspotmail.com
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> Signed-off-by: Chao Yu <chao@kernel.org>
> ---
> fs/f2fs/inode.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> index ccb29034af59..df1a82fbfaf2 100644
> --- a/fs/f2fs/inode.c
> +++ b/fs/f2fs/inode.c
> @@ -493,6 +493,17 @@ struct inode *f2fs_iget_inner(struct super_block *sb, unsigned long ino)
> struct inode *inode;
> int ret = 0;
>
> + if (ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi) ||
> + ino == F2FS_COMPRESS_INO(sbi)) {
> + inode = ilookup(sb, ino);
> + if (inode) {
> + iput(inode);
> + f2fs_err(sbi, "there is obsoleted inner inode %lu cached in hash table",
> + ino);
> + return ERR_PTR(-EFSCORRUPTED);
Well, this does not indicate f2fs is corrupted. I'd rather expect to fix
reiserfs instead of f2fs workaround which hides the bug.
> + }
> + }
> +
> inode = iget_locked(sb, ino);
> if (!inode)
> return ERR_PTR(-ENOMEM);
> --
> 2.25.1
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
next prev parent reply other threads:[~2022-09-12 15:38 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-08 10:53 [PATCH] f2fs: fix to detect obsolete inner inode during fill_super() Chao Yu
2022-09-08 10:53 ` [f2fs-dev] " Chao Yu
2022-09-12 15:37 ` Jaegeuk Kim [this message]
2022-09-12 15:37 ` Jaegeuk Kim
2022-09-13 2:33 ` Chao Yu
2022-09-13 2:33 ` [f2fs-dev] " Chao Yu
2022-09-13 6:04 ` Jaegeuk Kim
2022-09-13 6:04 ` [f2fs-dev] " Jaegeuk Kim
2022-09-14 15:53 ` Chao Yu
2022-09-14 15:53 ` [f2fs-dev] " Chao Yu
2022-09-16 18:21 ` Jaegeuk Kim
2022-09-16 18:21 ` [f2fs-dev] " Jaegeuk Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yx9SVsxVzNErMDpv@google.com \
--to=jaegeuk@kernel.org \
--cc=chao@kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+775a3440817f74fddb8c@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.