* [Bug 203197] New: kernel read fault at __is_cp_guaranteed
From: bugzilla-daemon @ 2019-04-09 11:32 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203197
Bug ID: 203197
Summary: kernel read fault at __is_cp_guaranteed
Product: File System
Version: 2.5
Kernel Version: 5.0.0
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: jungyeon@gatech.edu
Regression: No
Created attachment 282189
--> https://bugzilla.kernel.org/attachment.cgi?id=282189&action=edit
The (compressed) crafted image which causes crash & program
- Overview
When mounting the attached crafted image and running the program, I got this error.
The image is intentionally fuzzed from a normal f2fs image for testing.
- Produces
cc poc_07.c
./run.sh f2fs
- Messages
[ 20.290851] BUG: unable to handle kernel NULL pointer dereference at 000000000000002e
[ 20.291962] #PF error: [normal kernel read fault]
[ 20.292640] PGD 800000023283a067 P4D 800000023283a067 PUD 234087067 PMD 0
[ 20.293602] Oops: 0000 [#1] SMP PTI
[ 20.294134] CPU: 0 PID: 1094 Comm: apport Not tainted 5.0.0-rc8+ #9
[ 20.295020] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 20.296331] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 20.297050] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f
74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08
48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 20.299663] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 20.300390] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 20.301375] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 20.302398] RBP: ffffa144410b7cd8 R08: ffffffff8d81b860 R09: ffff9115af598780
[ 20.303387] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 20.304375] R13: ffff9115b4efa020 R14: ffff9115b21723a8 R15: ffff9115b21723b8
[ 20.305365] FS: 0000000000000000(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 20.306522] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.307317] CR2: 000000000000002e CR3: 000000022f5c8006 CR4: 00000000001606f0
[ 20.308301] Call Trace:
[ 20.308656] vma_interval_tree_insert+0x84/0x90
[ 20.309292] __vma_link_file+0x46/0x50
[ 20.309820] vma_link+0x74/0xc0
[ 20.310309] mmap_region+0x43f/0x610
[ 20.310815] do_mmap+0x46e/0x610
[ 20.311274] ? ima_file_mmap+0x61/0x90
[ 20.311804] vm_mmap_pgoff+0xcc/0x120
[ 20.312322] ksys_mmap_pgoff+0x1cb/0x290
[ 20.312876] __x64_sys_mmap+0x33/0x40
[ 20.313394] do_syscall_64+0x5a/0x110
[ 20.313915] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.314663] RIP: 0033:0x7f5b857824ba
[ 20.315168] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9
49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0
ff ff 77 4e 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[ 20.317740] RSP: 002b:00007ffc4b7909f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 20.318831] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f5b857824ba
[ 20.319810] RDX: 0000000000000005 RSI: 0000000000228068 RDI: 0000000000000000
[ 20.320789] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
[ 20.321771] R10: 0000000000000802 R11: 0000000000000246 R12: 0000000000000000
[ 20.322792] R13: 0000000000228068 R14: 0000000000000802 R15: 0000000000000000
[ 20.323776] Modules linked in:
[ 20.324210] CR2: 000000000000002e
[ 20.324695] ---[ end trace e553cf509f875842 ]---
[ 20.325346] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 20.326092] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f
74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08
48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 20.328680] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 20.329410] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 20.330456] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 20.331469] RBP: ffffa144410b7cd8 R08: ffffffff8d81b860 R09: ffff9115af598780
[ 20.332458] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 20.333444] R13: ffff9115b4efa020 R14: ffff9115b21723a8 R15: ffff9115b21723b8
[ 20.334481] FS: 0000000000000000(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 20.335601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.336401] CR2: 000000000000002e CR3: 000000022f5c8006 CR4: 00000000001606f0
wait a little bit...
[ 34.969989] general protection fault: 0000 [#2] SMP PTI
[ 34.970784] CPU: 0 PID: 1095 Comm: systemd-cgroups Tainted: G D 5.0.0-rc8+ #9
[ 34.971981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 34.973320] RIP: 0010:vma_interval_tree_insert+0x2c/0x90
[ 34.974126] Code: 44 00 00 48 8b 47 08 48 2b 07 49 89 fb 4c 8b 97 98 00 00 00
48 89 f1 ba 01 00 00 00 45 31 c9 48 c1 e8 0c 4d 8d 44 02 ff eb 1d <4c> 39 40 18
73 04 4c 89 40 18 4c 3b 50 40 48 8d 48 10 72 06 48 8d
[ 34.976747] RSP: 0018:ffffa1444155bd08 EFLAGS: 00010286
[ 34.977486] RAX: c5ffff9115ab8436 RBX: ffff9115b4e51cf8 RCX: ffff9115ab843431
[ 34.978531] RDX: 0000000000000000 RSI: ffff9115b5b21730 RDI: ffff9115ab2b9bb8
[ 34.979571] RBP: ffffa1444155bd10 R08: 00000000000001c5 R09: ffff9115ab843421
[ 34.980610] R10: 00000000000001c4 R11: ffff9115ab2b9bb8 R12: ffff9115b4e51c80
[ 34.981650] R13: ffff9115b4e51898 R14: 0000000000000000 R15: 0000000000000000
[ 34.982716] FS: 00007ff7107dd840(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 34.983890] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 34.984729] CR2: 00007ff70fc3e280 CR3: 000000023299e004 CR4: 00000000001606f0
[ 34.985773] Call Trace:
[ 34.986147] ? __vma_link_file+0x46/0x50
[ 34.986729] __vma_adjust+0x111/0x7b0
[ 34.987273] ? kmem_cache_alloc+0x3a/0x170
[ 34.987880] __split_vma+0x18c/0x1a0
[ 34.988412] split_vma+0x1b/0x30
[ 34.988893] mprotect_fixup+0x2a7/0x360
[ 34.989464] ? common_file_perm+0x47/0x140
[ 34.990073] ? common_mmap+0x4b/0x50
[ 34.990604] ? apparmor_file_mprotect+0x2d/0x30
[ 34.991272] do_mprotect_pkey+0x214/0x380
[ 34.991865] __x64_sys_mprotect+0x1f/0x30
[ 34.992467] do_syscall_64+0x5a/0x110
[ 34.993009] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 34.993772] RIP: 0033:0x7ff7105df557
[ 34.994304] Code: ff 66 90 b8 0b 00 00 00 0f 05 48 3d 01 f0 ff ff 73 01 c3 48
8d 0d d9 bb 20 00 f7 d8 89 01 48 83 c8 ff c3 b8 0a 00 00 00 0f 05 <48> 3d 01 f0
ff ff 73 01 c3 48 8d 0d b9 bb 20 00 f7 d8 89 01 48 83
[ 34.996989] RSP: 002b:00007ffe23ac78b8 EFLAGS: 00000206 ORIG_RAX: 000000000000000a
[ 34.998085] RAX: ffffffffffffffda RBX: 00007ff70fbd27b8 RCX: 00007ff7105df557
[ 34.999086] RDX: 0000000000000001 RSI: 0000000000004000 RDI: 00007ff70ff73000
[ 35.000119] RBP: 00007ffe23ac79e0 R08: 0000000000000000 R09: 00007ff7107eb700
[ 35.001120] R10: 0000000000000003 R11: 0000000000000206 R12: 00007ff7107e0000
[ 35.002191] R13: 00007ff70fbb3000 R14: 00007ff70fbd27a0 R15: 00000000003c4018
[ 35.003190] Modules linked in:
[ 35.003643] ---[ end trace e553cf509f875843 ]---
[ 35.004304] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 35.005034] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f
74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08
48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 35.007704] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 35.008466] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 35.009472] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 35.010520] RBP: ffffa144410b7cd8 R08: ffffffff8d81b860 R09: ffff9115af598780
[ 35.011528] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 35.012536] R13: ffff9115b4efa020 R14: ffff9115b21723a8 R15: ffff9115b21723b8
[ 35.013588] FS: 00007ff7107dd840(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 35.014746] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.015561] CR2: 00007ff70fc3e280 CR3: 000000023299e004 CR4: 00000000001606f0
- Possible reason
The address of the inode (F2FS_I_SB) is not accessible (in my case, it is 0xa034).
It seems that this is because the given address of the page is not appropriate.
static bool __is_cp_guaranteed(struct page *page)
{
	struct address_space *mapping = page->mapping;
	struct inode *inode;
	struct f2fs_sb_info *sbi;

	if (!mapping)
		return false;

	inode = mapping->host;
	sbi = F2FS_I_SB(inode);		/* <-- line flagged by the reporter */

	if (inode->i_ino == F2FS_META_INO(sbi) ||
	    inode->i_ino == F2FS_NODE_INO(sbi) ||
	    S_ISDIR(inode->i_mode) ||
	    (S_ISREG(inode->i_mode) &&
	    (f2fs_is_atomic_file(inode) || IS_NOQUOTA(inode))) ||
	    is_cold_data(page))
		return true;
	return false;
}
--
You are receiving this mail because:
You are watching the assignee of the bug.
* [Bug 203197] kernel read fault at __is_cp_guaranteed
From: bugzilla-daemon @ 2019-04-09 14:58 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203197
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |chao@kernel.org
--- Comment #1 from Chao Yu (chao@kernel.org) ---
I only got the info below when reproducing this bug in the 5.1-rc1 kernel.
[ 258.605917] F2FS-fs (loop0): Mismatch start address, segment0(512) cp_blkaddr(4293329408)
[ 258.605917] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[ 258.637909] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
[ 258.637912] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d6
[ 334.914699] F2FS-fs (loop0): sanity_check_inode: corrupted inode i_blocks i_ino=7 iblocks=0, run fsck to fix.
* [Bug 203197] kernel read fault at __is_cp_guaranteed
From: bugzilla-daemon @ 2019-04-10 0:55 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203197
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #2 from Chao Yu (chao@kernel.org) ---
From your kernel message, I only see we crashed at __rb_insert_augmented() or
vma_interval_tree_insert(); did you pick the wrong kernel message and an incorrect
tmp.img and poc.c?
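A small triage helper for dumps like the ones in the original report, added here as an example (it is not part of the bug report or of f2fs): it splits a dmesg excerpt into oops records and pulls out the faulting symbol, the NULL-based offset, the taint state and any non-canonical register values, which is the quick check behind Chao Yu's remark that the crashes are in __rb_insert_augmented()/vma_interval_tree_insert() rather than __is_cp_guaranteed(), and that the second trace is a corrupted pointer (RAX) rather than a NULL dereference. The sample text is constructed from lines quoted in the report.

```python
import re
# Constructed sample: lines excerpted from the two oops dumps in the report above.
SAMPLE_OOPS = """\
[   20.290851] BUG: unable to handle kernel NULL pointer dereference at 000000000000002e
[   20.294134] CPU: 0 PID: 1094 Comm: apport Not tainted 5.0.0-rc8+ #9
[   20.296331] RIP: 0010:__rb_insert_augmented+0x30/0x220
[   20.308656]  vma_interval_tree_insert+0x84/0x90
[   20.324695] ---[ end trace e553cf509f875842 ]---
[   34.969989] general protection fault: 0000 [#2] SMP PTI
[   34.970784] CPU: 0 PID: 1095 Comm: systemd-cgroups Tainted: G      D 5.0.0-rc8+ #9
[   34.973320] RIP: 0010:vma_interval_tree_insert+0x2c/0x90
[   34.977486] RAX: c5ffff9115ab8436 RBX: ffff9115b4e51cf8 RCX: ffff9115ab843431
[   34.986147]  ? __vma_link_file+0x46/0x50
[   35.003643] ---[ end trace e553cf509f875843 ]---
"""
TS = r"^\[\s*[\d.]+\]\s*"                         # dmesg timestamp prefix
RE_PF = re.compile(TS + r"BUG: unable to handle kernel .* at ([0-9a-f]+)")
RE_GPF = re.compile(TS + r"general protection fault: [0-9a-f]+ \[#\d+\]")
RE_RIP = re.compile(TS + r"RIP: \d{4}:(\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+")
RE_FRAME = re.compile(TS + r"(\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
RE_REG = re.compile(r"\b(R[A-Z0-9]{1,2}): ([0-9a-f]{16})")

def is_canonical(addr):
    """x86-64 virtual addresses must have bits 63..47 all equal to bit 47."""
    return (addr >> 47) in (0, (1 << 17) - 1)

def parse_oops(text):
    """Split a dmesg excerpt into oops records with the fields used for triage."""
    records, cur = [], None
    for line in text.splitlines():
        if (m := RE_PF.search(line)) or (m := RE_GPF.search(line)):
            addr = int(m.group(1), 16) if m.re is RE_PF else None   # None => GPF
            kind = "gpf" if addr is None else "null-deref" if addr < 0x1000 else "page-fault"
            cur = {"kind": kind, "addr": addr, "frames": [], "regs": {}}
            records.append(cur)
        elif cur is None or "end trace" in line:
            cur = None                                   # outside any record
        elif (m := RE_RIP.search(line)):
            cur["rip"] = (m.group(1), int(m.group(2), 16))
        elif " PID: " in line:
            cur["tainted"] = "Not tainted" not in line
        elif (m := RE_FRAME.search(line)):
            cur["frames"].append((m.group(2), m.group(1) is not None))  # (symbol, unreliable '?')
        else:
            cur["regs"].update((r, int(v, 16)) for r, v in RE_REG.findall(line))
    return records

def bad_pointers(rec):
    """Registers holding non-canonical values, the usual sign of a corrupted pointer behind a GPF."""
    return sorted(r for r, v in rec["regs"].items() if not is_canonical(v))
```

For the first record the NULL-based offset (0x2e) is the field offset the faulting instruction tried to read through a NULL pointer; for the second, RAX is non-canonical, so the pointer itself was corrupted.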
* [Bug 203197] kernel read fault at __is_cp_guaranteed
From: bugzilla-daemon @ 2019-04-11 1:03 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=203197
--- Comment #3 from Jungyeon (jungyeon@gatech.edu) ---
I've tested with kernel version 5.0.0.
The image and program are okay. It just seems that the errors keep
changing. I also saw a vma_interval_tree_insert() error.
It's hard to say exactly when the error comes out.
And in the 5.1-rc1 kernel, it seems that the error doesn't show up.