* [f2fs-dev] [Bug 215231] New: kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
From: bugzilla-daemon @ 2021-12-06  4:12 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215231

            Bug ID: 215231
           Summary: kernel NULL pointer dereference triggered in
                    folio_mark_dirty() when mount and operate on a crafted
                    f2fs image
           Product: File System
           Version: 2.5
    Kernel Version: 5.16-rc3, 5.15.X
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: f2fs
          Assignee: filesystem_f2fs@kernel-bugs.kernel.org
          Reporter: wenqingliu0120@gmail.com
        Regression: No

Created attachment 299909
  --> https://bugzilla.kernel.org/attachment.cgi?id=299909&action=edit
crafted image and .config file

- Overview
Kernel NULL pointer dereference triggered in folio_mark_dirty() when mounting and operating on a crafted f2fs image.

- Reproduce
Tested on kernel 5.16-rc3 and 5.15.X as root.

# mkdir mnt
# mount -t f2fs tmp1.img mnt
# touch tmp
# cp tmp mnt

- Kernel dump
[   41.932734] F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
[   41.932743] F2FS-fs (loop0): Inconsistent error blkaddr:5942, sit bitmap:0
[   41.932811] ------------[ cut here ]------------
[   41.932811] WARNING: CPU: 0 PID: 910 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x1d6/0x390 [f2fs]
[   41.932824] Modules linked in: f2fs crc32_generic joydev input_leds serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic psmouse usbhid hid aesni_intel crypto_simd cryptd
[   41.932840] CPU: 0 PID: 910 Comm: cp Tainted: G        W         5.16.0-rc3 #2
[   41.932842] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   41.932842] RIP: 0010:f2fs_is_valid_blkaddr+0x1d6/0x390 [f2fs]
[   41.932853] Code: fe ff ff 83 fb 07 0f 85 bb fe ff ff 0f b6 c8 89 ea 48 c7 c6 c8 1b 70 a0 4c 89 e7 88 04 24 e8 31 52 ff ff f0 41 80 4c 24 48 04 <0f> 0b 0f b6 04 24 e9 92 fe ff ff 83 fa 09 0f 85 15 01 00 00 48 8b
[   41.932854] RSP: 0018:ffffc90000687968 EFLAGS: 00010206
[   41.932855] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000000001
[   41.932855] RDX: 0000000000000000 RSI: ffffffff8232a839 RDI: 00000000ffffffff
[   41.932856] RBP: 0000000000001736 R08: 0000000000000000 R09: 0000000000000001
[   41.932857] R10: 00000009cb0c1476 R11: 0000000000000001 R12: ffff888110275000
[   41.932857] R13: 0000000000004000 R14: ffff888105f460f0 R15: ffff888110f4a000
[   41.932858] FS:  00007f3530f15800(0000) GS:ffff8882f5c00000(0000) knlGS:0000000000000000
[   41.932859] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   41.932860] CR2: 0000562fdc7b15c8 CR3: 000000010319c002 CR4: 0000000000370ef0
[   41.932862] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   41.932863] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   41.932863] Call Trace:
[   41.932864]  <TASK>
[   41.932865]  f2fs_iget+0xeee/0x11b0 [f2fs]
[   41.932874]  do_garbage_collect+0xf0f/0x16a0 [f2fs]
[   41.932886]  ? _raw_spin_lock+0x13/0x30
[   41.932888]  f2fs_gc+0x1d3/0xd90 [f2fs]
[   41.932899]  ? _raw_spin_unlock+0x16/0x30
[   41.932901]  ? f2fs_balance_fs+0x13a/0x570 [f2fs]
[   41.932915]  f2fs_balance_fs+0x13a/0x570 [f2fs]
[   41.932927]  ? _raw_spin_lock+0x13/0x30
[   41.932929]  ? __d_instantiate+0x34/0xf0
[   41.932931]  f2fs_create+0x285/0x840 [f2fs]
[   41.932940]  path_openat+0xe6d/0x1040
[   41.932943]  do_filp_open+0xc5/0x140
[   41.932945]  ? __check_object_size+0xd4/0x1a0
[   41.932948]  ? _raw_spin_unlock+0x16/0x30
[   41.932949]  ? do_sys_openat2+0x23a/0x310
[   41.932950]  do_sys_openat2+0x23a/0x310
[   41.932952]  do_sys_open+0x57/0x80
[   41.932953]  do_syscall_64+0x37/0xb0
[   41.932955]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   41.932956] RIP: 0033:0x7f35303e4d5e
[   41.932957] Code: 25 00 00 41 00 3d 00 00 41 00 74 48 48 8d 05 91 0c 2e 00 8b 00 85 c0 75 69 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 0f 87 a6 00 00 00 48 8b 4c 24 28 64 48 33 0c 25
[   41.932958] RSP: 002b:00007ffe4b2cb810 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   41.932959] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f35303e4d5e
[   41.932960] RDX: 00000000000000c1 RSI: 0000561d23a37cc0 RDI: 00000000ffffff9c
[   41.932961] RBP: 00007ffe4b2cbcb0 R08: 00007ffe4b2cbe70 R09: 0000000000000000
[   41.932961] R10: 00000000000001a4 R11: 0000000000000246 R12: 00007ffe4b2cbe70
[   41.932962] R13: 0000000000000000 R14: 00007ffe4b2cbe00 R15: 00007ffe4b2cc7b4
[   41.932963]  </TASK>
[   41.932964] ---[ end trace 1bf4370a7a01de20 ]---
[   41.932965] F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
[   41.933060] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix.
[   41.934251] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   41.934338] #PF: supervisor instruction fetch in kernel mode
[   41.934409] #PF: error_code(0x0010) - not-present page
[   41.934484] PGD 0 P4D 0 
[   41.934561] Oops: 0010 [#1] PREEMPT SMP NOPTI
[   41.934646] CPU: 1 PID: 910 Comm: cp Tainted: G        W         5.16.0-rc3 #2
[   41.934741] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   41.934893] RIP: 0010:0x0
[   41.935041] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[   41.935174] RSP: 0018:ffffc90000687928 EFLAGS: 00010246
[   41.935314] RAX: 0000000000000000 RBX: ffffea000478be40 RCX: 0000000000000001
[   41.935456] RDX: 0017ffffc0000015 RSI: 0000000000000000 RDI: ffffea000478be40
[   41.935604] RBP: ffff888105f44680 R08: ffffc90000687808 R09: 0000000000000000
[   41.935818] R10: 000000003ee1af28 R11: 0000000000000001 R12: 00000000fffffffe
[   41.935993] R13: ffffea000478be68 R14: 0017ffffc0000015 R15: ffff888105f44680
[   41.936163] FS:  00007f3530f15800(0000) GS:ffff8882f5c80000(0000) knlGS:0000000000000000
[   41.936344] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   41.936540] CR2: ffffffffffffffd6 CR3: 000000010319c006 CR4: 0000000000370ee0
[   41.936738] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   41.936950] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   41.937254] Call Trace:
[   41.937470]  <TASK>
[   41.937683]  folio_mark_dirty+0x33/0x50
[   41.937935]  move_data_page+0x2dd/0x460 [f2fs]
[   41.938188]  do_garbage_collect+0xc18/0x16a0 [f2fs]
[   41.938412]  ? _raw_spin_lock+0x13/0x30
[   41.938628]  f2fs_gc+0x1d3/0xd90 [f2fs]
[   41.938856]  ? _raw_spin_unlock+0x16/0x30
[   41.939078]  ? f2fs_balance_fs+0x13a/0x570 [f2fs]
[   41.939321]  f2fs_balance_fs+0x13a/0x570 [f2fs]
[   41.939568]  ? _raw_spin_lock+0x13/0x30
[   41.939802]  ? __d_instantiate+0x34/0xf0
[   41.940040]  f2fs_create+0x285/0x840 [f2fs]
[   41.940290]  path_openat+0xe6d/0x1040
[   41.940536]  do_filp_open+0xc5/0x140
[   41.940782]  ? __check_object_size+0xd4/0x1a0
[   41.941034]  ? _raw_spin_unlock+0x16/0x30
[   41.941288]  ? do_sys_openat2+0x23a/0x310
[   41.941582]  do_sys_openat2+0x23a/0x310
[   41.941842]  do_sys_open+0x57/0x80
[   41.942290]  do_syscall_64+0x37/0xb0
[   41.942607]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   41.942881] RIP: 0033:0x7f35303e4d5e
[   41.943156] Code: 25 00 00 41 00 3d 00 00 41 00 74 48 48 8d 05 91 0c 2e 00 8b 00 85 c0 75 69 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 0f 87 a6 00 00 00 48 8b 4c 24 28 64 48 33 0c 25
[   41.943761] RSP: 002b:00007ffe4b2cb810 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   41.944078] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f35303e4d5e
[   41.944403] RDX: 00000000000000c1 RSI: 0000561d23a37cc0 RDI: 00000000ffffff9c
[   41.944762] RBP: 00007ffe4b2cbcb0 R08: 00007ffe4b2cbe70 R09: 0000000000000000
[   41.945195] R10: 00000000000001a4 R11: 0000000000000246 R12: 00007ffe4b2cbe70
[   41.945631] R13: 0000000000000000 R14: 00007ffe4b2cbe00 R15: 00007ffe4b2cc7b4
[   41.946058]  </TASK>
[   41.946479] Modules linked in: f2fs crc32_generic joydev input_leds serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic psmouse usbhid hid aesni_intel crypto_simd cryptd
[   41.948320] CR2: 0000000000000000
[   41.948750] ---[ end trace 1bf4370a7a01de21 ]---
[   41.949238] RIP: 0010:0x0
[   41.949648] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[   41.950064] RSP: 0018:ffffc90000687928 EFLAGS: 00010246
[   41.950408] RAX: 0000000000000000 RBX: ffffea000478be40 RCX: 0000000000000001
[   41.950754] RDX: 0017ffffc0000015 RSI: 0000000000000000 RDI: ffffea000478be40
[   41.951098] RBP: ffff888105f44680 R08: ffffc90000687808 R09: 0000000000000000
[   41.951439] R10: 000000003ee1af28 R11: 0000000000000001 R12: 00000000fffffffe
[   41.951778] R13: ffffea000478be68 R14: 0017ffffc0000015 R15: ffff888105f44680
[   41.952118] FS:  00007f3530f15800(0000) GS:ffff8882f5c80000(0000) knlGS:0000000000000000
[   41.952555] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   41.953157] CR2: ffffffffffffffd6 CR3: 000000010319c006 CR4: 0000000000370ee0
[   41.953687] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   41.954237] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
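A log-triage helper, added here as an example and not part of the bug report or of f2fs: it parses the kind of kernel log lines shown in the dump above into the per-device f2fs consistency warnings and the live call-trace frames, so that an oops following "run fsck to fix" messages can be attributed to the mounted image rather than to the user-space caller. SAMPLE_LOG is a constructed excerpt of the dump (timestamps dropped, wrapped lines re-joined) and the function names are my own.

```python
import re

# Constructed excerpt of the kernel log from the report above (timestamps
# dropped, wrapped lines re-joined); assembled by hand for this example.
SAMPLE_LOG = """\
F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
F2FS-fs (loop0): Inconsistent error blkaddr:5942, sit bitmap:0
WARNING: CPU: 0 PID: 910 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x1d6/0x390 [f2fs]
F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix.
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:0x0
Call Trace:
 folio_mark_dirty+0x33/0x50
 move_data_page+0x2dd/0x460 [f2fs]
 ? _raw_spin_lock+0x13/0x30
 f2fs_gc+0x1d3/0xd90 [f2fs]
 </TASK>
"""

F2FS_MSG = re.compile(r"^F2FS-fs \((?P<dev>\w+)\): (?P<msg>.*)$")
OOPS = re.compile(r"^(BUG: kernel NULL pointer dereference|WARNING: CPU: \d+ PID: \d+ at )")
FRAME = re.compile(r"^\s+(?P<stale>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?$")

def parse_kernel_log(text):
    """Split a dmesg excerpt into per-device f2fs consistency warnings, oops/WARNING
    lines and call-trace frames; '?'-prefixed frames are stale stack slots and are skipped."""
    warnings, oopses, frames = {}, [], []
    in_trace = False
    for line in text.splitlines():
        m = F2FS_MSG.match(line)
        if m:
            warnings.setdefault(m["dev"], []).append(m["msg"])
        elif OOPS.match(line):
            oopses.append(line)
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            f = FRAME.match(line)
            if f and not f["stale"]:
                frames.append((f["sym"], f["mod"]))  # mod is None for core-kernel symbols
            elif line.strip() == "</TASK>":
                in_trace = False
    return warnings, oopses, frames

def crash_follows_fsck_warning(warnings, oopses, frames):
    """Triage rule: a device f2fs already flagged with 'run fsck to fix', followed by
    an oops whose trace runs through the f2fs module, points at the mounted image."""
    flagged = {d for d, msgs in warnings.items() if any("run fsck" in m for m in msgs)}
    return bool(flagged) and bool(oopses) and any(mod == "f2fs" for _, mod in frames)
```

Running the rule over a full dmesg capture of the reproduction above yields True for loop0; the image, not cp, is the input to fix or quarantine.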

* [f2fs-dev] [Bug 215231] kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
From: bugzilla-daemon @ 2021-12-07  2:26 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215231

Chao Yu (chao@kernel.org) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |chao@kernel.org

--- Comment #1 from Chao Yu (chao@kernel.org) ---
Wenqing, thanks for catching this and the report.

I fixed this up with the patchset below; could you please test with it?

https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=6889d573d5dd09ad2569218cfd222abf4a91d1c2

https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=09716c3ffd052b1a45500a3588099e3abfd4c18c

https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=8e81cd35d20e64426bc2e517983ab7021a0298f2

Thanks,

* [f2fs-dev] [Bug 215231] kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
From: bugzilla-daemon @ 2021-12-07  4:49 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215231

--- Comment #2 from Wenqing Liu (wenqingliu0120@gmail.com) ---
Thank you for your prompt reply. The bug disappeared after patching the kernel
with the fixes.

* [f2fs-dev] [Bug 215231] kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
From: bugzilla-daemon @ 2021-12-12  4:05 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215231

Chao Yu (chao@kernel.org) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |CODE_FIX

--- Comment #3 from Chao Yu (chao@kernel.org) ---
Thanks for the verification. :)
