* [f2fs-dev] [Bug 215231] New: kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
From: bugzilla-daemon @ 2021-12-06 4:12 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=215231
Bug ID: 215231
Summary: kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
Product: File System
Version: 2.5
Kernel Version: 5.16-rc3, 5.15.X
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: wenqingliu0120@gmail.com
Regression: No
Created attachment 299909
--> https://bugzilla.kernel.org/attachment.cgi?id=299909&action=edit
crafted image and .config file
- Overview
Kernel NULL pointer dereference triggered in folio_mark_dirty() when mounting and operating on a crafted f2fs image.
- Reproduce
Tested on kernel 5.16-rc3 and 5.15.X as root:
# mkdir mnt
# mount -t f2fs tmp1.img mnt
# touch tmp
# cp tmp mnt
- Kernel dump
[ 41.932734] F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info
[5942, 4294180864, 4] is incorrect, run fsck to fix
[ 41.932743] F2FS-fs (loop0): Inconsistent error blkaddr:5942, sit bitmap:0
[ 41.932811] ------------[ cut here ]------------
[ 41.932811] WARNING: CPU: 0 PID: 910 at fs/f2fs/checkpoint.c:154
f2fs_is_valid_blkaddr+0x1d6/0x390 [f2fs]
[ 41.932824] Modules linked in: f2fs crc32_generic joydev input_leds
serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov
async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath
linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt
fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic
psmouse usbhid hid aesni_intel crypto_simd cryptd
[ 41.932840] CPU: 0 PID: 910 Comm: cp Tainted: G W 5.16.0-rc3
#2
[ 41.932842] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[ 41.932842] RIP: 0010:f2fs_is_valid_blkaddr+0x1d6/0x390 [f2fs]
[ 41.932853] Code: fe ff ff 83 fb 07 0f 85 bb fe ff ff 0f b6 c8 89 ea 48 c7
c6 c8 1b 70 a0 4c 89 e7 88 04 24 e8 31 52 ff ff f0 41 80 4c 24 48 04 <0f> 0b 0f
b6 04 24 e9 92 fe ff ff 83 fa 09 0f 85 15 01 00 00 48 8b
[ 41.932854] RSP: 0018:ffffc90000687968 EFLAGS: 00010206
[ 41.932855] RAX: 0000000000000000 RBX: 0000000000000007 RCX:
0000000000000001
[ 41.932855] RDX: 0000000000000000 RSI: ffffffff8232a839 RDI:
00000000ffffffff
[ 41.932856] RBP: 0000000000001736 R08: 0000000000000000 R09:
0000000000000001
[ 41.932857] R10: 00000009cb0c1476 R11: 0000000000000001 R12:
ffff888110275000
[ 41.932857] R13: 0000000000004000 R14: ffff888105f460f0 R15:
ffff888110f4a000
[ 41.932858] FS: 00007f3530f15800(0000) GS:ffff8882f5c00000(0000)
knlGS:0000000000000000
[ 41.932859] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.932860] CR2: 0000562fdc7b15c8 CR3: 000000010319c002 CR4:
0000000000370ef0
[ 41.932862] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 41.932863] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 41.932863] Call Trace:
[ 41.932864] <TASK>
[ 41.932865] f2fs_iget+0xeee/0x11b0 [f2fs]
[ 41.932874] do_garbage_collect+0xf0f/0x16a0 [f2fs]
[ 41.932886] ? _raw_spin_lock+0x13/0x30
[ 41.932888] f2fs_gc+0x1d3/0xd90 [f2fs]
[ 41.932899] ? _raw_spin_unlock+0x16/0x30
[ 41.932901] ? f2fs_balance_fs+0x13a/0x570 [f2fs]
[ 41.932915] f2fs_balance_fs+0x13a/0x570 [f2fs]
[ 41.932927] ? _raw_spin_lock+0x13/0x30
[ 41.932929] ? __d_instantiate+0x34/0xf0
[ 41.932931] f2fs_create+0x285/0x840 [f2fs]
[ 41.932940] path_openat+0xe6d/0x1040
[ 41.932943] do_filp_open+0xc5/0x140
[ 41.932945] ? __check_object_size+0xd4/0x1a0
[ 41.932948] ? _raw_spin_unlock+0x16/0x30
[ 41.932949] ? do_sys_openat2+0x23a/0x310
[ 41.932950] do_sys_openat2+0x23a/0x310
[ 41.932952] do_sys_open+0x57/0x80
[ 41.932953] do_syscall_64+0x37/0xb0
[ 41.932955] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 41.932956] RIP: 0033:0x7f35303e4d5e
[ 41.932957] Code: 25 00 00 41 00 3d 00 00 41 00 74 48 48 8d 05 91 0c 2e 00
8b 00 85 c0 75 69 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00
f0 ff ff 0f 87 a6 00 00 00 48 8b 4c 24 28 64 48 33 0c 25
[ 41.932958] RSP: 002b:00007ffe4b2cb810 EFLAGS: 00000246 ORIG_RAX:
0000000000000101
[ 41.932959] RAX: ffffffffffffffda RBX: 0000000000000001 RCX:
00007f35303e4d5e
[ 41.932960] RDX: 00000000000000c1 RSI: 0000561d23a37cc0 RDI:
00000000ffffff9c
[ 41.932961] RBP: 00007ffe4b2cbcb0 R08: 00007ffe4b2cbe70 R09:
0000000000000000
[ 41.932961] R10: 00000000000001a4 R11: 0000000000000246 R12:
00007ffe4b2cbe70
[ 41.932962] R13: 0000000000000000 R14: 00007ffe4b2cbe00 R15:
00007ffe4b2cc7b4
[ 41.932963] </TASK>
[ 41.932964] ---[ end trace 1bf4370a7a01de20 ]---
[ 41.932965] F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info
[5942, 4294180864, 4] is incorrect, run fsck to fix
[ 41.933060] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range
nid=31340049, run fsck to fix.
[ 41.934251] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 41.934338] #PF: supervisor instruction fetch in kernel mode
[ 41.934409] #PF: error_code(0x0010) - not-present page
[ 41.934484] PGD 0 P4D 0
[ 41.934561] Oops: 0010 [#1] PREEMPT SMP NOPTI
[ 41.934646] CPU: 1 PID: 910 Comm: cp Tainted: G W 5.16.0-rc3
#2
[ 41.934741] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[ 41.934893] RIP: 0010:0x0
[ 41.935041] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[ 41.935174] RSP: 0018:ffffc90000687928 EFLAGS: 00010246
[ 41.935314] RAX: 0000000000000000 RBX: ffffea000478be40 RCX:
0000000000000001
[ 41.935456] RDX: 0017ffffc0000015 RSI: 0000000000000000 RDI:
ffffea000478be40
[ 41.935604] RBP: ffff888105f44680 R08: ffffc90000687808 R09:
0000000000000000
[ 41.935818] R10: 000000003ee1af28 R11: 0000000000000001 R12:
00000000fffffffe
[ 41.935993] R13: ffffea000478be68 R14: 0017ffffc0000015 R15:
ffff888105f44680
[ 41.936163] FS: 00007f3530f15800(0000) GS:ffff8882f5c80000(0000)
knlGS:0000000000000000
[ 41.936344] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.936540] CR2: ffffffffffffffd6 CR3: 000000010319c006 CR4:
0000000000370ee0
[ 41.936738] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 41.936950] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 41.937254] Call Trace:
[ 41.937470] <TASK>
[ 41.937683] folio_mark_dirty+0x33/0x50
[ 41.937935] move_data_page+0x2dd/0x460 [f2fs]
[ 41.938188] do_garbage_collect+0xc18/0x16a0 [f2fs]
[ 41.938412] ? _raw_spin_lock+0x13/0x30
[ 41.938628] f2fs_gc+0x1d3/0xd90 [f2fs]
[ 41.938856] ? _raw_spin_unlock+0x16/0x30
[ 41.939078] ? f2fs_balance_fs+0x13a/0x570 [f2fs]
[ 41.939321] f2fs_balance_fs+0x13a/0x570 [f2fs]
[ 41.939568] ? _raw_spin_lock+0x13/0x30
[ 41.939802] ? __d_instantiate+0x34/0xf0
[ 41.940040] f2fs_create+0x285/0x840 [f2fs]
[ 41.940290] path_openat+0xe6d/0x1040
[ 41.940536] do_filp_open+0xc5/0x140
[ 41.940782] ? __check_object_size+0xd4/0x1a0
[ 41.941034] ? _raw_spin_unlock+0x16/0x30
[ 41.941288] ? do_sys_openat2+0x23a/0x310
[ 41.941582] do_sys_openat2+0x23a/0x310
[ 41.941842] do_sys_open+0x57/0x80
[ 41.942290] do_syscall_64+0x37/0xb0
[ 41.942607] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 41.942881] RIP: 0033:0x7f35303e4d5e
[ 41.943156] Code: 25 00 00 41 00 3d 00 00 41 00 74 48 48 8d 05 91 0c 2e 00
8b 00 85 c0 75 69 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00
f0 ff ff 0f 87 a6 00 00 00 48 8b 4c 24 28 64 48 33 0c 25
[ 41.943761] RSP: 002b:00007ffe4b2cb810 EFLAGS: 00000246 ORIG_RAX:
0000000000000101
[ 41.944078] RAX: ffffffffffffffda RBX: 0000000000000001 RCX:
00007f35303e4d5e
[ 41.944403] RDX: 00000000000000c1 RSI: 0000561d23a37cc0 RDI:
00000000ffffff9c
[ 41.944762] RBP: 00007ffe4b2cbcb0 R08: 00007ffe4b2cbe70 R09:
0000000000000000
[ 41.945195] R10: 00000000000001a4 R11: 0000000000000246 R12:
00007ffe4b2cbe70
[ 41.945631] R13: 0000000000000000 R14: 00007ffe4b2cbe00 R15:
00007ffe4b2cc7b4
[ 41.946058] </TASK>
[ 41.946479] Modules linked in: f2fs crc32_generic joydev input_leds
serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov
async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath
linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt
fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic
psmouse usbhid hid aesni_intel crypto_simd cryptd
[ 41.948320] CR2: 0000000000000000
[ 41.948750] ---[ end trace 1bf4370a7a01de21 ]---
[ 41.949238] RIP: 0010:0x0
[ 41.949648] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[ 41.950064] RSP: 0018:ffffc90000687928 EFLAGS: 00010246
[ 41.950408] RAX: 0000000000000000 RBX: ffffea000478be40 RCX:
0000000000000001
[ 41.950754] RDX: 0017ffffc0000015 RSI: 0000000000000000 RDI:
ffffea000478be40
[ 41.951098] RBP: ffff888105f44680 R08: ffffc90000687808 R09:
0000000000000000
[ 41.951439] R10: 000000003ee1af28 R11: 0000000000000001 R12:
00000000fffffffe
[ 41.951778] R13: ffffea000478be68 R14: 0017ffffc0000015 R15:
ffff888105f44680
[ 41.952118] FS: 00007f3530f15800(0000) GS:ffff8882f5c80000(0000)
knlGS:0000000000000000
[ 41.952555] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.953157] CR2: ffffffffffffffd6 CR3: 000000010319c006 CR4:
0000000000370ee0
[ 41.953687] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 41.954237] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
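As an added example (not part of the report or of the f2fs code), a small Python triage routine for dmesg output like the dump above: it collects the f2fs "run fsck to fix" hints, the WARNING location, the first kernel BUG and the reliable (non-"?") frames of its call trace, and flags a crash that was preceded by filesystem corruption hints, which is the pattern a crafted image produces. The sample lines are copied from the report with the email line-wrapping rejoined; the function names and the report layout are my own.

```python
import re

# Sample dmesg lines taken from the report above (wrapped lines rejoined).
SAMPLE_DMESG = """\
[   41.932734] F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
[   41.932743] F2FS-fs (loop0): Inconsistent error blkaddr:5942, sit bitmap:0
[   41.932811] WARNING: CPU: 0 PID: 910 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x1d6/0x390 [f2fs]
[   41.933060] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix.
[   41.934251] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   41.937254] Call Trace:
[   41.937470]  <TASK>
[   41.937683]  folio_mark_dirty+0x33/0x50
[   41.937935]  move_data_page+0x2dd/0x460 [f2fs]
[   41.938188]  do_garbage_collect+0xc18/0x16a0 [f2fs]
[   41.938412]  ? _raw_spin_lock+0x13/0x30
[   41.938628]  f2fs_gc+0x1d3/0xd90 [f2fs]
"""

TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s?(?P<msg>.*)$")
F2FS_RE = re.compile(r"F2FS-fs \((?P<dev>[^)]+)\): (?:(?P<func>\w+): )?(?P<text>.*)")
BUG_RE = re.compile(r"^BUG: (?P<what>.*)$")
WARN_RE = re.compile(r"^WARNING: CPU: \d+ PID: \d+ at (?P<loc>\S+) (?P<sym>\S+)")
FRAME_RE = re.compile(r"^\s*(?P<q>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def triage_dmesg(text):
    """Summarise f2fs fsck hints, WARNINGs, the first BUG and its reliable call-trace frames."""
    report = {"fsck_hints": [], "warnings": [], "bug": None, "trace": []}
    in_trace = False
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"]
        if (f := F2FS_RE.match(msg)) and "run fsck" in f["text"]:
            report["fsck_hints"].append((ts, f["dev"], f["func"], f["text"]))
        elif w := WARN_RE.match(msg):
            report["warnings"].append((ts, w["loc"], w["sym"]))
        elif b := BUG_RE.match(msg):
            report["bug"] = report["bug"] or (ts, b["what"])   # keep the first oops only
        elif msg.strip() == "Call Trace:":
            in_trace = report["bug"] is not None and not report["trace"]
        elif in_trace and (fr := FRAME_RE.match(msg)):
            if not fr["q"]:          # "? " frames are unreliable stack guesses; drop them
                report["trace"].append(fr["sym"])
    return report

def crash_preceded_by_corruption(report):
    """True when a kernel BUG follows at least one f2fs 'run fsck to fix' hint."""
    return report["bug"] is not None and any(ts < report["bug"][0] for ts, *_ in report["fsck_hints"])
```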
* [f2fs-dev] [Bug 215231] kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
From: bugzilla-daemon @ 2021-12-07 2:26 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=215231
Chao Yu (chao@kernel.org) changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |chao@kernel.org
--- Comment #1 from Chao Yu (chao@kernel.org) ---
Wenqing, thanks for catching this and the report.
I fixed this up with the patchset below, could you please test with them?
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=6889d573d5dd09ad2569218cfd222abf4a91d1c2
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=09716c3ffd052b1a45500a3588099e3abfd4c18c
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=8e81cd35d20e64426bc2e517983ab7021a0298f2
Thanks,
* [f2fs-dev] [Bug 215231] kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
From: bugzilla-daemon @ 2021-12-07 4:49 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=215231
--- Comment #2 from Wenqing Liu (wenqingliu0120@gmail.com) ---
Thank you for your prompt reply. The bug disappeared after patching the kernel
with the fixes.
* [f2fs-dev] [Bug 215231] kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
From: bugzilla-daemon @ 2021-12-12 4:05 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=215231
Chao Yu (chao@kernel.org) changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |CODE_FIX
--- Comment #3 from Chao Yu (chao@kernel.org) ---
Thanks for the verification. :)