* [f2fs-dev] [Bug 204193] New: BUG: KASAN: null-ptr-deref in f2fs_write_end_io+0x215/0x650
From: bugzilla-daemon @ 2019-07-17 2:21 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=204193
Bug ID: 204193
Summary: BUG: KASAN: null-ptr-deref in f2fs_write_end_io+0x215/0x650
Product: File System
Version: 2.5
Kernel Version: 5.1.3
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: midwinter1993@gmail.com
Regression: No
A null pointer dereference bug is triggered in f2fs under kernel-5.1.3.
--- Core dump ---
[ 81.996211] BUG: KASAN: null-ptr-deref in f2fs_write_end_io+0x215/0x650
[ 81.997150] Read of size 8 at addr 0000000000000030 by task swapper/1/0
[ 81.998084]
[ 81.998312] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.1.3 #10
[ 81.999142] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 82.000470] Call Trace:
[ 82.000829] <IRQ>
[ 82.001133] dump_stack+0x8a/0xce
[ 82.001616] ? f2fs_write_end_io+0x215/0x650
[ 82.002234] ? f2fs_write_end_io+0x215/0x650
[ 82.002848] kasan_report.cold+0x5/0x32
[ 82.003403] ? f2fs_write_end_io+0x215/0x650
[ 82.004017] f2fs_write_end_io+0x215/0x650
[ 82.004606] ? __read_end_io+0x360/0x360
[ 82.005176] bio_endio+0x26e/0x320
[ 82.005671] blk_update_request+0x209/0x5d0
[ 82.006286] blk_mq_end_request+0x2e/0x230
[ 82.006881] lo_complete_rq+0x12c/0x190
[ 82.007437] blk_done_softirq+0x14a/0x1a0
[ 82.008015] ? blk_try_merge+0x120/0x120
[ 82.008584] ? pvclock_clocksource_read+0xd9/0x1a0
[ 82.009273] __do_softirq+0x119/0x3e5
[ 82.009801] ? blk_done_softirq+0x1a0/0x1a0
[ 82.010409] ? flush_smp_call_function_queue+0x10d/0x220
[ 82.011164] irq_exit+0x94/0xe0
[ 82.011621] call_function_single_interrupt+0xf/0x20
[ 82.012327] </IRQ>
[ 82.012639] RIP: 0010:default_idle+0x64/0x1f0
[ 82.013263] Code: c7 c7 a0 c8 99 85 e8 9b 9a 82 fe 48 c7 c7 a0 c8 99 85 e8
bf b6 82 fe 8b 05 e9 1e c5 01 85 c0 7e 07 0f 00 2d 7e 45 4d 00 fb f4 <65> 8b 2d
65 d7 2c 7c be 04 00 00 00 48 c7 c7 88 53 07 85 e8 64 9a
[ 82.015868] RSP: 0018:ffff88811ab9fdf0 EFLAGS: 00000246 ORIG_RAX:
ffffffffffffff04
[ 82.016933] RAX: 0000000000000000 RBX: ffff88811ab88cc0 RCX:
ffffffff83d4a9b1
[ 82.017932] RDX: 0000000000000003 RSI: dffffc0000000000 RDI:
ffffffff8599c8a0
[ 82.018940] RBP: 0000000000000001 R08: ffff88811ab88cc0 R09:
fffffbfff0b33915
[ 82.019936] R10: fffffbfff0b33914 R11: 0000000000000003 R12:
ffff88811ab88cc0
[ 82.020936] R13: 0000000000000000 R14: 0000000000000000 R15:
ffff88811ab88cc0
[ 82.021941] ? default_idle+0x51/0x1f0
[ 82.022489] do_idle+0x25a/0x2b0
[ 82.022958] ? arch_cpu_idle_exit+0x30/0x30
[ 82.023557] ? schedule_idle+0x34/0x50
[ 82.024095] cpu_startup_entry+0x14/0x20
[ 82.024657] start_secondary+0x206/0x250
[ 82.025219] ? set_cpu_sibling_map+0x970/0x970
[ 82.025855] secondary_startup_64+0xa4/0xb0
[ 82.026455]
==================================================================
[ 82.027466] Disabling lock debugging due to kernel taint
[ 82.028266] BUG: unable to handle kernel NULL pointer dereference at
0000000000000030
[ 82.029367] #PF error: [normal kernel read fault]
[ 82.030038] PGD 0 P4D 0
[ 82.030412] Oops: 0000 [#1] SMP KASAN PTI
[ 82.030985] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.1.3
#10
[ 82.032008] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 82.033335] RIP: 0010:f2fs_write_end_io+0x21e/0x650
[ 82.034035] Code: 00 e8 a6 83 74 ff 48 8d 7d 78 e8 5d bf 8a ff 48 8b 45 78
48 8d 78 30 48 89 44 24 08 e8 4b bf 8a ff 48 8b 44 24 08 48 8b 0c 24 <48> 39 48
30 0f 84 35 03 00 00 e8 73 83 74 ff 4e 8d a4 a5 28 04 00
[ 82.036593] RSP: 0018:ffff88811b507d70 EFLAGS: 00010286
[ 82.037337] RAX: 0000000000000000 RBX: ffffea0004276c00 RCX:
ffff8881098bc160
[ 82.038349] RDX: 1ffffffff0b41557 RSI: 0000000000000246 RDI:
ffffffff85a0aab8
[ 82.039345] RBP: ffff88810a4a9100 R08: 000000000000002c R09:
ffffed10236a3c9b
[ 82.040349] R10: ffffed10236a3c9a R11: ffff88811b51e4d7 R12:
0000000000000007
[ 82.041350] R13: ffff888116b1ac00 R14: 0000000000000000 R15:
0000000000000001
[ 82.042357] FS: 0000000000000000(0000) GS:ffff88811b500000(0000)
knlGS:0000000000000000
[ 82.043488] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 82.044305] CR2: 0000000000000030 CR3: 000000010c12c000 CR4:
00000000000006e0
[ 82.045307] Call Trace:
[ 82.045665] <IRQ>
[ 82.045957] ? __read_end_io+0x360/0x360
[ 82.046523] bio_endio+0x26e/0x320
[ 82.047002] blk_update_request+0x209/0x5d0
[ 82.047607] blk_mq_end_request+0x2e/0x230
[ 82.048176] lo_complete_rq+0x12c/0x190
[ 82.048713] blk_done_softirq+0x14a/0x1a0
[ 82.049324] ? blk_try_merge+0x120/0x120
[ 82.049889] ? pvclock_clocksource_read+0xd9/0x1a0
[ 82.050573] __do_softirq+0x119/0x3e5
[ 82.051096] ? blk_done_softirq+0x1a0/0x1a0
[ 82.051691] ? flush_smp_call_function_queue+0x10d/0x220
[ 82.052439] irq_exit+0x94/0xe0
[ 82.052892] call_function_single_interrupt+0xf/0x20
[ 82.053586] </IRQ>
[ 82.053893] RIP: 0010:default_idle+0x64/0x1f0
[ 82.054523] Code: c7 c7 a0 c8 99 85 e8 9b 9a 82 fe 48 c7 c7 a0 c8 99 85 e8
bf b6 82 fe 8b 05 e9 1e c5 01 85 c0 7e 07 0f 00 2d 7e 45 4d 00 fb f4 <65> 8b 2d
65 d7 2c 7c be 04 00 00 00 48 c7 c7 88 53 07 85 e8 64 9a
[ 82.057132] RSP: 0018:ffff88811ab9fdf0 EFLAGS: 00000246 ORIG_RAX:
ffffffffffffff04
[ 82.058203] RAX: 0000000000000000 RBX: ffff88811ab88cc0 RCX:
ffffffff83d4a9b1
[ 82.059209] RDX: 0000000000000003 RSI: dffffc0000000000 RDI:
ffffffff8599c8a0
[ 82.060234] RBP: 0000000000000001 R08: ffff88811ab88cc0 R09:
fffffbfff0b33915
[ 82.061239] R10: fffffbfff0b33914 R11: 0000000000000003 R12:
ffff88811ab88cc0
[ 82.062252] R13: 0000000000000000 R14: 0000000000000000 R15:
ffff88811ab88cc0
[ 82.063263] ? default_idle+0x51/0x1f0
[ 82.063808] do_idle+0x25a/0x2b0
[ 82.064280] ? arch_cpu_idle_exit+0x30/0x30
[ 82.064883] ? schedule_idle+0x34/0x50
[ 82.065424] cpu_startup_entry+0x14/0x20
[ 82.065990] start_secondary+0x206/0x250
[ 82.066562] ? set_cpu_sibling_map+0x970/0x970
[ 82.067202] secondary_startup_64+0xa4/0xb0
[ 82.067804] Modules linked in:
[ 82.068252] Dumping ftrace buffer:
[ 82.068752] (ftrace buffer empty)
[ 82.069270] CR2: 0000000000000030
[ 82.069754] ---[ end trace 6f7cea09b723ae50 ]---
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
* [f2fs-dev] [Bug 204193] BUG: KASAN: null-ptr-deref in f2fs_write_end_io+0x215/0x650
From: bugzilla-daemon @ 2019-07-17 2:36 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=204193
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |chao@kernel.org
--- Comment #1 from Chao Yu (chao@kernel.org) ---
How do you reproduce this, by remounting to change the io_bits option?
* [f2fs-dev] [Bug 204193] BUG: KASAN: null-ptr-deref in f2fs_write_end_io+0x215/0x650
From: bugzilla-daemon @ 2019-07-18 1:49 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=204193
--- Comment #2 from midwinter1993@gmail.com ---
(In reply to Chao Yu from comment #1)
> How to reproduce this, remount to change io_bits option?
It's not triggered by remount, the following script manifests it (note that
this bug does not occur deterministically, you may execute it repeatedly):
```
#!/bin/bash
DISK=bingo.img
MOUNT_DIR=/root/mnt

dd if=/dev/zero of=$DISK bs=1M count=180
mkfs.f2fs -a 1 -o 9 -t 0 -z 10 -f -q $DISK
mkdir -pv $MOUNT_DIR

# A rather long option string; I have not reduced it yet.
mount $DISK $MOUNT_DIR -o "background_gc=on,disable_roll_forward,no_heap,nouser_xattr,active_logs=2,disable_ext_identify,inline_dentry,noinline_dentry,flush_merge,nobarrier,noextent_cache,noinline_data,checkpoint=disable,usrquota,grpquota,quota,noquota,alloc_mode=reuse,fsync_mode=posix"

mkdir -pv $MOUNT_DIR/a

# Build a 512-level-deep directory chain under a/, one random character per level.
new_dir="$MOUNT_DIR/a"
for (( i = 0; i < 512; i++ )); do
    name=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 1)
    new_dir="$new_dir/$name"
    mkdir $new_dir
done

mv "$MOUNT_DIR/a" "$MOUNT_DIR/b1"
mkdir -pv "$MOUNT_DIR/b1/b2/b3/b4/b5"
sync

# Create 4096 directories with random 10-character names in the deepest directory.
for (( i = 0; i < 4096; i++ )); do
    name=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 10)
    mkdir $MOUNT_DIR/b1/b2/b3/b4/b5/$name
done

umount $MOUNT_DIR
```
Sorry that I didn't provide the script before because it's tedious for me to
reduce it. :(
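The reporter notes that the crash is non-deterministic and the script has to be run repeatedly. The following POSIX shell helper is an added example, not part of the bug report or of the f2fs project: `kasan_summary` extracts the KASAN bug type, the faulting function and the access description from kernel log text, which is what a fuzzing or regression harness needs to triage a hit automatically; `run_until_kasan` is a hypothetical driver that reruns a reproducer such as the script above until the kernel log gains a new KASAN report (it assumes a KASAN-enabled kernel and root access to `dmesg`). The sample log lines are a constructed excerpt copied from the report above.

```shell
#!/bin/sh
# Added example: triage KASAN reports from kernel log text.

# Constructed sample: four lines copied from the report in this thread.
SAMPLE_LOG='[   81.996211] BUG: KASAN: null-ptr-deref in f2fs_write_end_io+0x215/0x650
[   81.997150] Read of size 8 at addr 0000000000000030 by task swapper/1/0
[   82.028266] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[   82.069754] ---[ end trace 6f7cea09b723ae50 ]---'

# kasan_summary: read kernel log text on stdin, print one "type|function|access"
# line per KASAN BUG header. The function name is taken without its +offset/size
# suffix so that hits at different offsets in the same function dedupe together.
kasan_summary() {
  awk '
    /BUG: KASAN:/ {
      sub(/.*BUG: KASAN: /, "")          # "null-ptr-deref in f2fs_write_end_io+0x215/0x650"
      split($0, parts, " in ")
      type = parts[1]
      fn = parts[2]
      sub(/\+.*/, "", fn)                # drop "+0x215/0x650"
      pending = type "|" fn
      next
    }
    pending != "" && /(Read|Write) of size [0-9]+ at addr/ {
      match($0, /(Read|Write) of size [0-9]+ at addr [0-9a-f]+/)
      print pending "|" substr($0, RSTART, RLENGTH)
      pending = ""
    }
  '
}

# run_until_kasan CMD [MAX]: hypothetical driver for a non-deterministic reproducer.
# Runs CMD up to MAX times (default 20) and stops as soon as dmesg contains a
# new KASAN report, printing its summary. Needs a KASAN kernel and root.
run_until_kasan() {
  cmd=$1
  max=${2:-20}
  n=0
  while [ "$n" -lt "$max" ]; do
    n=$((n + 1))
    before=$(dmesg | grep -c 'BUG: KASAN:' || true)
    sh -c "$cmd" >/dev/null 2>&1 || true
    after=$(dmesg | grep -c 'BUG: KASAN:' || true)
    if [ "$after" -gt "$before" ]; then
      echo "KASAN report after attempt $n:"
      dmesg | kasan_summary
      return 0
    fi
  done
  return 1
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | kasan_summary
```

Run against the sample, `kasan_summary` prints `null-ptr-deref|f2fs_write_end_io|Read of size 8 at addr 0000000000000030`; the plain "unable to handle kernel NULL pointer dereference" oops that follows the KASAN report is deliberately ignored, since it is the same fault reported a second time without sanitizer context.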
* [f2fs-dev] [Bug 204193] BUG: KASAN: null-ptr-deref in f2fs_write_end_io+0x215/0x650
From: bugzilla-daemon @ 2019-07-18 8:41 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=204193
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #3 from Chao Yu (chao@kernel.org) ---
Thanks, I can reproduce it now.
I've made a patch for this issue, could you verify it?
https://lore.kernel.org/linux-f2fs-devel/20190718083959.32321-1-yuchao0@huawei.com/T/#u
* [f2fs-dev] [Bug 204193] BUG: KASAN: null-ptr-deref in f2fs_write_end_io+0x215/0x650
From: bugzilla-daemon @ 2019-07-22 3:28 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=204193
--- Comment #4 from midwinter1993@gmail.com ---
(In reply to Chao Yu from comment #3)
> Thanks, I can reproduce it now.
>
> I've made a patch for this issue, could you verify it?
>
> https://lore.kernel.org/linux-f2fs-devel/20190718083959.32321-1-
> yuchao0@huawei.com/T/#u
Hi! I used the script to test the patched code several times; this bug does not
manifest again. :-P
* [f2fs-dev] [Bug 204193] BUG: KASAN: null-ptr-deref in f2fs_write_end_io+0x215/0x650
From: bugzilla-daemon @ 2019-07-22 3:42 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=204193
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |CODE_FIX
--- Comment #5 from Chao Yu (chao@kernel.org) ---
Cool, I tested it with your script for a long time, and it looks like the bug was
fixed.
Anyway, thanks very much, let me close this track. :)