linux-f2fs-devel.lists.sourceforge.net archive mirror
* [f2fs-dev] [Bug 215235] New: page fault in f2fs_setxattr() when mount and operate on corrupted image
@ 2021-12-06  5:34 bugzilla-daemon
  2021-12-11 15:43 ` [f2fs-dev] [Bug 215235] " bugzilla-daemon
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: bugzilla-daemon @ 2021-12-06  5:34 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215235

            Bug ID: 215235
           Summary: page fault in f2fs_setxattr() when mount and operate
                    on corrupted image
           Product: File System
           Version: 2.5
    Kernel Version: 5.16-rc3, 5.15.X
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: f2fs
          Assignee: filesystem_f2fs@kernel-bugs.kernel.org
          Reporter: wenqingliu0120@gmail.com
        Regression: No

Created attachment 299911
  --> https://bugzilla.kernel.org/attachment.cgi?id=299911&action=edit
poc and .config file

- Overview 
 page fault in f2fs_setxattr() when mount and operate on corrupted image 

- Reproduce 
tested on kernel 5.16-rc3, 5.15.X under root

# unzip tmp7.zip 
#./single.sh f2fs 7

Sometimes need to run the script several times

- Kernel dump
[   46.683775] loop0: detected capacity change from 0 to 131072
[   46.699526] F2FS-fs (loop0): Found nat_bits in checkpoint
[   46.712845] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee
[   46.773227] BUG: unable to handle page fault for address: ffffe47bc7123f48
[   46.773247] #PF: supervisor read access in kernel mode
[   46.773257] #PF: error_code(0x0000) - not-present page
[   46.773266] PGD 0 P4D 0 
[   46.773272] Oops: 0000 [#1] PREEMPT SMP NOPTI
[   46.773281] CPU: 0 PID: 1184 Comm: tmp7 Not tainted 5.16.0-rc3 #1
[   46.773293] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[   46.773308] RIP: 0010:kfree+0x66/0x320
[   46.773318] Code: 80 4c 01 ed 0f 82 a0 02 00 00 48 c7 c0 00 00 00 80 48 2b
05 3c 6f 10 01 48 01 c5 48 c1 ed 0c 48 c1 e5 06 48 03 2d 1a 6f 10 01 <48> 8b 45
08 48 8d 50 ff a8 01 48 0f 45 ea 48 8b 55 08 48 8d 42 ff
[   46.773348] RSP: 0018:ffffac4b008bfb28 EFLAGS: 00010282
[   46.773358] RAX: 0000726bc0000000 RBX: 0000000000000000 RCX:
0000000000000001
[   46.773370] RDX: 0000000080000001 RSI: ffffffffc07f5b9a RDI:
ffffe325848fd480
[   46.773383] RBP: ffffe47bc7123f40 R08: ffff8d94c63e6f10 R09:
ffffe325848fd480
[   46.773395] R10: 0000000000000018 R11: ffff8d94c63e71f8 R12:
ffffe32584098680
[   46.773407] R13: ffffe325848fd480 R14: ffff8d94d2203000 R15:
ffff8d94c261af0c
[   46.773419] FS:  00007f97e4524500(0000) GS:ffff8d96b5c00000(0000)
knlGS:0000000000000000
[   46.773433] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   46.773443] CR2: ffffe47bc7123f48 CR3: 00000001035ec003 CR4:
0000000000370ef0
[   46.773459] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[   46.773471] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[   46.773483] Call Trace:
[   46.773490]  <TASK>
[   46.773494]  ? __mark_inode_dirty+0x15c/0x360
[   46.773506]  __f2fs_setxattr+0x2aa/0xc00 [f2fs]
[   46.773553]  f2fs_setxattr+0xfa/0x480 [f2fs]
[   46.773573]  ? selinux_inode_permission+0xd5/0x190
[   46.773584]  __f2fs_set_acl+0x19b/0x330 [f2fs]
[   46.773603]  ? make_kuid+0xf/0x20
[   46.773610]  __vfs_removexattr+0x52/0x70
[   46.773619]  __vfs_removexattr_locked+0xb1/0x140
[   46.773629]  vfs_removexattr+0x56/0x100
[   46.773637]  removexattr+0x57/0x80
[   46.773644]  ? __check_object_size+0xd1/0x1a0
[   46.773654]  ? user_path_at_empty+0x40/0x50
[   46.773663]  ? kmem_cache_free+0xcb/0x310
[   46.773671]  ? preempt_count_add+0x49/0xa0
[   46.773680]  ? __mnt_want_write+0x5e/0x90
[   46.773689]  path_removexattr+0xa3/0xc0
[   46.773697]  __x64_sys_removexattr+0x17/0x20
[   46.774002]  do_syscall_64+0x37/0xb0
[   46.774303]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   46.774607] RIP: 0033:0x7f97e402e639
[   46.774902] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 1f f8 2c 00 f7 d8 64 89 01 48
[   46.775573] RSP: 002b:00007ffc1de8b648 EFLAGS: 00000217 ORIG_RAX:
00000000000000c5
[   46.775897] RAX: ffffffffffffffda RBX: 9e1da79895bd8a4a RCX:
00007f97e402e639
[   46.776230] RDX: 00007f97e402e639 RSI: 00007ffc1de8b860 RDI:
00007ffc1de8b679
[   46.776563] RBP: 00007ffc1dede2f0 R08: 00007ffc1dede3d8 R09:
00007ffc1dede3d8
[   46.776888] R10: 00007ffc1dede3d8 R11: 0000000000000217 R12:
6c73732e72657375
[   46.777214] R13: 007373656363615f R14: 702e6d6574737973 R15:
6c63615f7869736f
[   46.777543]  </TASK>
[   46.777866] Modules linked in: f2fs crc32_generic joydev input_leds
serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov
async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath
linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt
fb_sys_fops drm hid_generic crct10dif_pclmul crc32_pclmul ghash_clmulni_intel
aesni_intel usbhid crypto_simd hid psmouse cryptd
[   46.779358] CR2: ffffe47bc7123f48
[   46.779707] ---[ end trace 52653140d82b5d23 ]---
[   46.780053] RIP: 0010:kfree+0x66/0x320
[   46.780396] Code: 80 4c 01 ed 0f 82 a0 02 00 00 48 c7 c0 00 00 00 80 48 2b
05 3c 6f 10 01 48 01 c5 48 c1 ed 0c 48 c1 e5 06 48 03 2d 1a 6f 10 01 <48> 8b 45
08 48 8d 50 ff a8 01 48 0f 45 ea 48 8b 55 08 48 8d 42 ff
[   46.781119] RSP: 0018:ffffac4b008bfb28 EFLAGS: 00010282
[   46.781484] RAX: 0000726bc0000000 RBX: 0000000000000000 RCX:
0000000000000001
[   46.781853] RDX: 0000000080000001 RSI: ffffffffc07f5b9a RDI:
ffffe325848fd480
[   46.782218] RBP: ffffe47bc7123f40 R08: ffff8d94c63e6f10 R09:
ffffe325848fd480
[   46.782580] R10: 0000000000000018 R11: ffff8d94c63e71f8 R12:
ffffe32584098680
[   46.782938] R13: ffffe325848fd480 R14: ffff8d94d2203000 R15:
ffff8d94c261af0c
[   46.783342] FS:  00007f97e4524500(0000) GS:ffff8d96b5c00000(0000)
knlGS:0000000000000000
[   46.783712] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   46.784078] CR2: ffffe47bc7123f48 CR3: 00000001035ec003 CR4:
0000000000370ef0
[   46.784454] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[   46.784830] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel


* [f2fs-dev] [Bug 215235] page fault in f2fs_setxattr() when mount and operate on corrupted image
  2021-12-06  5:34 [f2fs-dev] [Bug 215235] New: page fault in f2fs_setxattr() when mount and operate on corrupted image bugzilla-daemon
@ 2021-12-11 15:43 ` bugzilla-daemon
  2021-12-11 16:53 ` bugzilla-daemon
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: bugzilla-daemon @ 2021-12-11 15:43 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215235

Chao Yu (chao@kernel.org) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |chao@kernel.org

--- Comment #1 from Chao Yu (chao@kernel.org) ---
Thanks for the report!

I've submitted a fixing patch, could you please have a try?

https://lore.kernel.org/linux-f2fs-devel/20211211154059.7173-1-chao@kernel.org/T/#u


* [f2fs-dev] [Bug 215235] page fault in f2fs_setxattr() when mount and operate on corrupted image
  2021-12-06  5:34 [f2fs-dev] [Bug 215235] New: page fault in f2fs_setxattr() when mount and operate on corrupted image bugzilla-daemon
  2021-12-11 15:43 ` [f2fs-dev] [Bug 215235] " bugzilla-daemon
@ 2021-12-11 16:53 ` bugzilla-daemon
  2021-12-12  4:06 ` bugzilla-daemon
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: bugzilla-daemon @ 2021-12-11 16:53 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215235

--- Comment #2 from Wenqing Liu (wenqingliu0120@gmail.com) ---
Thank you. The issue is gone with the patch on my test machine.


* [f2fs-dev] [Bug 215235] page fault in f2fs_setxattr() when mount and operate on corrupted image
  2021-12-06  5:34 [f2fs-dev] [Bug 215235] New: page fault in f2fs_setxattr() when mount and operate on corrupted image bugzilla-daemon
  2021-12-11 15:43 ` [f2fs-dev] [Bug 215235] " bugzilla-daemon
  2021-12-11 16:53 ` bugzilla-daemon
@ 2021-12-12  4:06 ` bugzilla-daemon
  2022-01-10 14:26 ` bugzilla-daemon
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: bugzilla-daemon @ 2021-12-12  4:06 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215235

Chao Yu (chao@kernel.org) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |CODE_FIX

--- Comment #3 from Chao Yu (chao@kernel.org) ---
Thanks for the verification. :)


* [f2fs-dev] [Bug 215235] page fault in f2fs_setxattr() when mount and operate on corrupted image
  2021-12-06  5:34 [f2fs-dev] [Bug 215235] New: page fault in f2fs_setxattr() when mount and operate on corrupted image bugzilla-daemon
                   ` (2 preceding siblings ...)
  2021-12-12  4:06 ` bugzilla-daemon
@ 2022-01-10 14:26 ` bugzilla-daemon
  2022-01-11  3:41 ` bugzilla-daemon
  2022-10-21 14:24 ` bugzilla-daemon
  5 siblings, 0 replies; 7+ messages in thread
From: bugzilla-daemon @ 2022-01-10 14:26 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215235

David Disseldorp (ddiss.dev@gmail.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ddiss.dev@gmail.com

--- Comment #4 from David Disseldorp (ddiss.dev@gmail.com) ---
(In reply to Chao Yu from comment #1)
> Thanks for the report!
> 
> I've submitted a fixing patch, could you please have a try?
> 
> https://lore.kernel.org/linux-f2fs-devel/20211211154059.7173-1-chao@kernel.org/T/#u

This fix appears to be missing from mainline. Do you still plan on submitting
it?


* [f2fs-dev] [Bug 215235] page fault in f2fs_setxattr() when mount and operate on corrupted image
  2021-12-06  5:34 [f2fs-dev] [Bug 215235] New: page fault in f2fs_setxattr() when mount and operate on corrupted image bugzilla-daemon
                   ` (3 preceding siblings ...)
  2022-01-10 14:26 ` bugzilla-daemon
@ 2022-01-11  3:41 ` bugzilla-daemon
  2022-10-21 14:24 ` bugzilla-daemon
  5 siblings, 0 replies; 7+ messages in thread
From: bugzilla-daemon @ 2022-01-11  3:41 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215235

--- Comment #5 from Chao Yu (chao@kernel.org) ---
This patch was merged in dev branch, and will be pushed to mainline in
5.17-rc1.

https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git/commit/?h=dev-test&id=645a3c40ca3d40cc32b4b5972bf2620f2eb5dba6


* [f2fs-dev] [Bug 215235] page fault in f2fs_setxattr() when mount and operate on corrupted image
  2021-12-06  5:34 [f2fs-dev] [Bug 215235] New: page fault in f2fs_setxattr() when mount and operate on corrupted image bugzilla-daemon
                   ` (4 preceding siblings ...)
  2022-01-11  3:41 ` bugzilla-daemon
@ 2022-10-21 14:24 ` bugzilla-daemon
  5 siblings, 0 replies; 7+ messages in thread
From: bugzilla-daemon @ 2022-10-21 14:24 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=215235

alexwriter (alexwriter2003@gmail.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alexwriter2003@gmail.com

--- Comment #6 from alexwriter (alexwriter2003@gmail.com) ---
Re:
- Overview 
 page fault in f2fs_setxattr() when
mount and operate on corrupted image 

- Reproduce 
tested on kernel 5.16-rc3, 5.15.X under root

# unzip tmp7.zip 
#./single.sh f2fs 7

Sometimes need to run the script several times

---------------------------------
Thanks for fixing this...
