* [f2fs-dev] [Bug 216285] New: KASAN: slab-out-of-bounds in mutex_lock and NULL pointer deference at fs/f2fs/segment.c: f2fs_update_meta_page() when mount a crafted f2fs image
@ 2022-07-26 19:57 bugzilla-daemon
From: bugzilla-daemon @ 2022-07-26 19:57 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=216285
Bug ID: 216285
Summary: KASAN: slab-out-of-bounds in mutex_lock and NULL pointer deference at fs/f2fs/segment.c: f2fs_update_meta_page() when mount a crafted f2fs image
Product: File System
Version: 2.5
Kernel Version: 5.15-5.19-rc8
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: wenqingliu0120@gmail.com
Regression: No
Created attachment 301488 --> https://bugzilla.kernel.org/attachment.cgi?id=301488&action=edit
crafted image and .config
- Overview
KASAN: slab-out-of-bounds in mutex_lock and NULL pointer dereference at fs/f2fs/segment.c:f2fs_update_meta_page() when mounting a crafted f2fs image
- Reproduce
Tested on kernels 5.15.57 and 5.19-rc8:
# mkdir mnt
# mount tmp1.img mnt
- Kernel dump
[ 185.716899] ------------[ cut here ]------------
[ 185.716900] WARNING: CPU: 3 PID: 1155 at fs/f2fs/segment.c:719
__locate_dirty_segment+0x89f/0xb70 [f2fs]
[ 185.716921] Modules linked in: f2fs crc32_generic joydev input_leds
serio_raw qemu_fw_cfg xfs autofs4 raid10 raid456 async_raid6_recov async_memcpy
async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_ttm_helper ttm
drm_kms_helper hid_generic usbhid syscopyarea sysfillrect crct10dif_pclmul
crc32_pclmul sysimgblt fb_sys_fops hid ghash_clmulni_intel drm aesni_intel
crypto_simd psmouse cryptd
[ 185.716948] CPU: 3 PID: 1155 Comm: mount Tainted: G W
5.19.0-rc8 #1
[ 185.716950] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[ 185.716951] RIP: 0010:__locate_dirty_segment+0x89f/0xb70 [f2fs]
[ 185.716971] Code: ff ff e8 d4 59 0c c8 e9 8c f8 ff ff e8 ca 59 0c c8 e9 fc
f8 ff ff e8 c0 59 0c c8 e9 2f f9 ff ff e8 b6 59 0c c8 e9 62 f9 ff ff <0f> 0b 48
83 c4 18 4c 89 e7 5b 5d 41 5c 41 5d 41 5e 41 5f e9 29 f7
[ 185.716973] RSP: 0018:ffff888122d7f4d8 EFLAGS: 00010206
[ 185.716974] RAX: 0000000000000019 RBX: ffff888118930d00 RCX:
0000000000000019
[ 185.716976] RDX: 000000000000000f RSI: 0000000000000008 RDI:
ffff88811db4e670
[ 185.716977] RBP: 000000000000000f R08: ffff888100bcea00 R09:
ffffed1020179d41
[ 185.716978] R10: ffff888100bcea07 R11: ffffed1020179d40 R12:
ffff88814fa24000
[ 185.716979] R13: ffff8881247b0258 R14: 0000000000000000 R15:
ffff88814fa24080
[ 185.716981] FS: 00007f60badb8840(0000) GS:ffff888293780000(0000)
knlGS:0000000000000000
[ 185.716982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 185.716984] CR2: 0000559740896c48 CR3: 000000011bae6002 CR4:
0000000000370ee0
[ 185.716986] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 185.716987] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 185.716989] Call Trace:
[ 185.716991] <TASK>
[ 185.716993] locate_dirty_segment+0x42b/0x570 [f2fs]
[ 185.717014] f2fs_do_replace_block+0x869/0x18a0 [f2fs]
[ 185.717035] f2fs_replace_block+0xeb/0x180 [f2fs]
[ 185.717056] ? f2fs_do_replace_block+0x18a0/0x18a0 [f2fs]
[ 185.717076] recover_data+0x1abd/0x6f50 [f2fs]
[ 185.717098] ? pagecache_get_page+0x50/0x160
[ 185.717101] ? check_index_in_prev_nodes+0x2860/0x2860 [f2fs]
[ 185.717121] ? __get_meta_page+0x1c4/0x1710 [f2fs]
[ 185.717141] ? __add_ino_entry+0x430/0x430 [f2fs]
[ 185.717159] ? filemap_map_pages+0x1390/0x1390
[ 185.717162] ? pagecache_get_page+0x50/0x160
[ 185.717164] ? f2fs_ra_meta_pages_cond+0x136/0x370 [f2fs]
[ 185.717183] f2fs_recover_fsync_data+0x12ce/0x3250 [f2fs]
[ 185.717204] ? _raw_write_unlock+0x39/0x70
[ 185.717206] ? proc_register+0x2d4/0x4c0
[ 185.717209] ? f2fs_space_for_roll_forward+0x1d0/0x1d0 [f2fs]
[ 185.717230] ? proc_create_single_data+0xbf/0x120
[ 185.717233] ? f2fs_remove_orphan_inode+0x10/0x10 [f2fs]
[ 185.717252] ? f2fs_register_sysfs+0x37f/0x490 [f2fs]
[ 185.717274] f2fs_fill_super+0x4459/0x6190 [f2fs]
[ 185.717295] ? f2fs_commit_super+0x740/0x740 [f2fs]
[ 185.717313] ? mutex_unlock+0x80/0xd0
[ 185.717315] ? __mutex_unlock_slowpath.isra.0+0x2d0/0x2d0
[ 185.717318] ? sget+0x3a4/0x490
[ 185.717321] mount_bdev+0x2cf/0x3b0
[ 185.717323] ? f2fs_commit_super+0x740/0x740 [f2fs]
[ 185.717341] ? f2fs_sync_fs+0x230/0x230 [f2fs]
[ 185.717359] legacy_get_tree+0xed/0x1d0
[ 185.717361] ? security_capable+0x53/0xa0
[ 185.717363] vfs_get_tree+0x81/0x2b0
[ 185.717366] ? ns_capable_common+0x57/0xe0
[ 185.717368] path_mount+0x47e/0x19d0
[ 185.717371] ? finish_automount+0x5f0/0x5f0
[ 185.717373] ? user_path_at_empty+0x45/0x60
[ 185.717375] ? kmem_cache_free+0xd3/0x3b0
[ 185.717378] ? slab_post_alloc_hook+0x48/0x2d0
[ 185.717380] do_mount+0xce/0xf0
[ 185.717383] ? path_mount+0x19d0/0x19d0
[ 185.717385] ? _copy_from_user+0x50/0x80
[ 185.717387] ? memdup_user+0x4e/0xa0
[ 185.717389] __x64_sys_mount+0x12c/0x1a0
[ 185.717392] do_syscall_64+0x38/0x90
[ 185.717394] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 185.717397] RIP: 0033:0x7f60bb017c7e
[ 185.717398] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e
0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d e2 c1 0c 00 f7 d8 64 89 01 48
[ 185.717400] RSP: 002b:00007fff9fdd3e58 EFLAGS: 00000246 ORIG_RAX:
00000000000000a5
[ 185.717402] RAX: ffffffffffffffda RBX: 00007f60bb149204 RCX:
00007f60bb017c7e
[ 185.717403] RDX: 000055db59fe3670 RSI: 000055db59fec290 RDI:
000055db59febe40
[ 185.717404] RBP: 000055db59fe3460 R08: 0000000000000000 R09:
00007f60bb0e4c00
[ 185.717406] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000000000
[ 185.717407] R13: 000055db59febe40 R14: 000055db59fe3670 R15:
000055db59fe3460
[ 185.717409] </TASK>
[ 185.717410] ---[ end trace 0000000000000000 ]---
[ 185.717441] F2FS-fs (loop5): recover_data: ino = d (i_size: recover)
recovered = 42, err = 0
[ 185.717445] F2FS-fs (loop5): recover_inode: ino = d, name =
Es3yhcX39Mydt60WMDsgZfJcOh0RMFJ, inline = 1
[ 185.717484] ------------[ cut here ]------------
[ 185.717485] WARNING: CPU: 3 PID: 1155 at fs/f2fs/segment.c:3512
f2fs_do_replace_block+0xd7e/0x18a0 [f2fs]
[ 185.717508] Modules linked in: f2fs crc32_generic joydev input_leds
serio_raw qemu_fw_cfg xfs autofs4 raid10 raid456 async_raid6_recov async_memcpy
async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_ttm_helper ttm
drm_kms_helper hid_generic usbhid syscopyarea sysfillrect crct10dif_pclmul
crc32_pclmul sysimgblt fb_sys_fops hid ghash_clmulni_intel drm aesni_intel
crypto_simd psmouse cryptd
[ 185.717535] CPU: 3 PID: 1155 Comm: mount Tainted: G W
5.19.0-rc8 #1
[ 185.717537] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[ 185.717538] RIP: 0010:f2fs_do_replace_block+0xd7e/0x18a0 [f2fs]
[ 185.717559] Code: 5c 04 00 00 41 83 c4 01 41 83 fc 08 75 c6 89 54 24 10 0f
0b 48 89 df 41 bf c0 03 00 00 e8 ca d8 fd ff 8b 54 24 10 89 54 24 10 <0f> 0b be
08 00 00 00 48 8d 7b 48 e8 42 3e 0a c8 f0 80 4b 48 04 4c
[ 185.717562] RSP: 0018:ffff888122d7f568 EFLAGS: 00010206
[ 185.717564] RAX: 0000000000000019 RBX: ffff88814fa24000 RCX:
0000000000000000
[ 185.717566] RDX: 000000000000000f RSI: 1ffff110248f604b RDI:
0000000000000000
[ 185.717567] RBP: 0000000000000177 R08: 0000000000000001 R09:
ffffed102446d726
[ 185.717568] R10: ffff88812236b92f R11: ffffed102446d725 R12:
0000000000000019
[ 185.717569] R13: ffff88814fa24080 R14: ffff88811db4e600 R15:
0000000000000bb8
[ 185.717571] FS: 00007f60badb8840(0000) GS:ffff888293780000(0000)
knlGS:0000000000000000
[ 185.717572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 185.717574] CR2: 0000559740896c48 CR3: 000000011bae6002 CR4:
0000000000370ee0
[ 185.717577] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 185.717578] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 185.717579] Call Trace:
[ 185.717580] <TASK>
[ 185.717581] ? _raw_write_lock+0x81/0xe0
[ 185.717584] ? f2fs_inode_dirtied+0xf9/0x2b0 [f2fs]
[ 185.717603] f2fs_replace_block+0xeb/0x180 [f2fs]
[ 185.717624] ? f2fs_reserve_new_blocks+0xa5b/0x11f0 [f2fs]
[ 185.717645] ? f2fs_do_replace_block+0x18a0/0x18a0 [f2fs]
[ 185.717665] recover_data+0x1abd/0x6f50 [f2fs]
[ 185.717687] ? pagecache_get_page+0x50/0x160
[ 185.717690] ? check_index_in_prev_nodes+0x2860/0x2860 [f2fs]
[ 185.717710] ? __get_meta_page+0x1c4/0x1710 [f2fs]
[ 185.717729] ? __add_ino_entry+0x430/0x430 [f2fs]
[ 185.717747] ? filemap_map_pages+0x1390/0x1390
[ 185.717751] ? pagecache_get_page+0x50/0x160
[ 185.717753] ? f2fs_ra_meta_pages_cond+0x136/0x370 [f2fs]
[ 185.717771] f2fs_recover_fsync_data+0x12ce/0x3250 [f2fs]
[ 185.717793] ? _raw_write_unlock+0x39/0x70
[ 185.717795] ? proc_register+0x2d4/0x4c0
[ 185.717798] ? f2fs_space_for_roll_forward+0x1d0/0x1d0 [f2fs]
[ 185.717819] ? proc_create_single_data+0xbf/0x120
[ 185.717822] ? f2fs_remove_orphan_inode+0x10/0x10 [f2fs]
[ 185.717842] ? f2fs_register_sysfs+0x37f/0x490 [f2fs]
[ 185.717863] f2fs_fill_super+0x4459/0x6190 [f2fs]
[ 185.717884] ? f2fs_commit_super+0x740/0x740 [f2fs]
[ 185.717902] ? mutex_unlock+0x80/0xd0
[ 185.717904] ? __mutex_unlock_slowpath.isra.0+0x2d0/0x2d0
[ 185.717907] ? sget+0x3a4/0x490
[ 185.717910] mount_bdev+0x2cf/0x3b0
[ 185.717912] ? f2fs_commit_super+0x740/0x740 [f2fs]
[ 185.717930] ? f2fs_sync_fs+0x230/0x230 [f2fs]
[ 185.717948] legacy_get_tree+0xed/0x1d0
[ 185.717950] ? security_capable+0x53/0xa0
[ 185.717952] vfs_get_tree+0x81/0x2b0
[ 185.717986] ? ns_capable_common+0x57/0xe0
[ 185.717989] path_mount+0x47e/0x19d0
[ 185.717992] ? finish_automount+0x5f0/0x5f0
[ 185.717995] ? user_path_at_empty+0x45/0x60
[ 185.717997] ? kmem_cache_free+0xd3/0x3b0
[ 185.718000] ? slab_post_alloc_hook+0x48/0x2d0
[ 185.718002] do_mount+0xce/0xf0
[ 185.718005] ? path_mount+0x19d0/0x19d0
[ 185.718007] ? _copy_from_user+0x50/0x80
[ 185.718009] ? memdup_user+0x4e/0xa0
[ 185.718012] __x64_sys_mount+0x12c/0x1a0
[ 185.718014] do_syscall_64+0x38/0x90
[ 185.718017] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 185.718019] RIP: 0033:0x7f60bb017c7e
[ 185.718021] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e
0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d e2 c1 0c 00 f7 d8 64 89 01 48
[ 185.718023] RSP: 002b:00007fff9fdd3e58 EFLAGS: 00000246 ORIG_RAX:
00000000000000a5
[ 185.718025] RAX: ffffffffffffffda RBX: 00007f60bb149204 RCX:
00007f60bb017c7e
[ 185.718027] RDX: 000055db59fe3670 RSI: 000055db59fec290 RDI:
000055db59febe40
[ 185.718028] RBP: 000055db59fe3460 R08: 0000000000000000 R09:
00007f60bb0e4c00
[ 185.718029] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000000000
[ 185.718031] R13: 000055db59febe40 R14: 000055db59fe3670 R15:
000055db59fe3460
[ 185.718033] </TASK>
[ 185.718034] ---[ end trace 0000000000000000 ]---
[ 185.718035]
==================================================================
[ 185.718108] BUG: KASAN: slab-out-of-bounds in mutex_lock+0x7f/0xe0
[ 185.718138] Write of size 8 at addr ffff8881247b13b8 by task mount/1155
[ 185.718173] CPU: 3 PID: 1155 Comm: mount Tainted: G W
5.19.0-rc8 #1
[ 185.718206] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[ 185.718240] Call Trace:
[ 185.718252] <TASK>
[ 185.718262] dump_stack_lvl+0x45/0x5e
[ 185.718282] print_report.cold+0xf3/0x67f
[ 185.718302] ? mutex_lock+0x7f/0xe0
[ 185.718318] kasan_report+0xa9/0x120
[ 185.718336] ? __rdgsbase_inactive+0x11/0x20
[ 185.718360] ? mutex_lock+0x7f/0xe0
[ 185.718378] kasan_check_range+0x144/0x1c0
[ 185.718409] mutex_lock+0x7f/0xe0
[ 185.718425] ? __mutex_lock_slowpath+0x10/0x10
[ 185.718445] ? f2fs_do_replace_block+0xd80/0x18a0 [f2fs]
[ 185.718488] f2fs_do_replace_block+0x4e9/0x18a0 [f2fs]
[ 185.718529] ? _raw_write_lock+0x81/0xe0
[ 185.718547] ? f2fs_inode_dirtied+0xf9/0x2b0 [f2fs]
[ 185.718605] f2fs_replace_block+0xeb/0x180 [f2fs]
[ 185.718645] ? f2fs_reserve_new_blocks+0xa5b/0x11f0 [f2fs]
[ 185.718688] ? f2fs_do_replace_block+0x18a0/0x18a0 [f2fs]
[ 185.718730] recover_data+0x1abd/0x6f50 [f2fs]
[ 185.718771] ? pagecache_get_page+0x50/0x160
[ 185.718790] ? check_index_in_prev_nodes+0x2860/0x2860 [f2fs]
[ 185.718834] ? __get_meta_page+0x1c4/0x1710 [f2fs]
[ 185.718873] ? __add_ino_entry+0x430/0x430 [f2fs]
[ 185.718911] ? filemap_map_pages+0x1390/0x1390
[ 185.718945] ? pagecache_get_page+0x50/0x160
[ 185.718964] ? f2fs_ra_meta_pages_cond+0x136/0x370 [f2fs]
[ 185.719003] f2fs_recover_fsync_data+0x12ce/0x3250 [f2fs]
[ 185.719046] ? _raw_write_unlock+0x39/0x70
[ 185.719064] ? proc_register+0x2d4/0x4c0
[ 185.719083] ? f2fs_space_for_roll_forward+0x1d0/0x1d0 [f2fs]
[ 185.719126] ? proc_create_single_data+0xbf/0x120
[ 185.719147] ? f2fs_remove_orphan_inode+0x10/0x10 [f2fs]
[ 185.719188] ? f2fs_register_sysfs+0x37f/0x490 [f2fs]
[ 185.719229] f2fs_fill_super+0x4459/0x6190 [f2fs]
[ 185.719284] ? f2fs_commit_super+0x740/0x740 [f2fs]
[ 185.719320] ? mutex_unlock+0x80/0xd0
[ 185.719337] ? __mutex_unlock_slowpath.isra.0+0x2d0/0x2d0
[ 185.719359] ? sget+0x3a4/0x490
[ 185.719374] mount_bdev+0x2cf/0x3b0
[ 185.719999] ? f2fs_commit_super+0x740/0x740 [f2fs]
[ 185.720639] ? f2fs_sync_fs+0x230/0x230 [f2fs]
[ 185.721278] legacy_get_tree+0xed/0x1d0
[ 185.721882] ? security_capable+0x53/0xa0
[ 185.722549] vfs_get_tree+0x81/0x2b0
[ 185.723127] ? ns_capable_common+0x57/0xe0
[ 185.723700] path_mount+0x47e/0x19d0
[ 185.724264] ? finish_automount+0x5f0/0x5f0
[ 185.724817] ? user_path_at_empty+0x45/0x60
[ 185.725355] ? kmem_cache_free+0xd3/0x3b0
[ 185.725897] ? slab_post_alloc_hook+0x48/0x2d0
[ 185.726518] do_mount+0xce/0xf0
[ 185.727062] ? path_mount+0x19d0/0x19d0
[ 185.727608] ? _copy_from_user+0x50/0x80
[ 185.728157] ? memdup_user+0x4e/0xa0
[ 185.728705] __x64_sys_mount+0x12c/0x1a0
[ 185.729253] do_syscall_64+0x38/0x90
[ 185.729799] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 185.730429] RIP: 0033:0x7f60bb017c7e
[ 185.730982] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e
0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d e2 c1 0c 00 f7 d8 64 89 01 48
[ 185.732178] RSP: 002b:00007fff9fdd3e58 EFLAGS: 00000246 ORIG_RAX:
00000000000000a5
[ 185.732793] RAX: ffffffffffffffda RBX: 00007f60bb149204 RCX:
00007f60bb017c7e
[ 185.733415] RDX: 000055db59fe3670 RSI: 000055db59fec290 RDI:
000055db59febe40
[ 185.734078] RBP: 000055db59fe3460 R08: 0000000000000000 R09:
00007f60bb0e4c00
[ 185.734740] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000000000
[ 185.735362] R13: 000055db59febe40 R14: 000055db59fe3670 R15:
000055db59fe3460
[ 185.736019] </TASK>
[ 185.737232] Allocated by task 1155:
[ 185.737832] kasan_save_stack+0x1e/0x40
[ 185.737835] __kasan_kmalloc+0xa9/0xe0
[ 185.737838] __kmalloc+0x18e/0x340
[ 185.737840] f2fs_init_write_merge_io+0x5c/0x460 [f2fs]
[ 185.737860] f2fs_fill_super+0x1ab9/0x6190 [f2fs]
[ 185.737879] mount_bdev+0x2cf/0x3b0
[ 185.737881] legacy_get_tree+0xed/0x1d0
[ 185.737883] vfs_get_tree+0x81/0x2b0
[ 185.737885] path_mount+0x47e/0x19d0
[ 185.737887] do_mount+0xce/0xf0
[ 185.737889] __x64_sys_mount+0x12c/0x1a0
[ 185.737894] do_syscall_64+0x38/0x90
[ 185.737896] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 185.738571] The buggy address belongs to the object at ffff8881247b1000
which belongs to the cache kmalloc-1k of size 1024
[ 185.739810] The buggy address is located 952 bytes inside of
1024-byte region [ffff8881247b1000, ffff8881247b1400)
[ 185.741678] The buggy address belongs to the physical page:
[ 185.742374] page:0000000070dda483 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x1247b0
[ 185.742404] head:0000000070dda483 order:3 compound_mapcount:0
compound_pincount:0
[ 185.742406] flags:
0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 185.742429] raw: 0017ffffc0010200 0000000000000000 dead000000000122
ffff888100042dc0
[ 185.742432] raw: 0000000000000000 0000000080100010 00000001ffffffff
0000000000000000
[ 185.742433] page dumped because: kasan: bad access detected
[ 185.743104] Memory state around the buggy address:
[ 185.743750] ffff8881247b1280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[ 185.744411] ffff8881247b1300: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
fc
[ 185.745069] >ffff8881247b1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[ 185.745725] ^
[ 185.746487] ffff8881247b1400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[ 185.747157] ffff8881247b1480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[ 185.747814]
==================================================================
[ 185.748513] Disabling lock debugging due to kernel taint
[ 185.748547] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 185.749279] #PF: supervisor read access in kernel mode
[ 185.750048] #PF: error_code(0x0000) - not-present page
[ 185.750915] PGD 0 P4D 0
[ 185.751642] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 185.752363] CPU: 2 PID: 1155 Comm: mount Tainted: G B W
5.19.0-rc8 #1
[ 185.753114] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.13.0-1ubuntu1.1 04/01/2014
[ 185.753968] RIP: 0010:memcpy_erms+0x6/0x10
[ 185.754871] Code: fe ff ff cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03
83 e2 07 f3 48 a5 89 d1 f3 a4 c3 cc cc cc cc 66 90 48 89 f8 48 89 d1 <f3> a4 c3
cc cc cc cc 0f 1f 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 185.756547] RSP: 0018:ffff888122d7f4c0 EFLAGS: 00010202
[ 185.757551] RAX: ffff88812236f000 RBX: ffff88812236f000 RCX:
0000000000001000
[ 185.758540] RDX: 0000000000001000 RSI: 0000000000000000 RDI:
ffff88812236f000
[ 185.759794] RBP: ffffea000488dbc0 R08: 0000000000000001 R09:
0000000000000000
[ 185.760805] R10: ffff88812236ffff R11: ffffed102446dfff R12:
0000000000000000
[ 185.761740] R13: ffff88814fa24080 R14: ffff88814fa24000 R15:
ffff8881247b13b8
[ 185.762832] FS: 00007f60badb8840(0000) GS:ffff888293700000(0000)
knlGS:0000000000000000
[ 185.763849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 185.764860] CR2: 0000000000000000 CR3: 000000011bae6005 CR4:
0000000000370ee0
[ 185.765802] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 185.766827] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 185.767772] Call Trace:
[ 185.768695] <TASK>
[ 185.769557] f2fs_update_meta_page+0x84/0x570 [f2fs]
[ 185.770530] change_curseg.constprop.0+0x159/0xbd0 [f2fs]
[ 185.771441] f2fs_do_replace_block+0x5c7/0x18a0 [f2fs]
[ 185.772338] ? _raw_write_lock+0x81/0xe0
[ 185.773147] f2fs_replace_block+0xeb/0x180 [f2fs]
[ 185.774076] ? f2fs_reserve_new_blocks+0xa5b/0x11f0 [f2fs]
[ 185.775041] ? f2fs_do_replace_block+0x18a0/0x18a0 [f2fs]
[ 185.775950] recover_data+0x1abd/0x6f50 [f2fs]
[ 185.776852] ? pagecache_get_page+0x50/0x160
[ 185.777705] ? check_index_in_prev_nodes+0x2860/0x2860 [f2fs]
[ 185.778654] ? __get_meta_page+0x1c4/0x1710 [f2fs]
[ 185.779523] ? __add_ino_entry+0x430/0x430 [f2fs]
[ 185.780355] ? filemap_map_pages+0x1390/0x1390
[ 185.781142] ? pagecache_get_page+0x50/0x160
[ 185.781919] ? f2fs_ra_meta_pages_cond+0x136/0x370 [f2fs]
[ 185.782765] f2fs_recover_fsync_data+0x12ce/0x3250 [f2fs]
[ 185.783565] ? _raw_write_unlock+0x39/0x70
[ 185.784343] ? proc_register+0x2d4/0x4c0
[ 185.785106] ? f2fs_space_for_roll_forward+0x1d0/0x1d0 [f2fs]
[ 185.785926] ? proc_create_single_data+0xbf/0x120
[ 185.786980] ? f2fs_remove_orphan_inode+0x10/0x10 [f2fs]
[ 185.788114] ? f2fs_register_sysfs+0x37f/0x490 [f2fs]
[ 185.789143] f2fs_fill_super+0x4459/0x6190 [f2fs]
[ 185.790196] ? f2fs_commit_super+0x740/0x740 [f2fs]
[ 185.791275] ? mutex_unlock+0x80/0xd0
[ 185.792296] ? __mutex_unlock_slowpath.isra.0+0x2d0/0x2d0
[ 185.793070] ? sget+0x3a4/0x490
[ 185.793837] mount_bdev+0x2cf/0x3b0
[ 185.794681] ? f2fs_commit_super+0x740/0x740 [f2fs]
[ 185.795431] ? f2fs_sync_fs+0x230/0x230 [f2fs]
[ 185.796170] legacy_get_tree+0xed/0x1d0
[ 185.796877] ? security_capable+0x53/0xa0
[ 185.797568] vfs_get_tree+0x81/0x2b0
[ 185.798272] ? ns_capable_common+0x57/0xe0
[ 185.798977] path_mount+0x47e/0x19d0
[ 185.799609] ? finish_automount+0x5f0/0x5f0
[ 185.800233] ? user_path_at_empty+0x45/0x60
[ 185.800853] ? kmem_cache_free+0xd3/0x3b0
[ 185.801467] ? slab_post_alloc_hook+0x48/0x2d0
[ 185.802117] do_mount+0xce/0xf0
[ 185.802785] ? path_mount+0x19d0/0x19d0
[ 185.803380] ? _copy_from_user+0x50/0x80
[ 185.803963] ? memdup_user+0x4e/0xa0
[ 185.804536] __x64_sys_mount+0x12c/0x1a0
[ 185.805111] do_syscall_64+0x38/0x90
[ 185.805689] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 185.806303] RIP: 0033:0x7f60bb017c7e
[ 185.806945] Code: 48 8b 0d 15 c2 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e
0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d e2 c1 0c 00 f7 d8 64 89 01 48
[ 185.808194] RSP: 002b:00007fff9fdd3e58 EFLAGS: 00000246 ORIG_RAX:
00000000000000a5
[ 185.808834] RAX: ffffffffffffffda RBX: 00007f60bb149204 RCX:
00007f60bb017c7e
[ 185.809478] RDX: 000055db59fe3670 RSI: 000055db59fec290 RDI:
000055db59febe40
[ 185.810164] RBP: 000055db59fe3460 R08: 0000000000000000 R09:
00007f60bb0e4c00
[ 185.810869] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000000000
[ 185.811511] R13: 000055db59febe40 R14: 000055db59fe3670 R15:
000055db59fe3460
[ 185.812154] </TASK>
[ 185.812787] Modules linked in: f2fs crc32_generic joydev input_leds
serio_raw qemu_fw_cfg xfs autofs4 raid10 raid456 async_raid6_recov async_memcpy
async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_ttm_helper ttm
drm_kms_helper hid_generic usbhid syscopyarea sysfillrect crct10dif_pclmul
crc32_pclmul sysimgblt fb_sys_fops hid ghash_clmulni_intel drm aesni_intel
crypto_simd psmouse cryptd
[ 185.815760] CR2: 0000000000000000
[ 185.816493] ---[ end trace 0000000000000000 ]---
[ 185.817225] RIP: 0010:memcpy_erms+0x6/0x10
[ 185.817955] Code: fe ff ff cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03
83 e2 07 f3 48 a5 89 d1 f3 a4 c3 cc cc cc cc 66 90 48 89 f8 48 89 d1 <f3> a4 c3
cc cc cc cc 0f 1f 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 185.819586] RSP: 0018:ffff888122d7f4c0 EFLAGS: 00010202
[ 185.820369] RAX: ffff88812236f000 RBX: ffff88812236f000 RCX:
0000000000001000
[ 185.821163] RDX: 0000000000001000 RSI: 0000000000000000 RDI:
ffff88812236f000
[ 185.821960] RBP: ffffea000488dbc0 R08: 0000000000000001 R09:
0000000000000000
[ 185.822850] R10: ffff88812236ffff R11: ffffed102446dfff R12:
0000000000000000
[ 185.823647] R13: ffff88814fa24080 R14: ffff88814fa24000 R15:
ffff8881247b13b8
[ 185.824445] FS: 00007f60badb8840(0000) GS:ffff888293700000(0000)
knlGS:0000000000000000
[ 185.825258] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 185.826106] CR2: 0000000000000000 CR3: 000000011bae6005 CR4:
0000000000370ee0
[ 185.826991] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 185.827811] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
* [f2fs-dev] [Bug 216285] KASAN: slab-out-of-bounds in mutex_lock and NULL pointer dereference at fs/f2fs/segment.c: f2fs_update_meta_page() when mount a crafted f2fs image
From: bugzilla-daemon @ 2022-07-26 20:06 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=216285
Wenqing Liu (wenqingliu0120@gmail.com) changed:
What    |Removed                                                   |Added
----------------------------------------------------------------------------
Summary |KASAN: slab-out-of-bounds in mutex_lock and NULL pointer  |KASAN: slab-out-of-bounds in mutex_lock and NULL pointer
        |deference at fs/f2fs/segment.c: f2fs_update_meta_page()   |dereference at fs/f2fs/segment.c: f2fs_update_meta_page()
        |when mount a crafted f2fs image                           |when mount a crafted f2fs image
* [f2fs-dev] [Bug 216285] KASAN: slab-out-of-bounds in mutex_lock and NULL pointer dereference at fs/f2fs/segment.c: f2fs_update_meta_page() when mount a crafted f2fs image
From: bugzilla-daemon @ 2022-08-27 23:29 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=216285
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |chao@kernel.org
--- Comment #1 from Chao Yu (chao@kernel.org) ---
Wenqing, thanks for the report.
I've figured out a fixing patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09beadf289d6e300553e60d6e76f13c0427ecab3
* [f2fs-dev] [Bug 216285] KASAN: slab-out-of-bounds in mutex_lock and NULL pointer dereference at fs/f2fs/segment.c: f2fs_update_meta_page() when mount a crafted f2fs image
From: bugzilla-daemon @ 2022-09-07 1:39 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=216285
--- Comment #2 from Wenqing Liu (wenqingliu0120@gmail.com) ---
Thank you so much.
* [f2fs-dev] [Bug 216285] KASAN: slab-out-of-bounds in mutex_lock and NULL pointer dereference at fs/f2fs/segment.c: f2fs_update_meta_page() when mount a crafted f2fs image
From: bugzilla-daemon @ 2022-09-19 9:04 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=216285
Chao Yu (chao@kernel.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |CODE_FIX