From: Chao Yu
CC: Chao Yu
Subject: [PATCH] f2fs: fix to do sanity check on segment bitmap of LFS curseg
Date: Thu, 16 May 2019 14:36:53 +0800
Message-ID: <20190516063653.14142-1-yuchao0@huawei.com>

As Jungyeon reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=203233

- Reproduces
gcc poc_13.c
./run.sh f2fs

- Kernel messages
F2FS-fs (sdb): Bitmap was wrongly set, blk:4608
kernel BUG at fs/f2fs/segment.c:2133!
RIP: 0010:update_sit_entry+0x35d/0x3e0
Call Trace:
 f2fs_allocate_data_block+0x16c/0x5a0
 do_write_page+0x57/0x100
 f2fs_do_write_node_page+0x33/0xa0
 __write_node_page+0x270/0x4e0
 f2fs_sync_node_pages+0x5df/0x670
 f2fs_write_checkpoint+0x364/0x13a0
 f2fs_sync_fs+0xa3/0x130
 f2fs_do_sync_file+0x1a6/0x810
 do_fsync+0x33/0x60
 __x64_sys_fsync+0xb/0x10
 do_syscall_64+0x43/0x110
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The testcase fails because, in the fuzzed image, the current segment was allocated with LFS type, so its .next_blkoff should point to an unused block address, but actually, its bitmap shows it's not. So during allocation, f2fs crashes when setting the bitmap.

Introduce sanity_check_curseg() to check for such inconsistency of the current in-use segment.

Signed-off-by: Chao Yu
--- fs/f2fs/segment.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c index 8dee063c833f..4a25fb12bdb1 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c 
@@ -4232,6 +4232,35 @@ static int build_dirty_segmap(struct f2fs_sb_info *sbi) return init_victim_secmap(sbi); } +int sanity_check_curseg(struct f2fs_sb_info *sbi) +{ + int i, j; + + /* + * In current segment with LFS allocation type, all space after + * .next_blkoff position should be all valid. + */ + for (i = 0; i < NO_CHECK_TYPE; i++) { + struct curseg_info *curseg = CURSEG_I(sbi, i); + struct seg_entry *se = get_seg_entry(sbi, curseg->segno); + + if (curseg->alloc_type == SSR) + continue; + + for (j = curseg->next_blkoff; j < sbi->blocks_per_seg; j++) { + if (!f2fs_test_bit(j, se->cur_valid_map)) + continue; + + f2fs_msg(sbi->sb, KERN_ERR, + "Current segment:%u, segno:%u, " + "next_blkoff:%u, cur:%u", + i, curseg->segno, curseg->next_blkoff, j); + return -EINVAL; + } + } + return 0; +} + /* * Update min, max modified time for cost-benefit GC algorithm */ @@ -4327,6 +4356,10 @@ int f2fs_build_segment_manager(struct f2fs_sb_info *sbi) if (err) return err; + err = sanity_check_curseg(sbi); + if (err) + return err; + init_min_max_mtime(sbi); return 0; } -- 2.18.0.rc1
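
Review bot: In sanity_check_curseg(), the block comment says all space after .next_blkoff "should be all valid", but the loop returns -EINVAL as soon as f2fs_test_bit(j, se->cur_valid_map) finds a set bit, and the commit message says .next_blkoff should point to an unused block. The comment should say that every block from .next_blkoff onward (the loop starts at .next_blkoff itself, not after it) must be unused. The function is called only from f2fs_build_segment_manager() in this same file, and the diffstat touches only fs/f2fs/segment.c, so it should be declared static. SSR cursegs are skipped entirely by the "continue"; is there a reason not to check at least the block at .next_blkoff for them? Minor: i and j are declared int but printed with %u, so either make them unsigned int or print them with %d.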