1. 11 3月, 2020 2 次提交
  2. 18 1月, 2020 1 次提交
    • C
      f2fs: support data compression · 4c8ff709
      Chao Yu 提交于
      This patch tries to support compression in f2fs.
      
      - New term named cluster is defined as basic unit of compression, file can
      be divided into multiple clusters logically. One cluster includes 4 << n
      (n >= 0) logical pages, compression size is also cluster size, each of
      cluster can be compressed or not.
      
      - In cluster metadata layout, one special flag is used to indicate cluster
      is compressed one or normal one, for compressed cluster, following metadata
      maps cluster to [1, 4 << n - 1] physical blocks, in where f2fs stores
      data including compress header and compressed data.
      
      - In order to eliminate write amplification during overwrite, F2FS only
      support compression on write-once file, data can be compressed only when
      all logical blocks in file are valid and cluster compress ratio is lower
      than specified threshold.
      
      - To enable compression on regular inode, there are three ways:
      * chattr +c file
      * chattr +c dir; touch dir/file
      * mount w/ -o compress_extension=ext; touch file.ext
      
      Compress metadata layout:
                                   [Dnode Structure]
                   +-----------------------------------------------+
                   | cluster 1 | cluster 2 | ......... | cluster N |
                   +-----------------------------------------------+
                   .           .                       .           .
             .                       .                .                      .
        .         Compressed Cluster       .        .        Normal Cluster            .
      +----------+---------+---------+---------+  +---------+---------+---------+---------+
      |compr flag| block 1 | block 2 | block 3 |  | block 1 | block 2 | block 3 | block 4 |
      +----------+---------+---------+---------+  +---------+---------+---------+---------+
                 .                             .
               .                                           .
             .                                                           .
            +-------------+-------------+----------+----------------------------+
            | data length | data chksum | reserved |      compressed data       |
            +-------------+-------------+----------+----------------------------+
      
      Changelog:
      
      20190326:
      - fix error handling of read_end_io().
      - remove unneeded comments in f2fs_encrypt_one_page().
      
      20190327:
      - fix wrong use of f2fs_cluster_is_full() in f2fs_mpage_readpages().
      - don't jump into loop directly to avoid uninitialized variables.
      - add TODO tag in error path of f2fs_write_cache_pages().
      
      20190328:
      - fix wrong merge condition in f2fs_read_multi_pages().
      - check compressed file in f2fs_post_read_required().
      
      20190401
      - allow overwrite on non-compressed cluster.
      - check cluster meta before writing compressed data.
      
      20190402
      - don't preallocate blocks for compressed file.
      
      - add lz4 compress algorithm
      - process multiple post read works in one workqueue
        Now f2fs supports processing post read work in multiple workqueue,
        it shows low performance due to schedule overhead of multiple
        workqueue executing orderly.
      
      20190921
      - compress: support buffered overwrite
      C: compress cluster flag
      V: valid block address
      N: NEW_ADDR
      
      One cluster contain 4 blocks
      
       before overwrite   after overwrite
      
      - VVVV		->	CVNN
      - CVNN		->	VVVV
      
      - CVNN		->	CVNN
      - CVNN		->	CVVV
      
      - CVVV		->	CVNN
      - CVVV		->	CVVV
      
      20191029
      - add kconfig F2FS_FS_COMPRESSION to isolate compression related
      codes, add kconfig F2FS_FS_{LZO,LZ4} to cover backend algorithm.
      note that: will remove lzo backend if Jaegeuk agreed that too.
      - update codes according to Eric's comments.
      
      20191101
      - apply fixes from Jaegeuk
      
      20191113
      - apply fixes from Jaegeuk
      - split workqueue for fsverity
      
      20191216
      - apply fixes from Jaegeuk
      
      20200117
      - fix to avoid NULL pointer dereference
      
      [Jaegeuk Kim]
      - add tracepoint for f2fs_{,de}compress_pages()
      - fix many bugs and add some compression stats
      - fix overwrite/mmap bugs
      - address 32bit build error, reported by Geert.
      - bug fixes when handling errors and i_compressed_blocks
      
      Reported-by: <noreply@ellerman.id.au>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      4c8ff709
  3. 20 11月, 2019 1 次提交
  4. 05 10月, 2019 1 次提交
    • C
      f2fs: fix to update time in lazytime mode · fe1897ea
      Chao Yu 提交于
      generic/018 reports an inconsistent status of atime, the
      testcase is as below:
      - open file with O_SYNC
      - write file to construct fraged space
      - calc md5 of file
      - record {a,c,m}time
      - defrag file --- do nothing
      - umount & mount
      - check {a,c,m}time
      
      The root cause is, as f2fs enables lazytime by default, atime
      update will dirty vfs inode, rather than dirtying f2fs inode (by set
      with FI_DIRTY_INODE), so later f2fs_write_inode() called from VFS will
      fail to update inode page due to our skip:
      
      f2fs_write_inode()
      	if (is_inode_flag_set(inode, FI_DIRTY_INODE))
      		return 0;
      
      So eventually, after evict(), we lose last atime for ever.
      
      To fix this issue, we need to check whether {a,c,m,cr}time is
      consistent in between inode cache and inode page, and only skip
      f2fs_update_inode() if f2fs inode is not dirty and time is
      consistent as well.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      fe1897ea
  5. 07 9月, 2019 1 次提交
  6. 23 8月, 2019 3 次提交
    • C
      f2fs: use wrapped f2fs_cp_error() · 33ac18a1
      Chao Yu 提交于
      Just cleanup, no logic change.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      33ac18a1
    • D
      f2fs: Support case-insensitive file name lookups · 2c2eb7a3
      Daniel Rosenberg 提交于
      Modeled after commit b886ee3e ("ext4: Support case-insensitive file
      name lookups")
      
      """
      This patch implements the actual support for case-insensitive file name
      lookups in f2fs, based on the feature bit and the encoding stored in the
      superblock.
      
      A filesystem that has the casefold feature set is able to configure
      directories with the +F (F2FS_CASEFOLD_FL) attribute, enabling lookups
      to succeed in that directory in a case-insensitive fashion, i.e: match
      a directory entry even if the name used by userspace is not a byte per
      byte match with the disk name, but is an equivalent case-insensitive
      version of the Unicode string.  This operation is called a
      case-insensitive file name lookup.
      
      The feature is configured as an inode attribute applied to directories
      and inherited by its children.  This attribute can only be enabled on
      empty directories for filesystems that support the encoding feature,
      thus preventing collision of file names that only differ by case.
      
      * dcache handling:
      
      For a +F directory, F2Fs only stores the first equivalent name dentry
      used in the dcache. This is done to prevent unintentional duplication of
      dentries in the dcache, while also allowing the VFS code to quickly find
      the right entry in the cache despite which equivalent string was used in
      a previous lookup, without having to resort to ->lookup().
      
      d_hash() of casefolded directories is implemented as the hash of the
      casefolded string, such that we always have a well-known bucket for all
      the equivalencies of the same string. d_compare() uses the
      utf8_strncasecmp() infrastructure, which handles the comparison of
      equivalent, same case, names as well.
      
      For now, negative lookups are not inserted in the dcache, since they
      would need to be invalidated anyway, because we can't trust missing file
      dentries.  This is bad for performance but requires some leveraging of
      the vfs layer to fix.  We can live without that for now, and so does
      everyone else.
      
      * on-disk data:
      
      Despite using a specific version of the name as the internal
      representation within the dcache, the name stored and fetched from the
      disk is a byte-per-byte match with what the user requested, making this
      implementation 'name-preserving'. i.e. no actual information is lost
      when writing to storage.
      
      DX is supported by modifying the hashes used in +F directories to make
      them case/encoding-aware.  The new disk hashes are calculated as the
      hash of the full casefolded string, instead of the string directly.
      This allows us to efficiently search for file names in the htree without
      requiring the user to provide an exact name.
      
      * Dealing with invalid sequences:
      
      By default, when a invalid UTF-8 sequence is identified, ext4 will treat
      it as an opaque byte sequence, ignoring the encoding and reverting to
      the old behavior for that unique file.  This means that case-insensitive
      file name lookup will not work only for that file.  An optional bit can
      be set in the superblock telling the filesystem code and userspace tools
      to enforce the encoding.  When that optional bit is set, any attempt to
      create a file name using an invalid UTF-8 sequence will fail and return
      an error to userspace.
      
      * Normalization algorithm:
      
      The UTF-8 algorithms used to compare strings in f2fs is implemented
      in fs/unicode, and is based on a previous version developed by
      SGI.  It implements the Canonical decomposition (NFD) algorithm
      described by the Unicode specification 12.1, or higher, combined with
      the elimination of ignorable code points (NFDi) and full
      case-folding (CF) as documented in fs/unicode/utf8_norm.c.
      
      NFD seems to be the best normalization method for F2FS because:
      
        - It has a lower cost than NFC/NFKC (which requires
          decomposing to NFD as an intermediary step)
        - It doesn't eliminate important semantic meaning like
          compatibility decompositions.
      
      Although:
      
      - This implementation is not completely linguistic accurate, because
      different languages have conflicting rules, which would require the
      specialization of the filesystem to a given locale, which brings all
      sorts of problems for removable media and for users who use more than
      one language.
      """
      Signed-off-by: NDaniel Rosenberg <drosen@google.com>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      2c2eb7a3
    • C
      f2fs: fix to avoid tagging SBI_QUOTA_NEED_REPAIR incorrectly · 0f1898f9
      Chao Yu 提交于
      On a quota disabled image, with fault injection, SBI_QUOTA_NEED_REPAIR
      will be set incorrectly in error path of f2fs_evict_inode(), fix it.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      0f1898f9
  7. 13 8月, 2019 1 次提交
    • E
      f2fs: add fs-verity support · 95ae251f
      Eric Biggers 提交于
      Add fs-verity support to f2fs.  fs-verity is a filesystem feature that
      enables transparent integrity protection and authentication of read-only
      files.  It uses a dm-verity like mechanism at the file level: a Merkle
      tree is used to verify any block in the file in log(filesize) time.  It
      is implemented mainly by helper functions in fs/verity/.  See
      Documentation/filesystems/fsverity.rst for the full documentation.
      
      The f2fs support for fs-verity consists of:
      
      - Adding a filesystem feature flag and an inode flag for fs-verity.
      
      - Implementing the fsverity_operations to support enabling verity on an
        inode and reading/writing the verity metadata.
      
      - Updating ->readpages() to verify data as it's read from verity files
        and to support reading verity metadata pages.
      
      - Updating ->write_begin(), ->write_end(), and ->writepages() to support
        writing verity metadata pages.
      
      - Calling the fs-verity hooks for ->open(), ->setattr(), and ->ioctl().
      
      Like ext4, f2fs stores the verity metadata (Merkle tree and
      fsverity_descriptor) past the end of the file, starting at the first 64K
      boundary beyond i_size.  This approach works because (a) verity files
      are readonly, and (b) pages fully beyond i_size aren't visible to
      userspace but can be read/written internally by f2fs with only some
      relatively small changes to f2fs.  Extended attributes cannot be used
      because (a) f2fs limits the total size of an inode's xattr entries to
      4096 bytes, which wouldn't be enough for even a single Merkle tree
      block, and (b) f2fs encryption doesn't encrypt xattrs, yet the verity
      metadata *must* be encrypted when the file is because it contains hashes
      of the plaintext data.
      Acked-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Acked-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      95ae251f
  8. 03 7月, 2019 2 次提交
  9. 22 6月, 2019 1 次提交
  10. 09 5月, 2019 3 次提交
    • C
      f2fs: introduce DATA_GENERIC_ENHANCE · 93770ab7
      Chao Yu 提交于
      Previously, f2fs_is_valid_blkaddr(, blkaddr, DATA_GENERIC) will check
      whether @blkaddr locates in main area or not.
      
      That check is weak, since the block address in range of main area can
      point to the address which is not valid in segment info table, and we
      can not detect such condition, we may suffer worse corruption as system
      continues running.
      
      So this patch introduce DATA_GENERIC_ENHANCE to enhance the sanity check
      which trigger SIT bitmap check rather than only range check.
      
      This patch did below changes as wel:
      - set SBI_NEED_FSCK in f2fs_is_valid_blkaddr().
      - get rid of is_valid_data_blkaddr() to avoid panic if blkaddr is invalid.
      - introduce verify_fio_blkaddr() to wrap fio {new,old}_blkaddr validation check.
      - spread blkaddr check in:
       * f2fs_get_node_info()
       * __read_out_blkaddrs()
       * f2fs_submit_page_read()
       * ra_data_block()
       * do_recover_data()
      
      This patch can fix bug reported from bugzilla below:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=203215
      https://bugzilla.kernel.org/show_bug.cgi?id=203223
      https://bugzilla.kernel.org/show_bug.cgi?id=203231
      https://bugzilla.kernel.org/show_bug.cgi?id=203235
      https://bugzilla.kernel.org/show_bug.cgi?id=203241
      
      = Update by Jaegeuk Kim =
      
      DATA_GENERIC_ENHANCE enhanced to validate block addresses on read/write paths.
      But, xfstest/generic/446 compalins some generated kernel messages saying invalid
      bitmap was detected when reading a block. The reaons is, when we get the
      block addresses from extent_cache, there is no lock to synchronize it from
      truncating the blocks in parallel.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      93770ab7
    • C
      f2fs: fix to do checksum even if inode page is uptodate · b42b179b
      Chao Yu 提交于
      As Jungyeon reported in bugzilla:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=203221
      
      - Overview
      When mounting the attached crafted image and running program, this error is reported.
      
      The image is intentionally fuzzed from a normal f2fs image for testing and I enabled option CONFIG_F2FS_CHECK_FS on.
      
      - Reproduces
      cc poc_07.c
      mkdir test
      mount -t f2fs tmp.img test
      cp a.out test
      cd test
      sudo ./a.out
      
      - Messages
       kernel BUG at fs/f2fs/node.c:1279!
       RIP: 0010:read_node_page+0xcf/0xf0
       Call Trace:
        __get_node_page+0x6b/0x2f0
        f2fs_iget+0x8f/0xdf0
        f2fs_lookup+0x136/0x320
        __lookup_slow+0x92/0x140
        lookup_slow+0x30/0x50
        walk_component+0x1c1/0x350
        path_lookupat+0x62/0x200
        filename_lookup+0xb3/0x1a0
        do_fchmodat+0x3e/0xa0
        __x64_sys_chmod+0x12/0x20
        do_syscall_64+0x43/0xf0
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      On below paths, we can have opportunity to readahead inode page
      - gc_node_segment -> f2fs_ra_node_page
      - gc_data_segment -> f2fs_ra_node_page
      - f2fs_fill_dentries -> f2fs_ra_node_page
      
      Unlike synchronized read, on readahead path, we can set page uptodate
      before verifying page's checksum, then read_node_page() will trigger
      kernel panic once it encounters a uptodated page w/ incorrect checksum.
      
      So considering readahead scenario, we have to do checksum each time
      when loading inode page even if it is uptodated.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      b42b179b
    • C
      f2fs: fix to clear dirty inode in error path of f2fs_iget() · 546d22f0
      Chao Yu 提交于
      As Jungyeon reported in bugzilla:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=203217
      
      - Overview
      When mounting the attached crafted image and running program, I got this error.
      Additionally, it hangs on sync after running the program.
      
      The image is intentionally fuzzed from a normal f2fs image for testing and I enabled option CONFIG_F2FS_CHECK_FS on.
      
      - Reproduces
      cc poc_test_05.c
      mkdir test
      mount -t f2fs tmp.img test
      sudo ./a.out
      sync
      
      - Messages
       kernel BUG at fs/f2fs/inode.c:707!
       RIP: 0010:f2fs_evict_inode+0x33f/0x3a0
       Call Trace:
        evict+0xba/0x180
        f2fs_iget+0x598/0xdf0
        f2fs_lookup+0x136/0x320
        __lookup_slow+0x92/0x140
        lookup_slow+0x30/0x50
        walk_component+0x1c1/0x350
        path_lookupat+0x62/0x200
        filename_lookup+0xb3/0x1a0
        do_readlinkat+0x56/0x110
        __x64_sys_readlink+0x16/0x20
        do_syscall_64+0x43/0xf0
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      During inode loading, __recover_inline_status() can recovery inode status
      and set inode dirty, once we failed in following process, it will fail
      the check in f2fs_evict_inode, result in trigger BUG_ON().
      
      Let's clear dirty inode in error path of f2fs_iget() to avoid panic.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      546d22f0
  11. 13 3月, 2019 1 次提交
    • C
      f2fs: fix to do sanity check with inode.i_inline_xattr_size · dd6c89b5
      Chao Yu 提交于
      As Paul Bandha reported in bugzilla:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=202709
      
      When I run the poc on the mounted f2fs img I get a buffer overflow in
      read_inline_xattr due to there being no sanity check on the value of
      i_inline_xattr_size.
      
      I created the img by just modifying the value of i_inline_xattr_size
      in the inode:
      
      i_name                        		[test1.txt]
      i_ext: fofs:0 blkaddr:0 len:0
      i_extra_isize                 		[0x      18 : 24]
      i_inline_xattr_size           		[0x    ffff : 65535]
      i_addr[ofs]                   		[0x       0 : 0]
      
      mkdir /mnt/f2fs
      mount ./f2fs1.img /mnt/f2fs
      gcc poc.c -o poc
      ./poc
      
      int main() {
      	int y = syscall(SYS_listxattr, "/mnt/f2fs/test1.txt", NULL, 0);
      	printf("ret %d", y);
      	printf("errno: %d\n", errno);
      
      }
      
       BUG: KASAN: slab-out-of-bounds in read_inline_xattr+0x18f/0x260
       Read of size 262140 at addr ffff88011035efd8 by task f2fs1poc/3263
      
       CPU: 0 PID: 3263 Comm: f2fs1poc Not tainted 4.18.0-custom #1
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
       Call Trace:
        dump_stack+0x71/0xab
        print_address_description+0x83/0x250
        kasan_report+0x213/0x350
        memcpy+0x1f/0x50
        read_inline_xattr+0x18f/0x260
        read_all_xattrs+0xba/0x190
        f2fs_listxattr+0x9d/0x3f0
        listxattr+0xb2/0xd0
        path_listxattr+0x93/0xe0
        do_syscall_64+0x9d/0x220
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Let's add sanity check for inode.i_inline_xattr_size during f2fs_iget()
      to avoid this issue.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      dd6c89b5
  12. 24 1月, 2019 1 次提交
  13. 27 12月, 2018 1 次提交
  14. 27 11月, 2018 1 次提交
  15. 23 10月, 2018 1 次提交
    • C
      f2fs: guarantee journalled quota data by checkpoint · af033b2a
      Chao Yu 提交于
      For journalled quota mode, let checkpoint to flush dquot dirty data
      and quota file data to guarntee persistence of all quota sysfile in
      last checkpoint, by this way, we can avoid corrupting quota sysfile
      when encountering SPO.
      
      The implementation is as below:
      
      1. add a global state SBI_QUOTA_NEED_FLUSH to indicate that there is
      cached dquot metadata changes in quota subsystem, and later checkpoint
      should:
       a) flush dquot metadata into quota file.
       b) flush quota file to storage to keep file usage be consistent.
      
      2. add a global state SBI_QUOTA_NEED_REPAIR to indicate that quota
      operation failed due to -EIO or -ENOSPC, so later,
       a) checkpoint will skip syncing dquot metadata.
       b) CP_QUOTA_NEED_FSCK_FLAG will be set in last cp pack to give a
          hint for fsck repairing.
      
      3. add a global state SBI_QUOTA_SKIP_FLUSH, in checkpoint, if quota
      data updating is very heavy, it may cause hungtask in block_operation().
      To avoid this, if our retry time exceed threshold, let's just skip
      flushing and retry in next checkpoint().
      Signed-off-by: NWeichao Guo <guoweichao@huawei.com>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      [Jaegeuk Kim: avoid warnings and set fsck flag]
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      af033b2a
  16. 17 10月, 2018 2 次提交
    • C
      f2fs: fix to recover cold bit of inode block during POR · ef2a0071
      Chao Yu 提交于
      Testcase to reproduce this bug:
      1. mkfs.f2fs /dev/sdd
      2. mount -t f2fs /dev/sdd /mnt/f2fs
      3. touch /mnt/f2fs/file
      4. sync
      5. chattr +A /mnt/f2fs/file
      6. xfs_io -f /mnt/f2fs/file -c "fsync"
      7. godown /mnt/f2fs
      8. umount /mnt/f2fs
      9. mount -t f2fs /dev/sdd /mnt/f2fs
      10. chattr -A /mnt/f2fs/file
      11. xfs_io -f /mnt/f2fs/file -c "fsync"
      12. umount /mnt/f2fs
      13. mount -t f2fs /dev/sdd /mnt/f2fs
      14. lsattr /mnt/f2fs/file
      
      -----------------N- /mnt/f2fs/file
      
      But actually, we expect the corrct result is:
      
      -------A---------N- /mnt/f2fs/file
      
      The reason is in step 9) we missed to recover cold bit flag in inode
      block, so later, in fsync, we will skip write inode block due to below
      condition check, result in lossing data in another SPOR.
      
      f2fs_fsync_node_pages()
      	if (!IS_DNODE(page) || !is_cold_node(page))
      		continue;
      
      Note that, I guess that some non-dir inode has already lost cold bit
      during POR, so in order to reenable recovery for those inode, let's
      try to recover cold bit in f2fs_iget() to save more fsynced data.
      
      Fixes: c5667575 ("f2fs: remove unneeded set_cold_node()")
      Cc: <stable@vger.kernel.org> 4.17+
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      ef2a0071
    • D
      f2fs: checkpoint disabling · 4354994f
      Daniel Rosenberg 提交于
      Note that, it requires "f2fs: return correct errno in f2fs_gc".
      
      This adds a lightweight non-persistent snapshotting scheme to f2fs.
      
      To use, mount with the option checkpoint=disable, and to return to
      normal operation, remount with checkpoint=enable. If the filesystem
      is shut down before remounting with checkpoint=enable, it will revert
      back to its apparent state when it was first mounted with
      checkpoint=disable. This is useful for situations where you wish to be
      able to roll back the state of the disk in case of some critical
      failure.
      Signed-off-by: NDaniel Rosenberg <drosen@google.com>
      [Jaegeuk Kim: use SB_RDONLY instead of MS_RDONLY]
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      4354994f
  17. 13 9月, 2018 1 次提交
  18. 15 8月, 2018 2 次提交
    • C
      f2fs: fix to skip verifying block address for non-regular inode · dda9f4b9
      Chao Yu 提交于
      generic/184 1s ... [failed, exit status 1]- output mismatch
          --- tests/generic/184.out	2015-01-11 16:52:27.643681072 +0800
           QA output created by 184 - silence is golden
          +rm: cannot remove '/mnt/f2fs/null': Bad address
          +mknod: '/mnt/f2fs/null': Bad address
          +chmod: cannot access '/mnt/f2fs/null': Bad address
          +./tests/generic/184: line 36: /mnt/f2fs/null: Bad address
          ...
      
      F2FS-fs (zram0): access invalid blkaddr:259
      EIP: f2fs_is_valid_blkaddr+0x14b/0x1b0 [f2fs]
       f2fs_iget+0x927/0x1010 [f2fs]
       f2fs_lookup+0x26e/0x630 [f2fs]
       __lookup_slow+0xb3/0x140
       lookup_slow+0x31/0x50
       walk_component+0x185/0x1f0
       path_lookupat+0x51/0x190
       filename_lookup+0x7f/0x140
       user_path_at_empty+0x36/0x40
       vfs_statx+0x61/0xc0
       __do_sys_stat64+0x29/0x40
       sys_stat64+0x13/0x20
       do_fast_syscall_32+0xaa/0x22c
       entry_SYSENTER_32+0x53/0x86
      
      In f2fs_iget(), we will check inode's first block address, if it is valid,
      we will set FI_FIRST_BLOCK_WRITTEN flag in inode.
      
      But we should only do this for regular inode, otherwise, like special
      inode, i_addr[0] is used for storing device info instead of block address,
      it will fail checking flow obviously.
      
      So for non-regular inode, let's skip verifying address and setting flag.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      dda9f4b9
    • A
      f2fs: rework fault injection handling to avoid a warning · 7fa750a1
      Arnd Bergmann 提交于
      When CONFIG_F2FS_FAULT_INJECTION is disabled, we get a warning about an
      unused label:
      
      fs/f2fs/segment.c: In function '__submit_discard_cmd':
      fs/f2fs/segment.c:1059:1: error: label 'submit' defined but not used [-Werror=unused-label]
      
      This could be fixed by adding another #ifdef around it, but the more
      reliable way of doing this seems to be to remove the other #ifdefs
      where that is easily possible.
      
      By defining time_to_inject() as a trivial stub, most of the checks for
      CONFIG_F2FS_FAULT_INJECTION can go away. This also leads to nicer
      formatting of the code.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      7fa750a1
  19. 14 8月, 2018 2 次提交
    • C
      f2fs: fix to do sanity check with block address in main area v2 · 91291e99
      Chao Yu 提交于
      This patch adds f2fs_is_valid_blkaddr() in below functions to do sanity
      check with block address to avoid pentential panic:
      - f2fs_grab_read_bio()
      - __written_first_block()
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200465
      
      - Reproduce
      
      - POC (poc.c)
          #define _GNU_SOURCE
          #include <sys/types.h>
          #include <sys/mount.h>
          #include <sys/mman.h>
          #include <sys/stat.h>
          #include <sys/xattr.h>
      
          #include <dirent.h>
          #include <errno.h>
          #include <error.h>
          #include <fcntl.h>
          #include <stdio.h>
          #include <stdlib.h>
          #include <string.h>
          #include <unistd.h>
      
          #include <linux/falloc.h>
          #include <linux/loop.h>
      
          static void activity(char *mpoint) {
      
            char *xattr;
            int err;
      
            err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
      
            char buf2[113];
            memset(buf2, 0, sizeof(buf2));
            listxattr(xattr, buf2, sizeof(buf2));
      
          }
      
          int main(int argc, char *argv[]) {
            activity(argv[1]);
            return 0;
          }
      
      - kernel message
      [  844.718738] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [  846.430929] F2FS-fs (loop0): access invalid blkaddr:1024
      [  846.431058] WARNING: CPU: 1 PID: 1249 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x10f/0x160
      [  846.431059] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.431310] CPU: 1 PID: 1249 Comm: a.out Not tainted 4.18.0-rc3+ #1
      [  846.431312] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.431315] RIP: 0010:f2fs_is_valid_blkaddr+0x10f/0x160
      [  846.431316] Code: 00 eb ed 31 c0 83 fa 05 75 ae 48 83 ec 08 48 8b 3f 89 f1 48 c7 c2 fc 0b 0f 8b 48 c7 c6 8b d7 09 8b 88 44 24 07 e8 61 8b ff ff <0f> 0b 0f b6 44 24 07 48 83 c4 08 eb 81 4c 8b 47 10 8b 8f 38 04 00
      [  846.431347] RSP: 0018:ffff961c414a7bc0 EFLAGS: 00010282
      [  846.431349] RAX: 0000000000000000 RBX: ffffc5f787b8ea80 RCX: 0000000000000000
      [  846.431350] RDX: 0000000000000000 RSI: ffff89dfffd165d8 RDI: ffff89dfffd165d8
      [  846.431351] RBP: ffff961c414a7c20 R08: 0000000000000001 R09: 0000000000000248
      [  846.431353] R10: 0000000000000000 R11: 0000000000000248 R12: 0000000000000007
      [  846.431369] R13: ffff89dff5492800 R14: ffff89dfae3aa000 R15: ffff89dff4ff88d0
      [  846.431372] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
      [  846.431373] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.431374] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
      [  846.431384] Call Trace:
      [  846.431426]  f2fs_iget+0x6f4/0xe70
      [  846.431430]  ? f2fs_find_entry+0x71/0x90
      [  846.431432]  f2fs_lookup+0x1aa/0x390
      [  846.431452]  __lookup_slow+0x97/0x150
      [  846.431459]  lookup_slow+0x35/0x50
      [  846.431462]  walk_component+0x1c6/0x470
      [  846.431479]  ? memcg_kmem_charge_memcg+0x70/0x90
      [  846.431488]  ? page_add_file_rmap+0x13/0x200
      [  846.431491]  path_lookupat+0x76/0x230
      [  846.431501]  ? __alloc_pages_nodemask+0xfc/0x280
      [  846.431504]  filename_lookup+0xb8/0x1a0
      [  846.431534]  ? _cond_resched+0x16/0x40
      [  846.431541]  ? kmem_cache_alloc+0x160/0x1d0
      [  846.431549]  ? path_listxattr+0x41/0xa0
      [  846.431551]  path_listxattr+0x41/0xa0
      [  846.431570]  do_syscall_64+0x55/0x100
      [  846.431583]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  846.431607] RIP: 0033:0x7f882de1c0d7
      [  846.431607] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [  846.431639] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
      [  846.431641] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
      [  846.431642] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
      [  846.431643] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
      [  846.431645] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
      [  846.431646] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
      [  846.431648] ---[ end trace abca54df39d14f5c ]---
      [  846.431651] F2FS-fs (loop0): invalid blkaddr: 1024, type: 5, run fsck to fix.
      [  846.431762] WARNING: CPU: 1 PID: 1249 at fs/f2fs/f2fs.h:2697 f2fs_iget+0xd17/0xe70
      [  846.431763] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.431797] CPU: 1 PID: 1249 Comm: a.out Tainted: G        W         4.18.0-rc3+ #1
      [  846.431798] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.431800] RIP: 0010:f2fs_iget+0xd17/0xe70
      [  846.431801] Code: ff ff 48 63 d8 e9 e1 f6 ff ff 48 8b 45 c8 41 b8 05 00 00 00 48 c7 c2 d8 e8 0e 8b 48 c7 c6 1d b0 0a 8b 48 8b 38 e8 f9 b4 00 00 <0f> 0b 48 8b 45 c8 f0 80 48 48 04 e9 d8 f9 ff ff 0f 0b 48 8b 43 18
      [  846.431832] RSP: 0018:ffff961c414a7bd0 EFLAGS: 00010282
      [  846.431834] RAX: 0000000000000000 RBX: ffffc5f787b8ea80 RCX: 0000000000000006
      [  846.431835] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff89dfffd165d0
      [  846.431836] RBP: ffff961c414a7c20 R08: 0000000000000000 R09: 0000000000000273
      [  846.431837] R10: 0000000000000000 R11: ffff89dfad50ca60 R12: 0000000000000007
      [  846.431838] R13: ffff89dff5492800 R14: ffff89dfae3aa000 R15: ffff89dff4ff88d0
      [  846.431840] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
      [  846.431841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.431842] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
      [  846.431846] Call Trace:
      [  846.431850]  ? f2fs_find_entry+0x71/0x90
      [  846.431853]  f2fs_lookup+0x1aa/0x390
      [  846.431856]  __lookup_slow+0x97/0x150
      [  846.431858]  lookup_slow+0x35/0x50
      [  846.431874]  walk_component+0x1c6/0x470
      [  846.431878]  ? memcg_kmem_charge_memcg+0x70/0x90
      [  846.431880]  ? page_add_file_rmap+0x13/0x200
      [  846.431882]  path_lookupat+0x76/0x230
      [  846.431884]  ? __alloc_pages_nodemask+0xfc/0x280
      [  846.431886]  filename_lookup+0xb8/0x1a0
      [  846.431890]  ? _cond_resched+0x16/0x40
      [  846.431891]  ? kmem_cache_alloc+0x160/0x1d0
      [  846.431894]  ? path_listxattr+0x41/0xa0
      [  846.431896]  path_listxattr+0x41/0xa0
      [  846.431898]  do_syscall_64+0x55/0x100
      [  846.431901]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  846.431902] RIP: 0033:0x7f882de1c0d7
      [  846.431903] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [  846.431934] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
      [  846.431936] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
      [  846.431937] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
      [  846.431939] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
      [  846.431940] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
      [  846.431941] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
      [  846.431943] ---[ end trace abca54df39d14f5d ]---
      [  846.432033] F2FS-fs (loop0): access invalid blkaddr:1024
      [  846.432051] WARNING: CPU: 1 PID: 1249 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x10f/0x160
      [  846.432051] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.432085] CPU: 1 PID: 1249 Comm: a.out Tainted: G        W         4.18.0-rc3+ #1
      [  846.432086] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.432089] RIP: 0010:f2fs_is_valid_blkaddr+0x10f/0x160
      [  846.432089] Code: 00 eb ed 31 c0 83 fa 05 75 ae 48 83 ec 08 48 8b 3f 89 f1 48 c7 c2 fc 0b 0f 8b 48 c7 c6 8b d7 09 8b 88 44 24 07 e8 61 8b ff ff <0f> 0b 0f b6 44 24 07 48 83 c4 08 eb 81 4c 8b 47 10 8b 8f 38 04 00
      [  846.432120] RSP: 0018:ffff961c414a7900 EFLAGS: 00010286
      [  846.432122] RAX: 0000000000000000 RBX: 0000000000000400 RCX: 0000000000000006
      [  846.432123] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff89dfffd165d0
      [  846.432124] RBP: ffff89dff5492800 R08: 0000000000000001 R09: 000000000000029d
      [  846.432125] R10: ffff961c414a7820 R11: 000000000000029d R12: 0000000000000400
      [  846.432126] R13: 0000000000000000 R14: ffff89dff4ff88d0 R15: 0000000000000000
      [  846.432128] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
      [  846.432130] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.432131] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
      [  846.432135] Call Trace:
      [  846.432151]  f2fs_wait_on_block_writeback+0x20/0x110
      [  846.432158]  f2fs_grab_read_bio+0xbc/0xe0
      [  846.432161]  f2fs_submit_page_read+0x21/0x280
      [  846.432163]  f2fs_get_read_data_page+0xb7/0x3c0
      [  846.432165]  f2fs_get_lock_data_page+0x29/0x1e0
      [  846.432167]  f2fs_get_new_data_page+0x148/0x550
      [  846.432170]  f2fs_add_regular_entry+0x1d2/0x550
      [  846.432178]  ? __switch_to+0x12f/0x460
      [  846.432181]  f2fs_add_dentry+0x6a/0xd0
      [  846.432184]  f2fs_do_add_link+0xe9/0x140
      [  846.432186]  __recover_dot_dentries+0x260/0x280
      [  846.432189]  f2fs_lookup+0x343/0x390
      [  846.432193]  __lookup_slow+0x97/0x150
      [  846.432195]  lookup_slow+0x35/0x50
      [  846.432208]  walk_component+0x1c6/0x470
      [  846.432212]  ? memcg_kmem_charge_memcg+0x70/0x90
      [  846.432215]  ? page_add_file_rmap+0x13/0x200
      [  846.432217]  path_lookupat+0x76/0x230
      [  846.432219]  ? __alloc_pages_nodemask+0xfc/0x280
      [  846.432221]  filename_lookup+0xb8/0x1a0
      [  846.432224]  ? _cond_resched+0x16/0x40
      [  846.432226]  ? kmem_cache_alloc+0x160/0x1d0
      [  846.432228]  ? path_listxattr+0x41/0xa0
      [  846.432230]  path_listxattr+0x41/0xa0
      [  846.432233]  do_syscall_64+0x55/0x100
      [  846.432235]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  846.432237] RIP: 0033:0x7f882de1c0d7
      [  846.432237] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [  846.432269] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
      [  846.432271] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
      [  846.432272] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
      [  846.432273] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
      [  846.432274] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
      [  846.432275] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
      [  846.432277] ---[ end trace abca54df39d14f5e ]---
      [  846.432279] F2FS-fs (loop0): invalid blkaddr: 1024, type: 5, run fsck to fix.
      [  846.432376] WARNING: CPU: 1 PID: 1249 at fs/f2fs/f2fs.h:2697 f2fs_wait_on_block_writeback+0xb1/0x110
      [  846.432376] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.432410] CPU: 1 PID: 1249 Comm: a.out Tainted: G        W         4.18.0-rc3+ #1
      [  846.432411] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.432413] RIP: 0010:f2fs_wait_on_block_writeback+0xb1/0x110
      [  846.432414] Code: 66 90 f0 ff 4b 34 74 59 5b 5d c3 48 8b 7d 00 41 b8 05 00 00 00 89 d9 48 c7 c2 d8 e8 0e 8b 48 c7 c6 1d b0 0a 8b e8 df bc fd ff <0f> 0b f0 80 4d 48 04 e9 67 ff ff ff 48 8b 03 48 c1 e8 37 83 e0 07
      [  846.432445] RSP: 0018:ffff961c414a7910 EFLAGS: 00010286
      [  846.432447] RAX: 0000000000000000 RBX: 0000000000000400 RCX: 0000000000000006
      [  846.432448] RDX: 0000000000000000 RSI: 0000000000000092 RDI: ffff89dfffd165d0
      [  846.432449] RBP: ffff89dff5492800 R08: 0000000000000000 R09: 00000000000002d1
      [  846.432450] R10: ffff961c414a7820 R11: ffff89dfad50cf80 R12: 0000000000000400
      [  846.432451] R13: 0000000000000000 R14: ffff89dff4ff88d0 R15: 0000000000000000
      [  846.432453] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
      [  846.432454] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.432455] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
      [  846.432459] Call Trace:
      [  846.432463]  f2fs_grab_read_bio+0xbc/0xe0
      [  846.432464]  f2fs_submit_page_read+0x21/0x280
      [  846.432466]  f2fs_get_read_data_page+0xb7/0x3c0
      [  846.432468]  f2fs_get_lock_data_page+0x29/0x1e0
      [  846.432470]  f2fs_get_new_data_page+0x148/0x550
      [  846.432473]  f2fs_add_regular_entry+0x1d2/0x550
      [  846.432475]  ? __switch_to+0x12f/0x460
      [  846.432477]  f2fs_add_dentry+0x6a/0xd0
      [  846.432480]  f2fs_do_add_link+0xe9/0x140
      [  846.432483]  __recover_dot_dentries+0x260/0x280
      [  846.432485]  f2fs_lookup+0x343/0x390
      [  846.432488]  __lookup_slow+0x97/0x150
      [  846.432490]  lookup_slow+0x35/0x50
      [  846.432505]  walk_component+0x1c6/0x470
      [  846.432509]  ? memcg_kmem_charge_memcg+0x70/0x90
      [  846.432511]  ? page_add_file_rmap+0x13/0x200
      [  846.432513]  path_lookupat+0x76/0x230
      [  846.432515]  ? __alloc_pages_nodemask+0xfc/0x280
      [  846.432517]  filename_lookup+0xb8/0x1a0
      [  846.432520]  ? _cond_resched+0x16/0x40
      [  846.432522]  ? kmem_cache_alloc+0x160/0x1d0
      [  846.432525]  ? path_listxattr+0x41/0xa0
      [  846.432526]  path_listxattr+0x41/0xa0
      [  846.432529]  do_syscall_64+0x55/0x100
      [  846.432531]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  846.432533] RIP: 0033:0x7f882de1c0d7
      [  846.432533] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [  846.432565] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
      [  846.432567] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
      [  846.432568] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
      [  846.432569] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
      [  846.432570] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
      [  846.432571] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
      [  846.432573] ---[ end trace abca54df39d14f5f ]---
      [  846.434280] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      [  846.434424] PGD 80000001ebd3a067 P4D 80000001ebd3a067 PUD 1eb1ae067 PMD 0
      [  846.434551] Oops: 0000 [#1] SMP PTI
      [  846.434697] CPU: 0 PID: 44 Comm: kworker/u5:0 Tainted: G        W         4.18.0-rc3+ #1
      [  846.434805] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.435000] Workqueue: fscrypt_read_queue decrypt_work
      [  846.435174] RIP: 0010:fscrypt_do_page_crypto+0x6e/0x2d0
      [  846.435351] Code: 00 65 48 8b 04 25 28 00 00 00 48 89 84 24 88 00 00 00 31 c0 e8 43 c2 e0 ff 49 8b 86 48 02 00 00 85 ed c7 44 24 70 00 00 00 00 <48> 8b 58 08 0f 84 14 02 00 00 48 8b 78 10 48 8b 0c 24 48 c7 84 24
      [  846.435696] RSP: 0018:ffff961c40f9bd60 EFLAGS: 00010206
      [  846.435870] RAX: 0000000000000000 RBX: ffffc5f787719b80 RCX: ffffc5f787719b80
      [  846.436051] RDX: ffffffff8b9f4b88 RSI: ffffffff8b0ae622 RDI: ffff961c40f9bdb8
      [  846.436261] RBP: 0000000000001000 R08: ffffc5f787719b80 R09: 0000000000001000
      [  846.436433] R10: 0000000000000018 R11: fefefefefefefeff R12: ffffc5f787719b80
      [  846.436562] R13: ffffc5f787719b80 R14: ffff89dff4ff88d0 R15: 0ffff89dfaddee60
      [  846.436658] FS:  0000000000000000(0000) GS:ffff89dfffc00000(0000) knlGS:0000000000000000
      [  846.436758] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.436898] CR2: 0000000000000008 CR3: 00000001eddd0000 CR4: 00000000000006f0
      [  846.437001] Call Trace:
      [  846.437181]  ? check_preempt_wakeup+0xf2/0x230
      [  846.437276]  ? check_preempt_curr+0x7c/0x90
      [  846.437370]  fscrypt_decrypt_page+0x48/0x4d
      [  846.437466]  __fscrypt_decrypt_bio+0x5b/0x90
      [  846.437542]  decrypt_work+0x12/0x20
      [  846.437651]  process_one_work+0x15e/0x3d0
      [  846.437740]  worker_thread+0x4c/0x440
      [  846.437848]  kthread+0xf8/0x130
      [  846.437938]  ? rescuer_thread+0x350/0x350
      [  846.438022]  ? kthread_associate_blkcg+0x90/0x90
      [  846.438117]  ret_from_fork+0x35/0x40
      [  846.438201] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.438653] CR2: 0000000000000008
      [  846.438713] ---[ end trace abca54df39d14f60 ]---
      [  846.438796] RIP: 0010:fscrypt_do_page_crypto+0x6e/0x2d0
      [  846.438844] Code: 00 65 48 8b 04 25 28 00 00 00 48 89 84 24 88 00 00 00 31 c0 e8 43 c2 e0 ff 49 8b 86 48 02 00 00 85 ed c7 44 24 70 00 00 00 00 <48> 8b 58 08 0f 84 14 02 00 00 48 8b 78 10 48 8b 0c 24 48 c7 84 24
      [  846.439084] RSP: 0018:ffff961c40f9bd60 EFLAGS: 00010206
      [  846.439176] RAX: 0000000000000000 RBX: ffffc5f787719b80 RCX: ffffc5f787719b80
      [  846.440927] RDX: ffffffff8b9f4b88 RSI: ffffffff8b0ae622 RDI: ffff961c40f9bdb8
      [  846.442083] RBP: 0000000000001000 R08: ffffc5f787719b80 R09: 0000000000001000
      [  846.443284] R10: 0000000000000018 R11: fefefefefefefeff R12: ffffc5f787719b80
      [  846.444448] R13: ffffc5f787719b80 R14: ffff89dff4ff88d0 R15: 0ffff89dfaddee60
      [  846.445558] FS:  0000000000000000(0000) GS:ffff89dfffc00000(0000) knlGS:0000000000000000
      [  846.446687] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.447796] CR2: 0000000000000008 CR3: 00000001eddd0000 CR4: 00000000000006f0
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc4/source/fs/crypto/crypto.c#L149
      	struct crypto_skcipher *tfm = ci->ci_ctfm;
      Here ci can be NULL
      
      Note that this issue maybe require CONFIG_F2FS_FS_ENCRYPTION=y to reproduce.
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      91291e99
    • C
      f2fs: fix to do sanity check with inline flags · bcbfbd60
      Chao Yu 提交于
      https://bugzilla.kernel.org/show_bug.cgi?id=200221
      
      - Overview
      BUG() in clear_inode() when mounting and un-mounting a corrupted f2fs image
      
      - Reproduce
      
      - Kernel message
      [  538.601448] F2FS-fs (loop0): Invalid segment/section count (31, 24 x 1376257)
      [  538.601458] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
      [  538.724091] F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
      [  538.724102] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [  540.970834] ------------[ cut here ]------------
      [  540.970838] kernel BUG at fs/inode.c:512!
      [  540.971750] invalid opcode: 0000 [#1] SMP KASAN PTI
      [  540.972755] CPU: 1 PID: 1305 Comm: umount Not tainted 4.18.0-rc1+ #4
      [  540.974034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  540.982913] RIP: 0010:clear_inode+0xc0/0xd0
      [  540.983774] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
      [  540.987570] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
      [  540.988636] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
      [  540.990063] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
      [  540.991499] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
      [  540.992923] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
      [  540.994360] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
      [  540.995786] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  540.997403] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  540.998571] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
      [  541.000015] Call Trace:
      [  541.000554]  f2fs_evict_inode+0x253/0x630
      [  541.001381]  evict+0x16f/0x290
      [  541.002015]  iput+0x280/0x300
      [  541.002654]  dentry_unlink_inode+0x165/0x1e0
      [  541.003528]  __dentry_kill+0x16a/0x260
      [  541.004300]  dentry_kill+0x70/0x250
      [  541.005018]  dput+0x154/0x1d0
      [  541.005635]  do_one_tree+0x34/0x40
      [  541.006354]  shrink_dcache_for_umount+0x3f/0xa0
      [  541.007285]  generic_shutdown_super+0x43/0x1c0
      [  541.008192]  kill_block_super+0x52/0x80
      [  541.008978]  kill_f2fs_super+0x62/0x70
      [  541.009750]  deactivate_locked_super+0x6f/0xa0
      [  541.010664]  deactivate_super+0x5e/0x80
      [  541.011450]  cleanup_mnt+0x61/0xa0
      [  541.012151]  __cleanup_mnt+0x12/0x20
      [  541.012893]  task_work_run+0xc8/0xf0
      [  541.013635]  exit_to_usermode_loop+0x125/0x130
      [  541.014555]  do_syscall_64+0x138/0x170
      [  541.015340]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  541.016375] RIP: 0033:0x7f46624bf487
      [  541.017104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
      [  541.020923] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  541.022452] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
      [  541.023885] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
      [  541.025318] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
      [  541.026755] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
      [  541.028186] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
      [  541.029626] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  541.039445] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  541.040392] RIP: 0010:clear_inode+0xc0/0xd0
      [  541.041240] Code: 8d a3 30 01 00 00 4c 89 e7 e8 1c ec f8 ff 48 8b 83 30 01 00 00 49 39 c4 75 1a 48 c7 83 a0 00 00 00 60 00 00 00 5b 41 5c 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 1f 40 00 66 66 66 66 90 55
      [  541.045042] RSP: 0018:ffff8801e34a7b70 EFLAGS: 00010002
      [  541.046099] RAX: 0000000000000000 RBX: ffff8801e9b744e8 RCX: ffffffffb840eb3a
      [  541.047537] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801e9b746b8
      [  541.048965] RBP: ffff8801e34a7b80 R08: ffffed003d36e8ce R09: ffffed003d36e8ce
      [  541.050402] R10: 0000000000000001 R11: ffffed003d36e8cd R12: ffff8801e9b74668
      [  541.051832] R13: ffff8801e9b74760 R14: ffff8801e9b74528 R15: ffff8801e9b74530
      [  541.053263] FS:  00007f4662bdf840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  541.054891] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  541.056039] CR2: 000000000175c568 CR3: 00000001dcfe6000 CR4: 00000000000006e0
      [  541.058506] ==================================================================
      [  541.059991] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
      [  541.061513] Read of size 8 at addr ffff8801e34a7970 by task umount/1305
      
      [  541.063302] CPU: 1 PID: 1305 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
      [  541.064838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  541.066778] Call Trace:
      [  541.067294]  dump_stack+0x7b/0xb5
      [  541.067986]  print_address_description+0x70/0x290
      [  541.068941]  kasan_report+0x291/0x390
      [  541.069692]  ? update_stack_state+0x38c/0x3e0
      [  541.070598]  __asan_load8+0x54/0x90
      [  541.071315]  update_stack_state+0x38c/0x3e0
      [  541.072172]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
      [  541.073340]  ? vprintk_func+0x27/0x60
      [  541.074096]  ? printk+0xa3/0xd3
      [  541.074762]  ? __save_stack_trace+0x5e/0x100
      [  541.075634]  unwind_next_frame.part.5+0x18e/0x490
      [  541.076594]  ? unwind_dump+0x290/0x290
      [  541.077368]  ? __show_regs+0x2c4/0x330
      [  541.078142]  __unwind_start+0x106/0x190
      [  541.085422]  __save_stack_trace+0x5e/0x100
      [  541.086268]  ? __save_stack_trace+0x5e/0x100
      [  541.087161]  ? unlink_anon_vmas+0xba/0x2c0
      [  541.087997]  save_stack_trace+0x1f/0x30
      [  541.088782]  save_stack+0x46/0xd0
      [  541.089475]  ? __alloc_pages_slowpath+0x1420/0x1420
      [  541.090477]  ? flush_tlb_mm_range+0x15e/0x220
      [  541.091364]  ? __dec_node_state+0x24/0xb0
      [  541.092180]  ? lock_page_memcg+0x85/0xf0
      [  541.092979]  ? unlock_page_memcg+0x16/0x80
      [  541.093812]  ? page_remove_rmap+0x198/0x520
      [  541.094674]  ? mark_page_accessed+0x133/0x200
      [  541.095559]  ? _cond_resched+0x1a/0x50
      [  541.096326]  ? unmap_page_range+0xcd4/0xe50
      [  541.097179]  ? rb_next+0x58/0x80
      [  541.097845]  ? rb_next+0x58/0x80
      [  541.098518]  __kasan_slab_free+0x13c/0x1a0
      [  541.099352]  ? unlink_anon_vmas+0xba/0x2c0
      [  541.100184]  kasan_slab_free+0xe/0x10
      [  541.100934]  kmem_cache_free+0x89/0x1e0
      [  541.101724]  unlink_anon_vmas+0xba/0x2c0
      [  541.102534]  free_pgtables+0x101/0x1b0
      [  541.103299]  exit_mmap+0x146/0x2a0
      [  541.103996]  ? __ia32_sys_munmap+0x50/0x50
      [  541.104829]  ? kasan_check_read+0x11/0x20
      [  541.105649]  ? mm_update_next_owner+0x322/0x380
      [  541.106578]  mmput+0x8b/0x1d0
      [  541.107191]  do_exit+0x43a/0x1390
      [  541.107876]  ? mm_update_next_owner+0x380/0x380
      [  541.108791]  ? deactivate_super+0x5e/0x80
      [  541.109610]  ? cleanup_mnt+0x61/0xa0
      [  541.110351]  ? __cleanup_mnt+0x12/0x20
      [  541.111115]  ? task_work_run+0xc8/0xf0
      [  541.111879]  ? exit_to_usermode_loop+0x125/0x130
      [  541.112817]  rewind_stack_do_exit+0x17/0x20
      [  541.113666] RIP: 0033:0x7f46624bf487
      [  541.114404] Code: Bad RIP value.
      [  541.115094] RSP: 002b:00007fff5e12e9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  541.116605] RAX: 0000000000000000 RBX: 0000000001753030 RCX: 00007f46624bf487
      [  541.118034] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000175a1e0
      [  541.119472] RBP: 000000000175a1e0 R08: 0000000000000000 R09: 0000000000000014
      [  541.120890] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f46629c883c
      [  541.122321] R13: 0000000000000000 R14: 0000000001753210 R15: 00007fff5e12ec30
      
      [  541.124061] The buggy address belongs to the page:
      [  541.125042] page:ffffea00078d29c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  541.126651] flags: 0x2ffff0000000000()
      [  541.127418] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
      [  541.128963] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  541.130516] page dumped because: kasan: bad access detected
      
      [  541.131954] Memory state around the buggy address:
      [  541.132924]  ffff8801e34a7800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
      [  541.134378]  ffff8801e34a7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  541.135814] >ffff8801e34a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
      [  541.137253]                                                              ^
      [  541.138637]  ffff8801e34a7980: f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  541.140075]  ffff8801e34a7a00: 00 00 00 00 00 00 00 00 f3 00 00 00 00 00 00 00
      [  541.141509] ==================================================================
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/inode.c#L512
      	BUG_ON(inode->i_data.nrpages);
      
      The root cause is root directory inode is corrupted, it has both
      inline_data and inline_dentry flag, and its nlink is zero, so in
      ->evict(), after dropping all page cache, it grabs page #0 for inline
      data truncation, result in panic in later clear_inode() where we will
      check inode->i_data.nrpages value.
      
      This patch adds inline flags check in sanity_check_inode, in addition,
      do sanity check with root inode's nlink.
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      bcbfbd60
  20. 02 8月, 2018 4 次提交
    • C
      f2fs: fix to propagate error from __get_meta_page() · 7735730d
      Chao Yu 提交于
      If caller of __get_meta_page() can handle error, let's propagate error
      from __get_meta_page().
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      7735730d
    • C
      f2fs: fix to do sanity check with i_extra_isize · 18dd6470
      Chao Yu 提交于
      If inode.i_extra_isize was fuzzed to an abnormal value, when
      calculating inline data size, the result will overflow, result
      in accessing invalid memory area when operating inline data.
      
      Let's do sanity check with i_extra_isize during inode loading
      for fixing.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200421
      
      - Reproduce
      
      - POC (poc.c)
          #define _GNU_SOURCE
          #include <sys/types.h>
          #include <sys/mount.h>
          #include <sys/mman.h>
          #include <sys/stat.h>
          #include <sys/xattr.h>
      
          #include <dirent.h>
          #include <errno.h>
          #include <error.h>
          #include <fcntl.h>
          #include <stdio.h>
          #include <stdlib.h>
          #include <string.h>
          #include <unistd.h>
      
          #include <linux/falloc.h>
          #include <linux/loop.h>
      
          static void activity(char *mpoint) {
      
            char *foo_bar_baz;
            char *foo_baz;
            char *xattr;
            int err;
      
            err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
            err = asprintf(&foo_baz, "%s/foo/baz", mpoint);
            err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
      
            rename(foo_bar_baz, foo_baz);
      
            char buf2[113];
            memset(buf2, 0, sizeof(buf2));
            listxattr(xattr, buf2, sizeof(buf2));
            removexattr(xattr, "user.mime_type");
      
          }
      
          int main(int argc, char *argv[]) {
            activity(argv[1]);
            return 0;
          }
      
      - Kernel message
      Umount the image will leave the following message
      [ 2910.995489] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [ 2918.416465] ==================================================================
      [ 2918.416807] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0xcb9/0x1a80
      [ 2918.417009] Read of size 4 at addr ffff88018efc2068 by task a.out/1229
      
      [ 2918.417311] CPU: 1 PID: 1229 Comm: a.out Not tainted 4.17.0+ #1
      [ 2918.417314] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 2918.417323] Call Trace:
      [ 2918.417366]  dump_stack+0x71/0xab
      [ 2918.417401]  print_address_description+0x6b/0x290
      [ 2918.417407]  kasan_report+0x28e/0x390
      [ 2918.417411]  ? f2fs_iget+0xcb9/0x1a80
      [ 2918.417415]  f2fs_iget+0xcb9/0x1a80
      [ 2918.417422]  ? f2fs_lookup+0x2e7/0x580
      [ 2918.417425]  f2fs_lookup+0x2e7/0x580
      [ 2918.417433]  ? __recover_dot_dentries+0x400/0x400
      [ 2918.417447]  ? legitimize_path.isra.29+0x5a/0xa0
      [ 2918.417453]  __lookup_slow+0x11c/0x220
      [ 2918.417457]  ? may_delete+0x2a0/0x2a0
      [ 2918.417475]  ? deref_stack_reg+0xe0/0xe0
      [ 2918.417479]  ? __lookup_hash+0xb0/0xb0
      [ 2918.417483]  lookup_slow+0x3e/0x60
      [ 2918.417488]  walk_component+0x3ac/0x990
      [ 2918.417492]  ? generic_permission+0x51/0x1e0
      [ 2918.417495]  ? inode_permission+0x51/0x1d0
      [ 2918.417499]  ? pick_link+0x3e0/0x3e0
      [ 2918.417502]  ? link_path_walk+0x4b1/0x770
      [ 2918.417513]  ? _raw_spin_lock_irqsave+0x25/0x50
      [ 2918.417518]  ? walk_component+0x990/0x990
      [ 2918.417522]  ? path_init+0x2e6/0x580
      [ 2918.417526]  path_lookupat+0x13f/0x430
      [ 2918.417531]  ? trailing_symlink+0x3a0/0x3a0
      [ 2918.417534]  ? do_renameat2+0x270/0x7b0
      [ 2918.417538]  ? __kasan_slab_free+0x14c/0x190
      [ 2918.417541]  ? do_renameat2+0x270/0x7b0
      [ 2918.417553]  ? kmem_cache_free+0x85/0x1e0
      [ 2918.417558]  ? do_renameat2+0x270/0x7b0
      [ 2918.417563]  filename_lookup+0x13c/0x280
      [ 2918.417567]  ? filename_parentat+0x2b0/0x2b0
      [ 2918.417572]  ? kasan_unpoison_shadow+0x31/0x40
      [ 2918.417575]  ? kasan_kmalloc+0xa6/0xd0
      [ 2918.417593]  ? strncpy_from_user+0xaa/0x1c0
      [ 2918.417598]  ? getname_flags+0x101/0x2b0
      [ 2918.417614]  ? path_listxattr+0x87/0x110
      [ 2918.417619]  path_listxattr+0x87/0x110
      [ 2918.417623]  ? listxattr+0xc0/0xc0
      [ 2918.417637]  ? mm_fault_error+0x1b0/0x1b0
      [ 2918.417654]  do_syscall_64+0x73/0x160
      [ 2918.417660]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 2918.417676] RIP: 0033:0x7f2f3a3480d7
      [ 2918.417677] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [ 2918.417732] RSP: 002b:00007fff4095b7d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000c2
      [ 2918.417744] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2f3a3480d7
      [ 2918.417746] RDX: 0000000000000071 RSI: 00007fff4095b810 RDI: 000000000126a0c0
      [ 2918.417749] RBP: 00007fff4095b890 R08: 000000000126a010 R09: 0000000000000000
      [ 2918.417751] R10: 00000000000001ab R11: 0000000000000206 R12: 00000000004005e0
      [ 2918.417753] R13: 00007fff4095b990 R14: 0000000000000000 R15: 0000000000000000
      
      [ 2918.417853] Allocated by task 329:
      [ 2918.418002]  kasan_kmalloc+0xa6/0xd0
      [ 2918.418007]  kmem_cache_alloc+0xc8/0x1e0
      [ 2918.418023]  mempool_init_node+0x194/0x230
      [ 2918.418027]  mempool_init+0x12/0x20
      [ 2918.418042]  bioset_init+0x2bd/0x380
      [ 2918.418052]  blk_alloc_queue_node+0xe9/0x540
      [ 2918.418075]  dm_create+0x2c0/0x800
      [ 2918.418080]  dev_create+0xd2/0x530
      [ 2918.418083]  ctl_ioctl+0x2a3/0x5b0
      [ 2918.418087]  dm_ctl_ioctl+0xa/0x10
      [ 2918.418092]  do_vfs_ioctl+0x13e/0x8c0
      [ 2918.418095]  ksys_ioctl+0x66/0x70
      [ 2918.418098]  __x64_sys_ioctl+0x3d/0x50
      [ 2918.418102]  do_syscall_64+0x73/0x160
      [ 2918.418106]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [ 2918.418204] Freed by task 0:
      [ 2918.418301] (stack is not available)
      
      [ 2918.418521] The buggy address belongs to the object at ffff88018efc0000
                      which belongs to the cache biovec-max of size 8192
      [ 2918.418894] The buggy address is located 104 bytes to the right of
                      8192-byte region [ffff88018efc0000, ffff88018efc2000)
      [ 2918.419257] The buggy address belongs to the page:
      [ 2918.419431] page:ffffea00063bf000 count:1 mapcount:0 mapping:ffff8801f2242540 index:0x0 compound_mapcount: 0
      [ 2918.419702] flags: 0x17fff8000008100(slab|head)
      [ 2918.419879] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f2242540
      [ 2918.420101] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000
      [ 2918.420322] page dumped because: kasan: bad access detected
      
      [ 2918.420599] Memory state around the buggy address:
      [ 2918.420764]  ffff88018efc1f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.420975]  ffff88018efc1f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.421194] >ffff88018efc2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 2918.421406]                                                           ^
      [ 2918.421627]  ffff88018efc2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [ 2918.421838]  ffff88018efc2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [ 2918.422046] ==================================================================
      [ 2918.422264] Disabling lock debugging due to kernel taint
      [ 2923.901641] BUG: unable to handle kernel paging request at ffff88018f0db000
      [ 2923.901884] PGD 22226a067 P4D 22226a067 PUD 222273067 PMD 18e642063 PTE 800000018f0db061
      [ 2923.902120] Oops: 0003 [#1] SMP KASAN PTI
      [ 2923.902274] CPU: 1 PID: 1231 Comm: umount Tainted: G    B             4.17.0+ #1
      [ 2923.902490] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [ 2923.902761] RIP: 0010:__memset+0x24/0x30
      [ 2923.902906] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
      [ 2923.903446] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206
      [ 2923.903622] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb
      [ 2923.903833] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc
      [ 2923.904062] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c
      [ 2923.904273] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000
      [ 2923.904485] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80
      [ 2923.904693] FS:  00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 2923.904937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2923.910080] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0
      [ 2923.914930] Call Trace:
      [ 2923.919724]  f2fs_truncate_inline_inode+0x114/0x170
      [ 2923.924487]  f2fs_truncate_blocks+0x11b/0x7c0
      [ 2923.929178]  ? f2fs_truncate_data_blocks+0x10/0x10
      [ 2923.933834]  ? dqget+0x670/0x670
      [ 2923.938437]  ? f2fs_destroy_extent_tree+0xd6/0x270
      [ 2923.943107]  ? __radix_tree_lookup+0x2f/0x150
      [ 2923.947772]  f2fs_truncate+0xd4/0x1a0
      [ 2923.952491]  f2fs_evict_inode+0x5ab/0x610
      [ 2923.957204]  evict+0x15f/0x280
      [ 2923.961898]  __dentry_kill+0x161/0x250
      [ 2923.966634]  shrink_dentry_list+0xf3/0x250
      [ 2923.971897]  shrink_dcache_parent+0xa9/0x100
      [ 2923.976561]  ? shrink_dcache_sb+0x1f0/0x1f0
      [ 2923.981177]  ? wait_for_completion+0x8a/0x210
      [ 2923.985781]  ? migrate_swap_stop+0x2d0/0x2d0
      [ 2923.990332]  do_one_tree+0xe/0x40
      [ 2923.994735]  shrink_dcache_for_umount+0x3a/0xa0
      [ 2923.999077]  generic_shutdown_super+0x3e/0x1c0
      [ 2924.003350]  kill_block_super+0x4b/0x70
      [ 2924.007619]  deactivate_locked_super+0x65/0x90
      [ 2924.011812]  cleanup_mnt+0x5c/0xa0
      [ 2924.015995]  task_work_run+0xce/0xf0
      [ 2924.020174]  exit_to_usermode_loop+0x115/0x120
      [ 2924.024293]  do_syscall_64+0x12f/0x160
      [ 2924.028479]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 2924.032709] RIP: 0033:0x7fa8b2868487
      [ 2924.036888] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
      [ 2924.045750] RSP: 002b:00007ffc39824d58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [ 2924.050190] RAX: 0000000000000000 RBX: 00000000008ea030 RCX: 00007fa8b2868487
      [ 2924.054604] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000008f4360
      [ 2924.058940] RBP: 00000000008f4360 R08: 0000000000000000 R09: 0000000000000014
      [ 2924.063186] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007fa8b2d7183c
      [ 2924.067418] R13: 0000000000000000 R14: 00000000008ea210 R15: 00007ffc39824fe0
      [ 2924.071534] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
      [ 2924.098044] CR2: ffff88018f0db000
      [ 2924.102520] ---[ end trace a8e0d899985faf31 ]---
      [ 2924.107012] RIP: 0010:__memset+0x24/0x30
      [ 2924.111448] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
      [ 2924.120724] RSP: 0018:ffff88018ddf7ae0 EFLAGS: 00010206
      [ 2924.125312] RAX: 0000000000000000 RBX: ffff8801d549d888 RCX: 1ffffffffffdaffb
      [ 2924.129931] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88018f0daffc
      [ 2924.134537] RBP: ffff88018efc206c R08: 1ffff10031df840d R09: ffff88018efc206c
      [ 2924.139175] R10: ffffffffffffe1ee R11: ffffed0031df65fa R12: 0000000000000000
      [ 2924.143825] R13: ffff8801d549dc98 R14: 00000000ffffc3db R15: ffffea00063bec80
      [ 2924.148500] FS:  00007fa8b2f8a840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
      [ 2924.153247] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2924.158003] CR2: ffff88018f0db000 CR3: 000000018f892000 CR4: 00000000000006e0
      [ 2924.164641] BUG: Bad rss-counter state mm:00000000fa04621e idx:0 val:4
      [ 2924.170007] BUG: Bad rss-counter
      tate mm:00000000fa04621e idx:1 val:2
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/f2fs/inline.c#L78
      	memset(addr + from, 0, MAX_INLINE_DATA(inode) - from);
      Here the length can be negative.
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      18dd6470
    • C
      f2fs: clean up with IS_INODE() · 4c6b56c0
      Chao Yu 提交于
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      4c6b56c0
    • C
      f2fs: fix to do sanity check with block address in main area · c9b60788
      Chao Yu 提交于
      This patch add to do sanity check with below field:
      - cp_pack_total_block_count
      - blkaddr of data/node
      - extent info
      
      - Overview
      BUG() in verify_block_addr() when writing to a corrupted f2fs image
      
      - Reproduce (4.18 upstream kernel)
      
      - POC (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
      
        int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
        if (fd >= 0) {
          write(fd, (char *)buf, sizeof(buf));
          fdatasync(fd);
          close(fd);
        }
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      - Kernel message
      [  689.349473] F2FS-fs (loop0): Mounted with checkpoint version = 3
      [  699.728662] WARNING: CPU: 0 PID: 1309 at fs/f2fs/segment.c:2860 f2fs_inplace_write_data+0x232/0x240
      [  699.728670] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  699.729056] CPU: 0 PID: 1309 Comm: a.out Not tainted 4.18.0-rc1+ #4
      [  699.729064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.729074] RIP: 0010:f2fs_inplace_write_data+0x232/0x240
      [  699.729076] Code: ff e9 cf fe ff ff 49 8d 7d 10 e8 39 45 ad ff 4d 8b 7d 10 be 04 00 00 00 49 8d 7f 48 e8 07 49 ad ff 45 8b 7f 48 e9 fb fe ff ff <0f> 0b f0 41 80 4d 48 04 e9 65 fe ff ff 90 66 66 66 66 90 55 48 8d
      [  699.729130] RSP: 0018:ffff8801f43af568 EFLAGS: 00010202
      [  699.729139] RAX: 000000000000003f RBX: ffff8801f43af7b8 RCX: ffffffffb88c9113
      [  699.729142] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8802024e5540
      [  699.729144] RBP: ffff8801f43af590 R08: 0000000000000009 R09: ffffffffffffffe8
      [  699.729147] R10: 0000000000000001 R11: ffffed0039b0596a R12: ffff8802024e5540
      [  699.729149] R13: ffff8801f0335500 R14: ffff8801e3e7a700 R15: ffff8801e1ee4450
      [  699.729154] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.729156] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.729159] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.729171] Call Trace:
      [  699.729192]  f2fs_do_write_data_page+0x2e2/0xe00
      [  699.729203]  ? f2fs_should_update_outplace+0xd0/0xd0
      [  699.729238]  ? memcg_drain_all_list_lrus+0x280/0x280
      [  699.729269]  ? __radix_tree_replace+0xa3/0x120
      [  699.729276]  __write_data_page+0x5c7/0xe30
      [  699.729291]  ? kasan_check_read+0x11/0x20
      [  699.729310]  ? page_mapped+0x8a/0x110
      [  699.729321]  ? page_mkclean+0xe9/0x160
      [  699.729327]  ? f2fs_do_write_data_page+0xe00/0xe00
      [  699.729331]  ? invalid_page_referenced_vma+0x130/0x130
      [  699.729345]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.729351]  f2fs_write_cache_pages+0x4ca/0x860
      [  699.729358]  ? __write_data_page+0xe30/0xe30
      [  699.729374]  ? percpu_counter_add_batch+0x22/0xa0
      [  699.729380]  ? kasan_check_write+0x14/0x20
      [  699.729391]  ? _raw_spin_lock+0x17/0x40
      [  699.729403]  ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30
      [  699.729413]  ? iov_iter_advance+0x113/0x640
      [  699.729418]  ? f2fs_write_end+0x133/0x2e0
      [  699.729423]  ? balance_dirty_pages_ratelimited+0x239/0x640
      [  699.729428]  f2fs_write_data_pages+0x329/0x520
      [  699.729433]  ? generic_perform_write+0x250/0x320
      [  699.729438]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.729454]  ? current_time+0x110/0x110
      [  699.729459]  ? f2fs_preallocate_blocks+0x1ef/0x370
      [  699.729464]  do_writepages+0x37/0xb0
      [  699.729468]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.729472]  ? do_writepages+0x37/0xb0
      [  699.729478]  __filemap_fdatawrite_range+0x19a/0x1f0
      [  699.729483]  ? delete_from_page_cache_batch+0x4e0/0x4e0
      [  699.729496]  ? __vfs_write+0x2b2/0x410
      [  699.729501]  file_write_and_wait_range+0x66/0xb0
      [  699.729506]  f2fs_do_sync_file+0x1f9/0xd90
      [  699.729511]  ? truncate_partial_data_page+0x290/0x290
      [  699.729521]  ? __sb_end_write+0x30/0x50
      [  699.729526]  ? vfs_write+0x20f/0x260
      [  699.729530]  f2fs_sync_file+0x9a/0xb0
      [  699.729534]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.729548]  vfs_fsync_range+0x68/0x100
      [  699.729554]  ? __fget_light+0xc9/0xe0
      [  699.729558]  do_fsync+0x3d/0x70
      [  699.729562]  __x64_sys_fdatasync+0x24/0x30
      [  699.729585]  do_syscall_64+0x78/0x170
      [  699.729595]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  699.729613] RIP: 0033:0x7f9bf930d800
      [  699.729615] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24
      [  699.729668] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.729673] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.729675] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.729678] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.729680] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.729683] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      [  699.729687] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  699.729782] ------------[ cut here ]------------
      [  699.729785] kernel BUG at fs/f2fs/segment.h:654!
      [  699.731055] invalid opcode: 0000 [#1] SMP KASAN PTI
      [  699.732104] CPU: 0 PID: 1309 Comm: a.out Tainted: G        W         4.18.0-rc1+ #4
      [  699.733684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.735611] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730
      [  699.736649] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0
      [  699.740524] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283
      [  699.741573] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef
      [  699.743006] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c
      [  699.744426] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55
      [  699.745833] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940
      [  699.747256] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001
      [  699.748683] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.750293] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.751462] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.752874] Call Trace:
      [  699.753386]  ? f2fs_inplace_write_data+0x93/0x240
      [  699.754341]  f2fs_inplace_write_data+0xd2/0x240
      [  699.755271]  f2fs_do_write_data_page+0x2e2/0xe00
      [  699.756214]  ? f2fs_should_update_outplace+0xd0/0xd0
      [  699.757215]  ? memcg_drain_all_list_lrus+0x280/0x280
      [  699.758209]  ? __radix_tree_replace+0xa3/0x120
      [  699.759164]  __write_data_page+0x5c7/0xe30
      [  699.760002]  ? kasan_check_read+0x11/0x20
      [  699.760823]  ? page_mapped+0x8a/0x110
      [  699.761573]  ? page_mkclean+0xe9/0x160
      [  699.762345]  ? f2fs_do_write_data_page+0xe00/0xe00
      [  699.763332]  ? invalid_page_referenced_vma+0x130/0x130
      [  699.764374]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.765347]  f2fs_write_cache_pages+0x4ca/0x860
      [  699.766276]  ? __write_data_page+0xe30/0xe30
      [  699.767161]  ? percpu_counter_add_batch+0x22/0xa0
      [  699.768112]  ? kasan_check_write+0x14/0x20
      [  699.768951]  ? _raw_spin_lock+0x17/0x40
      [  699.769739]  ? f2fs_mark_inode_dirty_sync.part.18+0x16/0x30
      [  699.770885]  ? iov_iter_advance+0x113/0x640
      [  699.771743]  ? f2fs_write_end+0x133/0x2e0
      [  699.772569]  ? balance_dirty_pages_ratelimited+0x239/0x640
      [  699.773680]  f2fs_write_data_pages+0x329/0x520
      [  699.774603]  ? generic_perform_write+0x250/0x320
      [  699.775544]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.776510]  ? current_time+0x110/0x110
      [  699.777299]  ? f2fs_preallocate_blocks+0x1ef/0x370
      [  699.778279]  do_writepages+0x37/0xb0
      [  699.779026]  ? f2fs_write_cache_pages+0x860/0x860
      [  699.779978]  ? do_writepages+0x37/0xb0
      [  699.780755]  __filemap_fdatawrite_range+0x19a/0x1f0
      [  699.781746]  ? delete_from_page_cache_batch+0x4e0/0x4e0
      [  699.782820]  ? __vfs_write+0x2b2/0x410
      [  699.783597]  file_write_and_wait_range+0x66/0xb0
      [  699.784540]  f2fs_do_sync_file+0x1f9/0xd90
      [  699.785381]  ? truncate_partial_data_page+0x290/0x290
      [  699.786415]  ? __sb_end_write+0x30/0x50
      [  699.787204]  ? vfs_write+0x20f/0x260
      [  699.787941]  f2fs_sync_file+0x9a/0xb0
      [  699.788694]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.789572]  vfs_fsync_range+0x68/0x100
      [  699.790360]  ? __fget_light+0xc9/0xe0
      [  699.791128]  do_fsync+0x3d/0x70
      [  699.791779]  __x64_sys_fdatasync+0x24/0x30
      [  699.792614]  do_syscall_64+0x78/0x170
      [  699.793371]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  699.794406] RIP: 0033:0x7f9bf930d800
      [  699.795134] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 49 bf 2c 00 00 75 10 b8 4b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be 78 01 00 48 89 04 24
      [  699.798960] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.800483] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.801923] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.803373] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.804798] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.806233] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      [  699.807667] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  699.817079] ---[ end trace 4ce02f25ff7d3df6 ]---
      [  699.818068] RIP: 0010:f2fs_submit_page_bio+0x29b/0x730
      [  699.819114] Code: 54 49 8d bd 18 04 00 00 e8 b2 59 af ff 41 8b 8d 18 04 00 00 8b 45 b8 41 d3 e6 44 01 f0 4c 8d 73 14 41 39 c7 0f 82 37 fe ff ff <0f> 0b 65 8b 05 2c 04 77 47 89 c0 48 0f a3 05 52 c1 d5 01 0f 92 c0
      [  699.822919] RSP: 0018:ffff8801f43af508 EFLAGS: 00010283
      [  699.823977] RAX: 0000000000000000 RBX: ffff8801f43af7b8 RCX: ffffffffb88a7cef
      [  699.825436] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801e3e7a64c
      [  699.826881] RBP: ffff8801f43af558 R08: ffffed003e066b55 R09: ffffed003e066b55
      [  699.828292] R10: 0000000000000001 R11: ffffed003e066b54 R12: ffffea0007876940
      [  699.829750] R13: ffff8801f0335500 R14: ffff8801e3e7a600 R15: 0000000000000001
      [  699.831192] FS:  00007f9bf97f5700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  699.832793] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  699.833981] CR2: 00007f9bf925d170 CR3: 00000001f0c34000 CR4: 00000000000006f0
      [  699.835556] ==================================================================
      [  699.837029] BUG: KASAN: stack-out-of-bounds in update_stack_state+0x38c/0x3e0
      [  699.838462] Read of size 8 at addr ffff8801f43af970 by task a.out/1309
      
      [  699.840086] CPU: 0 PID: 1309 Comm: a.out Tainted: G      D W         4.18.0-rc1+ #4
      [  699.841603] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  699.843475] Call Trace:
      [  699.843982]  dump_stack+0x7b/0xb5
      [  699.844661]  print_address_description+0x70/0x290
      [  699.845607]  kasan_report+0x291/0x390
      [  699.846351]  ? update_stack_state+0x38c/0x3e0
      [  699.853831]  __asan_load8+0x54/0x90
      [  699.854569]  update_stack_state+0x38c/0x3e0
      [  699.855428]  ? __read_once_size_nocheck.constprop.7+0x20/0x20
      [  699.856601]  ? __save_stack_trace+0x5e/0x100
      [  699.857476]  unwind_next_frame.part.5+0x18e/0x490
      [  699.858448]  ? unwind_dump+0x290/0x290
      [  699.859217]  ? clear_page_dirty_for_io+0x332/0x450
      [  699.860185]  __unwind_start+0x106/0x190
      [  699.860974]  __save_stack_trace+0x5e/0x100
      [  699.861808]  ? __save_stack_trace+0x5e/0x100
      [  699.862691]  ? unlink_anon_vmas+0xba/0x2c0
      [  699.863525]  save_stack_trace+0x1f/0x30
      [  699.864312]  save_stack+0x46/0xd0
      [  699.864993]  ? __alloc_pages_slowpath+0x1420/0x1420
      [  699.865990]  ? flush_tlb_mm_range+0x15e/0x220
      [  699.866889]  ? kasan_check_write+0x14/0x20
      [  699.867724]  ? __dec_node_state+0x92/0xb0
      [  699.868543]  ? lock_page_memcg+0x85/0xf0
      [  699.869350]  ? unlock_page_memcg+0x16/0x80
      [  699.870185]  ? page_remove_rmap+0x198/0x520
      [  699.871048]  ? mark_page_accessed+0x133/0x200
      [  699.871930]  ? _cond_resched+0x1a/0x50
      [  699.872700]  ? unmap_page_range+0xcd4/0xe50
      [  699.873551]  ? rb_next+0x58/0x80
      [  699.874217]  ? rb_next+0x58/0x80
      [  699.874895]  __kasan_slab_free+0x13c/0x1a0
      [  699.875734]  ? unlink_anon_vmas+0xba/0x2c0
      [  699.876563]  kasan_slab_free+0xe/0x10
      [  699.877315]  kmem_cache_free+0x89/0x1e0
      [  699.878095]  unlink_anon_vmas+0xba/0x2c0
      [  699.878913]  free_pgtables+0x101/0x1b0
      [  699.879677]  exit_mmap+0x146/0x2a0
      [  699.880378]  ? __ia32_sys_munmap+0x50/0x50
      [  699.881214]  ? kasan_check_read+0x11/0x20
      [  699.882052]  ? mm_update_next_owner+0x322/0x380
      [  699.882985]  mmput+0x8b/0x1d0
      [  699.883602]  do_exit+0x43a/0x1390
      [  699.884288]  ? mm_update_next_owner+0x380/0x380
      [  699.885212]  ? f2fs_sync_file+0x9a/0xb0
      [  699.885995]  ? f2fs_do_sync_file+0xd90/0xd90
      [  699.886877]  ? vfs_fsync_range+0x68/0x100
      [  699.887694]  ? __fget_light+0xc9/0xe0
      [  699.888442]  ? do_fsync+0x3d/0x70
      [  699.889118]  ? __x64_sys_fdatasync+0x24/0x30
      [  699.889996]  rewind_stack_do_exit+0x17/0x20
      [  699.890860] RIP: 0033:0x7f9bf930d800
      [  699.891585] Code: Bad RIP value.
      [  699.892268] RSP: 002b:00007ffee3606c68 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
      [  699.893781] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9bf930d800
      [  699.895220] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003
      [  699.896643] RBP: 00007ffee3606ca0 R08: 0000000001503010 R09: 0000000000000000
      [  699.898069] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400610
      [  699.899505] R13: 00007ffee3606da0 R14: 0000000000000000 R15: 0000000000000000
      
      [  699.901241] The buggy address belongs to the page:
      [  699.902215] page:ffffea0007d0ebc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  699.903811] flags: 0x2ffff0000000000()
      [  699.904585] raw: 02ffff0000000000 0000000000000000 ffffffff07d00101 0000000000000000
      [  699.906125] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000
      [  699.907673] page dumped because: kasan: bad access detected
      
      [  699.909108] Memory state around the buggy address:
      [  699.910077]  ffff8801f43af800: 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00 00
      [  699.911528]  ffff8801f43af880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  699.912953] >ffff8801f43af900: 00 00 00 00 00 00 00 00 f1 01 f4 f4 f4 f2 f2 f2
      [  699.914392]                                                              ^
      [  699.915758]  ffff8801f43af980: f2 00 f4 f4 00 00 00 00 f2 00 00 00 00 00 00 00
      [  699.917193]  ffff8801f43afa00: 00 00 00 00 00 00 00 00 00 f3 f3 f3 00 00 00 00
      [  699.918634] ==================================================================
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L644
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      c9b60788
  21. 29 7月, 2018 1 次提交
    • C
      f2fs: fix to do sanity check with node footer and iblocks · e34438c9
      Chao Yu 提交于
      This patch adds to do sanity check with below fields of inode to
      avoid reported panic.
      - node footer
      - iblocks
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200223
      
      - Overview
      BUG() triggered in f2fs_truncate_inode_blocks() when un-mounting a mounted f2fs image after writing to it
      
      - Reproduce
      
      - POC (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
      
        // open / write / read
        int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
        if (fd >= 0) {
          write(fd, (char *)buf, 517);
          write(fd, (char *)buf, sizeof(buf));
          close(fd);
        }
      
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      - Kernel meesage
      [  552.479723] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [  556.451891] ------------[ cut here ]------------
      [  556.451899] kernel BUG at fs/f2fs/node.c:987!
      [  556.452920] invalid opcode: 0000 [#1] SMP KASAN PTI
      [  556.453936] CPU: 1 PID: 1310 Comm: umount Not tainted 4.18.0-rc1+ #4
      [  556.455213] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  556.457140] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
      [  556.458280] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
      [  556.462015] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286
      [  556.463068] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc
      [  556.464479] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164
      [  556.465901] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d
      [  556.467311] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64
      [  556.468706] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801
      [  556.470117] FS:  00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  556.471702] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  556.472838] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0
      [  556.474265] Call Trace:
      [  556.474782]  ? f2fs_alloc_nid_failed+0xf0/0xf0
      [  556.475686]  ? truncate_nodes+0x980/0x980
      [  556.476516]  ? pagecache_get_page+0x21f/0x2f0
      [  556.477412]  ? __asan_loadN+0xf/0x20
      [  556.478153]  ? __get_node_page+0x331/0x5b0
      [  556.478992]  ? reweight_entity+0x1e6/0x3b0
      [  556.479826]  f2fs_truncate_blocks+0x55e/0x740
      [  556.480709]  ? f2fs_truncate_data_blocks+0x20/0x20
      [  556.481689]  ? __radix_tree_lookup+0x34/0x160
      [  556.482630]  ? radix_tree_lookup+0xd/0x10
      [  556.483445]  f2fs_truncate+0xd4/0x1a0
      [  556.484206]  f2fs_evict_inode+0x5ce/0x630
      [  556.485032]  evict+0x16f/0x290
      [  556.485664]  iput+0x280/0x300
      [  556.486300]  dentry_unlink_inode+0x165/0x1e0
      [  556.487169]  __dentry_kill+0x16a/0x260
      [  556.487936]  dentry_kill+0x70/0x250
      [  556.488651]  shrink_dentry_list+0x125/0x260
      [  556.489504]  shrink_dcache_parent+0xc1/0x110
      [  556.490379]  ? shrink_dcache_sb+0x200/0x200
      [  556.491231]  ? bit_wait_timeout+0xc0/0xc0
      [  556.492047]  do_one_tree+0x12/0x40
      [  556.492743]  shrink_dcache_for_umount+0x3f/0xa0
      [  556.493656]  generic_shutdown_super+0x43/0x1c0
      [  556.494561]  kill_block_super+0x52/0x80
      [  556.495341]  kill_f2fs_super+0x62/0x70
      [  556.496105]  deactivate_locked_super+0x6f/0xa0
      [  556.497004]  deactivate_super+0x5e/0x80
      [  556.497785]  cleanup_mnt+0x61/0xa0
      [  556.498492]  __cleanup_mnt+0x12/0x20
      [  556.499218]  task_work_run+0xc8/0xf0
      [  556.499949]  exit_to_usermode_loop+0x125/0x130
      [  556.500846]  do_syscall_64+0x138/0x170
      [  556.501609]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  556.502659] RIP: 0033:0x7f8028b77487
      [  556.503384] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
      [  556.507137] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  556.508637] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487
      [  556.510069] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0
      [  556.511481] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014
      [  556.512892] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c
      [  556.514320] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820
      [  556.515745] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  556.529276] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  556.530340] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
      [  556.531513] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
      [  556.535330] RSP: 0018:ffff8801f292f808 EFLAGS: 00010286
      [  556.536395] RAX: ffffed003e73242d RBX: ffff8801f292f958 RCX: ffffffffb88b81bc
      [  556.537824] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8801f3992164
      [  556.539290] RBP: ffff8801f292f980 R08: ffffed003e73242d R09: ffffed003e73242d
      [  556.540709] R10: 0000000000000001 R11: ffffed003e73242c R12: 00000000fffffc64
      [  556.542131] R13: ffff8801f3992000 R14: 0000000000000058 R15: 00000000ffff8801
      [  556.543579] FS:  00007f8029297840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
      [  556.545180] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  556.546338] CR2: 000055f5f57305d8 CR3: 00000001f18b0000 CR4: 00000000000006e0
      [  556.547809] ==================================================================
      [  556.549248] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x52/0x170
      [  556.550672] Write of size 8 at addr ffff8801f292fd10 by task umount/1310
      
      [  556.552338] CPU: 1 PID: 1310 Comm: umount Tainted: G      D           4.18.0-rc1+ #4
      [  556.553886] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  556.555756] Call Trace:
      [  556.556264]  dump_stack+0x7b/0xb5
      [  556.556944]  print_address_description+0x70/0x290
      [  556.557903]  kasan_report+0x291/0x390
      [  556.558649]  ? arch_tlb_gather_mmu+0x52/0x170
      [  556.559537]  __asan_store8+0x57/0x90
      [  556.560268]  arch_tlb_gather_mmu+0x52/0x170
      [  556.561110]  tlb_gather_mmu+0x12/0x40
      [  556.561862]  exit_mmap+0x123/0x2a0
      [  556.562555]  ? __ia32_sys_munmap+0x50/0x50
      [  556.563384]  ? exit_aio+0x98/0x230
      [  556.564079]  ? __x32_compat_sys_io_submit+0x260/0x260
      [  556.565099]  ? taskstats_exit+0x1f4/0x640
      [  556.565925]  ? kasan_check_read+0x11/0x20
      [  556.566739]  ? mm_update_next_owner+0x322/0x380
      [  556.567652]  mmput+0x8b/0x1d0
      [  556.568260]  do_exit+0x43a/0x1390
      [  556.568937]  ? mm_update_next_owner+0x380/0x380
      [  556.569855]  ? deactivate_super+0x5e/0x80
      [  556.570668]  ? cleanup_mnt+0x61/0xa0
      [  556.571395]  ? __cleanup_mnt+0x12/0x20
      [  556.572156]  ? task_work_run+0xc8/0xf0
      [  556.572917]  ? exit_to_usermode_loop+0x125/0x130
      [  556.573861]  rewind_stack_do_exit+0x17/0x20
      [  556.574707] RIP: 0033:0x7f8028b77487
      [  556.575428] Code: Bad RIP value.
      [  556.576106] RSP: 002b:00007fff9f2e3598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
      [  556.577599] RAX: 0000000000000000 RBX: 0000000000ebd030 RCX: 00007f8028b77487
      [  556.579020] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000ec41e0
      [  556.580422] RBP: 0000000000ec41e0 R08: 0000000000000000 R09: 0000000000000014
      [  556.581833] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f802908083c
      [  556.583252] R13: 0000000000000000 R14: 0000000000ebd210 R15: 00007fff9f2e3820
      
      [  556.584983] The buggy address belongs to the page:
      [  556.585961] page:ffffea0007ca4bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      [  556.587540] flags: 0x2ffff0000000000()
      [  556.588296] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
      [  556.589822] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [  556.591359] page dumped because: kasan: bad access detected
      
      [  556.592786] Memory state around the buggy address:
      [  556.593753]  ffff8801f292fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  556.595191]  ffff8801f292fc80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
      [  556.596613] >ffff8801f292fd00: 00 00 f3 00 00 00 00 f3 f3 00 00 00 00 f4 f4 f4
      [  556.598044]                          ^
      [  556.598797]  ffff8801f292fd80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      [  556.600225]  ffff8801f292fe00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4
      [  556.601647] ==================================================================
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/node.c#L987
      		case NODE_DIND_BLOCK:
      			err = truncate_nodes(&dn, nofs, offset[1], 3);
      			cont = 0;
      			break;
      
      		default:
      			BUG(); <---
      		}
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      e34438c9
  22. 27 7月, 2018 5 次提交
    • C
      f2fs: fix to do sanity check with extra_attr feature · 76d56d4a
      Chao Yu 提交于
      If FI_EXTRA_ATTR is set in inode by fuzzing, inode.i_addr[0] will be
      parsed as inode.i_extra_isize, then in __recover_inline_status, inline
      data address will beyond boundary of page, result in accessing invalid
      memory.
      
      So in this condition, during reading inode page, let's do sanity check
      with EXTRA_ATTR feature of fs and extra_attr bit of inode, if they're
      inconsistent, deny to load this inode.
      
      - Overview
      Out-of-bound access in f2fs_iget() when mounting a corrupted f2fs image
      
      - Reproduce
      
      The following message will be got in KASAN build of 4.18 upstream kernel.
      [  819.392227] ==================================================================
      [  819.393901] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x736/0x1530
      [  819.395329] Read of size 4 at addr ffff8801f099c968 by task mount/1292
      
      [  819.397079] CPU: 1 PID: 1292 Comm: mount Not tainted 4.18.0-rc1+ #4
      [  819.397082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  819.397088] Call Trace:
      [  819.397124]  dump_stack+0x7b/0xb5
      [  819.397154]  print_address_description+0x70/0x290
      [  819.397159]  kasan_report+0x291/0x390
      [  819.397163]  ? f2fs_iget+0x736/0x1530
      [  819.397176]  check_memory_region+0x139/0x190
      [  819.397182]  __asan_loadN+0xf/0x20
      [  819.397185]  f2fs_iget+0x736/0x1530
      [  819.397197]  f2fs_fill_super+0x1b4f/0x2b40
      [  819.397202]  ? f2fs_fill_super+0x1b4f/0x2b40
      [  819.397208]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397227]  ? set_blocksize+0x90/0x140
      [  819.397241]  mount_bdev+0x1c5/0x210
      [  819.397245]  ? f2fs_commit_super+0x1b0/0x1b0
      [  819.397252]  f2fs_mount+0x15/0x20
      [  819.397256]  mount_fs+0x60/0x1a0
      [  819.397267]  ? alloc_vfsmnt+0x309/0x360
      [  819.397272]  vfs_kern_mount+0x6b/0x1a0
      [  819.397282]  do_mount+0x34a/0x18c0
      [  819.397300]  ? lockref_put_or_lock+0xcf/0x160
      [  819.397306]  ? copy_mount_string+0x20/0x20
      [  819.397318]  ? memcg_kmem_put_cache+0x1b/0xa0
      [  819.397324]  ? kasan_check_write+0x14/0x20
      [  819.397334]  ? _copy_from_user+0x6a/0x90
      [  819.397353]  ? memdup_user+0x42/0x60
      [  819.397359]  ksys_mount+0x83/0xd0
      [  819.397365]  __x64_sys_mount+0x67/0x80
      [  819.397388]  do_syscall_64+0x78/0x170
      [  819.397403]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  819.397422] RIP: 0033:0x7f54c667cb9a
      [  819.397424] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
      [  819.397483] RSP: 002b:00007ffd8f46cd08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
      [  819.397496] RAX: ffffffffffffffda RBX: 0000000000dfa030 RCX: 00007f54c667cb9a
      [  819.397498] RDX: 0000000000dfa210 RSI: 0000000000dfbf30 RDI: 0000000000e02ec0
      [  819.397501] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
      [  819.397503] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000e02ec0
      [  819.397505] R13: 0000000000dfa210 R14: 0000000000000000 R15: 0000000000000003
      
      [  819.397866] Allocated by task 139:
      [  819.398702]  save_stack+0x46/0xd0
      [  819.398705]  kasan_kmalloc+0xad/0xe0
      [  819.398709]  kasan_slab_alloc+0x11/0x20
      [  819.398713]  kmem_cache_alloc+0xd1/0x1e0
      [  819.398717]  dup_fd+0x50/0x4c0
      [  819.398740]  copy_process.part.37+0xbed/0x32e0
      [  819.398744]  _do_fork+0x16e/0x590
      [  819.398748]  __x64_sys_clone+0x69/0x80
      [  819.398752]  do_syscall_64+0x78/0x170
      [  819.398756]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.399097] Freed by task 159:
      [  819.399743]  save_stack+0x46/0xd0
      [  819.399747]  __kasan_slab_free+0x13c/0x1a0
      [  819.399750]  kasan_slab_free+0xe/0x10
      [  819.399754]  kmem_cache_free+0x89/0x1e0
      [  819.399757]  put_files_struct+0x132/0x150
      [  819.399761]  exit_files+0x62/0x70
      [  819.399766]  do_exit+0x47b/0x1390
      [  819.399770]  do_group_exit+0x86/0x130
      [  819.399774]  __x64_sys_exit_group+0x2c/0x30
      [  819.399778]  do_syscall_64+0x78/0x170
      [  819.399782]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  819.400115] The buggy address belongs to the object at ffff8801f099c680
                      which belongs to the cache files_cache of size 704
      [  819.403234] The buggy address is located 40 bytes to the right of
                      704-byte region [ffff8801f099c680, ffff8801f099c940)
      [  819.405689] The buggy address belongs to the page:
      [  819.406709] page:ffffea0007c26700 count:1 mapcount:0 mapping:ffff8801f69a3340 index:0xffff8801f099d380 compound_mapcount: 0
      [  819.408984] flags: 0x2ffff0000008100(slab|head)
      [  819.409932] raw: 02ffff0000008100 ffffea00077fb600 0000000200000002 ffff8801f69a3340
      [  819.411514] raw: ffff8801f099d380 0000000080130000 00000001ffffffff 0000000000000000
      [  819.413073] page dumped because: kasan: bad access detected
      
      [  819.414539] Memory state around the buggy address:
      [  819.415521]  ffff8801f099c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.416981]  ffff8801f099c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.418454] >ffff8801f099c900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
      [  819.419921]                                                           ^
      [  819.421265]  ffff8801f099c980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
      [  819.422745]  ffff8801f099ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  819.424206] ==================================================================
      [  819.425668] Disabling lock debugging due to kernel taint
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      
      The kernel still mounts the image. If you run the following program on the mounted folder mnt,
      
      (poc.c)
      
      static void activity(char *mpoint) {
      
        char *foo_bar_baz;
        int err;
      
        static int buf[8192];
        memset(buf, 0, sizeof(buf));
      
        err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
          int fd = open(foo_bar_baz, O_RDONLY, 0);
        if (fd >= 0) {
            read(fd, (char *)buf, 11);
            close(fd);
        }
      }
      
      int main(int argc, char *argv[]) {
        activity(argv[1]);
        return 0;
      }
      
      You can get kernel crash:
      [  819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
      [  918.028501] BUG: unable to handle kernel paging request at ffffed0048000d82
      [  918.044020] PGD 23ffee067 P4D 23ffee067 PUD 23fbef067 PMD 0
      [  918.045207] Oops: 0000 [#1] SMP KASAN PTI
      [  918.046048] CPU: 0 PID: 1309 Comm: poc Tainted: G    B             4.18.0-rc1+ #4
      [  918.047573] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  918.049552] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.050565] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.054322] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.055400] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.056832] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.058253] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.059717] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.061159] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.062614] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.064246] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.065412] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      [  918.066882] Call Trace:
      [  918.067410]  __asan_loadN+0xf/0x20
      [  918.068149]  f2fs_find_target_dentry+0xf4/0x270
      [  918.069083]  ? __get_node_page+0x331/0x5b0
      [  918.069925]  f2fs_find_in_inline_dir+0x24b/0x310
      [  918.070881]  ? f2fs_recover_inline_data+0x4c0/0x4c0
      [  918.071905]  ? unwind_next_frame.part.5+0x34f/0x490
      [  918.072901]  ? unwind_dump+0x290/0x290
      [  918.073695]  ? is_bpf_text_address+0xe/0x20
      [  918.074566]  __f2fs_find_entry+0x599/0x670
      [  918.075408]  ? kasan_unpoison_shadow+0x36/0x50
      [  918.076315]  ? kasan_kmalloc+0xad/0xe0
      [  918.077100]  ? memcg_kmem_put_cache+0x55/0xa0
      [  918.077998]  ? f2fs_find_target_dentry+0x270/0x270
      [  918.079006]  ? d_set_d_op+0x30/0x100
      [  918.079749]  ? __d_lookup_rcu+0x69/0x2e0
      [  918.080556]  ? __d_alloc+0x275/0x450
      [  918.081297]  ? kasan_check_write+0x14/0x20
      [  918.082135]  ? memset+0x31/0x40
      [  918.082820]  ? fscrypt_setup_filename+0x1ec/0x4c0
      [  918.083782]  ? d_alloc_parallel+0x5bb/0x8c0
      [  918.084640]  f2fs_find_entry+0xe9/0x110
      [  918.085432]  ? __f2fs_find_entry+0x670/0x670
      [  918.086308]  ? kasan_check_write+0x14/0x20
      [  918.087163]  f2fs_lookup+0x297/0x590
      [  918.087902]  ? f2fs_link+0x2b0/0x2b0
      [  918.088646]  ? legitimize_path.isra.29+0x61/0xa0
      [  918.089589]  __lookup_slow+0x12e/0x240
      [  918.090371]  ? may_delete+0x2b0/0x2b0
      [  918.091123]  ? __nd_alloc_stack+0xa0/0xa0
      [  918.091944]  lookup_slow+0x44/0x60
      [  918.092642]  walk_component+0x3ee/0xa40
      [  918.093428]  ? is_bpf_text_address+0xe/0x20
      [  918.094283]  ? pick_link+0x3e0/0x3e0
      [  918.095047]  ? in_group_p+0xa5/0xe0
      [  918.095771]  ? generic_permission+0x53/0x1e0
      [  918.096666]  ? security_inode_permission+0x1d/0x70
      [  918.097646]  ? inode_permission+0x7a/0x1f0
      [  918.098497]  link_path_walk+0x2a2/0x7b0
      [  918.099298]  ? apparmor_capget+0x3d0/0x3d0
      [  918.100140]  ? walk_component+0xa40/0xa40
      [  918.100958]  ? path_init+0x2e6/0x580
      [  918.101695]  path_openat+0x1bb/0x2160
      [  918.102471]  ? __save_stack_trace+0x92/0x100
      [  918.103352]  ? save_stack+0xb5/0xd0
      [  918.104070]  ? vfs_unlink+0x250/0x250
      [  918.104822]  ? save_stack+0x46/0xd0
      [  918.105538]  ? kasan_slab_alloc+0x11/0x20
      [  918.106370]  ? kmem_cache_alloc+0xd1/0x1e0
      [  918.107213]  ? getname_flags+0x76/0x2c0
      [  918.107997]  ? getname+0x12/0x20
      [  918.108677]  ? do_sys_open+0x14b/0x2c0
      [  918.109450]  ? __x64_sys_open+0x4c/0x60
      [  918.110255]  ? do_syscall_64+0x78/0x170
      [  918.111083]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.112148]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.113204]  ? f2fs_empty_inline_dir+0x1e0/0x1e0
      [  918.114150]  ? timespec64_trunc+0x5c/0x90
      [  918.114993]  ? wb_io_lists_depopulated+0x1a/0xc0
      [  918.115937]  ? inode_io_list_move_locked+0x102/0x110
      [  918.116949]  do_filp_open+0x12b/0x1d0
      [  918.117709]  ? may_open_dev+0x50/0x50
      [  918.118475]  ? kasan_kmalloc+0xad/0xe0
      [  918.119246]  do_sys_open+0x17c/0x2c0
      [  918.119983]  ? do_sys_open+0x17c/0x2c0
      [  918.120751]  ? filp_open+0x60/0x60
      [  918.121463]  ? task_work_run+0x4d/0xf0
      [  918.122237]  __x64_sys_open+0x4c/0x60
      [  918.123001]  do_syscall_64+0x78/0x170
      [  918.123759]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  918.124802] RIP: 0033:0x7fac96e3e040
      [  918.125537] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24
      [  918.129341] RSP: 002b:00007fff1b37f848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
      [  918.130870] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fac96e3e040
      [  918.132295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000122d080
      [  918.133748] RBP: 00007fff1b37f9b0 R08: 00007fac9710bbd8 R09: 0000000000000001
      [  918.135209] R10: 000000000000069d R11: 0000000000000246 R12: 0000000000400c20
      [  918.136650] R13: 00007fff1b37fab0 R14: 0000000000000000 R15: 0000000000000000
      [  918.138093] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
      [  918.147924] CR2: ffffed0048000d82
      [  918.148619] ---[ end trace 4ce02f25ff7d3df5 ]---
      [  918.149563] RIP: 0010:check_memory_region+0x5e/0x190
      [  918.150576] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
      [  918.154360] RSP: 0018:ffff8801e3a1f258 EFLAGS: 00010202
      [  918.155411] RAX: ffffed0048000d82 RBX: ffff880240006c11 RCX: ffffffffb8867d14
      [  918.156833] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff880240006c10
      [  918.158257] RBP: ffff8801e3a1f268 R08: 1ffff10048000d82 R09: ffffed0048000d82
      [  918.159722] R10: 0000000000000001 R11: ffffed0048000d82 R12: ffffed0048000d83
      [  918.161149] R13: ffff8801e3a1f390 R14: 0000000000000000 R15: ffff880240006c08
      [  918.162587] FS:  00007fac9732c700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
      [  918.164203] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  918.165356] CR2: ffffed0048000d82 CR3: 00000001df77a000 CR4: 00000000000006f0
      Reported-by: NWen Xu <wen.xu@gatech.edu>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      76d56d4a
    • C
      f2fs: introduce and spread verify_blkaddr · e1da7872
      Chao Yu 提交于
      This patch introduces verify_blkaddr to check meta/data block address
      with valid range to detect bug earlier.
      
      In addition, once we encounter an invalid blkaddr, notice user to run
      fsck to fix, and let the kernel panic.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      e1da7872
    • A
      f2fs: use timespec64 for inode timestamps · 24b81dfc
      Arnd Bergmann 提交于
      The on-disk representation and the vfs both use 64-bit tv_sec values,
      so let's change the last missing piece in the middle.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      24b81dfc
    • W
      f2fs: support in-memory inode checksum when checking consistency · 54c55c4e
      Weichao Guo 提交于
      Enable in-memory inode checksum to protect metadata blocks from
      in-memory scribbles when checking consistency, which has no
      performance requirements.
      Signed-off-by: NWeichao Guo <guoweichao@huawei.com>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      54c55c4e
    • J
      f2fs: indicate shutdown f2fs to allow unmount successfully · 83a3bfdb
      Jaegeuk Kim 提交于
      Once we shutdown f2fs, we have to flush stale pages in order to unmount
      the system. In order to make stable, we need to stop fault injection as well.
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      83a3bfdb
  23. 06 6月, 2018 1 次提交
    • D
      vfs: change inode times to use struct timespec64 · 95582b00
      Deepa Dinamani 提交于
      struct timespec is not y2038 safe. Transition vfs to use
      y2038 safe struct timespec64 instead.
      
      The change was made with the help of the following cocinelle
      script. This catches about 80% of the changes.
      All the header file and logic changes are included in the
      first 5 rules. The rest are trivial substitutions.
      I avoid changing any of the function signatures or any other
      filesystem specific data structures to keep the patch simple
      for review.
      
      The script can be a little shorter by combining different cases.
      But, this version was sufficient for my usecase.
      
      virtual patch
      
      @ depends on patch @
      identifier now;
      @@
      - struct timespec
      + struct timespec64
        current_time ( ... )
        {
      - struct timespec now = current_kernel_time();
      + struct timespec64 now = current_kernel_time64();
        ...
      - return timespec_trunc(
      + return timespec64_trunc(
        ... );
        }
      
      @ depends on patch @
      identifier xtime;
      @@
       struct \( iattr \| inode \| kstat \) {
       ...
      -       struct timespec xtime;
      +       struct timespec64 xtime;
       ...
       }
      
      @ depends on patch @
      identifier t;
      @@
       struct inode_operations {
       ...
      int (*update_time) (...,
      -       struct timespec t,
      +       struct timespec64 t,
      ...);
       ...
       }
      
      @ depends on patch @
      identifier t;
      identifier fn_update_time =~ "update_time$";
      @@
       fn_update_time (...,
      - struct timespec *t,
      + struct timespec64 *t,
       ...) { ... }
      
      @ depends on patch @
      identifier t;
      @@
      lease_get_mtime( ... ,
      - struct timespec *t
      + struct timespec64 *t
        ) { ... }
      
      @te depends on patch forall@
      identifier ts;
      local idexpression struct inode *inode_node;
      identifier i_xtime =~ "^i_[acm]time$";
      identifier ia_xtime =~ "^ia_[acm]time$";
      identifier fn_update_time =~ "update_time$";
      identifier fn;
      expression e, E3;
      local idexpression struct inode *node1;
      local idexpression struct inode *node2;
      local idexpression struct iattr *attr1;
      local idexpression struct iattr *attr2;
      local idexpression struct iattr attr;
      identifier i_xtime1 =~ "^i_[acm]time$";
      identifier i_xtime2 =~ "^i_[acm]time$";
      identifier ia_xtime1 =~ "^ia_[acm]time$";
      identifier ia_xtime2 =~ "^ia_[acm]time$";
      @@
      (
      (
      - struct timespec ts;
      + struct timespec64 ts;
      |
      - struct timespec ts = current_time(inode_node);
      + struct timespec64 ts = current_time(inode_node);
      )
      
      <+... when != ts
      (
      - timespec_equal(&inode_node->i_xtime, &ts)
      + timespec64_equal(&inode_node->i_xtime, &ts)
      |
      - timespec_equal(&ts, &inode_node->i_xtime)
      + timespec64_equal(&ts, &inode_node->i_xtime)
      |
      - timespec_compare(&inode_node->i_xtime, &ts)
      + timespec64_compare(&inode_node->i_xtime, &ts)
      |
      - timespec_compare(&ts, &inode_node->i_xtime)
      + timespec64_compare(&ts, &inode_node->i_xtime)
      |
      ts = current_time(e)
      |
      fn_update_time(..., &ts,...)
      |
      inode_node->i_xtime = ts
      |
      node1->i_xtime = ts
      |
      ts = inode_node->i_xtime
      |
      <+... attr1->ia_xtime ...+> = ts
      |
      ts = attr1->ia_xtime
      |
      ts.tv_sec
      |
      ts.tv_nsec
      |
      btrfs_set_stack_timespec_sec(..., ts.tv_sec)
      |
      btrfs_set_stack_timespec_nsec(..., ts.tv_nsec)
      |
      - ts = timespec64_to_timespec(
      + ts =
      ...
      -)
      |
      - ts = ktime_to_timespec(
      + ts = ktime_to_timespec64(
      ...)
      |
      - ts = E3
      + ts = timespec_to_timespec64(E3)
      |
      - ktime_get_real_ts(&ts)
      + ktime_get_real_ts64(&ts)
      |
      fn(...,
      - ts
      + timespec64_to_timespec(ts)
      ,...)
      )
      ...+>
      (
      <... when != ts
      - return ts;
      + return timespec64_to_timespec(ts);
      ...>
      )
      |
      - timespec_equal(&node1->i_xtime1, &node2->i_xtime2)
      + timespec64_equal(&node1->i_xtime2, &node2->i_xtime2)
      |
      - timespec_equal(&node1->i_xtime1, &attr2->ia_xtime2)
      + timespec64_equal(&node1->i_xtime2, &attr2->ia_xtime2)
      |
      - timespec_compare(&node1->i_xtime1, &node2->i_xtime2)
      + timespec64_compare(&node1->i_xtime1, &node2->i_xtime2)
      |
      node1->i_xtime1 =
      - timespec_trunc(attr1->ia_xtime1,
      + timespec64_trunc(attr1->ia_xtime1,
      ...)
      |
      - attr1->ia_xtime1 = timespec_trunc(attr2->ia_xtime2,
      + attr1->ia_xtime1 =  timespec64_trunc(attr2->ia_xtime2,
      ...)
      |
      - ktime_get_real_ts(&attr1->ia_xtime1)
      + ktime_get_real_ts64(&attr1->ia_xtime1)
      |
      - ktime_get_real_ts(&attr.ia_xtime1)
      + ktime_get_real_ts64(&attr.ia_xtime1)
      )
      
      @ depends on patch @
      struct inode *node;
      struct iattr *attr;
      identifier fn;
      identifier i_xtime =~ "^i_[acm]time$";
      identifier ia_xtime =~ "^ia_[acm]time$";
      expression e;
      @@
      (
      - fn(node->i_xtime);
      + fn(timespec64_to_timespec(node->i_xtime));
      |
       fn(...,
      - node->i_xtime);
      + timespec64_to_timespec(node->i_xtime));
      |
      - e = fn(attr->ia_xtime);
      + e = fn(timespec64_to_timespec(attr->ia_xtime));
      )
      
      @ depends on patch forall @
      struct inode *node;
      struct iattr *attr;
      identifier i_xtime =~ "^i_[acm]time$";
      identifier ia_xtime =~ "^ia_[acm]time$";
      identifier fn;
      @@
      {
      + struct timespec ts;
      <+...
      (
      + ts = timespec64_to_timespec(node->i_xtime);
      fn (...,
      - &node->i_xtime,
      + &ts,
      ...);
      |
      + ts = timespec64_to_timespec(attr->ia_xtime);
      fn (...,
      - &attr->ia_xtime,
      + &ts,
      ...);
      )
      ...+>
      }
      
      @ depends on patch forall @
      struct inode *node;
      struct iattr *attr;
      struct kstat *stat;
      identifier ia_xtime =~ "^ia_[acm]time$";
      identifier i_xtime =~ "^i_[acm]time$";
      identifier xtime =~ "^[acm]time$";
      identifier fn, ret;
      @@
      {
      + struct timespec ts;
      <+...
      (
      + ts = timespec64_to_timespec(node->i_xtime);
      ret = fn (...,
      - &node->i_xtime,
      + &ts,
      ...);
      |
      + ts = timespec64_to_timespec(node->i_xtime);
      ret = fn (...,
      - &node->i_xtime);
      + &ts);
      |
      + ts = timespec64_to_timespec(attr->ia_xtime);
      ret = fn (...,
      - &attr->ia_xtime,
      + &ts,
      ...);
      |
      + ts = timespec64_to_timespec(attr->ia_xtime);
      ret = fn (...,
      - &attr->ia_xtime);
      + &ts);
      |
      + ts = timespec64_to_timespec(stat->xtime);
      ret = fn (...,
      - &stat->xtime);
      + &ts);
      )
      ...+>
      }
      
      @ depends on patch @
      struct inode *node;
      struct inode *node2;
      identifier i_xtime1 =~ "^i_[acm]time$";
      identifier i_xtime2 =~ "^i_[acm]time$";
      identifier i_xtime3 =~ "^i_[acm]time$";
      struct iattr *attrp;
      struct iattr *attrp2;
      struct iattr attr ;
      identifier ia_xtime1 =~ "^ia_[acm]time$";
      identifier ia_xtime2 =~ "^ia_[acm]time$";
      struct kstat *stat;
      struct kstat stat1;
      struct timespec64 ts;
      identifier xtime =~ "^[acmb]time$";
      expression e;
      @@
      (
      ( node->i_xtime2 \| attrp->ia_xtime2 \| attr.ia_xtime2 \) = node->i_xtime1  ;
      |
       node->i_xtime2 = \( node2->i_xtime1 \| timespec64_trunc(...) \);
      |
       node->i_xtime2 = node->i_xtime1 = node->i_xtime3 = \(ts \| current_time(...) \);
      |
       node->i_xtime1 = node->i_xtime3 = \(ts \| current_time(...) \);
      |
       stat->xtime = node2->i_xtime1;
      |
       stat1.xtime = node2->i_xtime1;
      |
      ( node->i_xtime2 \| attrp->ia_xtime2 \) = attrp->ia_xtime1  ;
      |
      ( attrp->ia_xtime1 \| attr.ia_xtime1 \) = attrp2->ia_xtime2;
      |
      - e = node->i_xtime1;
      + e = timespec64_to_timespec( node->i_xtime1 );
      |
      - e = attrp->ia_xtime1;
      + e = timespec64_to_timespec( attrp->ia_xtime1 );
      |
      node->i_xtime1 = current_time(...);
      |
       node->i_xtime2 = node->i_xtime1 = node->i_xtime3 =
      - e;
      + timespec_to_timespec64(e);
      |
       node->i_xtime1 = node->i_xtime3 =
      - e;
      + timespec_to_timespec64(e);
      |
      - node->i_xtime1 = e;
      + node->i_xtime1 = timespec_to_timespec64(e);
      )
      Signed-off-by: NDeepa Dinamani <deepa.kernel@gmail.com>
      Cc: <anton@tuxera.com>
      Cc: <balbi@kernel.org>
      Cc: <bfields@fieldses.org>
      Cc: <darrick.wong@oracle.com>
      Cc: <dhowells@redhat.com>
      Cc: <dsterba@suse.com>
      Cc: <dwmw2@infradead.org>
      Cc: <hch@lst.de>
      Cc: <hirofumi@mail.parknet.co.jp>
      Cc: <hubcap@omnibond.com>
      Cc: <jack@suse.com>
      Cc: <jaegeuk@kernel.org>
      Cc: <jaharkes@cs.cmu.edu>
      Cc: <jslaby@suse.com>
      Cc: <keescook@chromium.org>
      Cc: <mark@fasheh.com>
      Cc: <miklos@szeredi.hu>
      Cc: <nico@linaro.org>
      Cc: <reiserfs-devel@vger.kernel.org>
      Cc: <richard@nod.at>
      Cc: <sage@redhat.com>
      Cc: <sfrench@samba.org>
      Cc: <swhiteho@redhat.com>
      Cc: <tj@kernel.org>
      Cc: <trond.myklebust@primarydata.com>
      Cc: <tytso@mit.edu>
      Cc: <viro@zeniv.linux.org.uk>
      95582b00
  24. 01 6月, 2018 1 次提交
    • C
      f2fs: clean up symbol namespace · 4d57b86d
      Chao Yu 提交于
      As Ted reported:
      
      "Hi, I was looking at f2fs's sources recently, and I noticed that there
      is a very large number of non-static symbols which don't have a f2fs
      prefix.  There's well over a hundred (see attached below).
      
      As one example, in fs/f2fs/dir.c there is:
      
      unsigned char get_de_type(struct f2fs_dir_entry *de)
      
      This function is clearly only useful for f2fs, but it has a generic
      name.  This means that if any other file system tries to have the same
      symbol name, there will be a symbol conflict and the kernel would not
      successfully build.  It also means that when someone is looking f2fs
      sources, it's not at all obvious whether a function such as
      read_data_page(), invalidate_blocks(), is a generic kernel function
      found in the fs, mm, or block layers, or a f2fs specific function.
      
      You might want to fix this at some point.  Hopefully Kent's bcachefs
      isn't similarly using genericly named functions, since that might
      cause conflicts with f2fs's functions --- but just as this would be a
      problem that we would rightly insist that Kent fix, this is something
      that we should have rightly insisted that f2fs should have fixed
      before it was integrated into the mainline kernel.
      
      acquire_orphan_inode
      add_ino_entry
      add_orphan_inode
      allocate_data_block
      allocate_new_segments
      alloc_nid
      alloc_nid_done
      alloc_nid_failed
      available_free_memory
      ...."
      
      This patch adds "f2fs_" prefix for all non-static symbols in order to:
      a) avoid conflict with other kernel generic symbols;
      b) to indicate the function is f2fs specific one instead of generic
      one;
      Reported-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      4d57b86d