Bug 203233

Summary: kernel BUG at fs/f2fs/segment.c:2102!
Product: File System Reporter: Jungyeon (jungyeon)
Component: f2fsAssignee: Default virtual assignee for f2fs (filesystem_f2fs)
Status: RESOLVED CODE_FIX    
Severity: normal CC: chao
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 5.0.0 Subsystem:
Regression: No Bisected commit-id:
Attachments: The (compressed) crafted image which causes crash
poc_13.c
run.sh

Description Jungyeon 2019-04-09 23:07:58 UTC
Created attachment 282237 [details]
The (compressed) crafted image which causes crash

- Overview
When mounting the attached crafted image and running program, following errors are reported.
Additionally, it hangs on sync after running program.

The image is intentionally fuzzed from a normal f2fs image for testing.
Compile options for F2FS are as follows.
CONFIG_F2FS_FS=y
CONFIG_F2FS_STAT_FS=y
CONFIG_F2FS_FS_XATTR=y
CONFIG_F2FS_FS_POSIX_ACL=y
# CONFIG_F2FS_FS_SECURITY is not set
CONFIG_F2FS_CHECK_FS=y
# CONFIG_F2FS_FS_ENCRYPTION is not set
# CONFIG_F2FS_FAULT_INJECTION is not set

- Reproduces
cc poc_13.c
mkdir test
mount -t f2fs tmp.img test
cp a.out test
cd test
sudo ./a.out
sync

- Kernel messages
[   35.628135] F2FS-fs (sdb): Mounted with checkpoint version = 7548c2d6
[   35.643236] F2FS-fs (sdb): Bitmap was wrongly set, blk:4608
[   35.644093] ------------[ cut here ]------------
[   35.644095] kernel BUG at fs/f2fs/segment.c:2102!
[   35.644737] invalid opcode: 0000 [#1] SMP PTI
[   35.645342] CPU: 0 PID: 1952 Comm: a.out Not tainted 5.0.0 #5
[   35.646128] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   35.647438] RIP: 0010:update_sit_entry+0x394/0x410
[   35.648101] Code: 10 81 c1 93 48 c7 c6 7b 8a be 93 e8 16 01 fe ff 0f 0b 48 8b 3b 89 e9 48 c7 c2 50 81 c1 93 48 c7 c6 7b 8a be 93 e8 fc 00 fe ff <0f> 0b 48 8b 3b 41 83 e0 01 89 e9 48 c7 c2 70 81 c1 93 48 c7 c6 7b
[   35.650553] RSP: 0018:ffffb18e00d339d8 EFLAGS: 00010286
[   35.651241] RAX: 0000000000000000 RBX: ffff9202765e8800 RCX: 0000000000000000
[   35.652213] RDX: 0000000000000000 RSI: ffff920277a15418 RDI: ffff920277a15418
[   35.653152] RBP: 0000000000001200 R08: 000000000009d0a4 R09: 0000000000000005
[   35.654094] R10: 0000000000000002 R11: ffffb18e00d3381d R12: 0000000000000001
[   35.655028] R13: ffff9202765e9830 R14: 0000000000000001 R15: 0000000000000000
[   35.655967] FS:  00007f65e82f2700(0000) GS:ffff920277a00000(0000) knlGS:0000000000000000
[   35.657039] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   35.657837] CR2: 00007f65e7e0d4c0 CR3: 0000000235150005 CR4: 00000000001606f0
[   35.658794] Call Trace:
[   35.659136]  f2fs_allocate_data_block+0x16f/0x660
[   35.659759]  do_write_page+0x62/0x170
[   35.660269]  f2fs_do_write_node_page+0x33/0xa0
[   35.660864]  __write_node_page+0x270/0x4e0
[   35.661417]  f2fs_sync_node_pages+0x5df/0x670
[   35.661998]  ? writeback_single_inode+0xd1/0x100
[   35.662613]  ? iput+0x66/0x1e0
[   35.663024]  f2fs_write_checkpoint+0x372/0x1400
[   35.663626]  ? xa_load+0x54/0xa0
[   35.664076]  ? blk_finish_plug+0x22/0x30
[   35.664601]  ? f2fs_fill_dentries+0x19d/0x1d0
[   35.665182]  ? f2fs_sync_fs+0xa3/0x130
[   35.665693]  f2fs_sync_fs+0xa3/0x130
[   35.666178]  ? touch_atime+0xc1/0xd0
[   35.666655]  f2fs_do_sync_file+0x1a6/0x810
[   35.667200]  do_fsync+0x33/0x60
[   35.667636]  __x64_sys_fsync+0xb/0x10
[   35.668143]  do_syscall_64+0x43/0xf0
[   35.668624]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   35.669294] RIP: 0033:0x7f65e7e0d4d9
[   35.669783] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[   35.672241] RSP: 002b:00007fffed3c90b8 EFLAGS: 00000203 ORIG_RAX: 000000000000004a
[   35.673243] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f65e7e0d4d9
[   35.674205] RDX: 00007f65e7e0d4d9 RSI: 0000000000000928 RDI: 0000000000000003
[   35.675142] RBP: 00007fffed3cd200 R08: 00007fffed3cd2e8 R09: 00007fffed3cd2e8
[   35.676080] R10: 00007fffed3cd2e8 R11: 0000000000000203 R12: 00000000004004e0
[   35.677064] R13: 00007fffed3cd2e0 R14: 0000000000000000 R15: 0000000000000000
[   35.678018] Modules linked in:
[   35.678439] ---[ end trace ea48b3729c06467c ]---
[   35.679060] RIP: 0010:update_sit_entry+0x394/0x410
[   35.679693] Code: 10 81 c1 93 48 c7 c6 7b 8a be 93 e8 16 01 fe ff 0f 0b 48 8b 3b 89 e9 48 c7 c2 50 81 c1 93 48 c7 c6 7b 8a be 93 e8 fc 00 fe ff <0f> 0b 48 8b 3b 41 83 e0 01 89 e9 48 c7 c2 70 81 c1 93 48 c7 c6 7b
[   35.682210] RSP: 0018:ffffb18e00d339d8 EFLAGS: 00010286
[   35.682930] RAX: 0000000000000000 RBX: ffff9202765e8800 RCX: 0000000000000000
[   35.683873] RDX: 0000000000000000 RSI: ffff920277a15418 RDI: ffff920277a15418
[   35.684838] RBP: 0000000000001200 R08: 000000000009d0a4 R09: 0000000000000005
[   35.685794] R10: 0000000000000002 R11: ffffb18e00d3381d R12: 0000000000000001
[   35.686751] R13: ffff9202765e9830 R14: 0000000000000001 R15: 0000000000000000
[   35.687688] FS:  00007f65e82f2700(0000) GS:ffff920277a00000(0000) knlGS:0000000000000000
[   35.688751] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   35.689550] CR2: 00007f65e7e0d4c0 CR3: 0000000235150005 CR4: 00000000001606f0
[   35.690539] WARNING: CPU: 0 PID: 1952 at kernel/exit.c:781 do_exit+0x4a/0xbf0
[   35.691504] Modules linked in:
[   35.691916] CPU: 0 PID: 1952 Comm: a.out Tainted: G      D           5.0.0 #5
[   35.692855] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   35.694124] RIP: 0010:do_exit+0x4a/0xbf0
[   35.694647] Code: 04 25 28 00 00 00 48 89 44 24 30 31 c0 e8 7e 6c 06 00 48 8b 83 40 07 00 00 48 85 c0 74 0e 48 8b 10 48 39 d0 0f 84 6b 07 00 00 <0f> 0b 65 44 8b 25 ec 21 5b 6d 41 81 e4 00 ff 1f 00 44 89 64 24 0c
[   35.697087] RSP: 0018:ffffb18e00d33ee8 EFLAGS: 00010216
[   35.697788] RAX: ffffb18e00d33d70 RBX: ffff92026bbca880 RCX: 00000000ffffffff
[   35.698723] RDX: ffff920275fcc048 RSI: 0000000000000000 RDI: ffffffff93e4e6c0
[   35.699670] RBP: 000000000000000b R08: 0000000000000000 R09: 0000000000000005
[   35.700616] R10: 000000000000002b R11: ffffb18e00d33705 R12: 0000000000000246
[   35.701574] R13: 0000000000000004 R14: 0000000000000002 R15: ffffffff92d37994
[   35.702511] FS:  00007f65e82f2700(0000) GS:ffff920277a00000(0000) knlGS:0000000000000000
[   35.703591] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   35.704352] CR2: 00007f65e7e0d4c0 CR3: 0000000235150005 CR4: 00000000001606f0
[   35.705364] Call Trace:
[   35.705728]  ? do_fsync+0x33/0x60
[   35.706170]  ? update_sit_entry+0x394/0x410
[   35.706724]  rewind_stack_do_exit+0x17/0x20
[   35.707278] ---[ end trace ea48b3729c06467d ]---

- Error location
2062 static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
2063 {
2064     struct seg_entry *se;
2065     unsigned int segno, offset;
2066     long int new_vblocks;
2067     bool exist;
2068 #ifdef CONFIG_F2FS_CHECK_FS
2069     bool mir_exist;
2070 #endif
2071 
...
2086     /* Update valid block bitmap */
2087     if (del > 0) {
2088         exist = f2fs_test_and_set_bit(offset, se->cur_valid_map);
2089 #ifdef CONFIG_F2FS_CHECK_FS
2090         mir_exist = f2fs_test_and_set_bit(offset,
2091                         se->cur_valid_map_mir);
2092         if (unlikely(exist != mir_exist)) {
2093             f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent error "
2094                 "when setting bitmap, blk:%u, old bit:%d",
2095                 blkaddr, exist);
2096             f2fs_bug_on(sbi, 1);
2097         }
2098 #endif
2099         if (unlikely(exist)) {
2100             f2fs_msg(sbi->sb, KERN_ERR,
2101                 "Bitmap was wrongly set, blk:%u", blkaddr);
*2102             f2fs_bug_on(sbi, 1);
2103             se->valid_blocks--;
2104             del = 0;
2105         }
2106
Comment 1 Jungyeon 2019-04-09 23:08:14 UTC
Created attachment 282239 [details]
poc_13.c
Comment 2 Chao Yu 2019-04-15 14:53:45 UTC
Fixed with

f2fs: fix to do sanity check on valid block count of segment
Comment 3 Jungyeon 2019-05-15 16:00:21 UTC
- Reproduces
gcc poc_13.c
./run.sh f2fs

- Kernel messages
[   52.504977] F2FS-fs (sdb): Bitmap was wrongly set, blk:4608                  
[   52.506452] kernel BUG at fs/f2fs/segment.c:2133!                                       
[   52.507469] invalid opcode: 0000 [#1] SMP PTI                
[   52.508375] CPU: 0 PID: 934 Comm: a.out Not tainted 5.1.0 #1                 
[   52.509505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   52.511437] RIP: 0010:update_sit_entry+0x35d/0x3e0
[   52.512414] Code: c0 a9 48 c7 c6 03 1e bd a9 e8 0f 1c fe ff 0f 0b 8b 0c 24 48 8b 7d 00 48 c7 c2 e0 27 c0 a9 48 c7 c6 03 1e bd a9 e8 f3 1b fe ff <0f> 0b 8b 0c 24 48 8b 7d 00 41 83 e0
01 48 c7 c2 00 28 c0 a9 48 c7                 
[   52.516335] RSP: 0018:ffffbad9c0fd79f0 EFLAGS: 00010286
[   52.517395] RAX: 0000000000000000 RBX: ffff98d7f2542e40 RCX: 0000000000000000
[   52.518867] RDX: 0000000000000000 RSI: ffff98d7f7a163d8 RDI: ffff98d7f7a163d8
[   52.520323] RBP: ffff98d7eba14800 R08: 000000000007b491 R09: 00000000000001b6
[   52.521900] R10: 0000000000000007 R11: ffffbad9c0fd7835 R12: ffff98d7eba15030
[   52.523466] R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
[   52.524917] FS:  00007f87eb8c5700(0000) GS:ffff98d7f7a00000(0000) knlGS:0000000000000000
[   52.526600] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   52.527796] CR2: 00007ffc596d1000 CR3: 0000000233450005 CR4: 00000000001606f0
[   52.529260] Call Trace:
[   52.529813]  ? bvec_alloc+0x81/0xe0
[   52.530558]  f2fs_allocate_data_block+0x16c/0x5a0
[   52.531539]  do_write_page+0x57/0x100
[   52.532310]  f2fs_do_write_node_page+0x33/0xa0
[   52.533401]  __write_node_page+0x270/0x4e0
[   52.534231]  f2fs_sync_node_pages+0x5df/0x670
[   52.535081]  ? writeback_single_inode+0xd1/0x100
[   52.536013]  ? iput+0x66/0x1e0
[   52.536639]  f2fs_write_checkpoint+0x364/0x13a0
[   52.537582]  ? blk_finish_plug+0x22/0x30
[   52.538416]  ? f2fs_fill_dentries+0x1dc/0x230
[   52.539314]  ? f2fs_sync_fs+0xa3/0x130
[   52.540091]  f2fs_sync_fs+0xa3/0x130
[   52.540849]  ? touch_atime+0xc1/0xd0
[   52.541607]  f2fs_do_sync_file+0x1a6/0x810
[   52.542482]  do_fsync+0x33/0x60
[   52.543133]  __x64_sys_fsync+0xb/0x10
[   52.543872]  do_syscall_64+0x43/0x110
[   52.544629]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   52.545872] RIP: 0033:0x7f87eb3e04d9
[   52.546645] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d
8f 29 2c 00 f7 d8 64 89 01 48
[   52.550584] RSP: 002b:00007ffc596cebd8 EFLAGS: 00000203 ORIG_RAX: 000000000000004a
[   52.552157] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f87eb3e04d9
[   52.553758] RDX: 00007f87eb3e04d9 RSI: 0000000000000928 RDI: 0000000000000003
[   52.555250] RBP: 00007ffc596d2d20 R08: 00007ffc596d2e08 R09: 00007ffc596d2e08
[   52.556728] R10: 00007ffc596d2e08 R11: 0000000000000203 R12: 00000000004004e0
[   52.558211] R13: 00007ffc596d2e00 R14: 0000000000000000 R15: 0000000000000000
[   52.559752] Modules linked in:
[   52.560433] ---[ end trace dd205425e9f03f2e ]---
[   52.561419] RIP: 0010:update_sit_entry+0x35d/0x3e0
[   52.562457] Code: c0 a9 48 c7 c6 03 1e bd a9 e8 0f 1c fe ff 0f 0b 8b 0c 24 48 8b 7d 00 48 c7 c2 e0 27 c0 a9 48 c7 c6 03 1e bd a9 e8 f3 1b fe ff <0f> 0b 8b 0c 24 48 8b 7d 00 41 83 e0
01 48 c7 c2 00 28 c0 a9 48 c7
[   52.566484] RSP: 0018:ffffbad9c0fd79f0 EFLAGS: 00010286
[   52.567626] RAX: 0000000000000000 RBX: ffff98d7f2542e40 RCX: 0000000000000000
[   52.569126] RDX: 0000000000000000 RSI: ffff98d7f7a163d8 RDI: ffff98d7f7a163d8
[   52.570620] RBP: ffff98d7eba14800 R08: 000000000007b491 R09: 00000000000001b6
[   52.572242] R10: 0000000000000007 R11: ffffbad9c0fd7835 R12: ffff98d7eba15030
[   52.573750] R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
[   52.575236] FS:  00007f87eb8c5700(0000) GS:ffff98d7f7a00000(0000) knlGS:0000000000000000
[   52.576915] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   52.578241] CR2: 00007ffc596d1000 CR3: 0000000233450005 CR4: 00000000001606f0
[   52.579763] WARNING: CPU: 0 PID: 934 at kernel/exit.c:782 do_exit+0x4a/0xbf0
[   52.581300] Modules linked in:
[   52.581980] CPU: 0 PID: 934 Comm: a.out Tainted: G      D           5.1.0 #1
[   52.583461] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   52.585442] RIP: 0010:do_exit+0x4a/0xbf0
[   52.586375] Code: 04 25 28 00 00 00 48 89 44 24 30 31 c0 e8 ce 81 06 00 48 8b 83 40 07 00 00 48 85 c0 74 0e 48 8b 10 48 39 d0 0f 84 6b 07 00 00 <0f> 0b 65 44 8b 25 f4 01 5b 57 41 81
e4 00 ff 1f 00 44 89 64 24 0c
[   52.590248] RSP: 0018:ffffbad9c0fd7ee8 EFLAGS: 00010212
[   52.591439] RAX: ffffbad9c0fd7d80 RBX: ffff98d7f661ec00 RCX: 00000000ffffffff
[   52.592877] RDX: ffff98d7ebfa4048 RSI: 0000000000000000 RDI: ffffffffa9e4aec0
[   52.594367] RBP: 000000000000000b R08: 0000000000000000 R09: 00000000000001ef
[   52.595829] R10: 000000000000002b R11: ffffbad9c0fd7725 R12: 0000000000000246
[   52.597319] R13: 0000000000000004 R14: 0000000000000002 R15: ffffffffa8d4a7cd
[   52.598979] FS:  00007f87eb8c5700(0000) GS:ffff98d7f7a00000(0000) knlGS:0000000000000000
[   52.600670] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   52.601871] CR2: 00007ffc596d1000 CR3: 0000000233450005 CR4: 00000000001606f0
[   52.603353] Call Trace:
[   52.603887]  ? do_fsync+0x33/0x60
[   52.604630]  ? update_sit_entry+0x35d/0x3e0
[   52.605611]  rewind_stack_do_exit+0x17/0x20
[   52.606610] ---[ end trace dd205425e9f03f2f ]---
[   52.609523] a.out (934) used greatest stack depth: 13072 bytes left
./run.sh: line 10:   933 Segmentation fault      (core dumped) sudo ./a.out

- Error location
the same location
Comment 4 Jungyeon 2019-05-15 16:00:42 UTC
Created attachment 282767 [details]
run.sh