Bug 215765

Summary: kernel NULL pointer dereference at fs/f2fs/dir.c:f2fs_add_regular_entry() when mounting and operating on a corrupted image
Product: File System
Reporter: Wenqing Liu (wenqingliu0120)
Component: f2fs
Assignee: Default virtual assignee for f2fs (filesystem_f2fs)
Status: RESOLVED CODE_FIX
Severity: normal
CC: chao, wenqingliu0120
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.17
Subsystem:
Regression: No
Bisected commit-id:
Attachments: corrupted image and .config

Description Wenqing Liu 2022-03-28 14:41:28 UTC
Created attachment 300632: corrupted image and .config

- Overview
kernel NULL pointer dereference at fs/f2fs/dir.c:f2fs_add_regular_entry() when mounting and operating on a corrupted image

- Reproduce
tested on kernel 5.17

# mkdir mnt
# mount tmp40.img mnt
# ls mnt

- Kernel dump
[  131.000658] loop0: detected capacity change from 0 to 131072
[  131.147683] F2FS-fs (loop0): Mounted with checkpoint version = 7548c462
[  132.640535] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  132.640656] #PF: supervisor instruction fetch in kernel mode
[  132.640709] #PF: error_code(0x0010) - not-present page
[  132.640755] PGD 0 P4D 0 
[  132.640784] Oops: 0010 [#1] PREEMPT SMP NOPTI
[  132.640829] CPU: 3 PID: 1251 Comm: ls Not tainted 5.17.0 #1
[  132.640882] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  132.640955] RIP: 0010:0x0
[  132.641003] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[  132.641123] RSP: 0018:ffffc184c04fb9e0 EFLAGS: 00010246
[  132.641174] RAX: 0000000000000000 RBX: ffffed6584a0ef80 RCX: 000000000000003b
[  132.641236] RDX: 0017ffffc0000005 RSI: ffffa093e83be000 RDI: ffffed6584a0ef80
[  132.641296] RBP: ffffa093e83be950 R08: 0000000000000000 R09: 000000000000003b
[  132.641358] R10: 000000000000003d R11: 000000000000003b R12: ffffed6584a0ef80
[  132.641418] R13: ffffed6584a0ef80 R14: ffffa093c5492340 R15: ffffc184c04fbac0
[  132.641480] FS:  00007fd9bbdc7040(0000) GS:ffffa095b5d80000(0000) knlGS:0000000000000000
[  132.641550] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  132.641600] CR2: ffffffffffffffd6 CR3: 000000010213e003 CR4: 0000000000370ee0
[  132.641671] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  132.641745] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  132.641806] Call Trace:
[  132.641832]  <TASK>
[  132.641855]  folio_mark_dirty+0x33/0x50
[  132.641906]  f2fs_add_regular_entry+0x541/0xad0 [f2fs]
[  132.642440]  f2fs_add_dentry+0x6c/0xb0 [f2fs]
[  132.642583]  f2fs_do_add_link+0x182/0x230 [f2fs]
[  132.642717]  __recover_dot_dentries+0x2d6/0x470 [f2fs]
[  132.642865]  f2fs_lookup+0x5af/0x6a0 [f2fs]
[  132.643000]  __lookup_slow+0xac/0x200
[  132.643043]  lookup_slow+0x45/0x70
[  132.643080]  walk_component+0x16c/0x250
[  132.643121]  path_lookupat+0x8b/0x1f0
[  132.643160]  filename_lookup+0xef/0x250
[  132.643204]  ? __check_object_size+0xc2/0x190
[  132.643265]  ? user_path_at_empty+0x46/0x70
[  132.643307]  user_path_at_empty+0x46/0x70
[  132.643349]  vfs_statx+0x98/0x190
[  132.643388]  __do_sys_newlstat+0x41/0x90
[  132.643433]  ? fpregs_assert_state_consistent+0x1e/0x40
[  132.643484]  ? exit_to_user_mode_prepare+0x38/0x1a0
[  132.643536]  __x64_sys_newlstat+0x1a/0x30
[  132.643578]  do_syscall_64+0x37/0xb0
[  132.643615]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  132.643666] RIP: 0033:0x7fd9bb69f7c5
[  132.643703] Code: c9 b6 2d 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 91 b6 2d 00 f7 d8 64 89
[  132.647032] RSP: 002b:00007ffdd3099a08 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
[  132.648731] RAX: ffffffffffffffda RBX: 00005628315da0e8 RCX: 00007fd9bb69f7c5
[  132.651089] RDX: 00005628315da100 RSI: 00005628315da100 RDI: 00007ffdd3099a10
[  132.652883] RBP: 00007ffdd3099e00 R08: 0000000000000000 R09: 00005628315def9c
[  132.654519] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdd3099a10
[  132.656120] R13: 0000000000000000 R14: 0000000000000003 R15: 00005628315da100
[  132.657749]  </TASK>
[  132.659376] Modules linked in: f2fs crc32_generic iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi xfs input_leds joydev serio_raw qemu_fw_cfg autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear hid_generic usbhid hid qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul psmouse ghash_clmulni_intel aesni_intel crypto_simd cryptd
[  132.665794] CR2: 0000000000000000
[  132.666980] ---[ end trace 0000000000000000 ]---
[  132.668162] RIP: 0010:0x0
[  132.669083] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[  132.670020] RSP: 0018:ffffc184c04fb9e0 EFLAGS: 00010246
[  132.670932] RAX: 0000000000000000 RBX: ffffed6584a0ef80 RCX: 000000000000003b
[  132.671866] RDX: 0017ffffc0000005 RSI: ffffa093e83be000 RDI: ffffed6584a0ef80
[  132.672797] RBP: ffffa093e83be950 R08: 0000000000000000 R09: 000000000000003b
[  132.673641] R10: 000000000000003d R11: 000000000000003b R12: ffffed6584a0ef80
[  132.674374] R13: ffffed6584a0ef80 R14: ffffa093c5492340 R15: ffffc184c04fbac0
[  132.675131] FS:  00007fd9bbdc7040(0000) GS:ffffa095b5d80000(0000) knlGS:0000000000000000
[  132.675895] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  132.676702] CR2: ffffffffffffffd6 CR3: 000000010213e003 CR4: 0000000000370ee0
[  132.677500] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  132.678279] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
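The dump above names the crash site only indirectly: RIP is 0x0 and the #PF line reports a supervisor instruction fetch, so the kernel made a call through a NULL function pointer from folio_mark_dirty(), and the first trusted frame inside the module is f2fs_add_regular_entry() (the "?" frames are stack slots the unwinder does not vouch for). The following Python triage helper is an added example, not part of this report or of f2fs: it parses this dmesg layout, separates trusted from "?" frames, and classifies the fault with rules that are the author's own heuristics. The sample input is copied from the dump above and trimmed to the lines the parser reads.

```python
"""Kernel oops triage helper: an added example, not part of this bug report or of f2fs.
Assumes the stock x86-64 dmesg layout seen above ('BUG:', '#PF:', 'RIP:', 'Call Trace:')."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the dump in the report, trimmed to what the parser needs.
SAMPLE_OOPS = """\
[  132.640535] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  132.640656] #PF: supervisor instruction fetch in kernel mode
[  132.640709] #PF: error_code(0x0010) - not-present page
[  132.640882] CPU: 3 PID: 1251 Comm: ls Not tainted 5.17.0 #1
[  132.640955] RIP: 0010:0x0
[  132.641806] Call Trace:
[  132.641832]  <TASK>
[  132.641855]  folio_mark_dirty+0x33/0x50
[  132.641906]  f2fs_add_regular_entry+0x541/0xad0 [f2fs]
[  132.642440]  f2fs_add_dentry+0x6c/0xb0 [f2fs]
[  132.642583]  f2fs_do_add_link+0x182/0x230 [f2fs]
[  132.642717]  __recover_dot_dentries+0x2d6/0x470 [f2fs]
[  132.642865]  f2fs_lookup+0x5af/0x6a0 [f2fs]
[  132.643000]  __lookup_slow+0xac/0x200
[  132.643204]  ? __check_object_size+0xc2/0x190
[  132.643307]  user_path_at_empty+0x46/0x70
[  132.657749]  </TASK>
[  132.659376] Modules linked in: f2fs crc32_generic iscsi_tcp
"""

_TS = re.compile(r"^\[\s*[\d.]+\]\s*")                       # "[  132.640535] " prefix
_FRAME = re.compile(r"^(?P<q>\?\s+)?(?P<sym>[A-Za-z_$.][\w.$]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
                    r"(?:\s+\[(?P<mod>[\w-]+)\])?$")

@dataclass
class Frame:
    symbol: str
    module: Optional[str]      # None for core-kernel text
    unreliable: bool           # "? " prefix: stale stack slot, not a trusted return address

@dataclass
class Oops:
    bug: str = ""
    fault_addr: int = 0        # address from the BUG: line
    access: str = ""           # instruction fetch / read access / write access
    pid: int = 0
    comm: str = ""
    taint: str = ""
    rip: str = ""              # symbol+offset, or a bare "0x..." when RIP is outside any text
    frames: List[Frame] = field(default_factory=list)
    modules: List[str] = field(default_factory=list)

def parse_oops(text: str) -> Oops:
    o, in_trace = Oops(), False
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if not line:
            continue
        if in_trace:
            m = _FRAME.match(line)
            if m:
                o.frames.append(Frame(m["sym"], m["mod"], m["q"] is not None))
                continue
            if line.startswith("<"):       # "<TASK>" / "</TASK>" markers
                continue
            in_trace = False               # registers or "Modules linked in:" ends the trace
        if m := re.match(r"BUG: (.*?), address: ([0-9a-f]+)$", line):
            o.bug, o.fault_addr = m[1], int(m[2], 16)
        elif m := re.match(r"#PF: \S+ (instruction fetch|read access|write access) in", line):
            o.access = m[1]
        elif m := re.match(r"CPU: \d+ PID: (\d+) Comm: (\S+) (Not tainted|Tainted: \S+)", line):
            o.pid, o.comm, o.taint = int(m[1]), m[2], m[3]
        elif m := re.match(r"RIP: [0-9a-f]{4}:(\S+)", line):
            o.rip = m[1]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("Modules linked in:"):
            o.modules = line.split(":", 1)[1].split()
    return o

def reliable_frames(o: Oops, module: Optional[str] = None) -> List[Frame]:
    """Frames the unwinder trusts (no '?'), optionally only those inside one module."""
    return [f for f in o.frames if not f.unreliable and (module is None or f.module == module)]

def classify(o: Oops) -> str:
    """Heuristic read of the fault: the author's rules, not anything the kernel prints."""
    if o.access == "instruction fetch":
        if o.rip == "0x0":
            return "call through NULL function pointer"
        return "execution at an address with no kernel text"
    if o.fault_addr < 4096:
        return "NULL (or near-NULL) data dereference"
    return "invalid data access"

def summarize(o: Oops) -> str:
    frames = reliable_frames(o)
    caller = frames[0].symbol if frames else "?"
    mods = [f for f in frames if f.module]
    entry = f"{mods[0].symbol} [{mods[0].module}]" if mods else "core kernel"
    return f"{o.comm} (pid {o.pid}, {o.taint}): {classify(o)}; made from {caller}; first module frame {entry}"
```

Running summarize(parse_oops(SAMPLE_OOPS)) on the trimmed dump yields "ls (pid 1251, Not tainted): call through NULL function pointer; made from folio_mark_dirty; first module frame f2fs_add_regular_entry [f2fs]", which is the same conclusion the summary line of this bug draws by hand. The 4096-byte threshold in classify() is the conventional size of the unmapped zero page and is an assumption of this helper, not something the kernel reports.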
Comment 1 Chao Yu 2022-03-29 03:40:56 UTC
Hi Wenqing,

Thanks for the report! Could you please test w/ below patch?

https://lore.kernel.org/linux-f2fs-devel/20220328160253.3102-1-chao@kernel.org/T/#u
Comment 2 Wenqing Liu 2022-03-29 17:27:41 UTC
(In reply to Chao Yu from comment #1)
> Hi Wenqing,
> 
> Thanks for the report! Could you please test w/ below patch?
> 
> https://lore.kernel.org/linux-f2fs-devel/20220328160253.3102-1-chao@kernel.org/T/#u

Thanks Chao. I tested it on 5.17.1; the NULL pointer dereference didn't appear with the patched kernel.