Bug 215894

Summary: kernel BUG at fs/f2fs/segment.c:2291!
Product: File System
Reporter: bughunter (yanming)
Component: f2fs
Assignee: Default virtual assignee for f2fs (filesystem_f2fs)
Status: RESOLVED CODE_FIX
Severity: normal
CC: chao
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.17
Subsystem:
Regression: No
Bisected commit-id:
Attachments: case.c

Description bughunter 2022-04-27 05:11:33 UTC
Created attachment 300817
case.c

I have encountered a bug in the F2FS file system in kernel v5.17.

I have uploaded the system call sequence as case.c, and a fuzzed image can be found on Google Drive (https://drive.google.com/file/d/10KcRiyQCdCiTWfKmkv2wxgSSk1581sqE/view?usp=sharing).

The kernel should be built with CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can reproduce the bug by running the following commands:

gcc -o case case.c
losetup /dev/loop0 case.img
mount -o "background_gc=sync,disable_roll_forward,nouser_xattr,disable_ext_identify,nobarrier,fastboot,mode=adaptive,grpquota,noquota,alloc_mode=reuse,test_dummy_encryption" -t f2fs /dev/loop0 /root/mnt
./case

The kernel message is shown below:

6,799,86360296,-;loop0: detected capacity change from 0 to 262144
4,800,86395847,-;F2FS-fs (loop0): Test dummy encryption mount option ignored
5,801,86398197,-;F2FS-fs (loop0): Disable nat_bits due to incorrect cp_ver (7347879550090329573, 6600135115475369443)
5,802,86424567,-;F2FS-fs (loop0): Mounted with checkpoint version = 237dbde5
4,803,86455701,-;------------[ cut here ]------------
2,804,86455706,-;kernel BUG at fs/f2fs/segment.c:2291!
4,805,86455720,-;invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
4,806,86455727,-;CPU: 6 PID: 1079 Comm: case Not tainted 5.17.0 #2
4,807,86455733,-;Hardware name: Dell Inc. OptiPlex 9020/03CPWF, BIOS A14 09/14/2015
4,808,86455738,-;RIP: 0010:update_sit_entry+0xa30/0x1050
4,809,86455746,-;Code: c9 0f 95 c1 40 84 ce 0f 85 79 05 00 00 83 e0 07 38 c2 0f 9e c1 84 d2 0f 95 c0 84 c1 0f 85 64 05 00 00 8b 43 48 e9 66 f6 ff ff <0f> 0b 44 89 4c 24 10 4c 89 44 24 08 e8 bf 2c 4b ff 44 8b 4c 24 10
4,810,86455755,-;RSP: 0018:ffff88810991fba8 EFLAGS: 00010246
4,811,86455761,-;RAX: 0000000000000200 RBX: ffff8881246cbe80 RCX: 0000000000000009
4,812,86455766,-;RDX: 00000000000001ff RSI: 00000000fff00000 RDI: ffff888115b0c454
4,813,86455770,-;RBP: ffff888115b0c000 R08: ffffffffffffffff R09: 00000000fff00000
4,814,86455775,-;R10: ffff888131d74267 R11: ffffed10263ae84c R12: 0000000000000000
4,815,86455779,-;R13: 00000000ffffffff R14: 00000000007ff7f8 R15: 00000000ffffffff
4,816,86455783,-;FS:  00007f4253e76540(0000) GS:ffff8881d5780000(0000) knlGS:0000000000000000
4,817,86455789,-;CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
4,818,86455793,-;CR2: 00007f4253d9b750 CR3: 00000001115e0002 CR4: 00000000001706e0
4,819,86455798,-;Call Trace:
4,820,86455801,-; <TASK>
4,821,86455804,-; ? update_segment_mtime+0x129/0x500
4,822,86455809,-; ? down_write_killable+0x120/0x120
4,823,86455815,-; f2fs_invalidate_blocks+0x193/0x2d0
4,824,86455821,-; f2fs_fallocate+0x2593/0x4a70
4,825,86455826,-; ? may_open_dev+0xd0/0xd0
4,826,86455833,-; ? __f2fs_ioc_move_range+0xd70/0xd70
4,827,86455837,-; ? __inode_security_revalidate+0x98/0xc0
4,828,86455843,-; ? selinux_file_permission+0x32d/0x410
4,829,86455849,-; ? security_file_permission+0x4e/0x580
4,830,86455854,-; vfs_fallocate+0x2a5/0xac0
4,831,86455860,-; ksys_fallocate+0x35/0x70
4,832,86455864,-; __x64_sys_fallocate+0x8e/0xf0
4,833,86455869,-; ? syscall_exit_to_user_mode+0x1d/0x40
4,834,86455875,-; do_syscall_64+0x3b/0x90
4,835,86455880,-; entry_SYSCALL_64_after_hwframe+0x44/0xae
4,836,86455886,-;RIP: 0033:0x7f4253d9b76d
4,837,86455890,-;Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 36 0d 00 f7 d8 64 89 01 48
4,838,86455898,-;RSP: 002b:00007fffa875d298 EFLAGS: 00000207 ORIG_RAX: 000000000000011d
4,839,86455904,-;RAX: ffffffffffffffda RBX: 00005652598f1630 RCX: 00007f4253d9b76d
4,840,86455909,-;RDX: 0000000000134419 RSI: 0000000000000011 RDI: 0000000000000003
4,841,86455913,-;RBP: 00007fffa8b5d440 R08: 00007fffa8b5d538 R09: 00007fffa8b5d538
4,842,86455918,-;R10: 0000000000147c62 R11: 0000000000000207 R12: 00005652598f10a0
4,843,86455922,-;R13: 00007fffa8b5d530 R14: 0000000000000000 R15: 0000000000000000
4,844,86455927,-; </TASK>
4,845,86455930,-;Modules linked in: x86_pkg_temp_thermal efivarfs
4,846,86455939,-;---[ end trace 0000000000000000 ]---
4,847,86455942,-;RIP: 0010:update_sit_entry+0xa30/0x1050
4,848,86455947,-;Code: c9 0f 95 c1 40 84 ce 0f 85 79 05 00 00 83 e0 07 38 c2 0f 9e c1 84 d2 0f 95 c0 84 c1 0f 85 64 05 00 00 8b 43 48 e9 66 f6 ff ff <0f> 0b 44 89 4c 24 10 4c 89 44 24 08 e8 bf 2c 4b ff 44 8b 4c 24 10
4,849,86455955,-;RSP: 0018:ffff88810991fba8 EFLAGS: 00010246
4,850,86455959,-;RAX: 0000000000000200 RBX: ffff8881246cbe80 RCX: 0000000000000009
4,851,86455964,-;RDX: 00000000000001ff RSI: 00000000fff00000 RDI: ffff888115b0c454
4,852,86455968,-;RBP: ffff888115b0c000 R08: ffffffffffffffff R09: 00000000fff00000
4,853,86455972,-;R10: ffff888131d74267 R11: ffffed10263ae84c R12: 0000000000000000
4,854,86455977,-;R13: 00000000ffffffff R14: 00000000007ff7f8 R15: 00000000ffffffff
4,855,86455981,-;FS:  00007f4253e76540(0000) GS:ffff8881d5780000(0000) knlGS:0000000000000000
4,856,86455986,-;CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
4,857,86455990,-;CR2: 00007f4253d9b750 CR3: 00000001115e0002 CR4: 00000000001706e0
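The kernel message above is in /dev/kmsg record format (`<prio>,<seq>,<timestamp_usec>,<flags>;<message>`, with prio = facility * 8 + level), which is awkward to read by eye when many fuzzer-found crashes have to be deduplicated. The following is an added example, not code from this report or from the f2fs tree: it parses such records, pulls out the BUG location, the faulting symbol, the task and taint state, the reliable call-trace frames (those without the "? " marker the unwinder puts on stale stack slots) and the entry syscall, and builds a short fingerprint for grouping reports. The sample input is a subset of the log lines from this report; the field names and the `CrashSummary` type are assumptions of the example.

```python
"""Structured triage of a /dev/kmsg-format kernel crash log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# /dev/kmsg record: "<prio>,<seq>,<timestamp_usec>,<flags>;<message>"
KMSG_RE = re.compile(r"^(?P<prio>\d+),(?P<seq>\d+),(?P<ts>\d+),(?P<flags>[^;]*);(?P<msg>.*)$")
BUG_RE = re.compile(r"kernel BUG at (?P<loc>\S+?)!")
RIP_RE = re.compile(r"^RIP: [0-9a-f]{4}:(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
CPU_RE = re.compile(r"^CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                    r"(?P<taint>Not tainted|Tainted: .+?) (?P<kver>\d\S*)")
# Syscall wrapper names: __x64_sys_foo, __ia32_sys_foo, __arm64_sys_foo, __se_sys_foo, __do_sys_foo
SYSCALL_RE = re.compile(r"^__(?:x64|ia32|arm64|se|do)_sys_(?P<name>\w+)$")


@dataclass
class KmsgRecord:
    level: int      # syslog severity: 0 (emerg) .. 7 (debug); prio & 7
    facility: int   # prio >> 3; 0 for messages printed by the kernel itself
    seq: int        # monotonically increasing record sequence number
    ts_usec: int    # microseconds since boot
    flags: str
    msg: str


def parse_kmsg_line(line: str) -> Optional[KmsgRecord]:
    """Return the parsed record, or None for lines that are not in kmsg format."""
    m = KMSG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    prio = int(m["prio"])
    return KmsgRecord(prio & 7, prio >> 3, int(m["seq"]), int(m["ts"]), m["flags"], m["msg"])


@dataclass
class CrashSummary:                     # assumed type, specific to this example
    bug_location: Optional[str] = None  # file:line from "kernel BUG at ...!"
    first_seq: Optional[int] = None     # seq of the BUG record, to slice the log later
    rip_symbol: Optional[str] = None    # kernel symbol at the faulting RIP
    pid: Optional[int] = None
    comm: Optional[str] = None
    kernel: Optional[str] = None
    tainted: Optional[bool] = None
    frames: List[str] = field(default_factory=list)      # reliable frames, innermost first
    unreliable: List[str] = field(default_factory=list)  # "? " frames (stale stack slots)
    syscall: Optional[str] = None       # syscall the task entered the kernel through


def summarize_crash(lines) -> CrashSummary:
    """Walk kmsg records in order and fill a CrashSummary for the first BUG/oops seen."""
    s = CrashSummary()
    in_trace = False
    for line in lines:
        rec = parse_kmsg_line(line)
        if rec is None:
            continue                    # skip non-kmsg text (plain dmesg, shell noise)
        msg = rec.msg.strip()
        if s.bug_location is None and (m := BUG_RE.search(msg)):
            s.bug_location, s.first_seq = m["loc"], rec.seq
        elif s.comm is None and (m := CPU_RE.match(msg)):
            s.pid, s.comm, s.kernel = int(m["pid"]), m["comm"], m["kver"]
            s.tainted = m["taint"] != "Not tainted"
        elif s.rip_symbol is None and (m := RIP_RE.match(msg)):
            s.rip_symbol = m["sym"]     # only the kernel RIP; the user RIP (0033:0x...) has no symbol
        elif msg == "Call Trace:":
            in_trace = True
        elif in_trace:
            if msg == "</TASK>" or msg.startswith("---[ end trace"):
                in_trace = False
            elif m := FRAME_RE.match(msg):  # <TASK>, register dumps etc. do not match
                if m["unreliable"]:
                    s.unreliable.append(m["sym"])
                else:
                    s.frames.append(m["sym"])
                    if sm := SYSCALL_RE.match(m["sym"]):
                        s.syscall = sm["name"]
    return s


def fingerprint(s: CrashSummary) -> str:
    """Stable key for grouping duplicate fuzzer crashes."""
    return f"{s.bug_location or '?'} @ {s.rip_symbol or '?'} via {s.syscall or '?'}"


# Sample input: a subset of the kmsg lines from the report above.
SAMPLE_KMSG = [
    "6,799,86360296,-;loop0: detected capacity change from 0 to 262144",
    "4,803,86455701,-;------------[ cut here ]------------",
    "2,804,86455706,-;kernel BUG at fs/f2fs/segment.c:2291!",
    "4,806,86455727,-;CPU: 6 PID: 1079 Comm: case Not tainted 5.17.0 #2",
    "4,808,86455738,-;RIP: 0010:update_sit_entry+0xa30/0x1050",
    "4,819,86455798,-;Call Trace:",
    "4,820,86455801,-; <TASK>",
    "4,821,86455804,-; ? update_segment_mtime+0x129/0x500",
    "4,823,86455815,-; f2fs_invalidate_blocks+0x193/0x2d0",
    "4,824,86455821,-; f2fs_fallocate+0x2593/0x4a70",
    "4,825,86455826,-; ? may_open_dev+0xd0/0xd0",
    "4,830,86455854,-; vfs_fallocate+0x2a5/0xac0",
    "4,831,86455860,-; ksys_fallocate+0x35/0x70",
    "4,832,86455864,-; __x64_sys_fallocate+0x8e/0xf0",
    "4,834,86455875,-; do_syscall_64+0x3b/0x90",
    "4,835,86455880,-; entry_SYSCALL_64_after_hwframe+0x44/0xae",
    "4,836,86455886,-;RIP: 0033:0x7f4253d9b76d",
    "4,844,86455927,-; </TASK>",
    "4,846,86455939,-;---[ end trace 0000000000000000 ]---",
]

if __name__ == "__main__":
    summary = summarize_crash(SAMPLE_KMSG)
    print(fingerprint(summary))
    print("reliable frames:", " <- ".join(summary.frames))
```

Feeding it the whole report (or `cat /dev/kmsg` output from a test VM) gives one fingerprint per crash, so different fuzzed images that hit the same `BUG_ON` in the same caller collapse into one ticket; the unreliable frames are kept separately because they often point at unrelated code left on the stack.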
Comment 1 bughunter 2022-04-27 11:50:47 UTC
Thank you for the prompt reply; this bug has been fixed after adding the patch!