Bug 203171 - PF error: at __remove_dirty_segment+0x61/0xd0
Summary: PF error: at __remove_dirty_segment+0x61/0xd0
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: f2fs
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: Default virtual assignee for f2fs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-06 01:46 UTC by Jungyeon
Modified: 2019-07-08 18:39 UTC
CC List: 0 users

See Also:
Kernel Version: 5.0.0
Subsystem:
Regression: No
Bisected commit-id:


Attachments
- The (compressed) crafted image which causes crash (69.28 KB, application/zip), 2019-04-06 01:46 UTC, Jungyeon
- poc_06.c (5.67 KB, text/x-csrc), 2019-04-16 23:54 UTC, Jungyeon
- run.sh (243 bytes, application/x-shellscript), 2019-04-16 23:55 UTC, Jungyeon

Description Jungyeon 2019-04-06 01:46:33 UTC
Created attachment 282157
The (compressed) crafted image which causes crash

- Overview
When mounting the attached crafted image, I got this error.

- Reproduce
mkdir test
mount -t f2fs tmp.img test

- Messages
[ 107.646001] F2FS-fs (sdb): Can't find valid F2FS filesystem in 2th superblock
[ 107.654882] BUG: unable to handle kernel paging request at 000006e800000f08
[ 107.655922] #PF error: [WRITE]
[ 107.656383] PGD 0 P4D 0 
[ 107.656768] Oops: 0002 [#1] SMP PTI
[ 107.657289] CPU: 0 PID: 1038 Comm: mount Not tainted 5.0.0 #3
[ 107.658127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 107.659500] RIP: 0010:__remove_dirty_segment+0x61/0xd0
[ 107.660255] Code: 48 8b 97 88 00 00 00 4c 8d 0c 80 49 c1 e1 03 48 8b 12 48 8b 52 68 42 0f b6 14 0a 83 e2 3f 49 89 d0 41 83 e0 3f 4e 8b 44 c1 08 <3e> 49 0f b3 00 72 42 44 8b 87 d8 03 00 00 48 8b 87 88 00 00 00 41
[ 107.662940] RSP: 0018:ffffb834c11179b0 EFLAGS: 00010202
[ 107.663705] RAX: 0000000000000008 RBX: ffff9478ef52d000 RCX: ffff9478e8d6d9c0
[ 107.664741] RDX: 000000000000001c RSI: 0000000000000008 RDI: ffff9478ef52d000
[ 107.665775] RBP: ffffb834c11179b0 R08: 000006e800000f08 R09: 0000000000000140
[ 107.666809] R10: 0000000000000000 R11: 0000000000000007 R12: 0000000000000008
[ 107.667843] R13: ffff9478e8d6da08 R14: 0000000000000002 R15: ffff9478f014d4e0
[ 107.668878] FS: 00007fe3e3e75840(0000) GS:ffff9478f7a00000(0000) knlGS:0000000000000000
[ 107.670049] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 107.670886] CR2: 000006e800000f08 CR3: 000000022e59c004 CR4: 00000000001606f0
[ 107.671924] Call Trace:
[ 107.672302] change_curseg+0xe7/0x250
[ 107.672872] f2fs_do_replace_block+0xf8/0x510
[ 107.673511] f2fs_replace_block+0x4b/0x80
[ 107.674098] recover_data+0xac9/0x1c90
[ 107.674647] f2fs_recover_fsync_data+0x68f/0x800
[ 107.675325] ? proc_create_single_data+0x41/0x50
[ 107.676002] f2fs_fill_super+0x1bdd/0x1d50
[ 107.676608] ? snprintf+0x45/0x70
[ 107.677100] mount_bdev+0x17b/0x1b0
[ 107.677612] ? f2fs_commit_super+0x190/0x190
[ 107.678232] ? mount_bdev+0x17b/0x1b0
[ 107.678767] ? f2fs_commit_super+0x190/0x190
[ 107.679387] f2fs_mount+0x15/0x20
[ 107.679877] mount_fs+0x51/0x170
[ 107.680360] vfs_kern_mount+0x67/0x120
[ 107.680909] do_mount+0x208/0xd20
[ 107.681398] ? __check_object_size+0x151/0x1b0
[ 107.682048] ? memdup_user+0x4f/0x70
[ 107.682570] ksys_mount+0x83/0xd0
[ 107.683055] __x64_sys_mount+0x25/0x30
[ 107.683606] do_syscall_64+0x5a/0x110
[ 107.684148] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 107.684884] RIP: 0033:0x7fe3e3754b9a
[ 107.685406] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 107.688056] RSP: 002b:00007ffef116fae8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 107.689143] RAX: ffffffffffffffda RBX: 0000000002342030 RCX: 00007fe3e3754b9a
[ 107.690165] RDX: 0000000002342210 RSI: 0000000002344f40 RDI: 0000000002342230
[ 107.691186] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[ 107.692213] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000002342230
[ 107.693236] R13: 0000000002342210 R14: 0000000000000000 R15: 0000000000000003
[ 107.694260] Modules linked in:
[ 107.694715] CR2: 000006e800000f08
[ 107.695220] ---[ end trace 206927c7f0048e33 ]---
[ 107.695909] RIP: 0010:__remove_dirty_segment+0x61/0xd0
[ 107.696661] Code: 48 8b 97 88 00 00 00 4c 8d 0c 80 49 c1 e1 03 48 8b 12 48 8b 52 68 42 0f b6 14 0a 83 e2 3f 49 89 d0 41 83 e0 3f 4e 8b 44 c1 08 <3e> 49 0f b3 00 72 42 44 8b 87 d8 03 00 00 48 8b 87 88 00 00 00 41
[ 107.699327] RSP: 0018:ffffb834c11179b0 EFLAGS: 00010202
[ 107.700093] RAX: 0000000000000008 RBX: ffff9478ef52d000 RCX: ffff9478e8d6d9c0
[ 107.701125] RDX: 000000000000001c RSI: 0000000000000008 RDI: ffff9478ef52d000
[ 107.702171] RBP: ffffb834c11179b0 R08: 000006e800000f08 R09: 0000000000000140
[ 107.703201] R10: 0000000000000000 R11: 0000000000000007 R12: 0000000000000008
[ 107.704243] R13: ffff9478e8d6da08 R14: 0000000000000002 R15: ffff9478f014d4e0
[ 107.705280] FS: 00007fe3e3e75840(0000) GS:ffff9478f7a00000(0000) knlGS:0000000000000000
[ 107.706452] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 107.707325] CR2: 000006e800000f08 CR3: 000000022e59c004 CR4: 00000000001606f0
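The trace above shows a write fault (#PF error: [WRITE]) at 000006e800000f08, an address that is not a kernel pointer, reached from f2fs_recover_fsync_data through change_curseg into __remove_dirty_segment. That shape is consistent with a segment number derived from a block address read off the image and used as a bitmap index without being range-checked first. The page does not include the fix that closed the bug, so the user-space C below is an added illustration only, not f2fs code and not the upstream patch: it models the unchecked pattern beside the hardened one. Every name and constant in it (toy_sbi, BLKS_PER_SEG, a main area starting at block 4096 with 64 segments, the sample addresses) is a hypothetical stand-in, not the layout of the attached image; the range check is modelled on the idea behind f2fs's f2fs_is_valid_blkaddr().

```c
/*
 * Added illustration, not f2fs code: a segment index derived from an
 * on-disk block address and used on a segment bitmap, with and without
 * the range check that makes a crafted address harmless.  All names and
 * constants (toy_sbi, BLKS_PER_SEG, the 4096/64-segment layout) are
 * hypothetical stand-ins chosen so the arithmetic is visible.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BLKS_PER_SEG    512u                          /* 2 MiB segment of 4 KiB blocks */
#define BITS_PER_LONG   (sizeof(unsigned long) * CHAR_BIT)
#define TOY_SEGMENTS    64u                           /* segments in the toy main area */

enum outcome {
    SEG_CLEARED   =  0,  /* bit for the addressed segment cleared, others intact */
    SEG_REJECTED  = -1,  /* address outside the main area: treat image as corrupt */
    SEG_OOB_WRITE = -2,  /* bitmap write would land outside the allocation */
    SEG_BAD_CLEAR = -3,  /* self-check failed: a different bit was touched */
};

struct toy_sbi {
    uint32_t       main_blkaddr;    /* first block of the main area */
    uint32_t       segment_count;   /* segments in the main area */
    unsigned long *dirty_segmap;    /* one bit per segment */
    size_t         segmap_words;    /* allocated length of dirty_segmap */
};

/* Same arithmetic as a GET_SEGNO-style macro: no range check, and an address
 * below main_blkaddr wraps the unsigned subtraction into a huge segno. */
static uint32_t get_segno(const struct toy_sbi *sbi, uint32_t blkaddr)
{
    return (blkaddr - sbi->main_blkaddr) / BLKS_PER_SEG;
}

/* The check the unchecked path lacks: the address must fall inside the main
 * area the superblock describes.  64-bit math keeps the end address from
 * overflowing for large segment counts. */
static bool blkaddr_in_main_area(const struct toy_sbi *sbi, uint32_t blkaddr)
{
    uint64_t end = (uint64_t)sbi->main_blkaddr +
                   (uint64_t)sbi->segment_count * BLKS_PER_SEG;
    return blkaddr >= sbi->main_blkaddr && (uint64_t)blkaddr < end;
}

/* What an unchecked path does: index the bitmap straight from the address.
 * In the kernel the out-of-range write simply happens and faults; here a
 * demo-only guard reports it instead of corrupting memory. */
static enum outcome remove_dirty_unchecked(struct toy_sbi *sbi, uint32_t blkaddr)
{
    uint32_t segno = get_segno(sbi, blkaddr);
    size_t word = segno / BITS_PER_LONG;

    if (word >= sbi->segmap_words)
        return SEG_OOB_WRITE;
    sbi->dirty_segmap[word] &= ~(1UL << (segno % BITS_PER_LONG));
    return SEG_CLEARED;
}

/* Hardened variant: validate the untrusted address before deriving an index. */
static enum outcome remove_dirty_checked(struct toy_sbi *sbi, uint32_t blkaddr)
{
    if (!blkaddr_in_main_area(sbi, blkaddr))
        return SEG_REJECTED;
    return remove_dirty_unchecked(sbi, blkaddr);
}

/* Build the toy filesystem with every segment marked dirty, apply one variant
 * to blkaddr, and verify that a successful clear touched exactly one bit. */
static enum outcome run_case(uint32_t blkaddr, bool checked)
{
    unsigned long map[(TOY_SEGMENTS + BITS_PER_LONG - 1) / BITS_PER_LONG];
    struct toy_sbi sbi = { .main_blkaddr = 4096, .segment_count = TOY_SEGMENTS,
                           .dirty_segmap = map,
                           .segmap_words = sizeof(map) / sizeof(map[0]) };
    enum outcome rc;

    for (size_t w = 0; w < sbi.segmap_words; w++)
        map[w] = ~0UL;

    rc = checked ? remove_dirty_checked(&sbi, blkaddr)
                 : remove_dirty_unchecked(&sbi, blkaddr);

    if (rc == SEG_CLEARED) {
        uint32_t segno = get_segno(&sbi, blkaddr);
        for (size_t w = 0; w < sbi.segmap_words; w++) {
            unsigned long expect = (w == segno / BITS_PER_LONG)
                                 ? ~(1UL << (segno % BITS_PER_LONG)) : ~0UL;
            if (map[w] != expect)
                rc = SEG_BAD_CLEAR;
        }
    }
    return rc;
}

int main(void)
{
    /* constructed sample addresses: in-range, far out of range, below the
     * main area (wraps), and exactly one past the last valid block */
    static const uint32_t addrs[] = { 5639u, 0x7fffffffu, 0u, 36864u };

    for (size_t i = 0; i < sizeof(addrs) / sizeof(addrs[0]); i++)
        printf("blkaddr 0x%08x: unchecked %d, checked %d\n", addrs[i],
               (int)run_case(addrs[i], false), (int)run_case(addrs[i], true));
    return 0;
}
```

Two practitioner notes follow from the trace rather than from the model. First, the write landed in the fsync roll-forward path (f2fs_recover_fsync_data), which a plain read-write mount of an untrusted image runs automatically; for triage, mounting with the f2fs option norecovery (read-only, recovery skipped) keeps that path out of the picture while the rest of the image is examined. Second, the "Can't find valid F2FS filesystem in 2th superblock" line shows the kernel proceeding on the strength of the first superblock alone, so nothing downstream of the superblock check can assume the block addresses it reads are consistent with the layout it was told.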
Comment 1 Jungyeon 2019-04-16 23:54:56 UTC
Created attachment 282361
poc_06.c
Comment 2 Jungyeon 2019-04-16 23:55:26 UTC
Created attachment 282363
run.sh
