Bug 203219 - kernel BUG at fs/f2fs/node.c:1183! and hangs on sync
Summary: kernel BUG at fs/f2fs/node.c:1183! and hangs on sync
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: f2fs (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Default virtual assignee for f2fs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-09 21:10 UTC by Jungyeon
Modified: 2019-05-16 14:10 UTC (History)
1 user (show)

See Also:
Kernel Version: 5.0.0
Tree: Mainline
Regression: No


Attachments
The (compressed) crafted image which causes crash (65.70 KB, application/zip)
2019-04-09 21:10 UTC, Jungyeon
Details
poc_06.c (1.57 KB, text/x-csrc)
2019-04-09 21:11 UTC, Jungyeon
Details

Description Jungyeon 2019-04-09 21:10:41 UTC
Created attachment 282215 [details]
The (compressed) crafted image which causes crash

- Overview
When mounting the attached crafted image and running program, I got this error.
Additionally, it hangs on sync after running the program.

The image is intentionally fuzzed from a normal f2fs image for testing and I enabled option CONFIG_F2FS_CHECK_FS on.

- Reproduces
cc poc_06.c
mkdir test
mount -t f2fs tmp.img test
cp a.out test
cd test
sudo ./a.out
sync

- Messages
[   54.959546] kernel BUG at fs/f2fs/node.c:1183!
[   54.960445] invalid opcode: 0000 [#1] SMP PTI
[   54.961320] CPU: 0 PID: 1905 Comm: a.out Not tainted 5.0.0 #4
[   54.962460] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   54.964292] RIP: 0010:f2fs_remove_inode_page+0x294/0x2d0
[   54.965300] Code: 48 85 ff 74 1b 48 3b 7c 24 18 74 14 48 8b 47 08 48 8d 50 ff a8 01 48 0f 45 fa 3e ff 4f 34 74 21 b8 fb ff ff ff e9 cb fd ff ff <0f> 0b 48 89 df 89 44 24 04 e8 3e f3 e2 ff 8b 44 24 04 e9 1e ff ff
[   54.968963] RSP: 0018:ffff9aa700d0bd70 EFLAGS: 00010202
[   54.969971] RAX: ffff8b3c7f891000 RBX: ffff8b3c6cfdd980 RCX: ffff8b3c6cfdd980
[   54.971366] RDX: 0000000000000000 RSI: ffff8b3c7e1f4168 RDI: ffff9aa700d0bd78
[   54.972799] RBP: 0000000000000000 R08: 0000000000000006 R09: ffff8b3c7e1f416c
[   54.974201] R10: 0000000000000000 R11: ffff8b3c7e9c2ab0 R12: ffff8b3c7e9c2800
[   54.975630] R13: 0000000000000000 R14: ffff8b3c7e9c2908 R15: 00007ffe06227910
[   54.977004] FS:  00007f71f6034700(0000) GS:ffff8b3c7fc00000(0000) knlGS:0000000000000000
[   54.978570] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   54.979711] CR2: 00007f71f5b4f4c0 CR3: 0000000231524006 CR4: 00000000001606f0
[   54.981085] Call Trace:
[   54.981582]  f2fs_evict_inode+0x2a3/0x3a0
[   54.982443]  evict+0xba/0x180
[   54.983075]  __dentry_kill+0xbe/0x160
[   54.983792]  dentry_kill+0x46/0x180
[   54.984477]  dput+0xbb/0x100
[   54.985050]  do_renameat2+0x3c9/0x550
[   54.985765]  __x64_sys_rename+0x17/0x20
[   54.986535]  do_syscall_64+0x43/0xf0
[   54.987250]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   54.988230] RIP: 0033:0x7f71f5b4f4d9
[   54.988927] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[   54.992536] RSP: 002b:00007ffe06227868 EFLAGS: 00000217 ORIG_RAX: 0000000000000052
[   54.994008] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f71f5b4f4d9
[   54.995460] RDX: 00007f71f5b4f4d9 RSI: 00007ffe062278d0 RDI: 00007ffe06227910
[   54.996846] RBP: 00007ffe0622b950 R08: 00007ffe0622ba38 R09: 00007ffe0622ba38
[   54.998198] R10: 00007ffe0622ba38 R11: 0000000000000217 R12: 00000000004004e0
[   54.999652] R13: 00007ffe0622ba30 R14: 0000000000000000 R15: 0000000000000000
[   55.001040] Modules linked in:
[   55.001667] ---[ end trace 179922f700648628 ]---
[   55.002616] RIP: 0010:f2fs_remove_inode_page+0x294/0x2d0
[   55.003667] Code: 48 85 ff 74 1b 48 3b 7c 24 18 74 14 48 8b 47 08 48 8d 50 ff a8 01 48 0f 45 fa 3e ff 4f 34 74 21 b8 fb ff ff ff e9 cb fd ff ff <0f> 0b 48 89 df 89 44 24 04 e8 3e f3 e2 ff 8b 44 24 04 e9 1e ff ff
[   55.007226] RSP: 0018:ffff9aa700d0bd70 EFLAGS: 00010202
[   55.008243] RAX: ffff8b3c7f891000 RBX: ffff8b3c6cfdd980 RCX: ffff8b3c6cfdd980
[   55.009633] RDX: 0000000000000000 RSI: ffff8b3c7e1f4168 RDI: ffff9aa700d0bd78
[   55.011027] RBP: 0000000000000000 R08: 0000000000000006 R09: ffff8b3c7e1f416c
[   55.012403] R10: 0000000000000000 R11: ffff8b3c7e9c2ab0 R12: ffff8b3c7e9c2800
[   55.013803] R13: 0000000000000000 R14: ffff8b3c7e9c2908 R15: 00007ffe06227910
[   55.015249] FS:  00007f71f6034700(0000) GS:ffff8b3c7fc00000(0000) knlGS:0000000000000000
[   55.016790] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   55.017892] CR2: 00007f71f5b4f4c0 CR3: 0000000231524006 CR4: 00000000001606f0

- Error location
1156 int f2fs_remove_inode_page(struct inode *inode)
1157 {
1158     struct dnode_of_data dn;
1159     int err;
1160 
1161     set_new_dnode(&dn, inode, NULL, NULL, inode->i_ino);
1162     err = f2fs_get_dnode_of_data(&dn, 0, LOOKUP_NODE);
1163     if (err)
1164         return err;
1165 
1166     err = f2fs_truncate_xattr_node(inode);
1167     if (err) {
1168         f2fs_put_dnode(&dn);
1169         return err;
1170     }
1171 
1172     /* remove potential inline_data blocks */
1173     if (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) ||
1174                 S_ISLNK(inode->i_mode))
1175         f2fs_truncate_data_blocks_range(&dn, 1);
1176 
1177     /* 0 is possible, after f2fs_new_inode() has failed */
1178     if (unlikely(f2fs_cp_error(F2FS_I_SB(inode)))) {
1179         f2fs_put_dnode(&dn);
1180         return -EIO;
1181     }
1182     f2fs_bug_on(F2FS_I_SB(inode),
*1183             inode->i_blocks != 0 && inode->i_blocks != 8);
1184 
1185     /* will put inode & node pages */
1186     err = truncate_node(&dn);
1187     if (err) {
1188         f2fs_put_dnode(&dn);
1189         return err;
1190     }
1191     return 0;
1192 }
Comment 1 Jungyeon 2019-04-09 21:11:00 UTC
Created attachment 282217 [details]
poc_06.c
Comment 2 Chao Yu 2019-04-15 14:51:38 UTC
Fixed with

f2fs: fix to avoid panic in f2fs_remove_inode_page()

Note You need to log in before you can comment on or make changes to this bug.