203229 – kernel BUG at fs/f2fs/recovery.c:591! and hangs on sync

Bug 203229 - kernel BUG at fs/f2fs/recovery.c:591! and hangs on sync

Summary: kernel BUG at fs/f2fs/recovery.c:591! and hangs on sync

Status:	RESOLVED CODE_FIX

Alias:	None

Product:	File System
Classification:	Unclassified
Component:	f2fs (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	Default virtual assignee for f2fs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-04-09 22:51 UTC by Jungyeon
Modified:	2019-05-16 14:11 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:	5.0.0
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
The (compressed) crafted image which causes crash (67.09 KB, application/zip) 2019-04-09 22:51 UTC, Jungyeon	Details
Add an attachment (proposed patch, testcase, etc.)

Description Jungyeon 2019-04-09 22:51:51 UTC

Created attachment 282231 [details]
The (compressed) crafted image which causes crash

- Overview
When mounting the attached crafted image, following errors are reported.
Additionally, it hangs on sync after trying to mount it.

The image is intentionally fuzzed from a normal f2fs image for testing.
Compile options for F2FS are as follows.
CONFIG_F2FS_FS=y
CONFIG_F2FS_STAT_FS=y
CONFIG_F2FS_FS_XATTR=y
CONFIG_F2FS_FS_POSIX_ACL=y
# CONFIG_F2FS_FS_SECURITY is not set
CONFIG_F2FS_CHECK_FS=y
# CONFIG_F2FS_FS_ENCRYPTION is not set
# CONFIG_F2FS_FAULT_INJECTION is not set

- Reproduces
mkdir test
mount -t f2fs tmp.img test
sync

- Kernel message
[   22.820057] F2FS-fs (sdb): invalid crc value
[   22.823032] WARNING: CPU: 0 PID: 1879 at fs/f2fs/node.c:2586 f2fs_recover_inode_page+0x3ca/0x3f0
[   22.823034] Modules linked in:
[   22.823037] CPU: 0 PID: 1879 Comm: mount Not tainted 5.0.0 #5
[   22.823037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   22.823039] RIP: 0010:f2fs_recover_inode_page+0x3ca/0x3f0
[   22.823041] Code: ff ff 48 8b 8a 74 01 00 00 48 89 88 74 01 00 00 8b 92 7c 01 00 00 89 90 7c 01 00 00 e9 87 fe ff ff 41 c6 84 24 e8 05 00 00 00 <0f> 0b e9 16 ff ff ff b8 ea ff ff ff e9 77 ff ff ff 41 03 94 24 10
[   22.823042] RSP: 0018:ffffae6380cf3bd8 EFLAGS: 00010297
[   22.823043] RAX: 0000000000007f00 RBX: fffff90a48d85740 RCX: 0000000000000008
[   22.823044] RDX: 0000000000007f01 RSI: 0000000000000020 RDI: ffffa3c5f6109de8
[   22.823044] RBP: ffffae6380cf3c30 R08: 0000000000000000 R09: ffffffff93332f01
[   22.823045] R10: ffffa3c5eeb4b078 R11: 0000000000000001 R12: ffffa3c5f6109800
[   22.823046] R13: 0000000000000009 R14: 0000000231b8d000 R15: 0000000000000009
[   22.823048] FS:  00007f8c9c06b840(0000) GS:ffffa3c5f7a00000(0000) knlGS:0000000000000000
[   22.823050] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   22.823051] CR2: 00007ffc7f26dfcc CR3: 0000000235d64001 CR4: 00000000001606f0
[   22.823052] Call Trace:
[   22.823070]  f2fs_recover_fsync_data+0x6cf/0x710
[   22.823076]  ? proc_create_single_data+0x37/0x50
[   22.823078]  f2fs_fill_super+0x1043/0x1aa0
[   22.823080]  ? f2fs_commit_super+0x180/0x180
[   22.823086]  mount_bdev+0x16d/0x1a0
[   22.823088]  mount_fs+0x4a/0x170
[   22.823092]  vfs_kern_mount+0x5d/0x100
[   22.823095]  do_mount+0x200/0xcf0
[   22.823100]  ? memdup_user+0x39/0x60
[   22.823101]  ksys_mount+0x79/0xc0
[   22.823103]  __x64_sys_mount+0x1c/0x20
[   22.823106]  do_syscall_64+0x43/0xf0
[   22.823112]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   22.823114] RIP: 0033:0x7f8c9b94ab9a
[   22.823115] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[   22.823116] RSP: 002b:00007ffc7f26f7f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   22.823117] RAX: ffffffffffffffda RBX: 0000000000dc2050 RCX: 00007f8c9b94ab9a
[   22.823118] RDX: 0000000000dc2230 RSI: 0000000000dc2f20 RDI: 0000000000dc2250
[   22.823119] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[   22.823119] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000dc2250
[   22.823120] R13: 0000000000dc2230 R14: 0000000000000000 R15: 0000000000000003
[   22.823122] ---[ end trace f9a70503bb3dfdc3 ]---
[   22.823142] ------------[ cut here ]------------
[   22.823143] kernel BUG at fs/f2fs/recovery.c:591!
[   22.824026] invalid opcode: 0000 [#1] SMP PTI
[   22.824618] CPU: 0 PID: 1879 Comm: mount Tainted: G        W         5.0.0 #5
[   22.825553] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   22.826799] RIP: 0010:recover_data+0x12d8/0x1780
[   22.827411] Code: 00 3e 80 48 49 08 e9 17 fc ff ff 4c 89 f7 e8 2f 56 e9 ff e9 0f f8 ff ff 48 8d 7c 24 70 e8 b0 80 fe ff 85 c0 0f 84 ee f5 ff ff <0f> 0b 48 8b 7c 24 78 48 89 7c 24 38 e8 57 e3 71 00 48 8b 7c 24 38
[   22.829889] RSP: 0018:ffffae6380cf3b18 EFLAGS: 00010286
[   22.830576] RAX: 00000000ffffffe4 RBX: ffffa3c5f6109800 RCX: ffffa3c5f2978000
[   22.831529] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffa3c5eebc0cc0
[   22.832488] RBP: 0000000000000230 R08: 0000000000000001 R09: 0000000000000009
[   22.833430] R10: fffff90a48d85740 R11: fffff90a40000000 R12: 0000000000001000
[   22.834365] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000001000041
[   22.835320] FS:  00007f8c9c06b840(0000) GS:ffffa3c5f7a00000(0000) knlGS:0000000000000000
[   22.836374] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   22.837159] CR2: 00007ffc7f26dfcc CR3: 0000000235d64001 CR4: 00000000001606f0
[   22.838093] Call Trace:
[   22.838428]  ? mark_page_accessed+0x9c/0x110
[   22.839024]  ? pagecache_get_page+0x177/0x210
[   22.839610]  f2fs_recover_fsync_data+0x613/0x710
[   22.840223]  ? proc_create_single_data+0x37/0x50
[   22.840858]  f2fs_fill_super+0x1043/0x1aa0
[   22.841402]  ? f2fs_commit_super+0x180/0x180
[   22.841966]  mount_bdev+0x16d/0x1a0
[   22.842455]  mount_fs+0x4a/0x170
[   22.842887]  vfs_kern_mount+0x5d/0x100
[   22.843386]  do_mount+0x200/0xcf0
[   22.843828]  ? memdup_user+0x39/0x60
[   22.844302]  ksys_mount+0x79/0xc0
[   22.844771]  __x64_sys_mount+0x1c/0x20
[   22.845268]  do_syscall_64+0x43/0xf0
[   22.845746]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   22.846412] RIP: 0033:0x7f8c9b94ab9a
[   22.846888] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[   22.849339] RSP: 002b:00007ffc7f26f7f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   22.850330] RAX: ffffffffffffffda RBX: 0000000000dc2050 RCX: 00007f8c9b94ab9a
[   22.851285] RDX: 0000000000dc2230 RSI: 0000000000dc2f20 RDI: 0000000000dc2250
[   22.852218] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[   22.853154] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000dc2250
[   22.854108] R13: 0000000000dc2230 R14: 0000000000000000 R15: 0000000000000003
[   22.855058] Modules linked in:
[   22.855476] ---[ end trace f9a70503bb3dfdc4 ]---
[   22.856095] RIP: 0010:recover_data+0x12d8/0x1780
[   22.856715] Code: 00 3e 80 48 49 08 e9 17 fc ff ff 4c 89 f7 e8 2f 56 e9 ff e9 0f f8 ff ff 48 8d 7c 24 70 e8 b0 80 fe ff 85 c0 0f 84 ee f5 ff ff <0f> 0b 48 8b 7c 24 78 48 89 7c 24 38 e8 57 e3 71 00 48 8b 7c 24 38
[   22.859167] RSP: 0018:ffffae6380cf3b18 EFLAGS: 00010286
[   22.859873] RAX: 00000000ffffffe4 RBX: ffffa3c5f6109800 RCX: ffffa3c5f2978000
[   22.860818] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffa3c5eebc0cc0
[   22.861781] RBP: 0000000000000230 R08: 0000000000000001 R09: 0000000000000009
[   22.862717] R10: fffff90a48d85740 R11: fffff90a40000000 R12: 0000000000001000
[   22.863655] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000001000041
[   22.864592] FS:  00007f8c9c06b840(0000) GS:ffffa3c5f7a00000(0000) knlGS:0000000000000000
[   22.865657] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   22.866418] CR2: 00007ffc7f26dfcc CR3: 0000000235d64001 CR4: 00000000001606f0
[   22.868476] mount (1879) used greatest stack depth: 13320 bytes left

Comment 1 Chao Yu 2019-04-15 14:53:24 UTC

Fixed with

f2fs: fix to do sanity check on valid node/block count

Note You need to log in before you can comment on or make changes to this bug.