Created attachment 282251 [details] The (compressed) crafted image which causes a crash - Overview When mounting the attached crafted image, the following errors are reported. Additionally, it hangs on sync after trying to mount it. The image is intentionally fuzzed from a normal f2fs image for testing. Compile options for F2FS are as follows. CONFIG_F2FS_FS=y CONFIG_F2FS_STAT_FS=y CONFIG_F2FS_FS_XATTR=y CONFIG_F2FS_FS_POSIX_ACL=y # CONFIG_F2FS_FS_SECURITY is not set CONFIG_F2FS_CHECK_FS=y # CONFIG_F2FS_FS_ENCRYPTION is not set # CONFIG_F2FS_FAULT_INJECTION is not set - Reproduces mkdir test mount -t f2fs tmp.img test sync - Kernel Messages [ 35.663703] F2FS-fs (sdb): Can't find valid F2FS filesystem in 2th superblock [ 35.675530] kernel BUG at fs/f2fs/segment.c:3222! [ 35.676360] invalid opcode: 0000 [#1] SMP PTI [ 35.676946] CPU: 0 PID: 1905 Comm: mount Not tainted 5.0.0 #5 [ 35.677703] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 35.678962] RIP: 0010:f2fs_do_replace_block+0x432/0x4e0 [ 35.679652] Code: ba 01 00 00 00 44 89 e6 4c 89 f7 e8 a8 c5 ff ff e9 10 fd ff ff 49 8b 46 10 8b 40 48 e9 76 fe ff ff 49 8b 46 10 e9 c1 fc ff ff <0f> 0b 49 8b 56 10 8b 52 48 e9 9b fd ff ff 49 8b 46 10 8b 40 48 e9 [ 35.682147] RSP: 0018:ffffa8de80cfba88 EFLAGS: 00010202 [ 35.682836] RAX: ffff9c11abeaa880 RBX: 0000000000000003 RCX: 0000000000000009 [ 35.683780] RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff9c11abb58c20 [ 35.684717] RBP: ffff9c11b3012800 R08: ffff9c11abb58c00 R09: 0000000000000000 [ 35.685659] R10: 0000000000000009 R11: fffffa1340000000 R12: 0000000000001000 [ 35.686590] R13: 0000000000000000 R14: ffff9c11b3010000 R15: ffff9c11abb583c0 [ 35.687530] FS: 00007fd333db1840(0000) GS:ffff9c11b7a00000(0000) knlGS:0000000000000000 [ 35.688625] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 35.689424] CR2: 00007ffffc4fbf38 CR3: 000000022bb1c006 CR4: 00000000001606f0 [ 35.690365] Call Trace: [ 35.690694] 
f2fs_replace_block+0x45/0x70 [ 35.691224] recover_data+0xaf3/0x1780 [ 35.691725] f2fs_recover_fsync_data+0x613/0x710 [ 35.692354] ? proc_create_single_data+0x37/0x50 [ 35.692974] f2fs_fill_super+0x1043/0x1aa0 [ 35.693525] ? f2fs_commit_super+0x180/0x180 [ 35.694094] mount_bdev+0x16d/0x1a0 [ 35.694564] mount_fs+0x4a/0x170 [ 35.695002] vfs_kern_mount+0x5d/0x100 [ 35.695522] do_mount+0x200/0xcf0 [ 35.695972] ? memdup_user+0x39/0x60 [ 35.696459] ksys_mount+0x79/0xc0 [ 35.696921] __x64_sys_mount+0x1c/0x20 [ 35.697448] do_syscall_64+0x43/0xf0 [ 35.697927] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 35.698592] RIP: 0033:0x7fd333690b9a [ 35.699087] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 [ 35.701525] RSP: 002b:00007ffffc4fd838 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 35.702524] RAX: ffffffffffffffda RBX: 0000000001144050 RCX: 00007fd333690b9a [ 35.703483] RDX: 0000000001144230 RSI: 0000000001144f20 RDI: 0000000001144250 [ 35.704477] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 [ 35.705410] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000001144250 [ 35.706362] R13: 0000000001144230 R14: 0000000000000000 R15: 0000000000000003 [ 35.707307] Modules linked in: [ 35.707728] ---[ end trace 4f87466a0fe9a69b ]--- [ 35.708357] RIP: 0010:f2fs_do_replace_block+0x432/0x4e0 [ 35.709048] Code: ba 01 00 00 00 44 89 e6 4c 89 f7 e8 a8 c5 ff ff e9 10 fd ff ff 49 8b 46 10 8b 40 48 e9 76 fe ff ff 49 8b 46 10 e9 c1 fc ff ff <0f> 0b 49 8b 56 10 8b 52 48 e9 9b fd ff ff 49 8b 46 10 8b 40 48 e9 [ 35.711516] RSP: 0018:ffffa8de80cfba88 EFLAGS: 00010202 [ 35.712224] RAX: ffff9c11abeaa880 RBX: 0000000000000003 RCX: 0000000000000009 [ 35.713210] RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff9c11abb58c20 [ 35.714148] RBP: ffff9c11b3012800 R08: ffff9c11abb58c00 R09: 0000000000000000 [ 35.715082] R10: 
0000000000000009 R11: fffffa1340000000 R12: 0000000000001000 [ 35.716029] R13: 0000000000000000 R14: ffff9c11b3010000 R15: ffff9c11abb583c0 [ 35.716969] FS: 00007fd333db1840(0000) GS:ffff9c11b7a00000(0000) knlGS:0000000000000000 [ 35.718028] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 35.718808] CR2: 00007ffffc4fbf38 CR3: 000000022bb1c006 CR4: 00000000001606f0 [ 35.720470] mount (1905) used greatest stack depth: 13176 bytes left - Error location 3187 void f2fs_do_replace_block(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, 3188 block_t old_blkaddr, block_t new_blkaddr, 3189 bool recover_curseg, bool recover_newaddr) 3190 { 3191 struct sit_info *sit_i = SIT_I(sbi); 3192 struct curseg_info *curseg; 3193 unsigned int segno, old_cursegno; 3194 struct seg_entry *se; 3195 int type; 3196 unsigned short old_blkoff; 3197 3198 segno = GET_SEGNO(sbi, new_blkaddr); 3199 se = get_seg_entry(sbi, segno); 3200 type = se->type; 3201 3202 down_write(&SM_I(sbi)->curseg_lock); 3203 3204 if (!recover_curseg) { 3205 /* for recovery flow */ 3206 if (se->valid_blocks == 0 && !IS_CURSEG(sbi, segno)) { 3207 if (old_blkaddr == NULL_ADDR) 3208 type = CURSEG_COLD_DATA; 3209 else 3210 type = CURSEG_WARM_DATA; 3211 } 3212 } else { 3213 if (IS_CURSEG(sbi, segno)) { 3214 /* se->type is volatile as SSR allocation */ 3215 type = __f2fs_get_curseg(sbi, segno); 3216 f2fs_bug_on(sbi, type == NO_CHECK_TYPE); 3217 } else { 3218 type = CURSEG_WARM_DATA; 3219 } 3220 } 3221 *3222 f2fs_bug_on(sbi, !IS_DATASEG(type)); 3223 curseg = CURSEG_I(sbi, type);
f2fs: introduce DATA_GENERIC_ENHANCE