Bug 215231 - kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image
Summary: kernel NULL pointer dereference triggered in folio_mark_dirty() when mount an...
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: f2fs (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Default virtual assignee for f2fs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-06 04:12 UTC by Wenqing Liu
Modified: 2021-12-12 04:05 UTC (History)
2 users (show)

See Also:
Kernel Version: 5.16-rc3, 5.15.X
Tree: Mainline
Regression: No


Attachments
crafted image and .config file (269.68 KB, application/zip)
2021-12-06 04:12 UTC, Wenqing Liu
Details

Description Wenqing Liu 2021-12-06 04:12:56 UTC
Created attachment 299909 [details]
crafted image and .config file

- Overview 
kernel NULL pointer dereference triggered  in folio_mark_dirty() when mount and operate on a crafted f2fs image

- Reproduce 
tested on kernel 5.16-rc3, 5.15.X under root

# mkdir mnt
# mount -t f2fs tmp1.img mnt
# touch tmp
# cp tmp mnt

- Kernel dump
[   41.932734] F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
[   41.932743] F2FS-fs (loop0): Inconsistent error blkaddr:5942, sit bitmap:0
[   41.932811] ------------[ cut here ]------------
[   41.932811] WARNING: CPU: 0 PID: 910 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x1d6/0x390 [f2fs]
[   41.932824] Modules linked in: f2fs crc32_generic joydev input_leds serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic psmouse usbhid hid aesni_intel crypto_simd cryptd
[   41.932840] CPU: 0 PID: 910 Comm: cp Tainted: G        W         5.16.0-rc3 #2
[   41.932842] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   41.932842] RIP: 0010:f2fs_is_valid_blkaddr+0x1d6/0x390 [f2fs]
[   41.932853] Code: fe ff ff 83 fb 07 0f 85 bb fe ff ff 0f b6 c8 89 ea 48 c7 c6 c8 1b 70 a0 4c 89 e7 88 04 24 e8 31 52 ff ff f0 41 80 4c 24 48 04 <0f> 0b 0f b6 04 24 e9 92 fe ff ff 83 fa 09 0f 85 15 01 00 00 48 8b
[   41.932854] RSP: 0018:ffffc90000687968 EFLAGS: 00010206
[   41.932855] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000000001
[   41.932855] RDX: 0000000000000000 RSI: ffffffff8232a839 RDI: 00000000ffffffff
[   41.932856] RBP: 0000000000001736 R08: 0000000000000000 R09: 0000000000000001
[   41.932857] R10: 00000009cb0c1476 R11: 0000000000000001 R12: ffff888110275000
[   41.932857] R13: 0000000000004000 R14: ffff888105f460f0 R15: ffff888110f4a000
[   41.932858] FS:  00007f3530f15800(0000) GS:ffff8882f5c00000(0000) knlGS:0000000000000000
[   41.932859] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   41.932860] CR2: 0000562fdc7b15c8 CR3: 000000010319c002 CR4: 0000000000370ef0
[   41.932862] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   41.932863] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   41.932863] Call Trace:
[   41.932864]  <TASK>
[   41.932865]  f2fs_iget+0xeee/0x11b0 [f2fs]
[   41.932874]  do_garbage_collect+0xf0f/0x16a0 [f2fs]
[   41.932886]  ? _raw_spin_lock+0x13/0x30
[   41.932888]  f2fs_gc+0x1d3/0xd90 [f2fs]
[   41.932899]  ? _raw_spin_unlock+0x16/0x30
[   41.932901]  ? f2fs_balance_fs+0x13a/0x570 [f2fs]
[   41.932915]  f2fs_balance_fs+0x13a/0x570 [f2fs]
[   41.932927]  ? _raw_spin_lock+0x13/0x30
[   41.932929]  ? __d_instantiate+0x34/0xf0
[   41.932931]  f2fs_create+0x285/0x840 [f2fs]
[   41.932940]  path_openat+0xe6d/0x1040
[   41.932943]  do_filp_open+0xc5/0x140
[   41.932945]  ? __check_object_size+0xd4/0x1a0
[   41.932948]  ? _raw_spin_unlock+0x16/0x30
[   41.932949]  ? do_sys_openat2+0x23a/0x310
[   41.932950]  do_sys_openat2+0x23a/0x310
[   41.932952]  do_sys_open+0x57/0x80
[   41.932953]  do_syscall_64+0x37/0xb0
[   41.932955]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   41.932956] RIP: 0033:0x7f35303e4d5e
[   41.932957] Code: 25 00 00 41 00 3d 00 00 41 00 74 48 48 8d 05 91 0c 2e 00 8b 00 85 c0 75 69 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 0f 87 a6 00 00 00 48 8b 4c 24 28 64 48 33 0c 25
[   41.932958] RSP: 002b:00007ffe4b2cb810 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   41.932959] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f35303e4d5e
[   41.932960] RDX: 00000000000000c1 RSI: 0000561d23a37cc0 RDI: 00000000ffffff9c
[   41.932961] RBP: 00007ffe4b2cbcb0 R08: 00007ffe4b2cbe70 R09: 0000000000000000
[   41.932961] R10: 00000000000001a4 R11: 0000000000000246 R12: 00007ffe4b2cbe70
[   41.932962] R13: 0000000000000000 R14: 00007ffe4b2cbe00 R15: 00007ffe4b2cc7b4
[   41.932963]  </TASK>
[   41.932964] ---[ end trace 1bf4370a7a01de20 ]---
[   41.932965] F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
[   41.933060] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix.
[   41.934251] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   41.934338] #PF: supervisor instruction fetch in kernel mode
[   41.934409] #PF: error_code(0x0010) - not-present page
[   41.934484] PGD 0 P4D 0 
[   41.934561] Oops: 0010 [#1] PREEMPT SMP NOPTI
[   41.934646] CPU: 1 PID: 910 Comm: cp Tainted: G        W         5.16.0-rc3 #2
[   41.934741] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   41.934893] RIP: 0010:0x0
[   41.935041] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[   41.935174] RSP: 0018:ffffc90000687928 EFLAGS: 00010246
[   41.935314] RAX: 0000000000000000 RBX: ffffea000478be40 RCX: 0000000000000001
[   41.935456] RDX: 0017ffffc0000015 RSI: 0000000000000000 RDI: ffffea000478be40
[   41.935604] RBP: ffff888105f44680 R08: ffffc90000687808 R09: 0000000000000000
[   41.935818] R10: 000000003ee1af28 R11: 0000000000000001 R12: 00000000fffffffe
[   41.935993] R13: ffffea000478be68 R14: 0017ffffc0000015 R15: ffff888105f44680
[   41.936163] FS:  00007f3530f15800(0000) GS:ffff8882f5c80000(0000) knlGS:0000000000000000
[   41.936344] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   41.936540] CR2: ffffffffffffffd6 CR3: 000000010319c006 CR4: 0000000000370ee0
[   41.936738] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   41.936950] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   41.937254] Call Trace:
[   41.937470]  <TASK>
[   41.937683]  folio_mark_dirty+0x33/0x50
[   41.937935]  move_data_page+0x2dd/0x460 [f2fs]
[   41.938188]  do_garbage_collect+0xc18/0x16a0 [f2fs]
[   41.938412]  ? _raw_spin_lock+0x13/0x30
[   41.938628]  f2fs_gc+0x1d3/0xd90 [f2fs]
[   41.938856]  ? _raw_spin_unlock+0x16/0x30
[   41.939078]  ? f2fs_balance_fs+0x13a/0x570 [f2fs]
[   41.939321]  f2fs_balance_fs+0x13a/0x570 [f2fs]
[   41.939568]  ? _raw_spin_lock+0x13/0x30
[   41.939802]  ? __d_instantiate+0x34/0xf0
[   41.940040]  f2fs_create+0x285/0x840 [f2fs]
[   41.940290]  path_openat+0xe6d/0x1040
[   41.940536]  do_filp_open+0xc5/0x140
[   41.940782]  ? __check_object_size+0xd4/0x1a0
[   41.941034]  ? _raw_spin_unlock+0x16/0x30
[   41.941288]  ? do_sys_openat2+0x23a/0x310
[   41.941582]  do_sys_openat2+0x23a/0x310
[   41.941842]  do_sys_open+0x57/0x80
[   41.942290]  do_syscall_64+0x37/0xb0
[   41.942607]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   41.942881] RIP: 0033:0x7f35303e4d5e
[   41.943156] Code: 25 00 00 41 00 3d 00 00 41 00 74 48 48 8d 05 91 0c 2e 00 8b 00 85 c0 75 69 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 0f 87 a6 00 00 00 48 8b 4c 24 28 64 48 33 0c 25
[   41.943761] RSP: 002b:00007ffe4b2cb810 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   41.944078] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f35303e4d5e
[   41.944403] RDX: 00000000000000c1 RSI: 0000561d23a37cc0 RDI: 00000000ffffff9c
[   41.944762] RBP: 00007ffe4b2cbcb0 R08: 00007ffe4b2cbe70 R09: 0000000000000000
[   41.945195] R10: 00000000000001a4 R11: 0000000000000246 R12: 00007ffe4b2cbe70
[   41.945631] R13: 0000000000000000 R14: 00007ffe4b2cbe00 R15: 00007ffe4b2cc7b4
[   41.946058]  </TASK>
[   41.946479] Modules linked in: f2fs crc32_generic joydev input_leds serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic psmouse usbhid hid aesni_intel crypto_simd cryptd
[   41.948320] CR2: 0000000000000000
[   41.948750] ---[ end trace 1bf4370a7a01de21 ]---
[   41.949238] RIP: 0010:0x0
[   41.949648] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[   41.950064] RSP: 0018:ffffc90000687928 EFLAGS: 00010246
[   41.950408] RAX: 0000000000000000 RBX: ffffea000478be40 RCX: 0000000000000001
[   41.950754] RDX: 0017ffffc0000015 RSI: 0000000000000000 RDI: ffffea000478be40
[   41.951098] RBP: ffff888105f44680 R08: ffffc90000687808 R09: 0000000000000000
[   41.951439] R10: 000000003ee1af28 R11: 0000000000000001 R12: 00000000fffffffe
[   41.951778] R13: ffffea000478be68 R14: 0017ffffc0000015 R15: ffff888105f44680
[   41.952118] FS:  00007f3530f15800(0000) GS:ffff8882f5c80000(0000) knlGS:0000000000000000
[   41.952555] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   41.953157] CR2: ffffffffffffffd6 CR3: 000000010319c006 CR4: 0000000000370ee0
[   41.953687] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   41.954237] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Comment 2 Wenqing Liu 2021-12-07 04:49:33 UTC
Thank you for your prompt reply.The bug disappeared after patched the kernel with the fixes.
Comment 3 Chao Yu 2021-12-12 04:05:23 UTC
Thanks for the verification. :)

Note You need to log in before you can comment on or make changes to this bug.