Created attachment 300632 [details]
corrupted image and .config

- Overview

Kernel NULL pointer dereference at fs/f2fs/dir.c:f2fs_add_regular_entry() when mounting and operating on a corrupted image.

- Reproduce

Tested on kernel 5.17:

# mkdir mnt
# mount tmp40.img mnt
# ls mnt

- Kernel dump

[ 131.000658] loop0: detected capacity change from 0 to 131072
[ 131.147683] F2FS-fs (loop0): Mounted with checkpoint version = 7548c462
[ 132.640535] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 132.640656] #PF: supervisor instruction fetch in kernel mode
[ 132.640709] #PF: error_code(0x0010) - not-present page
[ 132.640755] PGD 0 P4D 0
[ 132.640784] Oops: 0010 [#1] PREEMPT SMP NOPTI
[ 132.640829] CPU: 3 PID: 1251 Comm: ls Not tainted 5.17.0 #1
[ 132.640882] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 132.640955] RIP: 0010:0x0
[ 132.641003] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[ 132.641123] RSP: 0018:ffffc184c04fb9e0 EFLAGS: 00010246
[ 132.641174] RAX: 0000000000000000 RBX: ffffed6584a0ef80 RCX: 000000000000003b
[ 132.641236] RDX: 0017ffffc0000005 RSI: ffffa093e83be000 RDI: ffffed6584a0ef80
[ 132.641296] RBP: ffffa093e83be950 R08: 0000000000000000 R09: 000000000000003b
[ 132.641358] R10: 000000000000003d R11: 000000000000003b R12: ffffed6584a0ef80
[ 132.641418] R13: ffffed6584a0ef80 R14: ffffa093c5492340 R15: ffffc184c04fbac0
[ 132.641480] FS:  00007fd9bbdc7040(0000) GS:ffffa095b5d80000(0000) knlGS:0000000000000000
[ 132.641550] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 132.641600] CR2: ffffffffffffffd6 CR3: 000000010213e003 CR4: 0000000000370ee0
[ 132.641671] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 132.641745] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 132.641806] Call Trace:
[ 132.641832]  <TASK>
[ 132.641855]  folio_mark_dirty+0x33/0x50
[ 132.641906]  f2fs_add_regular_entry+0x541/0xad0 [f2fs]
[ 132.642440]  f2fs_add_dentry+0x6c/0xb0 [f2fs]
[ 132.642583]  f2fs_do_add_link+0x182/0x230 [f2fs]
[ 132.642717]  __recover_dot_dentries+0x2d6/0x470 [f2fs]
[ 132.642865]  f2fs_lookup+0x5af/0x6a0 [f2fs]
[ 132.643000]  __lookup_slow+0xac/0x200
[ 132.643043]  lookup_slow+0x45/0x70
[ 132.643080]  walk_component+0x16c/0x250
[ 132.643121]  path_lookupat+0x8b/0x1f0
[ 132.643160]  filename_lookup+0xef/0x250
[ 132.643204]  ? __check_object_size+0xc2/0x190
[ 132.643265]  ? user_path_at_empty+0x46/0x70
[ 132.643307]  user_path_at_empty+0x46/0x70
[ 132.643349]  vfs_statx+0x98/0x190
[ 132.643388]  __do_sys_newlstat+0x41/0x90
[ 132.643433]  ? fpregs_assert_state_consistent+0x1e/0x40
[ 132.643484]  ? exit_to_user_mode_prepare+0x38/0x1a0
[ 132.643536]  __x64_sys_newlstat+0x1a/0x30
[ 132.643578]  do_syscall_64+0x37/0xb0
[ 132.643615]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 132.643666] RIP: 0033:0x7fd9bb69f7c5
[ 132.643703] Code: c9 b6 2d 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 91 b6 2d 00 f7 d8 64 89
[ 132.647032] RSP: 002b:00007ffdd3099a08 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
[ 132.648731] RAX: ffffffffffffffda RBX: 00005628315da0e8 RCX: 00007fd9bb69f7c5
[ 132.651089] RDX: 00005628315da100 RSI: 00005628315da100 RDI: 00007ffdd3099a10
[ 132.652883] RBP: 00007ffdd3099e00 R08: 0000000000000000 R09: 00005628315def9c
[ 132.654519] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdd3099a10
[ 132.656120] R13: 0000000000000000 R14: 0000000000000003 R15: 00005628315da100
[ 132.657749]  </TASK>
[ 132.659376] Modules linked in: f2fs crc32_generic iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi xfs input_leds joydev serio_raw qemu_fw_cfg autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear hid_generic usbhid hid qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul psmouse ghash_clmulni_intel aesni_intel crypto_simd cryptd
[ 132.665794] CR2: 0000000000000000
[ 132.666980] ---[ end trace 0000000000000000 ]---
[ 132.668162] RIP: 0010:0x0
[ 132.669083] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[ 132.670020] RSP: 0018:ffffc184c04fb9e0 EFLAGS: 00010246
[ 132.670932] RAX: 0000000000000000 RBX: ffffed6584a0ef80 RCX: 000000000000003b
[ 132.671866] RDX: 0017ffffc0000005 RSI: ffffa093e83be000 RDI: ffffed6584a0ef80
[ 132.672797] RBP: ffffa093e83be950 R08: 0000000000000000 R09: 000000000000003b
[ 132.673641] R10: 000000000000003d R11: 000000000000003b R12: ffffed6584a0ef80
[ 132.674374] R13: ffffed6584a0ef80 R14: ffffa093c5492340 R15: ffffc184c04fbac0
[ 132.675131] FS:  00007fd9bbdc7040(0000) GS:ffffa095b5d80000(0000) knlGS:0000000000000000
[ 132.675895] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 132.676702] CR2: ffffffffffffffd6 CR3: 000000010213e003 CR4: 0000000000370ee0
[ 132.677500] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 132.678279] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
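The oops above carries the whole diagnosis in a few fields: `RIP: 0010:0x0` plus a `#PF` error code with the instruction-fetch bit set means the kernel executed an indirect call through a NULL function pointer (here from `folio_mark_dirty()`, reached via `f2fs_add_regular_entry()`), and the `?` frames are entries the unwinder could not verify. The script below is an added triage helper, not part of the bug report or of the f2fs code: it parses dmesg-style x86-64 oops text into a structured record, decodes the page-fault error code bits (bit 0 present/protection, bit 1 write, bit 2 user, bit 3 reserved, bit 4 instruction fetch), and names the first reliable frame inside a given module. It works on any x86-64 oops with a `Call Trace:` block, not only this one; the `classify()` labels are this example's own convention, and the sample input is an abridged copy of the report's lines.

```python
"""Structured triage of an x86-64 kernel oops (added example, not from the report)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abridged copy of the oops lines from the report above (the full dump has more frames).
SAMPLE_OOPS = """\
[  132.640535] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  132.640656] #PF: supervisor instruction fetch in kernel mode
[  132.640709] #PF: error_code(0x0010) - not-present page
[  132.640784] Oops: 0010 [#1] PREEMPT SMP NOPTI
[  132.640829] CPU: 3 PID: 1251 Comm: ls Not tainted 5.17.0 #1
[  132.640955] RIP: 0010:0x0
[  132.641806] Call Trace:
[  132.641832]  <TASK>
[  132.641855]  folio_mark_dirty+0x33/0x50
[  132.641906]  f2fs_add_regular_entry+0x541/0xad0 [f2fs]
[  132.642440]  f2fs_add_dentry+0x6c/0xb0 [f2fs]
[  132.642583]  f2fs_do_add_link+0x182/0x230 [f2fs]
[  132.642717]  __recover_dot_dentries+0x2d6/0x470 [f2fs]
[  132.642865]  f2fs_lookup+0x5af/0x6a0 [f2fs]
[  132.643000]  __lookup_slow+0xac/0x200
[  132.643204]  ? __check_object_size+0xc2/0x190
[  132.643615]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  132.643666] RIP: 0033:0x7fd9bb69f7c5
[  132.657749]  </TASK>
"""

# x86 page-fault error code bits (Intel SDM, #PF exception error code).
PF_PROT = 1 << 0   # 1: protection violation; 0: page not present
PF_WRITE = 1 << 1  # 1: write access; 0: read or fetch
PF_USER = 1 << 2   # 1: fault in user mode; 0: supervisor mode
PF_RSVD = 1 << 3   # 1: reserved bit set in a paging structure
PF_INSTR = 1 << 4  # 1: instruction fetch

TS = r"^\[\s*\d+\.\d+\]\s*"  # dmesg timestamp prefix
RE_ADDR = re.compile(TS + r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RE_ERR = re.compile(TS + r"#PF: error_code\(0x([0-9a-f]+)\)")
RE_RIP = re.compile(TS + r"RIP: 0010:(\S+)")  # selector 0010 = kernel code segment
RE_TASK = re.compile(TS + r"CPU: \d+ PID: (\d+) Comm: (\S+)")
RE_FRAME = re.compile(TS + r"(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?$")


@dataclass
class Frame:
    name: str
    module: Optional[str]  # None for core-kernel symbols
    unreliable: bool       # '?' prefix: the unwinder could not verify this entry


@dataclass
class OopsReport:
    fault_address: Optional[int] = None
    error_code: Optional[int] = None
    rip: Optional[str] = None
    comm: Optional[str] = None
    pid: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)


def parse_oops(text: str) -> OopsReport:
    """Extract fault address, #PF error code, kernel RIP, task and call-trace frames."""
    rep = OopsReport()
    in_trace = False
    for line in text.splitlines():
        if m := RE_ADDR.match(line):
            rep.fault_address = int(m.group(1), 16)
        elif m := RE_ERR.match(line):
            rep.error_code = int(m.group(1), 16)
        elif (m := RE_RIP.match(line)) and rep.rip is None:
            rep.rip = m.group(1)  # keep the first (kernel) RIP, not the user-mode one
        elif m := RE_TASK.match(line):
            rep.pid, rep.comm = int(m.group(1)), m.group(2)
        elif "Call Trace:" in line:
            in_trace = True
        elif "</TASK>" in line:
            in_trace = False
        elif in_trace and (m := RE_FRAME.match(line)):
            rep.frames.append(Frame(m.group(2), m.group(3), m.group(1) is not None))
    return rep


def describe_error_code(code: int) -> List[str]:
    """Decode the #PF error code bits into the wording the kernel itself prints."""
    return [
        "protection violation" if code & PF_PROT else "page not present",
        "write" if code & PF_WRITE else "read/fetch",
        "user mode" if code & PF_USER else "kernel (supervisor) mode",
        "reserved bit set" if code & PF_RSVD else "reserved bits clear",
        "instruction fetch" if code & PF_INSTR else "data access",
    ]


def first_module_frame(rep: OopsReport, module: str) -> Optional[str]:
    """First reliable (non-'?') frame belonging to the given module, e.g. 'f2fs'."""
    for f in rep.frames:
        if f.module == module and not f.unreliable:
            return f.name
    return None


def classify(rep: OopsReport) -> str:
    """Label the failure class (labels are this example's own convention)."""
    code = rep.error_code or 0
    if rep.rip == "0x0" and code & PF_INSTR:
        return "null-function-pointer-call"  # indirect call through a NULL pointer
    if rep.fault_address is not None and rep.fault_address < 0x1000:
        return "null-data-dereference"       # load/store near address 0
    return "other"


if __name__ == "__main__":
    r = parse_oops(SAMPLE_OOPS)
    print(f"{r.comm}[{r.pid}] RIP={r.rip} class={classify(r)}")
    print("error_code:", ", ".join(describe_error_code(r.error_code)))
    print("first f2fs frame:", first_module_frame(r, "f2fs"))
```

Run against the full dump, the `first_module_frame()` result points at the in-module caller worth reading first, which is exactly where the referenced patch on linux-f2fs-devel applies; the `?` frames are kept but excluded from that lookup so a stale stack entry cannot misdirect triage.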
Hi Wenqing,

Thanks for the report! Could you please test w/ below patch?

https://lore.kernel.org/linux-f2fs-devel/20220328160253.3102-1-chao@kernel.org/T/#u
(In reply to Chao Yu from comment #1)
> Hi Wenqing,
>
> Thanks for the report! Could you please test w/ below patch?
>
> https://lore.kernel.org/linux-f2fs-devel/20220328160253.3102-1-chao@kernel.
> org/T/#u

Thanks Chao. I tested it on 5.17.1; the NULL pointer dereference didn't appear with the patched kernel.