Bug 215894 - kernel BUG at fs/f2fs/segment.c:2291!
Summary: kernel BUG at fs/f2fs/segment.c:2291!
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: f2fs
Hardware: All Linux
Importance: P1 normal
Assignee: Default virtual assignee for f2fs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-27 05:11 UTC by bughunter
Modified: 2022-04-28 07:52 UTC

See Also:
Kernel Version: 5.17
Subsystem:
Regression: No
Bisected commit-id:


Attachments
case.c (2.85 KB, text/plain)
2022-04-27 05:11 UTC, bughunter

Description bughunter 2022-04-27 05:11:33 UTC
Created attachment 300817
case.c

I have encountered a bug in the F2FS file system in kernel v5.17.

I have uploaded the system call sequence as case.c, and a fuzzed image can be found on Google net disk (https://drive.google.com/file/d/10KcRiyQCdCiTWfKmkv2wxgSSk1581sqE/view?usp=sharing).

The kernel should be built with CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can reproduce the bug by running the following commands:

gcc -o case case.c
losetup /dev/loop0 case.img
mount -o "background_gc=sync,disable_roll_forward,nouser_xattr,disable_ext_identify,nobarrier,fastboot,mode=adaptive,grpquota,noquota,alloc_mode=reuse,test_dummy_encryption" -t f2fs /dev/loop0 /root/mnt
./case

The kernel message is shown below:

6,799,86360296,-;loop0: detected capacity change from 0 to 262144
4,800,86395847,-;F2FS-fs (loop0): Test dummy encryption mount option ignored
5,801,86398197,-;F2FS-fs (loop0): Disable nat_bits due to incorrect cp_ver (7347879550090329573, 6600135115475369443)
5,802,86424567,-;F2FS-fs (loop0): Mounted with checkpoint version = 237dbde5
4,803,86455701,-;------------[ cut here ]------------
2,804,86455706,-;kernel BUG at fs/f2fs/segment.c:2291!
4,805,86455720,-;invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
4,806,86455727,-;CPU: 6 PID: 1079 Comm: case Not tainted 5.17.0 #2
4,807,86455733,-;Hardware name: Dell Inc. OptiPlex 9020/03CPWF, BIOS A14 09/14/2015
4,808,86455738,-;RIP: 0010:update_sit_entry+0xa30/0x1050
4,809,86455746,-;Code: c9 0f 95 c1 40 84 ce 0f 85 79 05 00 00 83 e0 07 38 c2 0f 9e c1 84 d2 0f 95 c0 84 c1 0f 85 64 05 00 00 8b 43 48 e9 66 f6 ff ff <0f> 0b 44 89 4c 24 10 4c 89 44 24 08 e8 bf 2c 4b ff 44 8b 4c 24 10
4,810,86455755,-;RSP: 0018:ffff88810991fba8 EFLAGS: 00010246
4,811,86455761,-;RAX: 0000000000000200 RBX: ffff8881246cbe80 RCX: 0000000000000009
4,812,86455766,-;RDX: 00000000000001ff RSI: 00000000fff00000 RDI: ffff888115b0c454
4,813,86455770,-;RBP: ffff888115b0c000 R08: ffffffffffffffff R09: 00000000fff00000
4,814,86455775,-;R10: ffff888131d74267 R11: ffffed10263ae84c R12: 0000000000000000
4,815,86455779,-;R13: 00000000ffffffff R14: 00000000007ff7f8 R15: 00000000ffffffff
4,816,86455783,-;FS:  00007f4253e76540(0000) GS:ffff8881d5780000(0000) knlGS:0000000000000000
4,817,86455789,-;CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
4,818,86455793,-;CR2: 00007f4253d9b750 CR3: 00000001115e0002 CR4: 00000000001706e0
4,819,86455798,-;Call Trace:
4,820,86455801,-; <TASK>
4,821,86455804,-; ? update_segment_mtime+0x129/0x500
4,822,86455809,-; ? down_write_killable+0x120/0x120
4,823,86455815,-; f2fs_invalidate_blocks+0x193/0x2d0
4,824,86455821,-; f2fs_fallocate+0x2593/0x4a70
4,825,86455826,-; ? may_open_dev+0xd0/0xd0
4,826,86455833,-; ? __f2fs_ioc_move_range+0xd70/0xd70
4,827,86455837,-; ? __inode_security_revalidate+0x98/0xc0
4,828,86455843,-; ? selinux_file_permission+0x32d/0x410
4,829,86455849,-; ? security_file_permission+0x4e/0x580
4,830,86455854,-; vfs_fallocate+0x2a5/0xac0
4,831,86455860,-; ksys_fallocate+0x35/0x70
4,832,86455864,-; __x64_sys_fallocate+0x8e/0xf0
4,833,86455869,-; ? syscall_exit_to_user_mode+0x1d/0x40
4,834,86455875,-; do_syscall_64+0x3b/0x90
4,835,86455880,-; entry_SYSCALL_64_after_hwframe+0x44/0xae
4,836,86455886,-;RIP: 0033:0x7f4253d9b76d
4,837,86455890,-;Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 36 0d 00 f7 d8 64 89 01 48
4,838,86455898,-;RSP: 002b:00007fffa875d298 EFLAGS: 00000207 ORIG_RAX: 000000000000011d
4,839,86455904,-;RAX: ffffffffffffffda RBX: 00005652598f1630 RCX: 00007f4253d9b76d
4,840,86455909,-;RDX: 0000000000134419 RSI: 0000000000000011 RDI: 0000000000000003
4,841,86455913,-;RBP: 00007fffa8b5d440 R08: 00007fffa8b5d538 R09: 00007fffa8b5d538
4,842,86455918,-;R10: 0000000000147c62 R11: 0000000000000207 R12: 00005652598f10a0
4,843,86455922,-;R13: 00007fffa8b5d530 R14: 0000000000000000 R15: 0000000000000000
4,844,86455927,-; </TASK>
4,845,86455930,-;Modules linked in: x86_pkg_temp_thermal efivarfs
4,846,86455939,-;---[ end trace 0000000000000000 ]---
4,847,86455942,-;RIP: 0010:update_sit_entry+0xa30/0x1050
4,848,86455947,-;Code: c9 0f 95 c1 40 84 ce 0f 85 79 05 00 00 83 e0 07 38 c2 0f 9e c1 84 d2 0f 95 c0 84 c1 0f 85 64 05 00 00 8b 43 48 e9 66 f6 ff ff <0f> 0b 44 89 4c 24 10 4c 89 44 24 08 e8 bf 2c 4b ff 44 8b 4c 24 10
4,849,86455955,-;RSP: 0018:ffff88810991fba8 EFLAGS: 00010246
4,850,86455959,-;RAX: 0000000000000200 RBX: ffff8881246cbe80 RCX: 0000000000000009
4,851,86455964,-;RDX: 00000000000001ff RSI: 00000000fff00000 RDI: ffff888115b0c454
4,852,86455968,-;RBP: ffff888115b0c000 R08: ffffffffffffffff R09: 00000000fff00000
4,853,86455972,-;R10: ffff888131d74267 R11: ffffed10263ae84c R12: 0000000000000000
4,854,86455977,-;R13: 00000000ffffffff R14: 00000000007ff7f8 R15: 00000000ffffffff
4,855,86455981,-;FS:  00007f4253e76540(0000) GS:ffff8881d5780000(0000) knlGS:0000000000000000
4,856,86455986,-;CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
4,857,86455990,-;CR2: 00007f4253d9b750 CR3: 00000001115e0002 CR4: 00000000001706e0
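A small triage helper for traces in the /dev/kmsg format shown above, added here as an example; it is not the reporter's case.c nor f2fs code. The sample lines are constructed from the trace in this report, and the field names in the returned dict are my own.

```python
import re

# Constructed sample in /dev/kmsg format ("priority,sequence,timestamp,flags;message"),
# cut down from the trace in the report above; not the complete log.
SAMPLE_KMSG = """\
2,804,86455706,-;kernel BUG at fs/f2fs/segment.c:2291!
4,808,86455738,-;RIP: 0010:update_sit_entry+0xa30/0x1050
4,819,86455798,-;Call Trace:
4,821,86455804,-; ? update_segment_mtime+0x129/0x500
4,823,86455815,-; f2fs_invalidate_blocks+0x193/0x2d0
4,824,86455821,-; f2fs_fallocate+0x2593/0x4a70
4,830,86455854,-; vfs_fallocate+0x2a5/0xac0
4,832,86455864,-; __x64_sys_fallocate+0x8e/0xf0
4,844,86455927,-; </TASK>
"""

KMSG_RE = re.compile(r"^(\d+),(\d+),(\d+),([^;]*);(.*)$")
FRAME_RE = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def parse_kmsg(text):
    """Return (priority, message) pairs; lines not in kmsg format are dropped."""
    out = []
    for line in text.splitlines():
        m = KMSG_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(5)))
    return out

def triage_oops(text):
    """Pull the BUG site, faulting symbol, reliable frames and syscall from a trace."""
    info = {"bug_site": None, "rip_symbol": None, "frames": [], "syscall": None}
    in_trace = False
    for _prio, msg in parse_kmsg(text):
        if msg.startswith("kernel BUG at "):
            info["bug_site"] = msg[len("kernel BUG at "):].rstrip("!")
        elif msg.startswith("RIP: ") and info["rip_symbol"] is None:
            # Kernel-mode RIP is "RIP: <cs>:<symbol>+<off>/<size>"; keep the symbol
            info["rip_symbol"] = msg.split(":", 2)[2].split("+")[0]
        elif msg == "Call Trace:":
            in_trace = True
        elif in_trace:
            m = FRAME_RE.match(msg)
            if m and not m.group(1):  # "? " marks an unreliable frame; skip it
                info["frames"].append(m.group(2))
            elif msg.strip() == "</TASK>":
                in_trace = False
    for sym in info["frames"]:
        if sym.startswith("__x64_sys_"):  # entry point the userspace program hit
            info["syscall"] = sym[len("__x64_sys_"):]
    return info
```

Feeding the full trace from this report gives the same result; the repeated register dump after "end trace" is ignored because only the first RIP line is used.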
Comment 1 bughunter 2022-04-27 11:50:47 UTC
Thank you for the prompt reply; this bug has been fixed after adding the patch!
