Bug 215904 - kernel BUG at fs/f2fs/inode.c:825!
Summary: kernel BUG at fs/f2fs/inode.c:825!
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: f2fs
Hardware: All Linux
Importance: P1 normal
Assignee: Default virtual assignee for f2fs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-27 14:27 UTC by bughunter
Modified: 2022-05-03 00:56 UTC

See Also:
Kernel Version: 5.17
Subsystem:
Regression: No
Bisected commit-id:


Attachments
case.c (3.23 KB, text/x-csrc)
2022-04-27 14:27 UTC, bughunter

Description bughunter 2022-04-27 14:27:27 UTC
Created attachment 300828
case.c

I have encountered a bug in the F2FS file system in kernel v5.17.

I have uploaded the system call sequence as case.c, and a fuzzed image can be found on Google Drive (https://drive.google.com/file/d/1jtULqt8XBvtgyzC2eZAz8-6scMcKX6eZ/view?usp=sharing).

The kernel should be built with CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can reproduce the bug by running the following commands:

gcc -o case case.c
losetup /dev/loop0 case.img
mount -o "disable_ext_identify,inline_data,inline_dentry,flush_merge,nobarrier,mode=adaptive,noquota,alloc_mode=reuse" -t f2fs /dev/loop0 /root/mnt
./case

The kernel message is shown below:

4,20635,429868223,-;------------[ cut here ]------------
2,20636,429868228,-;kernel BUG at fs/f2fs/inode.c:825!
4,20637,429868236,-;invalid opcode: 0000 [#2] PREEMPT SMP KASAN PTI
4,20638,429868243,-;CPU: 2 PID: 4549 Comm: umount Tainted: G      D W         5.17.0 #4
4,20639,429868249,-;Hardware name: Dell Inc. OptiPlex 9020/03CPWF, BIOS A14 09/14/2015
4,20640,429868253,-;RIP: 0010:f2fs_evict_inode+0x10b0/0x1510
4,20641,429868260,-;Code: fc ff df 4c 89 f2 48 c1 ea 03 80 3c 02 00 0f 85 33 04 00 00 41 8b 77 40 ba 01 00 00 00 48 89 ef e8 75 c0 05 00 e9 db fd ff ff <0f> 0b 48 8d 7d 48 be 08 00 00 00 e8 d0 6f 57 ff f0 80 4d 49 10 e9
4,20642,429868267,-;RSP: 0018:ffff88812cb27af0 EFLAGS: 00010202
4,20643,429868273,-;RAX: 0000000000000042 RBX: ffff88814af40000 RCX: ffffffffb3e4a495
4,20644,429868278,-;RDX: 1ffff1102bd53356 RSI: 0000000000000008 RDI: ffff88815ea99ab0
4,20645,429868284,-;RBP: ffff888110ece000 R08: 0000000000000001 R09: ffffed102bd53357
4,20646,429868288,-;R10: ffff88815ea99ab7 R11: ffffed102bd53356 R12: ffff88815ea99ab0
4,20647,429868293,-;R13: ffff888110ece048 R14: ffff88815ea99878 R15: ffff88815ea99838
4,20648,429868298,-;FS:  00007f2e62b1b840(0000) GS:ffff8881d5680000(0000) knlGS:0000000000000000
4,20649,429868304,-;CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
4,20650,429868309,-;CR2: 000056521bb81000 CR3: 0000000117f70003 CR4: 00000000001706e0
4,20651,429868313,-;Call Trace:
4,20652,429868317,-; <TASK>
4,20653,429868322,-; evict+0x282/0x4e0
4,20654,429868328,-; __dentry_kill+0x2b2/0x4d0
4,20655,429868334,-; ? shrink_lock_dentry.part.0+0x7c/0x200
4,20656,429868341,-; shrink_dentry_list+0x17c/0x4f0
4,20657,429868348,-; shrink_dcache_parent+0x143/0x1e0
4,20658,429868355,-; ? shrink_dcache_sb+0x280/0x280
4,20659,429868361,-; ? rwsem_spin_on_owner+0x1d0/0x1d0
4,20660,429868368,-; ? f2fs_get_sectors_written+0x370/0x370
4,20661,429868375,-; do_one_tree+0x9/0x30
4,20662,429868381,-; shrink_dcache_for_umount+0x51/0x120
4,20663,429868388,-; generic_shutdown_super+0x5c/0x3a0
4,20664,429868395,-; kill_block_super+0x90/0xd0
4,20665,429868401,-; kill_f2fs_super+0x225/0x310
4,20666,429868407,-; ? kasan_quarantine_put+0x46/0x160
4,20667,429868413,-; ? f2fs_dquot_commit+0xb0/0xb0
4,20668,429868419,-; ? kfree+0x8f/0x2b0
4,20669,429868425,-; ? unregister_shrinker+0x194/0x250
4,20670,429868432,-; deactivate_locked_super+0x78/0xc0
4,20671,429868438,-; cleanup_mnt+0x2b7/0x480
4,20672,429868444,-; ? call_rcu+0x21c/0x820
4,20673,429868450,-; task_work_run+0xc8/0x150
4,20674,429868457,-; exit_to_user_mode_prepare+0x14a/0x150
4,20675,429868464,-; syscall_exit_to_user_mode+0x1d/0x40
4,20676,429868471,-; do_syscall_64+0x48/0x90
4,20677,429868477,-; entry_SYSCALL_64_after_hwframe+0x44/0xae
4,20678,429868483,-;RIP: 0033:0x7f2e62d7a19b
4,20679,429868488,-;Code: cc 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 90 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c5 cc 0c 00 f7 d8 64 89 01 48
4,20680,429868494,-;RSP: 002b:00007ffd8e9f9438 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
4,20681,429868500,-;RAX: 0000000000000000 RBX: 00007f2e62eac204 RCX: 00007f2e62d7a19b
4,20682,429868505,-;RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000557ec0ea7740
4,20683,429868509,-;RBP: 0000557ec0ea7530 R08: 0000000000000000 R09: 00007ffd8e9f81e0
4,20684,429868512,-;R10: 00007f2e62e98379 R11: 0000000000000246 R12: 0000557ec0ea7740
4,20685,429868514,-;R13: 0000000000000000 R14: 0000557ec0ea7628 R15: 0000000000000000
4,20686,429868517,-; </TASK>
4,20687,429868519,-;Modules linked in: x86_pkg_temp_thermal efivarfs
4,20688,429868526,-;---[ end trace 0000000000000000 ]---
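The oops above is in /dev/kmsg record format (priority,sequence,microseconds,flags;message). As an added triage example, not code from this report or from the f2fs project, the Python below parses such records and extracts the fields a triager checks first: the BUG() site, the faulting kernel symbol, the crashing task, the taint flags, the oops counter (the "[#2]" here means an earlier oops had already tainted this kernel, which the "D" taint flag also shows), and the reliable call-trace frames separated from the "?" frames the unwinder could not verify. The sample records are an excerpt of the log above; the record layout assumed is standard /dev/kmsg, and the task name after "Comm:" is assumed to contain no spaces.

```python
"""Triage a kernel oops captured in /dev/kmsg format: "<prio>,<seq>,<usec>,<flags>;<message>"."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One /dev/kmsg record; the low three bits of <prio> are the syslog level (0 emerg .. 7 debug).
KMSG_RE = re.compile(r"^(?P<prio>\d+),(?P<seq>\d+),(?P<usec>\d+),(?P<flags>[^;]*);(?P<msg>.*)$")
BUG_RE = re.compile(r"kernel BUG at (?P<file>\S+):(?P<line>\d+)!")
# "[#N]" on the "invalid opcode"/"BUG:" line counts oopses since boot; N > 1 means a prior crash.
OOPS_NUM_RE = re.compile(r"\[#(?P<n>\d+)\]")
# Assumption: the task name (Comm:) has no spaces, which holds for this report.
TASK_RE = re.compile(r"CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                     r"(?:Tainted: (?P<taint>.*?)|Not tainted)\s+(?P<version>\S+ #\d+)$")
RIP_RE = re.compile(r"RIP: 0010:(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# A call-trace frame; a leading "? " marks a value the unwinder could not verify (stale stack slot).
FRAME_RE = re.compile(r"^\s*(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


@dataclass
class OopsReport:
    bug_site: Optional[str] = None          # e.g. "fs/f2fs/inode.c:825"
    oops_index: Optional[int] = None        # the [#N] counter
    comm: Optional[str] = None
    pid: Optional[int] = None
    taint: Optional[str] = None             # taint flags, whitespace-normalised ("" if not tainted)
    kernel: Optional[str] = None            # e.g. "5.17.0 #4"
    faulting_symbol: Optional[str] = None   # kernel-mode RIP symbol
    frames: List[str] = field(default_factory=list)      # reliable frames, innermost first
    unreliable: List[str] = field(default_factory=list)  # "? " frames
    max_level: Optional[int] = None         # most severe syslog level seen (lowest number)


def parse_kmsg(line: str):
    """Split one /dev/kmsg record into (syslog level, message); None if the line is not a record."""
    m = KMSG_RE.match(line)
    if not m:
        return None
    return int(m["prio"]) & 7, m["msg"].rstrip()


def triage_oops(lines) -> OopsReport:
    """Walk kmsg records in order and collect the first oops they contain."""
    rep = OopsReport()
    in_trace = False
    for raw in lines:
        parsed = parse_kmsg(raw)
        if parsed is None:
            continue
        level, msg = parsed
        rep.max_level = level if rep.max_level is None else min(rep.max_level, level)
        if in_trace:
            # The trace ends at </TASK>, the module list, or the end-of-trace marker.
            if "</TASK>" in msg or msg.startswith("Modules linked in") or "end trace" in msg:
                in_trace = False
                continue
            fm = FRAME_RE.match(msg)
            if fm:
                (rep.unreliable if fm["unreliable"] else rep.frames).append(fm["sym"])
            continue
        m = BUG_RE.search(msg)
        if m:
            rep.bug_site = f"{m['file']}:{m['line']}"
            continue
        m = OOPS_NUM_RE.search(msg)
        if m and rep.oops_index is None:
            rep.oops_index = int(m["n"])
            continue
        m = TASK_RE.search(msg)
        if m:
            rep.comm, rep.pid, rep.kernel = m["comm"], int(m["pid"]), m["version"]
            rep.taint = " ".join(m["taint"].split()) if m["taint"] else ""
            continue
        m = RIP_RE.search(msg)
        if m and rep.faulting_symbol is None:   # keep the kernel-mode RIP, not the later 0033 one
            rep.faulting_symbol = m["sym"]
            continue
        if msg.startswith("Call Trace:"):
            in_trace = True
    return rep


def summarize(rep: OopsReport) -> str:
    """One-line triage summary of the kind you would paste into a tracker."""
    path = " <- ".join(rep.frames[:5]) or "(no reliable frames)"
    note = " (earlier oops already tainted the kernel)" if (rep.oops_index or 0) > 1 else ""
    return (f"BUG at {rep.bug_site} in {rep.faulting_symbol}, task {rep.comm}/{rep.pid}, "
            f"kernel {rep.kernel}, taint '{rep.taint}', oops #{rep.oops_index}{note}; "
            f"path {rep.faulting_symbol} <- {path}")


# Excerpt of the records from the report above (kmsg prefixes kept verbatim).
SAMPLE_KMSG = [
    "4,20635,429868223,-;------------[ cut here ]------------",
    "2,20636,429868228,-;kernel BUG at fs/f2fs/inode.c:825!",
    "4,20637,429868236,-;invalid opcode: 0000 [#2] PREEMPT SMP KASAN PTI",
    "4,20638,429868243,-;CPU: 2 PID: 4549 Comm: umount Tainted: G      D W         5.17.0 #4",
    "4,20640,429868253,-;RIP: 0010:f2fs_evict_inode+0x10b0/0x1510",
    "4,20651,429868313,-;Call Trace:",
    "4,20652,429868317,-; <TASK>",
    "4,20653,429868322,-; evict+0x282/0x4e0",
    "4,20654,429868328,-; __dentry_kill+0x2b2/0x4d0",
    "4,20655,429868334,-; ? shrink_lock_dentry.part.0+0x7c/0x200",
    "4,20656,429868341,-; shrink_dentry_list+0x17c/0x4f0",
    "4,20657,429868348,-; shrink_dcache_parent+0x143/0x1e0",
    "4,20662,429868388,-; shrink_dcache_for_umount+0x51/0x120",
    "4,20663,429868395,-; generic_shutdown_super+0x5c/0x3a0",
    "4,20665,429868401,-; kill_f2fs_super+0x225/0x310",
    "4,20670,429868432,-; deactivate_locked_super+0x78/0xc0",
    "4,20671,429868438,-; cleanup_mnt+0x2b7/0x480",
    "4,20678,429868483,-;RIP: 0033:0x7f2e62d7a19b",
    "4,20686,429868517,-; </TASK>",
    "4,20687,429868519,-;Modules linked in: x86_pkg_temp_thermal efivarfs",
    "4,20688,429868526,-;---[ end trace 0000000000000000 ]---",
]

if __name__ == "__main__":
    print(summarize(triage_oops(SAMPLE_KMSG)))
```

The "?" frames are kept separately rather than dropped: they are not part of the verified unwind, but they are often the leftover addresses of the functions that ran just before the crash, which is why the f2fs helpers appear among them here.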
Comment 1 Chao Yu 2022-04-30 09:35:44 UTC
Could you please try the patch below? I doubt the root cause is the same as bug 215895.

https://lore.kernel.org/linux-f2fs-devel/20220428024940.12102-1-chao@kernel.org/T/#u
Comment 2 bughunter 2022-04-30 10:37:15 UTC
Yes, you're right! This bug is caused by the same reason as the previous one.
Comment 3 Chao Yu 2022-04-30 13:24:48 UTC
(In reply to bughunter from comment #2)
> Yes, you're right! This bug is caused by the same reason as the previous one.

Sorry, after adding an umount command to your testcase, I can reproduce this issue, and I figured out the patch below...

https://lore.kernel.org/linux-f2fs-devel/20220430131924.10218-1-chao@kernel.org/T/#u
Comment 4 bughunter 2022-04-30 14:25:29 UTC
I also forgot to umount the image...

Finally, this bug disappears :) Thank you very much!
