The root cause is calling shrink_dcache_sb() after sbi has been freed. So call shrink_dcache_sb() before freeing sbi and the other resources.
================================================================== BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5 Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729 PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted 4.19.195-00002-g67dceea04431-dirty #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 Call Trace: dump_stack+0xe5/0x14b ? f2fs_evict_inode+0x31c/0xde5 print_address_description+0x6c/0x237 ? f2fs_evict_inode+0x31c/0xde5 kasan_report.cold+0x88/0x2a3 f2fs_evict_inode+0x31c/0xde5 ? full_proxy_open.cold+0x12/0x12 evict+0x2cd/0x5f0 iput+0x3d9/0x6f0 dentry_unlink_inode+0x273/0x330 __dentry_kill+0x340/0x5e0 dentry_kill+0xb7/0x740 shrink_dentry_list+0x256/0x660 shrink_dcache_sb+0x11f/0x1d0 ? shrink_dentry_list+0x660/0x660 ? __kasan_slab_free+0x144/0x180 f2fs_fill_super+0x2a34/0x4a80 ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 ? wait_for_completion+0x3c0/0x3c0 ? set_blocksize+0x230/0x2b0 mount_bdev+0x2c1/0x370 ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6 mount_fs+0x4c/0x1c0 vfs_kern_mount.part.0+0x60/0x3d0 do_mount+0x367/0x2570 ? kasan_unpoison_shadow+0x33/0x40 ? copy_mount_string+0x40/0x40 ? kmem_cache_alloc_trace+0x13f/0x2b0 ? _copy_from_user+0x94/0x100 ? 
copy_mount_options+0x1f1/0x2e0 ksys_mount+0xa0/0x100 __x64_sys_mount+0xbf/0x160 do_syscall_64+0xc2/0x190 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x47938e Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0 RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000 R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00 Allocated by task 8729: kasan_kmalloc+0xc2/0xe0 kmem_cache_alloc_trace+0x13f/0x2b0 f2fs_fill_super+0x124/0x4a80 mount_bdev+0x2c1/0x370 mount_fs+0x4c/0x1c0 vfs_kern_mount.part.0+0x60/0x3d0 do_mount+0x367/0x2570 ksys_mount+0xa0/0x100 __x64_sys_mount+0xbf/0x160 do_syscall_64+0xc2/0x190 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8729: __kasan_slab_free+0x12f/0x180 kfree+0xfa/0x2a0 f2fs_fill_super+0x2a00/0x4a80 mount_bdev+0x2c1/0x370 mount_fs+0x4c/0x1c0 vfs_kern_mount.part.0+0x60/0x3d0 do_mount+0x367/0x2570 ksys_mount+0xa0/0x100 __x64_sys_mount+0xbf/0x160 do_syscall_64+0xc2/0x190 entry_SYSCALL_64_after_hwframe+0x49/0xbe
Signed-off-by: Jack Qiu <[email protected]>
---
fs/f2fs/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 8fecd3050ccd..b041625e06ce 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
 free_compress_inode:
 	f2fs_destroy_compress_inode(sbi);
 free_root_inode:
+	if (retry_cnt > 0 && skip_recovery)
+		shrink_dcache_sb(sb);
 	dput(sb->s_root);
 	sb->s_root = NULL;
 free_node_inode:
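Review bot: The added guard `retry_cnt > 0 && skip_recovery` at free_root_inode is a verbatim copy of the condition in the retry branch further down the function (the second hunk), and nothing ties the two together, so a later edit to one of them leaves the dcache either unshrunk before `goto try_onemore` or shrunk on a path that never retries. A comment on the new lines would make that coupling explicit, e.g. `/* Retry path only: drop this sb's dentries, and evict the inodes they pin, while sbi is still valid; keep in sync with the retry condition below. */`. On the non-retry path the dentries are presumably left to the generic superblock teardown after fill_super fails, but that is inferred rather than shown in the hunk and is worth stating in the same comment. f2fs_fill_super begins and ends outside the hunk.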
@@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
 	/* give only one another chance */
 	if (retry_cnt > 0 && skip_recovery) {
 		retry_cnt--;
-		shrink_dcache_sb(sb);
 		goto try_onemore;
 	}
 	return err;
-- 
2.17.1
_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
