On 2021/7/23 11:29, Chao Yu wrote:
> On 2021/7/23 11:27, Jack Qiu wrote:
>> On 2021/7/23 10:51, Chao Yu wrote:
>>> On 2021/7/23 10:41, Jack Qiu wrote:
>>>> On 2021/7/22 22:05, Chao Yu wrote:
>>>>> On 2021/7/22 12:41, Jack Qiu wrote:
>>>>>> The root cause is shrink_dcache_sb after sbi has been freed.
>>>>>> So call shrink_dcache_sb before free sbi and other resources.
>>>>>>
>>>>>> ==================================================================
>>>>>> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
>>>>>> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>>>>>>
>>>>>> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
>>>>>> 4.19.195-00002-g67dceea04431-dirty #31
>>>>>
>>>>> Does this bug below to 4.19.195?
>>>
>>> I mean whether this bug exists in mainline? Not sure, I just doubt maybe
>>> we have fixed this issue, but forgot to backport it to 4.19 stable kernel.
>>>
>> Got it.
>>>>>
>>>> Yes, I believe ed2e621a95d704e6a4e904cc00524e8cbddda0c2 causes this bug.
>>>>
>>>> git describe --contains ed2e621a95d704e6a4e904cc00524e8cbddda0c2
>>>> v3.17-rc4~27^2~17
>>>>
>>>> @@ -1126,6 +1130,13 @@ static int f2fs_fill_super(struct super_block *sb,
>>>> void *data, int silent)
>>>> brelse(raw_super_buf);
>>>> free_sbi:
>>>> kfree(sbi); --- free sbi
>>>> +
>>>> + /* give only one another chance */
>>>> + if (retry) {
>>>> + retry = !retry;
>>>> + shrink_dcache_sb(sb); --- call f2fs_evict_inode(root
>>>> inode), it will access sbi
>>>> + goto try_onemore;
>>>> + }
>>>> return err;
>>>> }
>>>>
>>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>>>>> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
>>>>>> 04/01/2014
>>>>>> Call Trace:
>>>>>> dump_stack+0xe5/0x14b
>>>>>> ? f2fs_evict_inode+0x31c/0xde5
>>>>>> print_address_description+0x6c/0x237
>>>>>> ? f2fs_evict_inode+0x31c/0xde5
>>>>>> kasan_report.cold+0x88/0x2a3
>>>>>> f2fs_evict_inode+0x31c/0xde5
>>>>>> ? full_proxy_open.cold+0x12/0x12
>>>>>> evict+0x2cd/0x5f0
>>>>>> iput+0x3d9/0x6f0
>>>>>> dentry_unlink_inode+0x273/0x330
>>>>>> __dentry_kill+0x340/0x5e0
>>>>>> dentry_kill+0xb7/0x740
>>>>>> shrink_dentry_list+0x256/0x660
>>>>>> shrink_dcache_sb+0x11f/0x1d0
>>>>>> ? shrink_dentry_list+0x660/0x660
>>>>>> ? __kasan_slab_free+0x144/0x180
>>>>>> f2fs_fill_super+0x2a34/0x4a80
>>>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>>> ? wait_for_completion+0x3c0/0x3c0
>>>>>> ? set_blocksize+0x230/0x2b0
>>>>>> mount_bdev+0x2c1/0x370
>>>>>> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
>>>>>> mount_fs+0x4c/0x1c0
>>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>>> do_mount+0x367/0x2570
>>>>>> ? kasan_unpoison_shadow+0x33/0x40
>>>>>> ? copy_mount_string+0x40/0x40
>>>>>> ? kmem_cache_alloc_trace+0x13f/0x2b0
>>>>>> ? _copy_from_user+0x94/0x100
>>>>>> ? copy_mount_options+0x1f1/0x2e0
>>>>>> ksys_mount+0xa0/0x100
>>>>>> __x64_sys_mount+0xbf/0x160
>>>>>> do_syscall_64+0xc2/0x190
>>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>> RIP: 0033:0x47938e
>>>>>> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
>>>>>> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
>>>>>> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
>>>>>> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>>>> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
>>>>>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
>>>>>> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
>>>>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
>>>>>> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>>>>>>
>>>>>> Allocated by task 8729:
>>>>>> kasan_kmalloc+0xc2/0xe0
>>>>>> kmem_cache_alloc_trace+0x13f/0x2b0
>>>>>> f2fs_fill_super+0x124/0x4a80
>>>>>> mount_bdev+0x2c1/0x370
>>>>>> mount_fs+0x4c/0x1c0
>>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>>> do_mount+0x367/0x2570
>>>>>> ksys_mount+0xa0/0x100
>>>>>> __x64_sys_mount+0xbf/0x160
>>>>>> do_syscall_64+0xc2/0x190
>>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>>
>>>>>> Freed by task 8729:
>>>>>> __kasan_slab_free+0x12f/0x180
>>>>>> kfree+0xfa/0x2a0
>>>>>> f2fs_fill_super+0x2a00/0x4a80
>>>>>> mount_bdev+0x2c1/0x370
>>>>>> mount_fs+0x4c/0x1c0
>>>>>> vfs_kern_mount.part.0+0x60/0x3d0
>>>>>> do_mount+0x367/0x2570
>>>>>> ksys_mount+0xa0/0x100
>>>>>> __x64_sys_mount+0xbf/0x160
>>>>>> do_syscall_64+0xc2/0x190
>>>>>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>>>
>>>>>> Signed-off-by: Jack Qiu <[email protected]>
>>>>>> ---
>>>>>> fs/f2fs/super.c | 3 ++-
>>>>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>>>> index 8fecd3050ccd..b041625e06ce 100644
>>>>>> --- a/fs/f2fs/super.c
>>>>>> +++ b/fs/f2fs/super.c
>>>>>> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb,
>>>>>> void *data, int silent)
>>>>>> free_compress_inode:
>>>>>> f2fs_destroy_compress_inode(sbi);
>>>>>> free_root_inode:
>>>>>> + if (retry_cnt > 0 && skip_recovery)
>>>>>> + shrink_dcache_sb(sb);
>>>>>
>>>>> Compare to 4.19, last f2fs adds evict_inodes() before
>>>>> f2fs_unregister_sysfs(),
>>>> Can not find *evict_inodes*, could you please elaborate more detail?
>>>
>>> Could you please check whether below patch can fix this issue?
>>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=812a95977fd2f0d1f220c716a98
>>>
>>> Thanks,
>>>
>> I will test it.
>
> Could you please test on 5.14-rc1 first?
>
> Thanks,
>
Ok.
>>
>> Thansk,
>>>>> could you please check whether this can fix the issue?
>>>> I have run the test more than 1 day w/ this patch, it will fail in 1 hour
>>>> before.
>>>> I believe this patch can fix *this* issue. But I'm not quite familiar with
>>>> shrink_dcache_sb,
>>>> maybe I miss other scenario. If you have other comment, please let me know.
>>>>
>>>> Thanks,
>>>>>
>>>>> Thanks,
>>>>>
>>>>>> dput(sb->s_root);
>>>>>> sb->s_root = NULL;
>>>>>> free_node_inode:
>>>>>> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb,
>>>>>> void *data, int silent)
>>>>>> /* give only one another chance */
>>>>>> if (retry_cnt > 0 && skip_recovery) {
>>>>>> retry_cnt--;
>>>>>> - shrink_dcache_sb(sb);
>>>>>> goto try_onemore;
>>>>>> }
>>>>>> return err;
>>>>>> --
>>>>>> 2.17.1
>>>>>>
>>>>> .
>>>>
>>> .
>>
> .
_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
