Re: [f2fs-dev] [PATCH 4/4] fsck.f2fs: avoid uncessary recalculation
On 2022/11/10 22:07, Sheng Yong wrote: There is no need to recalculate ADDRS_PER_INODE and ADDRS_PER_BLOCK, especially in a for loop. Signed-off-by: Sheng Yong --- fsck/fsck.c | 19 +-- 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/fsck/fsck.c b/fsck/fsck.c
index ebc60ad..ec096f2 100644
--- a/fsck/fsck.c
+++ b/fsck/fsck.c
@@ -706,7 +706,7 @@ void fsck_chk_inode_blk(struct f2fs_sb_info *sbi, u32 nid,
 int ofs;
 char *en;
 u32 namelen;
- unsigned int idx = 0;
+ unsigned int addrs, idx = 0;
 unsigned short i_gc_failures;
 int need_fix = 0;
 int ret;
@@ -932,17 +932,16 @@ check_next:
 }
 /* check data blocks in inode */
+ addrs = ADDRS_PER_INODE(_blk->i);
 if (cur_qtype != -1) {
+ unsigned int addrs_per_blk = ADDRS_PER_BLOCK(_blk->i);
 qf_szchk_type[cur_qtype] = QF_SZCHK_REGFILE;
- qf_maxsize[cur_qtype] = (ADDRS_PER_INODE(_blk->i) +
- 2 * ADDRS_PER_BLOCK(_blk->i) +
- 2 * ADDRS_PER_BLOCK(_blk->i) *
- NIDS_PER_BLOCK +
- (u64) ADDRS_PER_BLOCK(_blk->i) *
- NIDS_PER_BLOCK * NIDS_PER_BLOCK) * F2FS_BLKSIZE;
- }
- for (idx = 0; idx < ADDRS_PER_INODE(_blk->i);
- idx++, child.pgofs++) {
+ qf_maxsize[cur_qtype] = (addrs + 2 * addrs_per_blk + u64(addrs + 2 * addrs_per_blk + Otherwise, the result may overflow... Thanks,
+ 2 * addrs_per_blk * NIDS_PER_BLOCK +
+ (u64) addrs_per_blk * NIDS_PER_BLOCK *
+ NIDS_PER_BLOCK) * F2FS_BLKSIZE;
+ }
+ for (idx = 0; idx < addrs; idx++, child.pgofs++) {
 block_t blkaddr = le32_to_cpu(node_blk->i.i_addr[ofs + idx]);
 /* check extent info */
___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
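Review bot: `addrs` is assigned from ADDRS_PER_INODE() once, before the `if (cur_qtype != -1)` block, and then bounds the `for (idx = 0; idx < addrs; idx++, child.pgofs++)` loop, so the loop now trusts a snapshot instead of re-reading the inode each iteration; that is only equivalent to the old code if nothing between the two points rewrites the inode fields the macro presumably derives the count from (its inline/extra-attribute layout). Nothing in this hunk does, but fsck_chk_inode_blk continues well outside the hunk on both sides, so a comment would pin the assumption: `/* snapshot of ADDRS_PER_INODE(): must stay valid until the i_addr loop below */`. Keeping `addrs_per_blk` local to the quota-size block reads fine since it has no other user here.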
Re: [f2fs-dev] [PATCH 3/4] fsck.f2fs: fix potential overflow of copying i_name
On 2022/11/10 22:07, Sheng Yong wrote: If i_namelen is corrupted, there may be an overflow when doing memcpy. Signed-off-by: Sheng Yong Reviewed-by: Chao Yu Thanks, ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
Re: [f2fs-dev] [PATCH 2/4] fsck.f2fs: add parentheses for SB_MASK
On 2022/11/10 22:07, Sheng Yong wrote: Signed-off-by: Sheng Yong Reviewed-by: Chao Yu Thanks, ___ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
Re: [f2fs-dev] [PATCH v3 14/23] f2fs: Convert f2fs_write_cache_pages() to use filemap_get_folios_tag()
On 2022/10/18 4:24, Vishal Moola (Oracle) wrote: Converted the function to use a folio_batch instead of pagevec. This is in preparation for the removal of find_get_pages_range_tag(). Also modified f2fs_all_cluster_page_ready to take in a folio_batch instead of pagevec. This does NOT support large folios. The function currently Vishal, It looks this patch tries to revert Fengnan's change: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01fc4b9a6ed8eacb64e5609bab7ac963e1c7e486 How about doing some tests to evaluate its performance effect? +Cc Fengnan Chang Thanks, only utilizes folios of size 1 so this shouldn't cause any issues right now. Signed-off-by: Vishal Moola (Oracle) --- fs/f2fs/compress.c | 13 + fs/f2fs/data.c | 69 +- fs/f2fs/f2fs.h | 5 ++-- 3 files changed, 47 insertions(+), 40 deletions(-)
diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
index d315c2de136f..7af6c923e0aa 100644
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -842,10 +842,11 @@ bool f2fs_cluster_can_merge_page(struct compress_ctx *cc, pgoff_t index)
 return is_page_in_cluster(cc, index);
 }
-bool f2fs_all_cluster_page_ready(struct compress_ctx *cc, struct page **pages,
- int index, int nr_pages, bool uptodate)
+bool f2fs_all_cluster_page_ready(struct compress_ctx *cc,
+ struct folio_batch *fbatch,
+ int index, int nr_folios, bool uptodate)
 {
- unsigned long pgidx = pages[index]->index;
+ unsigned long pgidx = fbatch->folios[index]->index;
 int i = uptodate ? 0 : 1;
 /*
@@ -855,13 +856,13 @@ bool f2fs_all_cluster_page_ready(struct compress_ctx *cc, struct page **pages,
 if (uptodate && (pgidx % cc->cluster_size))
 return false;
- if (nr_pages - index < cc->cluster_size)
+ if (nr_folios - index < cc->cluster_size)
 return false;
 for (; i < cc->cluster_size; i++) {
- if (pages[index + i]->index != pgidx + i)
+ if (fbatch->folios[index + i]->index != pgidx + i)
 return false;
- if (uptodate && !PageUptodate(pages[index + i]))
+ if (uptodate && !folio_test_uptodate(fbatch->folios[index + i]))
 return false;
 }
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index a71e818cd67b..7511578b73c3 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -2938,7 +2938,7 @@ static int f2fs_write_cache_pages(struct address_space *mapping,
 {
 int ret = 0;
 int done = 0, retry = 0;
- struct page *pages[F2FS_ONSTACK_PAGES];
+ struct folio_batch fbatch;
 struct f2fs_sb_info *sbi = F2FS_M_SB(mapping);
 struct bio *bio = NULL;
 sector_t last_block;
@@ -2959,7 +2959,7 @@ static int f2fs_write_cache_pages(struct address_space *mapping,
 .private = NULL,
 };
 #endif
- int nr_pages;
+ int nr_folios;
 pgoff_t index;
 pgoff_t end;/* Inclusive */
 pgoff_t done_index;
@@ -2969,6 +2969,8 @@ static int f2fs_write_cache_pages(struct address_space *mapping,
 int submitted = 0;
 int i;
+ folio_batch_init();
+
 if (get_dirty_pages(mapping->host) <=
 SM_I(F2FS_M_SB(mapping))->min_hot_blocks)
 set_inode_flag(mapping->host, FI_HOT_DATA);
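Review bot: `if (fbatch->folios[index + i]->index != pgidx + i)` and the `nr_folios - index < cc->cluster_size` check above it both assume every folio in the batch covers exactly one page, which holds only for the order-0 folios the commit message says are in use today; the code itself carries no trace of that constraint. A comment at the head of f2fs_all_cluster_page_ready, whose new signature is in the preceding hunk, such as `/* assumes order-0 folios: batch slot index + i must be page index pgidx + i */`, would keep the assumption next to the loop that breaks first once larger folios reach this path. The function's closing lines run past this hunk.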
@@ -2994,13 +2996,13 @@ static int f2fs_write_cache_pages(struct address_space *mapping,
 tag_pages_for_writeback(mapping, index, end);
 done_index = index;
 while (!done && !retry && (index <= end)) {
- nr_pages = find_get_pages_range_tag(mapping, , end,
- tag, F2FS_ONSTACK_PAGES, pages);
- if (nr_pages == 0)
+ nr_folios = filemap_get_folios_tag(mapping, , end,
+ tag, );
+ if (nr_folios == 0)
 break;
- for (i = 0; i < nr_pages; i++) {
- struct page *page = pages[i];
+ for (i = 0; i < nr_folios; i++) {
+ struct folio *folio = fbatch.folios[i];
 bool need_readd;
 readd:
 need_readd = false;
@@ -3017,7 +3019,7 @@ static int f2fs_write_cache_pages(struct address_space *mapping,
 }
 if (!f2fs_cluster_can_merge_page(,
- page->index)) {
+ folio->index)) {
 ret = f2fs_write_multi_pages(, , wbc, io_type);
 if (!ret)
@@ -3026,27 +3028,28 @@ static int f2fs_write_cache_pages(struct
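Review bot: Every folio that filemap_get_folios_tag() stores in `fbatch` carries a reference, so each pass of the `while (!done && !retry && (index <= end))` loop has to end with `folio_batch_release(&fbatch);` at the point where the old code presumably dropped its `pages[]` references; that tail of the loop body falls in the @@ -3026 hunk, which is cut off on this page, so it cannot be confirmed here, and if it is absent folios leak on every writeback pass. The blank argument slots rendered in `filemap_get_folios_tag(mapping, , end, tag, )` and `f2fs_cluster_can_merge_page(,` look like an extraction artifact of the `&` operands rather than the submitted code. f2fs_write_cache_pages starts and ends outside these hunks.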
Re: [f2fs-dev] [PATCH v6] f2fs: support errors=remount-ro|continue|panic mountoption
On 2022/11/8 9:17, Chao Yu wrote: Jaegeuk, On 2022/11/8 5:49, Jaegeuk Kim wrote: Chao, Could you please run xfstests since I met some issues with this? I had to drop this to test other patches. Oops, I ran xfstests on v5, I didn't see any issus... and in v6 I just rebase codes on ("f2fs: fix to avoid accessing uninitialized spinlock"), there is no critial changes. I did test w/ this patch on top of last dev-test branch, however, I don't see any hang backtrace... Could you please provide xfstest option to me? e.g. F2FS_MOUNT_OPTIONS/F2FS_MKFS_OPTIONS Did you keep any kernel/xfstest logs? If it is easier to reproduce the bug in your environment, could you please provide the log? Thanks, Thanks, On 11/06, Chao Yu wrote: This patch supports errors=remount-ro|continue|panic mount option. Signed-off-by: Chao Yu Signed-off-by: Yangtao Li Signed-off-by: Jaegeuk Kim --- v6: - rebase the code Documentation/filesystems/f2fs.rst | 4 + fs/f2fs/checkpoint.c | 7 +- fs/f2fs/f2fs.h | 18 +++- fs/f2fs/file.c | 5 -- fs/f2fs/gc.c | 2 +- fs/f2fs/super.c | 135 ++--- 6 files changed, 147 insertions(+), 24 deletions(-)
diff --git a/Documentation/filesystems/f2fs.rst b/Documentation/filesystems/f2fs.rst
index 6e67c5e6c7c3..1d73bc91b9ae 100644
--- a/Documentation/filesystems/f2fs.rst
+++ b/Documentation/filesystems/f2fs.rst
@@ -343,6 +343,10 @@ memory=%s Control memory mode. This supports "normal" and "low" modes. Because of the nature of low memory devices, in this mode, f2fs will try to save memory sometimes by sacrificing performance. "normal" mode is the default mode and same as before.
+errors=%s Specify f2fs behavior on critical errors. This supports modes:
+ "panic", "continue" and "remount-ro", respectively, trigger
+ panic immediately, continue without doing anything, and remount
+ the partition in read-only mode (default behavior).
 Debugfs Entries
diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
index 56f7d0d6a8b2..913cea4ebea4 100644
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -30,12 +30,9 @@ void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io,
 unsigned char reason)
 {
 f2fs_build_fault_attr(sbi, 0, 0);
- set_ckpt_flags(sbi, CP_ERROR_FLAG);
- if (!end_io) {
+ if (!end_io)
 f2fs_flush_merged_writes(sbi);
-
- f2fs_handle_stop(sbi, reason);
- }
+ f2fs_handle_critical_error(sbi, reason, end_io);
 }
 /*
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 04ef4cce3d7f..af9e114d03a6 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -161,6 +161,7 @@ struct f2fs_mount_info {
 int fs_mode; /* fs mode: LFS or ADAPTIVE */
 int bggc_mode; /* bggc mode: off, on or sync */
 int memory_mode; /* memory mode */
+ int errors; /* errors parameter */
 int discard_unit; /*
 * discard command's offset/size should
 * be aligned to this unit: block,
@@ -1381,7 +1382,11 @@ enum {
 MEMORY_MODE_LOW, /* memory mode for low memry devices */
 };
-
+enum errors_option {
+ MOUNT_ERRORS_READONLY, /* remount fs ro on errors */
+ MOUNT_ERRORS_CONTINUE, /* continue on errors */
+ MOUNT_ERRORS_PANIC, /* panic on errors */
+};
 static inline int f2fs_test_bit(unsigned int nr, char *addr);
 static inline void f2fs_set_bit(unsigned int nr, char *addr);
@@ -1818,7 +1823,13 @@ struct f2fs_sb_info {
 struct workqueue_struct *post_read_wq; /* post read workqueue */
- unsigned char errors[MAX_F2FS_ERRORS]; /* error flags */
+ /*
+ * If we are in irq context, let's update error information into
+ * on-disk superblock in the work.
+ */
+ struct work_struct s_error_work;
+ unsigned char errors[MAX_F2FS_ERRORS]; /* error flags */
+ unsigned char stop_reason[MAX_STOP_REASON]; /* stop reason */
 spinlock_t error_lock; /* protect errors array */
 bool error_dirty; /* errors of sb is dirty */
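Review bot: The unconditional `set_ckpt_flags(sbi, CP_ERROR_FLAG)` is removed from f2fs_stop_checkpoint() and nothing in the new body replaces it, so raising CP_ERROR_FLAG now rests entirely on `f2fs_handle_critical_error(sbi, reason, end_io)`, whose definition in super.c is not on this page; whether the flag is still set for `errors=continue` as well as for the remount-ro and panic modes cannot be checked from here. The call also hands `end_io` to a parameter the f2fs.h prototype names `irq_context`, which deserves a one-line comment on the call site, e.g. `/* end_io means we may be in irq context; CP_ERROR_FLAG and the stop reason are now recorded by the callee */`, adjusted to whatever super.c actually does. The whole of f2fs_stop_checkpoint is inside this hunk.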
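Review bot: `unsigned char stop_reason[MAX_STOP_REASON]` is inserted between `errors[]` and `spinlock_t error_lock` in struct f2fs_sb_info, but the lock's comment still reads `/* protect errors array */`; if the new array is written under the same lock, as its placement suggests, widen it to `/* protect errors and stop_reason arrays */`, and if not, say what does serialise it. The comment above `s_error_work` explains the irq case but not who queues the work or which of the two arrays it flushes to the superblock, and one more line there would save the next reader a trip to super.c. MAX_STOP_REASON is not defined in any hunk shown, so it is presumably supplied by an existing header.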
@@ -3563,7 +3574,8 @@ int f2fs_enable_quota_files(struct f2fs_sb_info *sbi, bool rdonly);
 int f2fs_quota_sync(struct super_block *sb, int type);
 loff_t max_file_blocks(struct inode *inode);
 void f2fs_quota_off_umount(struct super_block *sb);
-void f2fs_handle_stop(struct f2fs_sb_info *sbi, unsigned char reason);
+void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason,
+ bool irq_context);
 void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error);
 int f2fs_commit_super(struct f2fs_sb_info *sbi, bool recover);
 int f2fs_sync_fs(struct
[f2fs-dev] [BUG REPORT] f2fs: use-after-free during garbage collection
Hi Chao & Jaegeuk, There is a KASAN report[0] that shows invalid memory access(use-after-free) in f2fs garbage collection process, and this issue is fixed by a recent f2fs patch set[1]. The KASAN report is caused by an abnormal sum->ofs_in_node value 0xc3f1 in the first check. And the investigation indicates that the f2fs_summary_block address range is not from f2fs_kzalloc() in build_curseg(). The memory allocation/free happens in non-f2fs thread, such as network. So I guess the f2fs subsystem is accessing memory that's not belong to f2fs in some cases. With the below commit merged into mainline recently, this use-after-free issue disappears. But there is another thread blocked issue as below. The patch c6ad7fd16657 check the valid ofs_in_node and stop further gc. I am not sure whether it is expected that the f2fs_summary_block address in gc thread is not from allocation in build_curseg(). Because I am not familiar with f2fs. Could you help comment on my question and new issue? Is there any work in progress to fix the new blocked issue? Thanks! [0] https://syzkaller.appspot.com/bug?id=4cbcff00422ea402c2e5be2bc041a8f4196d608c [1] c6ad7fd16657 f2fs: fix to do sanity check on summary info Log of new issue: [ 250.167041][ T58] INFO: task kworker/u16:1:11 blocked for more than 122 seconds. [ 250.169071][ T58] Not tainted 6.1.0-rc4+gc0daf896 #3 [ 250.170443][ T58] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 250.172487][ T58] task:kworker/u16:1 state:D stack:0 pid:11 ppid:2 flags:0x4000 [ 250.174678][ T58] Workqueue: writeback wb_workfn (flush-7:0) [ 250.176128][ T58] Call Trace: [ 250.176908][ T58] [ 250.177638][ T58] __schedule+0x8b7/0x1940 [ 250.178736][ T58] ? io_schedule_timeout+0x150/0x150 [ 250.180013][ T58] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 250.181541][ T58] ? 
kthread_data+0x5d/0xd0 [ 250.182615][ T58] schedule+0xec/0x1b0 [ 250.183582][ T58] io_schedule+0xcd/0x150 [ 250.184619][ T58] folio_wait_bit_common+0x35d/0x910 [ 250.185919][ T58] ? filemap_map_pages+0x1230/0x1230 [ 250.187214][ T58] ? add_gc_inode+0xc9/0x2e0 [ 250.188323][ T58] ? do_garbage_collect+0x2b47/0x3730 [ 250.189597][ T58] ? f2fs_gc+0x816/0x1df0 [ 250.190629][ T58] ? f2fs_balance_fs+0x391/0x420 [ 250.191803][ T58] ? f2fs_write_inode+0x598/0xe20 [ 250.193009][ T58] ? __writeback_single_inode+0x7b8/0xac0 [ 250.194369][ T58] ? writeback_sb_inodes+0x585/0xea0 [ 250.195623][ T58] ? wb_writeback+0x25c/0x8a0 [ 250.196737][ T58] ? wb_workfn+0x277/0xed0 [ 250.197831][ T58] ? folio_unlock+0x60/0x60 [ 250.198943][ T58] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 250.200438][ T58] ? xas_load+0x64/0x2e0 [ 250.201459][ T58] __filemap_get_folio+0x84c/0x900 [ 250.202685][ T58] ? filemap_add_folio+0x1c0/0x1c0 [ 250.203937][ T58] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 250.205454][ T58] pagecache_get_page+0x36/0x130 [ 250.206634][ T58] __get_node_page.part.0+0xa7/0x960 [ 250.207918][ T58] f2fs_get_node_page+0x10f/0x190 [ 250.209119][ T58] do_garbage_collect+0x1bbc/0x3730 [ 250.210377][ T58] ? ra_data_block+0x860/0x860 [ 250.211522][ T58] f2fs_gc+0x816/0x1df0 [ 250.212510][ T58] ? f2fs_start_bidx_of_node+0x50/0x50 [ 250.213816][ T58] ? map_id_up+0x1a3/0x320 [ 250.214872][ T58] ? down_write+0xf7/0x170 [ 250.215931][ T58] ? down_write_killable+0x180/0x180 [ 250.217213][ T58] ? has_not_enough_free_secs.constprop.0+0x6d8/0x840 [ 250.218824][ T58] f2fs_balance_fs+0x391/0x420 [ 250.219963][ T58] ? f2fs_balance_fs_bg+0xf70/0xf70 [ 250.221205][ T58] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 250.222688][ T58] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 250.224174][ T58] ? folio_unlock+0x3c/0x60 [ 250.225274][ T58] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 250.226990][ T58] ? 
f2fs_update_inode_page+0x1d4/0x4c0 [ 250.228357][ T58] f2fs_write_inode+0x598/0xe20 [ 250.229522][ T58] ? _raw_spin_lock_bh+0x110/0x110 [ 250.230760][ T58] ? __kasan_check_write+0x14/0x20 [ 250.232017][ T58] ? _raw_spin_lock+0x8b/0x110 [ 250.233177][ T58] __writeback_single_inode+0x7b8/0xac0 [ 250.234503][ T58] writeback_sb_inodes+0x585/0xea0 [ 250.235727][ T58] ? sync_inode_metadata+0xf0/0xf0 [ 250.236951][ T58] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 250.238464][ T58] ? queue_io+0x23d/0x450 [ 250.239484][ T58] wb_writeback+0x25c/0x8a0 [ 250.240566][ T58] ? __writeback_inodes_wb+0x270/0x270 [ 250.241865][ T58] ? _raw_spin_lock+0x110/0x110 [ 250.243027][ T58] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 250.244510][ T58] ? kthread_data+0x5d/0xd0 [ 250.245581][ T58] wb_workfn+0x277/0xed0 [ 250.246594][ T58] ? __kasan_check_read+0x11/0x20 [ 250.247841][ T58] ? psi_group_change+0x716/0xc20 [ 250.249055][ T58] ?
Re: [f2fs-dev] [PATCH v2 1/2] f2fs: fix to enable compress for newly created file if extension matches
On 2022/11/12 9:27, Jaegeuk Kim wrote: Does thes make sense? https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git/commit/?h=dev-test=608460dfae20b9d23aa222f7448710a086778222 https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git/commit/?h=dev-test=962379487b5cb9f3b85ea367b130c2c6ca584edf Hi, Jaegeuk, Absolutely. Thanks for addressing it. Second one is needed to address build error. Sorry for missing adding a hunk of that patch :( The above 2 commits are already tested, shall I resend a new patchset? thanks, shengyong On 11/11, Sheng Yong wrote: If compress_extension is set, and a newly created file matches the extension, the file could be marked as compression file. However, if inline_data is also enabled, there is no chance to check its extension since f2fs_should_compress() always returns false. This patch moves set_compress_inode(), which do extension check, in f2fs_should_compress() to check extensions before setting inline data flag. Fixes: 7165841d578e ("f2fs: fix to check inline_data during compressed inode conversion") Signed-off-by: Sheng Yong --- fs/f2fs/namei.c | 27 +-- 1 file changed, 13 insertions(+), 14 deletions(-) --- v1->v2: add filename parameter for f2fs_new_inode, and move set_compress_inode into f2fs_new_inode
diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index e104409c3a0e5..36e251f438568 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -22,8 +22,12 @@
 #include "acl.h"
 #include
+static void set_compress_inode(struct f2fs_sb_info *sbi, struct inode *inode,
+ const unsigned char *name);
+
 static struct inode *f2fs_new_inode(struct user_namespace *mnt_userns,
- struct inode *dir, umode_t mode)
+ struct inode *dir, umode_t mode,
+ const char *name)
 {
 struct f2fs_sb_info *sbi = F2FS_I_SB(dir);
 nid_t ino;
@@ -119,6 +123,8 @@ static struct inode *f2fs_new_inode(struct user_namespace *mnt_userns,
 if ((F2FS_I(dir)->i_flags & F2FS_COMPR_FL) &&
 f2fs_may_compress(inode))
 set_compress_context(inode);
+ if (name)
+ set_compress_inode(sbi, inode, name);
 }
 /* Should enable inline_data after compression set */
@@ -293,8 +299,7 @@ static void set_compress_inode(struct f2fs_sb_info *sbi, struct inode *inode,
 unsigned char noext_cnt = F2FS_OPTION(sbi).nocompress_ext_cnt;
 int i, cold_count, hot_count;
- if (!f2fs_sb_has_compression(sbi) ||
- F2FS_I(inode)->i_flags & F2FS_NOCOMP_FL ||
+ if (F2FS_I(inode)->i_flags & F2FS_NOCOMP_FL ||
 !f2fs_may_compress(inode) ||
 (!ext_cnt && !noext_cnt))
 return;
@@ -326,10 +331,6 @@ static void set_compress_inode(struct f2fs_sb_info *sbi, struct inode *inode,
 for (i = 0; i < ext_cnt; i++) {
 if (!is_extension_exist(name, ext[i], false))
 continue;
-
- /* Do not use inline_data with compression */
- stat_dec_inline_inode(inode);
- clear_inode_flag(inode, FI_INLINE_DATA);
 set_compress_context(inode);
 return;
 }
@@ -352,15 +353,13 @@ static int f2fs_create(struct user_namespace *mnt_userns, struct inode *dir,
 if (err)
 return err;
- inode = f2fs_new_inode(mnt_userns, dir, mode);
+ inode = f2fs_new_inode(mnt_userns, dir, mode, dentry->d_name.name);
 if (IS_ERR(inode))
 return PTR_ERR(inode);
 if (!test_opt(sbi, DISABLE_EXT_IDENTIFY))
 set_file_temperature(sbi, inode, dentry->d_name.name);
- set_compress_inode(sbi, inode, dentry->d_name.name);
-
 inode->i_op = _file_inode_operations;
 inode->i_fop = _file_operations;
 inode->i_mapping->a_ops = _dblock_aops;
@@ -689,7 +688,7 @@ static int f2fs_symlink(struct user_namespace *mnt_userns, struct inode *dir,
 if (err)
 return err;
- inode = f2fs_new_inode(mnt_userns, dir, S_IFLNK | S_IRWXUGO);
+ inode = f2fs_new_inode(mnt_userns, dir, S_IFLNK | S_IRWXUGO, NULL);
 if (IS_ERR(inode))
 return PTR_ERR(inode);
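Review bot: The new `if (name) set_compress_inode(sbi, inode, name);` at @@ -119 makes a NULL `name` the opt-out used by the symlink, mkdir and mknod callers (@@ -689 and the hunks that follow), while @@ -293 drops the `!f2fs_sb_has_compression(sbi)` guard from set_compress_inode() itself, so both preconditions now live only at this call site, whose enclosing condition begins above the hunk. Two short comments would make that explicit: on the `const char *name` parameter added at @@ -22, `/* NULL: skip extension-based compression selection */`, and at the top of set_compress_inode(), `/* caller has already checked f2fs_sb_has_compression(sbi) */`. The parameter is also `const char *` on f2fs_new_inode() but `const unsigned char *` on set_compress_inode() while being fed from `dentry->d_name.name`; using one type for both avoids the implicit sign mismatch on each hop. f2fs_new_inode()'s body extends beyond both hunks.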
@@ -760,7 +759,7 @@ static int f2fs_mkdir(struct user_namespace *mnt_userns, struct inode *dir,
 if (err)
 return err;
- inode = f2fs_new_inode(mnt_userns, dir, S_IFDIR | mode);
+ inode = f2fs_new_inode(mnt_userns, dir, S_IFDIR | mode, NULL);
 if (IS_ERR(inode))
 return PTR_ERR(inode);
@@ -817,7 +816,7 @@ static int f2fs_mknod(struct user_namespace *mnt_userns, struct inode *dir,
 if (err)
 return err;
- inode =
[f2fs-dev] [syzbot] KASAN: use-after-free Read in do_garbage_collect
Hello, syzbot found the following issue on: HEAD commit:fef7fd48922d Merge tag 'scsi-fixes' of git://git.kernel.or.. git tree: upstream console+strace: https://syzkaller.appspot.com/x/log.txt?x=16e17f6688 kernel config: https://syzkaller.appspot.com/x/.config?x=37dfef4b6dcee4a dashboard link: https://syzkaller.appspot.com/bug?extid=f8f3dfa4abc489e768a1 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1699ef5188 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14705e7188 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/3f2148d0d19b/disk-fef7fd48.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/8b46b3d5f02f/vmlinux-fef7fd48.xz kernel image: https://storage.googleapis.com/syzbot-assets/b3ffcc7c8d30/bzImage-fef7fd48.xz mounted in repro: https://storage.googleapis.com/syzbot-assets/1445ad299ad6/mount_0.gz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+f8f3dfa4abc489e76...@syzkaller.appspotmail.com == BUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2891 [inline] BUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1117 [inline] BUG: KASAN: slab-out-of-bounds in gc_data_segment fs/f2fs/gc.c:1520 [inline] BUG: KASAN: slab-out-of-bounds in do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734 Read of size 4 at addr 888076557568 by task kworker/u4:3/52 CPU: 1 PID: 52 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbb/0x1f0 mm/kasan/report.c:495 data_blkaddr fs/f2fs/f2fs.h:2891 [inline] is_alive 
fs/f2fs/gc.c:1117 [inline] gc_data_segment fs/f2fs/gc.c:1520 [inline] do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734 f2fs_gc+0x88c/0x20a0 fs/f2fs/gc.c:1831 f2fs_balance_fs+0x544/0x6b0 fs/f2fs/segment.c:410 f2fs_write_inode+0x57e/0xe20 fs/f2fs/inode.c:753 write_inode fs/fs-writeback.c:1440 [inline] __writeback_single_inode+0xcfc/0x1440 fs/fs-writeback.c:1652 writeback_sb_inodes+0x54d/0xf90 fs/fs-writeback.c:1870 wb_writeback+0x2c5/0xd70 fs/fs-writeback.c:2044 wb_do_writeback fs/fs-writeback.c:2187 [inline] wb_workfn+0x2dc/0x12f0 fs/fs-writeback.c:2227 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 Allocated by task 3607: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45 kasan_set_track+0x21/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x7e/0x80 mm/kasan/common.c:325 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slab.h:737 [inline] kmem_cache_alloc_bulk+0x3e9/0x830 mm/slub.c:3854 mt_alloc_bulk lib/maple_tree.c:157 [inline] mas_alloc_nodes+0x309/0x810 lib/maple_tree.c:1251 mas_node_count_gfp lib/maple_tree.c:1310 [inline] mas_preallocate+0x1b7/0x360 lib/maple_tree.c:5717 __vma_adjust+0x18e/0x1ae0 mm/mmap.c:716 vma_adjust include/linux/mm.h:2663 [inline] __split_vma+0x295/0x5c0 mm/mmap.c:2240 do_mas_align_munmap+0x27e/0xee0 mm/mmap.c:2341 do_mas_munmap+0x26a/0x2b0 mm/mmap.c:2502 __vm_munmap+0x14f/0x290 mm/mmap.c:2779 __do_sys_munmap mm/mmap.c:2804 [inline] __se_sys_munmap mm/mmap.c:2801 [inline] __x64_sys_munmap+0x55/0x80 mm/mmap.c:2801 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 3607: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45 kasan_set_track+0x21/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2a/0x40 mm/kasan/generic.c:511 kasan_slab_free mm/kasan/common.c:236 
[inline] kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1724 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750 slab_free mm/slub.c:3661 [inline] kmem_cache_free_bulk.part.0+0x205/0x780 mm/slub.c:3779 mt_free_bulk lib/maple_tree.c:163 [inline] mas_destroy+0x394/0x5c0 lib/maple_tree.c:5767 mas_store_prealloc+0xec/0x150 lib/maple_tree.c:5701 __vma_adjust+0x772/0x1ae0 mm/mmap.c:811 vma_adjust include/linux/mm.h:2663 [inline] __split_vma+0x295/0x5c0 mm/mmap.c:2240 do_mas_align_munmap+0x27e/0xee0 mm/mmap.c:2341 do_mas_munmap+0x26a/0x2b0 mm/mmap.c:2502 __vm_munmap+0x14f/0x290 mm/mmap.c:2779 __do_sys_munmap mm/mmap.c:2804 [inline] __se_sys_munmap mm/mmap.c:2801 [inline] __x64_sys_munmap+0x55/0x80 mm/mmap.c:2801