https://bugzilla.kernel.org/show_bug.cgi?id=203197

            Bug ID: 203197
           Summary: kernel read fault at __is_cp_guaranteed
           Product: File System
           Version: 2.5
    Kernel Version: 5.0.0
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: f2fs
          Assignee: filesystem_f...@kernel-bugs.kernel.org
          Reporter: jungy...@gatech.edu
        Regression: No

Created attachment 282189
  --> https://bugzilla.kernel.org/attachment.cgi?id=282189&action=edit
The (compressed) crafted image which causes crash & program

- Overview
When mounting the attached crafted image and running the program, I got this error.
The image is intentionally fuzzed from a normal f2fs image for testing.

- Produces
cc poc_07.c
./run.sh f2fs

- Messages
[ 20.290851] BUG: unable to handle kernel NULL pointer dereference at 000000000000002e
[ 20.291962] #PF error: [normal kernel read fault]
[ 20.292640] PGD 800000023283a067 P4D 800000023283a067 PUD 234087067 PMD 0 
[ 20.293602] Oops: 0000 [#1] SMP PTI
[ 20.294134] CPU: 0 PID: 1094 Comm: apport Not tainted 5.0.0-rc8+ #9
[ 20.295020] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 20.296331] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 20.297050] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f 74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08 48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 20.299663] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 20.300390] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 20.301375] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 20.302398] RBP: ffffa144410b7cd8 R08: ffffffff8d81b860 R09: ffff9115af598780
[ 20.303387] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 20.304375] R13: ffff9115b4efa020 R14: ffff9115b21723a8 R15: ffff9115b21723b8
[ 20.305365] FS: 0000000000000000(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 20.306522] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.307317] CR2: 000000000000002e CR3: 000000022f5c8006 CR4: 00000000001606f0
[ 20.308301] Call Trace:
[ 20.308656] vma_interval_tree_insert+0x84/0x90
[ 20.309292] __vma_link_file+0x46/0x50
[ 20.309820] vma_link+0x74/0xc0
[ 20.310309] mmap_region+0x43f/0x610
[ 20.310815] do_mmap+0x46e/0x610
[ 20.311274] ? ima_file_mmap+0x61/0x90
[ 20.311804] vm_mmap_pgoff+0xcc/0x120
[ 20.312322] ksys_mmap_pgoff+0x1cb/0x290
[ 20.312876] __x64_sys_mmap+0x33/0x40
[ 20.313394] do_syscall_64+0x5a/0x110
[ 20.313915] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.314663] RIP: 0033:0x7f5b857824ba
[ 20.315168] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4e 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[ 20.317740] RSP: 002b:00007ffc4b7909f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 20.318831] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f5b857824ba
[ 20.319810] RDX: 0000000000000005 RSI: 0000000000228068 RDI: 0000000000000000
[ 20.320789] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
[ 20.321771] R10: 0000000000000802 R11: 0000000000000246 R12: 0000000000000000
[ 20.322792] R13: 0000000000228068 R14: 0000000000000802 R15: 0000000000000000
[ 20.323776] Modules linked in:
[ 20.324210] CR2: 000000000000002e
[ 20.324695] ---[ end trace e553cf509f875842 ]---
[ 20.325346] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 20.326092] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f 74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08 48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 20.328680] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 20.329410] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 20.330456] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 20.331469] RBP: ffffa144410b7cd8 R08: ffffffff8d81b860 R09: ffff9115af598780
[ 20.332458] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 20.333444] R13: ffff9115b4efa020 R14: ffff9115b21723a8 R15: ffff9115b21723b8
[ 20.334481] FS: 0000000000000000(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 20.335601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.336401] CR2: 000000000000002e CR3: 000000022f5c8006 CR4: 00000000001606f0

wait a little bit...

[ 34.969989] general protection fault: 0000 [#2] SMP PTI
[ 34.970784] CPU: 0 PID: 1095 Comm: systemd-cgroups Tainted: G D 5.0.0-rc8+ #9
[ 34.971981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 34.973320] RIP: 0010:vma_interval_tree_insert+0x2c/0x90
[ 34.974126] Code: 44 00 00 48 8b 47 08 48 2b 07 49 89 fb 4c 8b 97 98 00 00 00 48 89 f1 ba 01 00 00 00 45 31 c9 48 c1 e8 0c 4d 8d 44 02 ff eb 1d <4c> 39 40 18 73 04 4c 89 40 18 4c 3b 50 40 48 8d 48 10 72 06 48 8d
[ 34.976747] RSP: 0018:ffffa1444155bd08 EFLAGS: 00010286
[ 34.977486] RAX: c5ffff9115ab8436 RBX: ffff9115b4e51cf8 RCX: ffff9115ab843431
[ 34.978531] RDX: 0000000000000000 RSI: ffff9115b5b21730 RDI: ffff9115ab2b9bb8
[ 34.979571] RBP: ffffa1444155bd10 R08: 00000000000001c5 R09: ffff9115ab843421
[ 34.980610] R10: 00000000000001c4 R11: ffff9115ab2b9bb8 R12: ffff9115b4e51c80
[ 34.981650] R13: ffff9115b4e51898 R14: 0000000000000000 R15: 0000000000000000
[ 34.982716] FS: 00007ff7107dd840(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 34.983890] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 34.984729] CR2: 00007ff70fc3e280 CR3: 000000023299e004 CR4: 00000000001606f0
[ 34.985773] Call Trace:
[ 34.986147] ? __vma_link_file+0x46/0x50
[ 34.986729] __vma_adjust+0x111/0x7b0
[ 34.987273] ? kmem_cache_alloc+0x3a/0x170
[ 34.987880] __split_vma+0x18c/0x1a0
[ 34.988412] split_vma+0x1b/0x30
[ 34.988893] mprotect_fixup+0x2a7/0x360
[ 34.989464] ? common_file_perm+0x47/0x140
[ 34.990073] ? common_mmap+0x4b/0x50
[ 34.990604] ? apparmor_file_mprotect+0x2d/0x30
[ 34.991272] do_mprotect_pkey+0x214/0x380
[ 34.991865] __x64_sys_mprotect+0x1f/0x30
[ 34.992467] do_syscall_64+0x5a/0x110
[ 34.993009] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 34.993772] RIP: 0033:0x7ff7105df557
[ 34.994304] Code: ff 66 90 b8 0b 00 00 00 0f 05 48 3d 01 f0 ff ff 73 01 c3 48 8d 0d d9 bb 20 00 f7 d8 89 01 48 83 c8 ff c3 b8 0a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8d 0d b9 bb 20 00 f7 d8 89 01 48 83
[ 34.996989] RSP: 002b:00007ffe23ac78b8 EFLAGS: 00000206 ORIG_RAX: 000000000000000a
[ 34.998085] RAX: ffffffffffffffda RBX: 00007ff70fbd27b8 RCX: 00007ff7105df557
[ 34.999086] RDX: 0000000000000001 RSI: 0000000000004000 RDI: 00007ff70ff73000
[ 35.000119] RBP: 00007ffe23ac79e0 R08: 0000000000000000 R09: 00007ff7107eb700
[ 35.001120] R10: 0000000000000003 R11: 0000000000000206 R12: 00007ff7107e0000
[ 35.002191] R13: 00007ff70fbb3000 R14: 00007ff70fbd27a0 R15: 00000000003c4018
[ 35.003190] Modules linked in:
[ 35.003643] ---[ end trace e553cf509f875843 ]---
[ 35.004304] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 35.005034] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f 74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08 48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 35.007704] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 35.008466] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 35.009472] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 35.010520] RBP: ffffa144410b7cd8 R08: ffffffff8d81b860 R09: ffff9115af598780
[ 35.011528] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 35.012536] R13: ffff9115b4efa020 R14: ffff9115b21723a8 R15: ffff9115b21723b8
[ 35.013588] FS: 00007ff7107dd840(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 35.014746] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.015561] CR2: 00007ff70fc3e280 CR3: 000000023299e004 CR4: 00000000001606f0

- Possible reason
The address of the inode (F2FS_I_SB) is not accessible (in my case, it is 0xa034).
It seems that this is because the given address of the page is not appropriate.

   │33      static bool __is_cp_guaranteed(struct page *page)
   │34      {
   │35              struct address_space *mapping = page->mapping;
   │36              struct inode *inode;
   │37              struct f2fs_sb_info *sbi;
   │38
   │39              if (!mapping)
   │40                      return false;
   │41
   │42              inode = mapping->host;
  >│43              sbi = F2FS_I_SB(inode);
   │44
   │45              if (inode->i_ino == F2FS_META_INO(sbi) ||
   │46                              inode->i_ino == F2FS_NODE_INO(sbi) ||
   │47                              S_ISDIR(inode->i_mode) ||
   │48                              (S_ISREG(inode->i_mode) &&
   │49                              (f2fs_is_atomic_file(inode) || IS_NOQUOTA(inode))) ||
   │50                              is_cold_data(page))
   │51                      return true;
   │52              return false;
   │53      }
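The oops text above carries everything needed to confirm the reporter's reading that a near-NULL pointer was dereferenced: the fault address (CR2), the register dump and the faulting instruction bytes marked with <> on the Code: line. The following triage helper is an added example, not part of the bug report or of the f2fs code base. It parses the first oops from the report (a trimmed copy embedded below as a constructed sample), picks out the kernel RIP symbol, the bytes at RIP, the call trace (flagging "?" frames as unreliable), and lists which general-purpose registers could be the base of the faulting access, i.e. registers whose value plus a small field offset equals CR2. The page-size threshold and the "register + offset" heuristic are assumptions of this example, not anything the kernel prints.

```python
"""Triage helper for an x86-64 kernel oops (added example, not from the report)."""
import re

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
REG = re.compile(r"\b(RAX|RBX|RCX|RDX|RSI|RDI|RBP|R8|R9|R1[0-5]|CR[234]): ([0-9a-f]{16})\b")
RIP = re.compile(r"^RIP: ([0-9a-f]{4}):(\S+)")
SYM = re.compile(r"^(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)$")
FRAME = re.compile(r"^(\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
PAGE_SIZE = 0x1000  # assumption: faults below this are NULL plus a struct field offset

# Constructed sample: a trimmed copy of the first oops in the report above.
SAMPLE_OOPS = """\
[ 20.290851] BUG: unable to handle kernel NULL pointer dereference at 000000000000002e
[ 20.291962] #PF error: [normal kernel read fault]
[ 20.293602] Oops: 0000 [#1] SMP PTI
[ 20.296331] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 20.297050] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f 74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08 48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 20.299663] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 20.300390] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 20.301375] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 20.303387] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 20.307317] CR2: 000000000000002e CR3: 000000022f5c8006 CR4: 00000000001606f0
[ 20.308301] Call Trace:
[ 20.308656] vma_interval_tree_insert+0x84/0x90
[ 20.309292] __vma_link_file+0x46/0x50
[ 20.309820] vma_link+0x74/0xc0
[ 20.310309] mmap_region+0x43f/0x610
[ 20.310815] do_mmap+0x46e/0x610
[ 20.311274] ? ima_file_mmap+0x61/0x90
[ 20.313394] do_syscall_64+0x5a/0x110
[ 20.314663] RIP: 0033:0x7f5b857824ba
[ 20.318831] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f5b857824ba
"""


def parse_oops(text):
    """Extract fault address, kernel RIP, bytes at RIP, registers and call trace."""
    regs, trace, code_bytes, marked, rip = {}, [], [], None, None
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if not line:
            continue
        m = RIP.match(line)
        if m and rip is None:  # first RIP: is the kernel one; the later 0033: one is user space
            s = SYM.match(m.group(2))
            rip = {"cs": m.group(1),
                   "symbol": s.group(1) if s else None,
                   "offset": int(s.group(2), 16) if s else None}
            continue
        if line.startswith("Code:") and not code_bytes:
            for tok in line[5:].split():
                if tok.startswith("<") and tok.endswith(">"):
                    marked = len(code_bytes)  # index of the byte RIP points at
                    tok = tok[1:-1]
                code_bytes.append(int(tok, 16))
            continue
        if line == "Call Trace:":
            in_trace = True
            continue
        if in_trace:
            f = FRAME.match(line)
            if f:
                trace.append((f.group(2), f.group(1) is None))  # (symbol, reliable)
                continue
            in_trace = False
        for name, val in REG.findall(line):
            regs.setdefault(name, int(val, 16))  # keep the kernel dump, ignore the user-space one
    fault = regs.get("CR2")
    bases = []
    if fault is not None:
        for name, val in regs.items():
            if name.startswith("CR"):
                continue
            disp = fault - val
            if 0 <= disp < PAGE_SIZE:  # register could be the base of [reg + disp]
                bases.append((name, disp))
        bases.sort(key=lambda b: (b[1], b[0]))
    return {
        "fault_addr": fault,
        "null_deref": fault is not None and fault < PAGE_SIZE,
        "rip": rip,
        "insn_bytes": bytes(code_bytes[marked:marked + 8]) if marked is not None else b"",
        "base_candidates": bases,
        "call_trace": trace,
        "regs": regs,
    }


def summarize(r):
    """One-line triage summary built from the parsed fields."""
    rip = r["rip"] or {}
    where = f'{rip["symbol"]}+0x{rip["offset"]:x}' if rip.get("symbol") else "unknown"
    addr = f'0x{r["fault_addr"]:x}' if r["fault_addr"] is not None else "n/a"
    kind = "NULL-pointer-plus-offset" if r["null_deref"] else "non-NULL address"
    base = ", ".join(f"{n}+0x{d:x}" for n, d in r["base_candidates"][:3]) or "none"
    top = r["call_trace"][0][0] if r["call_trace"] else "n/a"
    return (f"fault at {addr} ({kind}) in {where}; bytes at RIP {r['insn_bytes'].hex()}; "
            f"likely base register(s): {base}; top frame: {top}")


if __name__ == "__main__":
    print(summarize(parse_oops(SAMPLE_OOPS)))
```

On the report's oops the helper finds CR2 = 0x2e, RBX = 0x26 and the marked bytes 48 8b 43 08, which decode to mov rax,[rbx+0x8]: a read of the field at offset 8 through a pointer whose value is the small integer 0x26, the same shape of failure the reporter describes for the inode pointer. The helper deliberately keeps the first value seen for each register so that the user-space register dump printed after the kernel trace does not overwrite the kernel one.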

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel