OSDN Git Service
Guenter Roeck [Sun, 1 Jul 2018 20:57:06 +0000 (13:57 -0700)]
f2fs: Replace strncpy with memcpy
gcc 8.1.0 complains:
fs/f2fs/namei.c: In function 'f2fs_update_extension_list':
fs/f2fs/namei.c:257:3: warning:
'strncpy' output truncated before terminating nul copying
as many bytes from a string as its length
fs/f2fs/namei.c:249:3: warning:
'strncpy' output truncated before terminating nul copying
as many bytes from a string as its length
Using strncpy() is indeed less than perfect since the length of data to
be copied has already been determined with strlen(). Replace strncpy()
with memcpy() to address the warning and optimize the code a little.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Gao Xiang [Sat, 30 Jun 2018 15:57:03 +0000 (23:57 +0800)]
f2fs: avoid the global name 'fault_name'
Non-prefix global name 'fault_name' will pollute global
namespace, fix it.
Refer to:
https://lists.01.org/pipermail/kbuild-all/2018-June/049660.html
To: Jaegeuk Kim <jaegeuk@kernel.org>
To: Chao Yu <yuchao0@huawei.com>
Cc: linux-f2fs-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Sat, 30 Jun 2018 10:13:40 +0000 (18:13 +0800)]
f2fs: fix to do sanity check with reserved blkaddr of inline inode
As Wen Xu reported in bugzilla, after image was injected with random data
by fuzzing, inline inode would contain invalid reserved blkaddr, then
during inline conversion, we will encounter illegal memory accessing
reported by KASAN, the root cause of this is when writing out converted
inline page, we will use invalid reserved blkaddr to update sit bitmap,
result in accessing memory beyond sit bitmap boundary.
In order to fix this issue, let's do sanity check with reserved block
address of inline inode to avoid above condition.
https://bugzilla.kernel.org/show_bug.cgi?id=200179
[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
[ 1428.846618] Read of size 4 at addr
ffff880194483540 by task a.out/2741
[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1
[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.846860] Call Trace:
[ 1428.846868] dump_stack+0x71/0xab
[ 1428.846875] print_address_description+0x6b/0x290
[ 1428.846881] kasan_report+0x28e/0x390
[ 1428.846888] ? update_sit_entry+0x80/0x7f0
[ 1428.846898] update_sit_entry+0x80/0x7f0
[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70
[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590
[ 1428.846920] do_write_page+0xc8/0x150
[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210
[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170
[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130
[ 1428.846946] ? __mod_node_page_state+0x22/0xa0
[ 1428.846951] ? inc_zone_page_state+0x54/0x100
[ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0
[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0
[ 1428.846971] ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.846978] ? __get_node_page+0x335/0x6b0
[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500
[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40
[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0
[ 1428.847024] f2fs_file_mmap+0x79/0xc0
[ 1428.847029] mmap_region+0x58b/0x880
[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370
[ 1428.847042] do_mmap+0x55b/0x7a0
[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0
[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50
[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.847068] ? do_sys_open+0x206/0x2a0
[ 1428.847073] ? __fget+0xb4/0x100
[ 1428.847079] ksys_mmap_pgoff+0x278/0x360
[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50
[ 1428.847091] do_syscall_64+0x73/0x160
[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847102] RIP: 0033:0x7fb1430766ba
[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[ 1428.847162] RSP: 002b:
00007ffc651d9388 EFLAGS:
00000246 ORIG_RAX:
0000000000000009
[ 1428.847167] RAX:
ffffffffffffffda RBX:
0000000000000001 RCX:
00007fb1430766ba
[ 1428.847170] RDX:
0000000000000001 RSI:
0000000000001000 RDI:
0000000000000000
[ 1428.847173] RBP:
0000000000000003 R08:
0000000000000003 R09:
0000000000000000
[ 1428.847176] R10:
0000000000008002 R11:
0000000000000246 R12:
0000000000000000
[ 1428.847179] R13:
0000000000001000 R14:
0000000000008002 R15:
0000000000000000
[ 1428.847252] Allocated by task 2683:
[ 1428.847372] kasan_kmalloc+0xa6/0xd0
[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0
[ 1428.847385] getname_flags+0x73/0x2b0
[ 1428.847390] user_path_at_empty+0x1d/0x40
[ 1428.847395] vfs_statx+0xc1/0x150
[ 1428.847401] __do_sys_newlstat+0x7e/0xd0
[ 1428.847405] do_syscall_64+0x73/0x160
[ 1428.847411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847466] Freed by task 2683:
[ 1428.847566] __kasan_slab_free+0x137/0x190
[ 1428.847571] kmem_cache_free+0x85/0x1e0
[ 1428.847575] filename_lookup+0x191/0x280
[ 1428.847580] vfs_statx+0xc1/0x150
[ 1428.847585] __do_sys_newlstat+0x7e/0xd0
[ 1428.847590] do_syscall_64+0x73/0x160
[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847648] The buggy address belongs to the object at
ffff880194483300
which belongs to the cache names_cache of size 4096
[ 1428.847946] The buggy address is located 576 bytes inside of
4096-byte region [
ffff880194483300,
ffff880194484300)
[ 1428.848234] The buggy address belongs to the page:
[ 1428.848366] page:
ffffea0006512000 count:1 mapcount:0 mapping:
ffff8801f3586380 index:0x0 compound_mapcount: 0
[ 1428.848606] flags: 0x17fff8000008100(slab|head)
[ 1428.848737] raw:
017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
[ 1428.848931] raw:
0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 1428.849122] page dumped because: kasan: bad access detected
[ 1428.849305] Memory state around the buggy address:
[ 1428.849436]
ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849620]
ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849804] >
ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849985] ^
[ 1428.850120]
ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850303]
ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850498] ==================================================================
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Fri, 29 Jun 2018 05:55:22 +0000 (13:55 +0800)]
f2fs: fix to do sanity check with node footer and iblocks
This patch adds to do sanity check with below fields of inode to
avoid reported panic.
- node footer
- iblocks
https://bugzilla.kernel.org/show_bug.cgi?id=200223
- Overview
BUG() triggered in f2fs_truncate_inode_blocks() when un-mounting a mounted f2fs image after writing to it
- Reproduce
- POC (poc.c)
static void activity(char *mpoint) {
char *foo_bar_baz;
int err;
static int buf[8192];
memset(buf, 0, sizeof(buf));
err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
// open / write / read
int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
if (fd >= 0) {
write(fd, (char *)buf, 517);
write(fd, (char *)buf, sizeof(buf));
close(fd);
}
}
int main(int argc, char *argv[]) {
activity(argv[1]);
return 0;
}
- Kernel meesage
[ 552.479723] F2FS-fs (loop0): Mounted with checkpoint version = 2
[ 556.451891] ------------[ cut here ]------------
[ 556.451899] kernel BUG at fs/f2fs/node.c:987!
[ 556.452920] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 556.453936] CPU: 1 PID: 1310 Comm: umount Not tainted 4.18.0-rc1+ #4
[ 556.455213] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 556.457140] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
[ 556.458280] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
[ 556.462015] RSP: 0018:
ffff8801f292f808 EFLAGS:
00010286
[ 556.463068] RAX:
ffffed003e73242d RBX:
ffff8801f292f958 RCX:
ffffffffb88b81bc
[ 556.464479] RDX:
0000000000000000 RSI:
0000000000000004 RDI:
ffff8801f3992164
[ 556.465901] RBP:
ffff8801f292f980 R08:
ffffed003e73242d R09:
ffffed003e73242d
[ 556.467311] R10:
0000000000000001 R11:
ffffed003e73242c R12:
00000000fffffc64
[ 556.468706] R13:
ffff8801f3992000 R14:
0000000000000058 R15:
00000000ffff8801
[ 556.470117] FS:
00007f8029297840(0000) GS:
ffff8801f6f00000(0000) knlGS:
0000000000000000
[ 556.471702] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 556.472838] CR2:
000055f5f57305d8 CR3:
00000001f18b0000 CR4:
00000000000006e0
[ 556.474265] Call Trace:
[ 556.474782] ? f2fs_alloc_nid_failed+0xf0/0xf0
[ 556.475686] ? truncate_nodes+0x980/0x980
[ 556.476516] ? pagecache_get_page+0x21f/0x2f0
[ 556.477412] ? __asan_loadN+0xf/0x20
[ 556.478153] ? __get_node_page+0x331/0x5b0
[ 556.478992] ? reweight_entity+0x1e6/0x3b0
[ 556.479826] f2fs_truncate_blocks+0x55e/0x740
[ 556.480709] ? f2fs_truncate_data_blocks+0x20/0x20
[ 556.481689] ? __radix_tree_lookup+0x34/0x160
[ 556.482630] ? radix_tree_lookup+0xd/0x10
[ 556.483445] f2fs_truncate+0xd4/0x1a0
[ 556.484206] f2fs_evict_inode+0x5ce/0x630
[ 556.485032] evict+0x16f/0x290
[ 556.485664] iput+0x280/0x300
[ 556.486300] dentry_unlink_inode+0x165/0x1e0
[ 556.487169] __dentry_kill+0x16a/0x260
[ 556.487936] dentry_kill+0x70/0x250
[ 556.488651] shrink_dentry_list+0x125/0x260
[ 556.489504] shrink_dcache_parent+0xc1/0x110
[ 556.490379] ? shrink_dcache_sb+0x200/0x200
[ 556.491231] ? bit_wait_timeout+0xc0/0xc0
[ 556.492047] do_one_tree+0x12/0x40
[ 556.492743] shrink_dcache_for_umount+0x3f/0xa0
[ 556.493656] generic_shutdown_super+0x43/0x1c0
[ 556.494561] kill_block_super+0x52/0x80
[ 556.495341] kill_f2fs_super+0x62/0x70
[ 556.496105] deactivate_locked_super+0x6f/0xa0
[ 556.497004] deactivate_super+0x5e/0x80
[ 556.497785] cleanup_mnt+0x61/0xa0
[ 556.498492] __cleanup_mnt+0x12/0x20
[ 556.499218] task_work_run+0xc8/0xf0
[ 556.499949] exit_to_usermode_loop+0x125/0x130
[ 556.500846] do_syscall_64+0x138/0x170
[ 556.501609] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 556.502659] RIP: 0033:0x7f8028b77487
[ 556.503384] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
[ 556.507137] RSP: 002b:
00007fff9f2e3598 EFLAGS:
00000246 ORIG_RAX:
00000000000000a6
[ 556.508637] RAX:
0000000000000000 RBX:
0000000000ebd030 RCX:
00007f8028b77487
[ 556.510069] RDX:
0000000000000001 RSI:
0000000000000000 RDI:
0000000000ec41e0
[ 556.511481] RBP:
0000000000ec41e0 R08:
0000000000000000 R09:
0000000000000014
[ 556.512892] R10:
00000000000006b2 R11:
0000000000000246 R12:
00007f802908083c
[ 556.514320] R13:
0000000000000000 R14:
0000000000ebd210 R15:
00007fff9f2e3820
[ 556.515745] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[ 556.529276] ---[ end trace
4ce02f25ff7d3df5 ]---
[ 556.530340] RIP: 0010:f2fs_truncate_inode_blocks+0x4a7/0x6f0
[ 556.531513] Code: e8 ae ea ff ff 41 89 c7 c1 e8 1f 84 c0 74 0a 41 83 ff fe 0f 85 35 ff ff ff 81 85 b0 fe ff ff fb 03 00 00 e9 f7 fd ff ff 0f 0b <0f> 0b e8 62 b7 9a 00 48 8b bd a0 fe ff ff e8 56 54 ae ff 48 8b b5
[ 556.535330] RSP: 0018:
ffff8801f292f808 EFLAGS:
00010286
[ 556.536395] RAX:
ffffed003e73242d RBX:
ffff8801f292f958 RCX:
ffffffffb88b81bc
[ 556.537824] RDX:
0000000000000000 RSI:
0000000000000004 RDI:
ffff8801f3992164
[ 556.539290] RBP:
ffff8801f292f980 R08:
ffffed003e73242d R09:
ffffed003e73242d
[ 556.540709] R10:
0000000000000001 R11:
ffffed003e73242c R12:
00000000fffffc64
[ 556.542131] R13:
ffff8801f3992000 R14:
0000000000000058 R15:
00000000ffff8801
[ 556.543579] FS:
00007f8029297840(0000) GS:
ffff8801f6f00000(0000) knlGS:
0000000000000000
[ 556.545180] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 556.546338] CR2:
000055f5f57305d8 CR3:
00000001f18b0000 CR4:
00000000000006e0
[ 556.547809] ==================================================================
[ 556.549248] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x52/0x170
[ 556.550672] Write of size 8 at addr
ffff8801f292fd10 by task umount/1310
[ 556.552338] CPU: 1 PID: 1310 Comm: umount Tainted: G D 4.18.0-rc1+ #4
[ 556.553886] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 556.555756] Call Trace:
[ 556.556264] dump_stack+0x7b/0xb5
[ 556.556944] print_address_description+0x70/0x290
[ 556.557903] kasan_report+0x291/0x390
[ 556.558649] ? arch_tlb_gather_mmu+0x52/0x170
[ 556.559537] __asan_store8+0x57/0x90
[ 556.560268] arch_tlb_gather_mmu+0x52/0x170
[ 556.561110] tlb_gather_mmu+0x12/0x40
[ 556.561862] exit_mmap+0x123/0x2a0
[ 556.562555] ? __ia32_sys_munmap+0x50/0x50
[ 556.563384] ? exit_aio+0x98/0x230
[ 556.564079] ? __x32_compat_sys_io_submit+0x260/0x260
[ 556.565099] ? taskstats_exit+0x1f4/0x640
[ 556.565925] ? kasan_check_read+0x11/0x20
[ 556.566739] ? mm_update_next_owner+0x322/0x380
[ 556.567652] mmput+0x8b/0x1d0
[ 556.568260] do_exit+0x43a/0x1390
[ 556.568937] ? mm_update_next_owner+0x380/0x380
[ 556.569855] ? deactivate_super+0x5e/0x80
[ 556.570668] ? cleanup_mnt+0x61/0xa0
[ 556.571395] ? __cleanup_mnt+0x12/0x20
[ 556.572156] ? task_work_run+0xc8/0xf0
[ 556.572917] ? exit_to_usermode_loop+0x125/0x130
[ 556.573861] rewind_stack_do_exit+0x17/0x20
[ 556.574707] RIP: 0033:0x7f8028b77487
[ 556.575428] Code: Bad RIP value.
[ 556.576106] RSP: 002b:
00007fff9f2e3598 EFLAGS:
00000246 ORIG_RAX:
00000000000000a6
[ 556.577599] RAX:
0000000000000000 RBX:
0000000000ebd030 RCX:
00007f8028b77487
[ 556.579020] RDX:
0000000000000001 RSI:
0000000000000000 RDI:
0000000000ec41e0
[ 556.580422] RBP:
0000000000ec41e0 R08:
0000000000000000 R09:
0000000000000014
[ 556.581833] R10:
00000000000006b2 R11:
0000000000000246 R12:
00007f802908083c
[ 556.583252] R13:
0000000000000000 R14:
0000000000ebd210 R15:
00007fff9f2e3820
[ 556.584983] The buggy address belongs to the page:
[ 556.585961] page:
ffffea0007ca4bc0 count:0 mapcount:0 mapping:
0000000000000000 index:0x0
[ 556.587540] flags: 0x2ffff0000000000()
[ 556.588296] raw:
02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
[ 556.589822] raw:
0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 556.591359] page dumped because: kasan: bad access detected
[ 556.592786] Memory state around the buggy address:
[ 556.593753]
ffff8801f292fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 556.595191]
ffff8801f292fc80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[ 556.596613] >
ffff8801f292fd00: 00 00 f3 00 00 00 00 f3 f3 00 00 00 00 f4 f4 f4
[ 556.598044] ^
[ 556.598797]
ffff8801f292fd80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 556.600225]
ffff8801f292fe00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4
[ 556.601647] ==================================================================
- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/node.c#L987
case NODE_DIND_BLOCK:
err = truncate_nodes(&dn, nofs, offset[1], 3);
cont = 0;
break;
default:
BUG(); <---
}
Reported-by Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Yunlei He [Wed, 27 Jun 2018 06:46:21 +0000 (14:46 +0800)]
f2fs: Allocate and stat mem used by free nid bitmap more accurately
This patch used f2fs_bitmap_size macro to calculate mem used by
free nid bitmap, and stat used mem including aligned part.
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Wed, 27 Jun 2018 10:05:54 +0000 (18:05 +0800)]
f2fs: fix to do sanity check with user_block_count
This patch fixs to do sanity check with user_block_count.
- Overview
Divide zero in utilization when mount() a corrupted f2fs image
- Reproduce (4.18 upstream kernel)
- Kernel message
[ 564.099503] F2FS-fs (loop0): invalid crc value
[ 564.101991] divide error: 0000 [#1] SMP KASAN PTI
[ 564.103103] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Not tainted 4.18.0-rc1+ #4
[ 564.104584] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 564.106624] RIP: 0010:issue_discard_thread+0x248/0x5c0
[ 564.107692] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
[ 564.111686] RSP: 0018:
ffff8801f3117dc0 EFLAGS:
00010206
[ 564.112775] RAX:
0000000000000384 RBX:
0000000000000000 RCX:
ffffffffb88c1e03
[ 564.114250] RDX:
0000000000000000 RSI:
dffffc0000000000 RDI:
ffff8801e3aa4850
[ 564.115706] RBP:
ffff8801f3117f00 R08:
1ffffffff751a1d0 R09:
fffffbfff751a1d0
[ 564.117177] R10:
0000000000000001 R11:
fffffbfff751a1d0 R12:
00000000fffffffc
[ 564.118634] R13:
ffff8801e3aa4400 R14:
ffff8801f3117ed8 R15:
ffff8801e2050000
[ 564.120094] FS:
0000000000000000(0000) GS:
ffff8801f6f00000(0000) knlGS:
0000000000000000
[ 564.121748] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 564.122923] CR2:
000000000202b078 CR3:
00000001f11ac000 CR4:
00000000000006e0
[ 564.124383] Call Trace:
[ 564.124924] ? __issue_discard_cmd+0x480/0x480
[ 564.125882] ? __sched_text_start+0x8/0x8
[ 564.126756] ? __kthread_parkme+0xcb/0x100
[ 564.127620] ? kthread_blkcg+0x70/0x70
[ 564.128412] kthread+0x180/0x1d0
[ 564.129105] ? __issue_discard_cmd+0x480/0x480
[ 564.130029] ? kthread_associate_blkcg+0x150/0x150
[ 564.131033] ret_from_fork+0x35/0x40
[ 564.131794] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[ 564.141798] ---[ end trace
4ce02f25ff7d3df5 ]---
[ 564.142773] RIP: 0010:issue_discard_thread+0x248/0x5c0
[ 564.143885] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
[ 564.147776] RSP: 0018:
ffff8801f3117dc0 EFLAGS:
00010206
[ 564.148856] RAX:
0000000000000384 RBX:
0000000000000000 RCX:
ffffffffb88c1e03
[ 564.150424] RDX:
0000000000000000 RSI:
dffffc0000000000 RDI:
ffff8801e3aa4850
[ 564.151906] RBP:
ffff8801f3117f00 R08:
1ffffffff751a1d0 R09:
fffffbfff751a1d0
[ 564.153463] R10:
0000000000000001 R11:
fffffbfff751a1d0 R12:
00000000fffffffc
[ 564.154915] R13:
ffff8801e3aa4400 R14:
ffff8801f3117ed8 R15:
ffff8801e2050000
[ 564.156405] FS:
0000000000000000(0000) GS:
ffff8801f6f00000(0000) knlGS:
0000000000000000
[ 564.158070] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 564.159279] CR2:
000000000202b078 CR3:
00000001f11ac000 CR4:
00000000000006e0
[ 564.161043] ==================================================================
[ 564.162587] BUG: KASAN: stack-out-of-bounds in from_kuid_munged+0x1d/0x50
[ 564.163994] Read of size 4 at addr
ffff8801f3117c84 by task f2fs_discard-7:/1298
[ 564.165852] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Tainted: G D 4.18.0-rc1+ #4
[ 564.167593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 564.169522] Call Trace:
[ 564.170057] dump_stack+0x7b/0xb5
[ 564.170778] print_address_description+0x70/0x290
[ 564.171765] kasan_report+0x291/0x390
[ 564.172540] ? from_kuid_munged+0x1d/0x50
[ 564.173408] __asan_load4+0x78/0x80
[ 564.174148] from_kuid_munged+0x1d/0x50
[ 564.174962] do_notify_parent+0x1f5/0x4f0
[ 564.175808] ? send_sigqueue+0x390/0x390
[ 564.176639] ? css_set_move_task+0x152/0x340
[ 564.184197] do_exit+0x1290/0x1390
[ 564.184950] ? __issue_discard_cmd+0x480/0x480
[ 564.185884] ? mm_update_next_owner+0x380/0x380
[ 564.186829] ? __sched_text_start+0x8/0x8
[ 564.187672] ? __kthread_parkme+0xcb/0x100
[ 564.188528] ? kthread_blkcg+0x70/0x70
[ 564.189333] ? kthread+0x180/0x1d0
[ 564.190052] ? __issue_discard_cmd+0x480/0x480
[ 564.190983] rewind_stack_do_exit+0x17/0x20
[ 564.192190] The buggy address belongs to the page:
[ 564.193213] page:
ffffea0007cc45c0 count:0 mapcount:0 mapping:
0000000000000000 index:0x0
[ 564.194856] flags: 0x2ffff0000000000()
[ 564.195644] raw:
02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
[ 564.197247] raw:
0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 564.198826] page dumped because: kasan: bad access detected
[ 564.200299] Memory state around the buggy address:
[ 564.201306]
ffff8801f3117b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 564.202779]
ffff8801f3117c00: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
[ 564.204252] >
ffff8801f3117c80: f3 f3 f3 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 564.205742] ^
[ 564.206424]
ffff8801f3117d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 564.207908]
ffff8801f3117d80: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[ 564.209389] ==================================================================
[ 564.231795] F2FS-fs (loop0): Mounted with checkpoint version = 2
- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L586
return div_u64((u64)valid_user_blocks(sbi) * 100,
sbi->user_block_count);
Missing checks on sbi->user_block_count.
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 25 Jun 2018 15:29:49 +0000 (23:29 +0800)]
f2fs: fix to do sanity check with extra_attr feature
If FI_EXTRA_ATTR is set in inode by fuzzing, inode.i_addr[0] will be
parsed as inode.i_extra_isize, then in __recover_inline_status, inline
data address will beyond boundary of page, result in accessing invalid
memory.
So in this condition, during reading inode page, let's do sanity check
with EXTRA_ATTR feature of fs and extra_attr bit of inode, if they're
inconsistent, deny to load this inode.
- Overview
Out-of-bound access in f2fs_iget() when mounting a corrupted f2fs image
- Reproduce
The following message will be got in KASAN build of 4.18 upstream kernel.
[ 819.392227] ==================================================================
[ 819.393901] BUG: KASAN: slab-out-of-bounds in f2fs_iget+0x736/0x1530
[ 819.395329] Read of size 4 at addr
ffff8801f099c968 by task mount/1292
[ 819.397079] CPU: 1 PID: 1292 Comm: mount Not tainted 4.18.0-rc1+ #4
[ 819.397082] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 819.397088] Call Trace:
[ 819.397124] dump_stack+0x7b/0xb5
[ 819.397154] print_address_description+0x70/0x290
[ 819.397159] kasan_report+0x291/0x390
[ 819.397163] ? f2fs_iget+0x736/0x1530
[ 819.397176] check_memory_region+0x139/0x190
[ 819.397182] __asan_loadN+0xf/0x20
[ 819.397185] f2fs_iget+0x736/0x1530
[ 819.397197] f2fs_fill_super+0x1b4f/0x2b40
[ 819.397202] ? f2fs_fill_super+0x1b4f/0x2b40
[ 819.397208] ? f2fs_commit_super+0x1b0/0x1b0
[ 819.397227] ? set_blocksize+0x90/0x140
[ 819.397241] mount_bdev+0x1c5/0x210
[ 819.397245] ? f2fs_commit_super+0x1b0/0x1b0
[ 819.397252] f2fs_mount+0x15/0x20
[ 819.397256] mount_fs+0x60/0x1a0
[ 819.397267] ? alloc_vfsmnt+0x309/0x360
[ 819.397272] vfs_kern_mount+0x6b/0x1a0
[ 819.397282] do_mount+0x34a/0x18c0
[ 819.397300] ? lockref_put_or_lock+0xcf/0x160
[ 819.397306] ? copy_mount_string+0x20/0x20
[ 819.397318] ? memcg_kmem_put_cache+0x1b/0xa0
[ 819.397324] ? kasan_check_write+0x14/0x20
[ 819.397334] ? _copy_from_user+0x6a/0x90
[ 819.397353] ? memdup_user+0x42/0x60
[ 819.397359] ksys_mount+0x83/0xd0
[ 819.397365] __x64_sys_mount+0x67/0x80
[ 819.397388] do_syscall_64+0x78/0x170
[ 819.397403] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 819.397422] RIP: 0033:0x7f54c667cb9a
[ 819.397424] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 819.397483] RSP: 002b:
00007ffd8f46cd08 EFLAGS:
00000202 ORIG_RAX:
00000000000000a5
[ 819.397496] RAX:
ffffffffffffffda RBX:
0000000000dfa030 RCX:
00007f54c667cb9a
[ 819.397498] RDX:
0000000000dfa210 RSI:
0000000000dfbf30 RDI:
0000000000e02ec0
[ 819.397501] RBP:
0000000000000000 R08:
0000000000000000 R09:
0000000000000013
[ 819.397503] R10:
00000000c0ed0000 R11:
0000000000000202 R12:
0000000000e02ec0
[ 819.397505] R13:
0000000000dfa210 R14:
0000000000000000 R15:
0000000000000003
[ 819.397866] Allocated by task 139:
[ 819.398702] save_stack+0x46/0xd0
[ 819.398705] kasan_kmalloc+0xad/0xe0
[ 819.398709] kasan_slab_alloc+0x11/0x20
[ 819.398713] kmem_cache_alloc+0xd1/0x1e0
[ 819.398717] dup_fd+0x50/0x4c0
[ 819.398740] copy_process.part.37+0xbed/0x32e0
[ 819.398744] _do_fork+0x16e/0x590
[ 819.398748] __x64_sys_clone+0x69/0x80
[ 819.398752] do_syscall_64+0x78/0x170
[ 819.398756] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 819.399097] Freed by task 159:
[ 819.399743] save_stack+0x46/0xd0
[ 819.399747] __kasan_slab_free+0x13c/0x1a0
[ 819.399750] kasan_slab_free+0xe/0x10
[ 819.399754] kmem_cache_free+0x89/0x1e0
[ 819.399757] put_files_struct+0x132/0x150
[ 819.399761] exit_files+0x62/0x70
[ 819.399766] do_exit+0x47b/0x1390
[ 819.399770] do_group_exit+0x86/0x130
[ 819.399774] __x64_sys_exit_group+0x2c/0x30
[ 819.399778] do_syscall_64+0x78/0x170
[ 819.399782] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 819.400115] The buggy address belongs to the object at
ffff8801f099c680
which belongs to the cache files_cache of size 704
[ 819.403234] The buggy address is located 40 bytes to the right of
704-byte region [
ffff8801f099c680,
ffff8801f099c940)
[ 819.405689] The buggy address belongs to the page:
[ 819.406709] page:
ffffea0007c26700 count:1 mapcount:0 mapping:
ffff8801f69a3340 index:0xffff8801f099d380 compound_mapcount: 0
[ 819.408984] flags: 0x2ffff0000008100(slab|head)
[ 819.409932] raw:
02ffff0000008100 ffffea00077fb600 0000000200000002 ffff8801f69a3340
[ 819.411514] raw:
ffff8801f099d380 0000000080130000 00000001ffffffff 0000000000000000
[ 819.413073] page dumped because: kasan: bad access detected
[ 819.414539] Memory state around the buggy address:
[ 819.415521]
ffff8801f099c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 819.416981]
ffff8801f099c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 819.418454] >
ffff8801f099c900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 819.419921] ^
[ 819.421265]
ffff8801f099c980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 819.422745]
ffff8801f099ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 819.424206] ==================================================================
[ 819.425668] Disabling lock debugging due to kernel taint
[ 819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
The kernel still mounts the image. If you run the following program on the mounted folder mnt,
(poc.c)
static void activity(char *mpoint) {
char *foo_bar_baz;
int err;
static int buf[8192];
memset(buf, 0, sizeof(buf));
err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);
int fd = open(foo_bar_baz, O_RDONLY, 0);
if (fd >= 0) {
read(fd, (char *)buf, 11);
close(fd);
}
}
int main(int argc, char *argv[]) {
activity(argv[1]);
return 0;
}
You can get kernel crash:
[ 819.457463] F2FS-fs (loop0): Mounted with checkpoint version = 3
[ 918.028501] BUG: unable to handle kernel paging request at
ffffed0048000d82
[ 918.044020] PGD
23ffee067 P4D
23ffee067 PUD
23fbef067 PMD 0
[ 918.045207] Oops: 0000 [#1] SMP KASAN PTI
[ 918.046048] CPU: 0 PID: 1309 Comm: poc Tainted: G B 4.18.0-rc1+ #4
[ 918.047573] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 918.049552] RIP: 0010:check_memory_region+0x5e/0x190
[ 918.050565] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
[ 918.054322] RSP: 0018:
ffff8801e3a1f258 EFLAGS:
00010202
[ 918.055400] RAX:
ffffed0048000d82 RBX:
ffff880240006c11 RCX:
ffffffffb8867d14
[ 918.056832] RDX:
0000000000000000 RSI:
0000000000000002 RDI:
ffff880240006c10
[ 918.058253] RBP:
ffff8801e3a1f268 R08:
1ffff10048000d82 R09:
ffffed0048000d82
[ 918.059717] R10:
0000000000000001 R11:
ffffed0048000d82 R12:
ffffed0048000d83
[ 918.061159] R13:
ffff8801e3a1f390 R14:
0000000000000000 R15:
ffff880240006c08
[ 918.062614] FS:
00007fac9732c700(0000) GS:
ffff8801f6e00000(0000) knlGS:
0000000000000000
[ 918.064246] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 918.065412] CR2:
ffffed0048000d82 CR3:
00000001df77a000 CR4:
00000000000006f0
[ 918.066882] Call Trace:
[ 918.067410] __asan_loadN+0xf/0x20
[ 918.068149] f2fs_find_target_dentry+0xf4/0x270
[ 918.069083] ? __get_node_page+0x331/0x5b0
[ 918.069925] f2fs_find_in_inline_dir+0x24b/0x310
[ 918.070881] ? f2fs_recover_inline_data+0x4c0/0x4c0
[ 918.071905] ? unwind_next_frame.part.5+0x34f/0x490
[ 918.072901] ? unwind_dump+0x290/0x290
[ 918.073695] ? is_bpf_text_address+0xe/0x20
[ 918.074566] __f2fs_find_entry+0x599/0x670
[ 918.075408] ? kasan_unpoison_shadow+0x36/0x50
[ 918.076315] ? kasan_kmalloc+0xad/0xe0
[ 918.077100] ? memcg_kmem_put_cache+0x55/0xa0
[ 918.077998] ? f2fs_find_target_dentry+0x270/0x270
[ 918.079006] ? d_set_d_op+0x30/0x100
[ 918.079749] ? __d_lookup_rcu+0x69/0x2e0
[ 918.080556] ? __d_alloc+0x275/0x450
[ 918.081297] ? kasan_check_write+0x14/0x20
[ 918.082135] ? memset+0x31/0x40
[ 918.082820] ? fscrypt_setup_filename+0x1ec/0x4c0
[ 918.083782] ? d_alloc_parallel+0x5bb/0x8c0
[ 918.084640] f2fs_find_entry+0xe9/0x110
[ 918.085432] ? __f2fs_find_entry+0x670/0x670
[ 918.086308] ? kasan_check_write+0x14/0x20
[ 918.087163] f2fs_lookup+0x297/0x590
[ 918.087902] ? f2fs_link+0x2b0/0x2b0
[ 918.088646] ? legitimize_path.isra.29+0x61/0xa0
[ 918.089589] __lookup_slow+0x12e/0x240
[ 918.090371] ? may_delete+0x2b0/0x2b0
[ 918.091123] ? __nd_alloc_stack+0xa0/0xa0
[ 918.091944] lookup_slow+0x44/0x60
[ 918.092642] walk_component+0x3ee/0xa40
[ 918.093428] ? is_bpf_text_address+0xe/0x20
[ 918.094283] ? pick_link+0x3e0/0x3e0
[ 918.095047] ? in_group_p+0xa5/0xe0
[ 918.095771] ? generic_permission+0x53/0x1e0
[ 918.096666] ? security_inode_permission+0x1d/0x70
[ 918.097646] ? inode_permission+0x7a/0x1f0
[ 918.098497] link_path_walk+0x2a2/0x7b0
[ 918.099298] ? apparmor_capget+0x3d0/0x3d0
[ 918.100140] ? walk_component+0xa40/0xa40
[ 918.100958] ? path_init+0x2e6/0x580
[ 918.101695] path_openat+0x1bb/0x2160
[ 918.102471] ? __save_stack_trace+0x92/0x100
[ 918.103352] ? save_stack+0xb5/0xd0
[ 918.104070] ? vfs_unlink+0x250/0x250
[ 918.104822] ? save_stack+0x46/0xd0
[ 918.105538] ? kasan_slab_alloc+0x11/0x20
[ 918.106370] ? kmem_cache_alloc+0xd1/0x1e0
[ 918.107213] ? getname_flags+0x76/0x2c0
[ 918.107997] ? getname+0x12/0x20
[ 918.108677] ? do_sys_open+0x14b/0x2c0
[ 918.109450] ? __x64_sys_open+0x4c/0x60
[ 918.110255] ? do_syscall_64+0x78/0x170
[ 918.111083] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 918.112148] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 918.113204] ? f2fs_empty_inline_dir+0x1e0/0x1e0
[ 918.114150] ? timespec64_trunc+0x5c/0x90
[ 918.114993] ? wb_io_lists_depopulated+0x1a/0xc0
[ 918.115937] ? inode_io_list_move_locked+0x102/0x110
[ 918.116949] do_filp_open+0x12b/0x1d0
[ 918.117709] ? may_open_dev+0x50/0x50
[ 918.118475] ? kasan_kmalloc+0xad/0xe0
[ 918.119246] do_sys_open+0x17c/0x2c0
[ 918.119983] ? do_sys_open+0x17c/0x2c0
[ 918.120751] ? filp_open+0x60/0x60
[ 918.121463] ? task_work_run+0x4d/0xf0
[ 918.122237] __x64_sys_open+0x4c/0x60
[ 918.123001] do_syscall_64+0x78/0x170
[ 918.123759] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 918.124802] RIP: 0033:0x7fac96e3e040
[ 918.125537] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24
[ 918.129341] RSP: 002b:
00007fff1b37f848 EFLAGS:
00000246 ORIG_RAX:
0000000000000002
[ 918.130870] RAX:
ffffffffffffffda RBX:
0000000000000000 RCX:
00007fac96e3e040
[ 918.132295] RDX:
0000000000000000 RSI:
0000000000000000 RDI:
000000000122d080
[ 918.133748] RBP:
00007fff1b37f9b0 R08:
00007fac9710bbd8 R09:
0000000000000001
[ 918.135209] R10:
000000000000069d R11:
0000000000000246 R12:
0000000000400c20
[ 918.136650] R13:
00007fff1b37fab0 R14:
0000000000000000 R15:
0000000000000000
[ 918.138093] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[ 918.147924] CR2:
ffffed0048000d82
[ 918.148619] ---[ end trace
4ce02f25ff7d3df5 ]---
[ 918.149563] RIP: 0010:check_memory_region+0x5e/0x190
[ 918.150576] Code: f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 32 <41> 80 39 00 75 23 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 c0
[ 918.154360] RSP: 0018:
ffff8801e3a1f258 EFLAGS:
00010202
[ 918.155411] RAX:
ffffed0048000d82 RBX:
ffff880240006c11 RCX:
ffffffffb8867d14
[ 918.156833] RDX:
0000000000000000 RSI:
0000000000000002 RDI:
ffff880240006c10
[ 918.158257] RBP:
ffff8801e3a1f268 R08:
1ffff10048000d82 R09:
ffffed0048000d82
[ 918.159722] R10:
0000000000000001 R11:
ffffed0048000d82 R12:
ffffed0048000d83
[ 918.161149] R13:
ffff8801e3a1f390 R14:
0000000000000000 R15:
ffff880240006c08
[ 918.162587] FS:
00007fac9732c700(0000) GS:
ffff8801f6e00000(0000) knlGS:
0000000000000000
[ 918.164203] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 918.165356] CR2:
ffffed0048000d82 CR3:
00000001df77a000 CR4:
00000000000006f0
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 25 Jun 2018 12:33:24 +0000 (20:33 +0800)]
f2fs: fix to correct return value of f2fs_trim_fs
We should account trimmed block number from __wait_all_discard_cmd
in __issue_discard_cmd_range, otherwise trimmed blocks returned
by f2fs_trim_fs will be wrong, this patch fixes it.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Sat, 23 Jun 2018 03:25:19 +0000 (11:25 +0800)]
f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
This patch adds to do sanity check with {sit,nat}_ver_bitmap_bytesize
during mount, in order to avoid accessing across cache boundary with
this abnormal bitmap size.
- Overview
buffer overrun in build_sit_info() when mounting a crafted f2fs image
- Reproduce
- Kernel message
[ 548.580867] F2FS-fs (loop0): Invalid log blocks per segment (8201)
[ 548.580877] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[ 548.584979] ==================================================================
[ 548.586568] BUG: KASAN: use-after-free in kmemdup+0x36/0x50
[ 548.587715] Read of size 64 at addr
ffff8801e9c265ff by task mount/1295
[ 548.589428] CPU: 1 PID: 1295 Comm: mount Not tainted 4.18.0-rc1+ #4
[ 548.589432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 548.589438] Call Trace:
[ 548.589474] dump_stack+0x7b/0xb5
[ 548.589487] print_address_description+0x70/0x290
[ 548.589492] kasan_report+0x291/0x390
[ 548.589496] ? kmemdup+0x36/0x50
[ 548.589509] check_memory_region+0x139/0x190
[ 548.589514] memcpy+0x23/0x50
[ 548.589518] kmemdup+0x36/0x50
[ 548.589545] f2fs_build_segment_manager+0x8fa/0x3410
[ 548.589551] ? __asan_loadN+0xf/0x20
[ 548.589560] ? f2fs_sanity_check_ckpt+0x1be/0x240
[ 548.589566] ? f2fs_flush_sit_entries+0x10c0/0x10c0
[ 548.589587] ? __put_user_ns+0x40/0x40
[ 548.589604] ? find_next_bit+0x57/0x90
[ 548.589610] f2fs_fill_super+0x194b/0x2b40
[ 548.589617] ? f2fs_commit_super+0x1b0/0x1b0
[ 548.589637] ? set_blocksize+0x90/0x140
[ 548.589651] mount_bdev+0x1c5/0x210
[ 548.589655] ? f2fs_commit_super+0x1b0/0x1b0
[ 548.589667] f2fs_mount+0x15/0x20
[ 548.589672] mount_fs+0x60/0x1a0
[ 548.589683] ? alloc_vfsmnt+0x309/0x360
[ 548.589688] vfs_kern_mount+0x6b/0x1a0
[ 548.589699] do_mount+0x34a/0x18c0
[ 548.589710] ? lockref_put_or_lock+0xcf/0x160
[ 548.589716] ? copy_mount_string+0x20/0x20
[ 548.589728] ? memcg_kmem_put_cache+0x1b/0xa0
[ 548.589734] ? kasan_check_write+0x14/0x20
[ 548.589740] ? _copy_from_user+0x6a/0x90
[ 548.589744] ? memdup_user+0x42/0x60
[ 548.589750] ksys_mount+0x83/0xd0
[ 548.589755] __x64_sys_mount+0x67/0x80
[ 548.589781] do_syscall_64+0x78/0x170
[ 548.589797] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 548.589820] RIP: 0033:0x7f76fc331b9a
[ 548.589821] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 548.589880] RSP: 002b:
00007ffd4f0a0e48 EFLAGS:
00000206 ORIG_RAX:
00000000000000a5
[ 548.589890] RAX:
ffffffffffffffda RBX:
000000000146c030 RCX:
00007f76fc331b9a
[ 548.589892] RDX:
000000000146c210 RSI:
000000000146df30 RDI:
0000000001474ec0
[ 548.589895] RBP:
0000000000000000 R08:
0000000000000000 R09:
0000000000000013
[ 548.589897] R10:
00000000c0ed0000 R11:
0000000000000206 R12:
0000000001474ec0
[ 548.589900] R13:
000000000146c210 R14:
0000000000000000 R15:
0000000000000003
[ 548.590242] The buggy address belongs to the page:
[ 548.591243] page:
ffffea0007a70980 count:0 mapcount:0 mapping:
0000000000000000 index:0x0
[ 548.592886] flags: 0x2ffff0000000000()
[ 548.593665] raw:
02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
[ 548.595258] raw:
0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 548.603713] page dumped because: kasan: bad access detected
[ 548.605203] Memory state around the buggy address:
[ 548.606198]
ffff8801e9c26480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 548.607676]
ffff8801e9c26500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 548.609157] >
ffff8801e9c26580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 548.610629] ^
[ 548.612088]
ffff8801e9c26600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 548.613674]
ffff8801e9c26680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 548.615141] ==================================================================
[ 548.616613] Disabling lock debugging due to kernel taint
[ 548.622871] WARNING: CPU: 1 PID: 1295 at mm/page_alloc.c:4065 __alloc_pages_slowpath+0xe4a/0x1420
[ 548.622878] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[ 548.623217] CPU: 1 PID: 1295 Comm: mount Tainted: G B 4.18.0-rc1+ #4
[ 548.623219] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 548.623226] RIP: 0010:__alloc_pages_slowpath+0xe4a/0x1420
[ 548.623227] Code: ff ff 01 89 85 c8 fe ff ff e9 91 fc ff ff 41 89 c5 e9 5c fc ff ff 0f 0b 89 f8 25 ff ff f7 ff 89 85 8c fe ff ff e9 d5 f2 ff ff <0f> 0b e9 65 f2 ff ff 65 8b 05 38 81 d2 47 f6 c4 01 74 1c 65 48 8b
[ 548.623281] RSP: 0018:
ffff8801f28c7678 EFLAGS:
00010246
[ 548.623284] RAX:
0000000000000000 RBX:
00000000006040c0 RCX:
ffffffffb82f73b7
[ 548.623287] RDX:
1ffff1003e518eeb RSI:
000000000000000c RDI:
0000000000000000
[ 548.623290] RBP:
ffff8801f28c7880 R08:
0000000000000000 R09:
ffffed0047fff2c5
[ 548.623292] R10:
0000000000000001 R11:
ffffed0047fff2c4 R12:
ffff8801e88de040
[ 548.623295] R13:
00000000006040c0 R14:
000000000000000c R15:
ffff8801f28c7938
[ 548.623299] FS:
00007f76fca51840(0000) GS:
ffff8801f6f00000(0000) knlGS:
0000000000000000
[ 548.623302] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 548.623304] CR2:
00007f19b9171760 CR3:
00000001ed952000 CR4:
00000000000006e0
[ 548.623317] Call Trace:
[ 548.623325] ? kasan_check_read+0x11/0x20
[ 548.623330] ? __zone_watermark_ok+0x92/0x240
[ 548.623336] ? get_page_from_freelist+0x1c3/0x1d90
[ 548.623347] ? _raw_spin_lock_irqsave+0x2a/0x60
[ 548.623353] ? warn_alloc+0x250/0x250
[ 548.623358] ? save_stack+0x46/0xd0
[ 548.623361] ? kasan_kmalloc+0xad/0xe0
[ 548.623366] ? __isolate_free_page+0x2a0/0x2a0
[ 548.623370] ? mount_fs+0x60/0x1a0
[ 548.623374] ? vfs_kern_mount+0x6b/0x1a0
[ 548.623378] ? do_mount+0x34a/0x18c0
[ 548.623383] ? ksys_mount+0x83/0xd0
[ 548.623387] ? __x64_sys_mount+0x67/0x80
[ 548.623391] ? do_syscall_64+0x78/0x170
[ 548.623396] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 548.623401] __alloc_pages_nodemask+0x3c5/0x400
[ 548.623407] ? __alloc_pages_slowpath+0x1420/0x1420
[ 548.623412] ? __mutex_lock_slowpath+0x20/0x20
[ 548.623417] ? kvmalloc_node+0x31/0x80
[ 548.623424] alloc_pages_current+0x75/0x110
[ 548.623436] kmalloc_order+0x24/0x60
[ 548.623442] kmalloc_order_trace+0x24/0xb0
[ 548.623448] __kmalloc_track_caller+0x207/0x220
[ 548.623455] ? f2fs_build_node_manager+0x399/0xbb0
[ 548.623460] kmemdup+0x20/0x50
[ 548.623465] f2fs_build_node_manager+0x399/0xbb0
[ 548.623470] f2fs_fill_super+0x195e/0x2b40
[ 548.623477] ? f2fs_commit_super+0x1b0/0x1b0
[ 548.623481] ? set_blocksize+0x90/0x140
[ 548.623486] mount_bdev+0x1c5/0x210
[ 548.623489] ? f2fs_commit_super+0x1b0/0x1b0
[ 548.623495] f2fs_mount+0x15/0x20
[ 548.623498] mount_fs+0x60/0x1a0
[ 548.623503] ? alloc_vfsmnt+0x309/0x360
[ 548.623508] vfs_kern_mount+0x6b/0x1a0
[ 548.623513] do_mount+0x34a/0x18c0
[ 548.623518] ? lockref_put_or_lock+0xcf/0x160
[ 548.623523] ? copy_mount_string+0x20/0x20
[ 548.623528] ? memcg_kmem_put_cache+0x1b/0xa0
[ 548.623533] ? kasan_check_write+0x14/0x20
[ 548.623537] ? _copy_from_user+0x6a/0x90
[ 548.623542] ? memdup_user+0x42/0x60
[ 548.623547] ksys_mount+0x83/0xd0
[ 548.623552] __x64_sys_mount+0x67/0x80
[ 548.623557] do_syscall_64+0x78/0x170
[ 548.623562] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 548.623566] RIP: 0033:0x7f76fc331b9a
[ 548.623567] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 548.623632] RSP: 002b:
00007ffd4f0a0e48 EFLAGS:
00000206 ORIG_RAX:
00000000000000a5
[ 548.623636] RAX:
ffffffffffffffda RBX:
000000000146c030 RCX:
00007f76fc331b9a
[ 548.623639] RDX:
000000000146c210 RSI:
000000000146df30 RDI:
0000000001474ec0
[ 548.623641] RBP:
0000000000000000 R08:
0000000000000000 R09:
0000000000000013
[ 548.623643] R10:
00000000c0ed0000 R11:
0000000000000206 R12:
0000000001474ec0
[ 548.623646] R13:
000000000146c210 R14:
0000000000000000 R15:
0000000000000003
[ 548.623650] ---[ end trace
4ce02f25ff7d3df5 ]---
[ 548.623656] F2FS-fs (loop0): Failed to initialize F2FS node manager
[ 548.627936] F2FS-fs (loop0): Invalid log blocks per segment (8201)
[ 548.627940] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[ 548.635835] F2FS-fs (loop0): Failed to initialize F2FS node manager
- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.c#L3578
sit_i->sit_bitmap = kmemdup(src_bitmap, bitmap_size, GFP_KERNEL);
Buffer overrun happens when doing memcpy. I suspect there is missing (inconsistent) checks on bitmap_size.
Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech.
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Fri, 22 Jun 2018 16:12:36 +0000 (00:12 +0800)]
f2fs: fix to do sanity check with secs_per_zone
As Wen Xu reported in below link:
https://bugzilla.kernel.org/show_bug.cgi?id=200183
- Overview
Divide zero in reset_curseg() when mounting a crafted f2fs image
- Reproduce
- Kernel message
[ 588.281510] divide error: 0000 [#1] SMP KASAN PTI
[ 588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4
[ 588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 588.286178] RIP: 0010:reset_curseg+0x94/0x1a0
[ 588.298166] RSP: 0018:
ffff8801e88d7940 EFLAGS:
00010246
[ 588.299360] RAX:
0000000000000014 RBX:
ffff8801e1d46d00 RCX:
ffffffffb88bf60b
[ 588.300809] RDX:
0000000000000000 RSI:
dffffc0000000000 RDI:
ffff8801e1d46d64
[ 588.305272] R13:
0000000000000000 R14:
0000000000000014 R15:
0000000000000000
[ 588.306822] FS:
00007fad85008840(0000) GS:
ffff8801f6e00000(0000) knlGS:
0000000000000000
[ 588.308456] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 588.309623] CR2:
0000000001705078 CR3:
00000001f30f8000 CR4:
00000000000006f0
[ 588.311085] Call Trace:
[ 588.311637] f2fs_build_segment_manager+0x103f/0x3410
[ 588.316136] ? f2fs_commit_super+0x1b0/0x1b0
[ 588.317031] ? set_blocksize+0x90/0x140
[ 588.319473] f2fs_mount+0x15/0x20
[ 588.320166] mount_fs+0x60/0x1a0
[ 588.320847] ? alloc_vfsmnt+0x309/0x360
[ 588.321647] vfs_kern_mount+0x6b/0x1a0
[ 588.322432] do_mount+0x34a/0x18c0
[ 588.323175] ? strndup_user+0x46/0x70
[ 588.323937] ? copy_mount_string+0x20/0x20
[ 588.324793] ? memcg_kmem_put_cache+0x1b/0xa0
[ 588.325702] ? kasan_check_write+0x14/0x20
[ 588.326562] ? _copy_from_user+0x6a/0x90
[ 588.327375] ? memdup_user+0x42/0x60
[ 588.328118] ksys_mount+0x83/0xd0
[ 588.328808] __x64_sys_mount+0x67/0x80
[ 588.329607] do_syscall_64+0x78/0x170
[ 588.330400] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 588.331461] RIP: 0033:0x7fad848e8b9a
[ 588.336022] RSP: 002b:
00007ffd7c5b6be8 EFLAGS:
00000206 ORIG_RAX:
00000000000000a5
[ 588.337547] RAX:
ffffffffffffffda RBX:
00000000016f8030 RCX:
00007fad848e8b9a
[ 588.338999] RDX:
00000000016f8210 RSI:
00000000016f9f30 RDI:
0000000001700ec0
[ 588.340442] RBP:
0000000000000000 R08:
0000000000000000 R09:
0000000000000013
[ 588.341887] R10:
00000000c0ed0000 R11:
0000000000000206 R12:
0000000001700ec0
[ 588.343341] R13:
00000000016f8210 R14:
0000000000000000 R15:
0000000000000003
[ 588.354891] ---[ end trace
4ce02f25ff7d3df5 ]---
[ 588.355862] RIP: 0010:reset_curseg+0x94/0x1a0
[ 588.360742] RSP: 0018:
ffff8801e88d7940 EFLAGS:
00010246
[ 588.361812] RAX:
0000000000000014 RBX:
ffff8801e1d46d00 RCX:
ffffffffb88bf60b
[ 588.363485] RDX:
0000000000000000 RSI:
dffffc0000000000 RDI:
ffff8801e1d46d64
[ 588.365213] RBP:
ffff8801e88d7968 R08:
ffffed003c32266f R09:
ffffed003c32266f
[ 588.366661] R10:
0000000000000001 R11:
ffffed003c32266e R12:
ffff8801f0337700
[ 588.368110] R13:
0000000000000000 R14:
0000000000000014 R15:
0000000000000000
[ 588.370057] FS:
00007fad85008840(0000) GS:
ffff8801f6e00000(0000) knlGS:
0000000000000000
[ 588.372099] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 588.373291] CR2:
0000000001705078 CR3:
00000001f30f8000 CR4:
00000000000006f0
- Location
https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147
curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno);
If secs_per_zone is corrupted due to fuzzing test, it will cause divide
zero operation when using GET_ZONE_FROM_SEG macro, so we should do more
sanity check with secs_per_zone during mount to avoid this issue.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Fri, 22 Jun 2018 08:06:59 +0000 (16:06 +0800)]
f2fs: disable f2fs_check_rb_tree_consistence
If there is millions of discard entries cached in rb tree, each
sanity check of it can cause very long latency as held cmd_lock
blocking other lock grabbers.
In other aspect, we have enabled the check very long time, as
we see, there is no such inconsistent condition caused by bugs.
But still we do not choose to kill it directly, instead, adding
an flag to disable the check now, if there is related code change,
we can reuse it to detect bugs.
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Tue, 5 Jun 2018 09:44:11 +0000 (17:44 +0800)]
f2fs: introduce and spread verify_blkaddr
This patch introduces verify_blkaddr to check meta/data block address
with valid range to detect bug earlier.
In addition, once we encounter an invalid blkaddr, notice user to run
fsck to fix, and let the kernel panic.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Arnd Bergmann [Wed, 20 Jun 2018 08:02:19 +0000 (10:02 +0200)]
f2fs: use timespec64 for inode timestamps
The on-disk representation and the vfs both use 64-bit tv_sec values,
so let's change the last missing piece in the middle.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Thu, 21 Jun 2018 14:38:28 +0000 (22:38 +0800)]
f2fs: fix to wait on page writeback before updating page
In error path of f2fs_move_rehashed_dirents, inode page could be writeback
state, so we should wait on inode page writeback before updating it.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Thu, 21 Jun 2018 18:29:43 +0000 (11:29 -0700)]
f2fs: assign REQ_RAHEAD to bio for ->readpages
As Jens reported, we'd better assign REQ_RAHEAD to bio by the fact that
->readpages is called only from read-ahead.
In Documentation/filesystems/vfs.txt,
readpages: called by the VM to read pages associated with the address_space
object. This is essentially just a vector version of
readpage. Instead of just one page, several pages are
requested.
readpages is only used for read-ahead, so read errors are
ignored. If anything goes wrong, feel free to give up.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Yunlei He [Thu, 21 Jun 2018 06:49:06 +0000 (14:49 +0800)]
f2fs: fix a hungtask problem caused by congestion_wait
This patch fix hungtask problem which can be reproduced as follow:
Thread 0~3:
while true
do
touch /xxx/test/file_xxx
done
Thread 4 write a new checkpoint every three seconds.
In the meantime, fio start 16 threads for randwrite.
With my debug info, cycles num will exceed 1000 in function
f2fs_sync_dirty_inodes, and most of cycle will be dropped
into congestion_wait() and sleep more than 20ms. Cycles num
reduced to 3 with this patch.
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Dan Carpenter [Wed, 20 Jun 2018 10:39:53 +0000 (13:39 +0300)]
f2fs: Fix uninitialized return in f2fs_ioc_shutdown()
"ret" can be uninitialized on the success path when "in ==
F2FS_GOING_DOWN_FULLSYNC".
Fixes:
60b2b4ee2bc0 ("f2fs: Fix deadlock in shutdown ioctl")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Thu, 21 Jun 2018 04:27:21 +0000 (21:27 -0700)]
f2fs: don't issue discard commands in online discard is on
Actually, we don't need to issue discard commands, if discard is on, as
mentioned in the comment.
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Fri, 15 Jun 2018 06:45:57 +0000 (14:45 +0800)]
f2fs: fix to propagate return value of scan_nat_page()
As Anatoly Trosinenko reported in bugzilla:
How to reproduce:
1. Compile the
73fcb1a370c76 version of the kernel using the config attached
2. Unpack and mount the attached filesystem image as F2FS
3. The kernel will BUG() on mount (BUGs are explicitly enabled in config)
[ 2.233612] F2FS-fs (sda): Found nat_bits in checkpoint
[ 2.248422] ------------[ cut here ]------------
[ 2.248857] kernel BUG at fs/f2fs/node.c:1967!
[ 2.249760] invalid opcode: 0000 [#1] SMP NOPTI
[ 2.250219] Modules linked in:
[ 2.251848] CPU: 0 PID: 944 Comm: mount Not tainted 4.17.0-rc5+ #1
[ 2.252331] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 2.253305] RIP: 0010:build_free_nids+0x337/0x3f0
[ 2.253672] RSP: 0018:
ffffae7fc0857c50 EFLAGS:
00000246
[ 2.254080] RAX:
00000000ffffffff RBX:
0000000000000123 RCX:
0000000000000001
[ 2.254638] RDX:
ffff9aa7063d5c00 RSI:
0000000000000122 RDI:
ffff9aa705852e00
[ 2.255190] RBP:
ffff9aa705852e00 R08:
0000000000000001 R09:
ffff9aa7059090c0
[ 2.255719] R10:
0000000000000000 R11:
0000000000000000 R12:
ffff9aa705852e00
[ 2.256242] R13:
ffff9aa7063ad000 R14:
ffff9aa705919000 R15:
0000000000000123
[ 2.256809] FS:
00000000023078c0(0000) GS:
ffff9aa707800000(0000) knlGS:
0000000000000000
[ 2.258654] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 2.259153] CR2:
00000000005511ae CR3:
0000000005872000 CR4:
00000000000006f0
[ 2.259801] Call Trace:
[ 2.260583] build_node_manager+0x5cd/0x600
[ 2.260963] f2fs_fill_super+0x66a/0x17c0
[ 2.261300] ? f2fs_commit_super+0xe0/0xe0
[ 2.261622] mount_bdev+0x16e/0x1a0
[ 2.261899] mount_fs+0x30/0x150
[ 2.262398] vfs_kern_mount.part.28+0x4f/0xf0
[ 2.262743] do_mount+0x5d0/0xc60
[ 2.263010] ? _copy_from_user+0x37/0x60
[ 2.263313] ? memdup_user+0x39/0x60
[ 2.263692] ksys_mount+0x7b/0xd0
[ 2.263960] __x64_sys_mount+0x1c/0x20
[ 2.264268] do_syscall_64+0x43/0xf0
[ 2.264560] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 2.265095] RIP: 0033:0x48d31a
[ 2.265502] RSP: 002b:
00007ffc6fe60a08 EFLAGS:
00000246 ORIG_RAX:
00000000000000a5
[ 2.266089] RAX:
ffffffffffffffda RBX:
0000000000008000 RCX:
000000000048d31a
[ 2.266607] RDX:
00007ffc6fe62fa5 RSI:
00007ffc6fe62f9d RDI:
00007ffc6fe62f94
[ 2.267130] RBP:
00000000023078a0 R08:
0000000000000000 R09:
0000000000000000
[ 2.267670] R10:
0000000000008000 R11:
0000000000000246 R12:
0000000000000000
[ 2.268192] R13:
0000000000000000 R14:
00007ffc6fe60c78 R15:
0000000000000000
[ 2.268767] Code: e8 5f c3 ff ff 83 c3 01 41 83 c7 01 81 fb c7 01 00 00 74 48 44 39 7d 04 76 42 48 63 c3 48 8d 04 c0 41 8b 44 06 05 83 f8 ff 75 c1 <0f> 0b 49 8b 45 50 48 8d b8 b0 00 00 00 e8 37 59 69 00 b9 01 00
[ 2.270434] RIP: build_free_nids+0x337/0x3f0 RSP:
ffffae7fc0857c50
[ 2.271426] ---[ end trace
ab20c06cd3c8fde4 ]---
During loading NAT entries, we will do sanity check, once the entry info
is corrupted, it will cause BUG_ON directly to protect user data from
being overwrited.
In this case, it will be better to just return failure on mount() instead
of panic, so that user can get hint from kmsg and try fsck for recovery
immediately rather than after an abnormal reboot.
https://bugzilla.kernel.org/show_bug.cgi?id=199769
Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Weichao Guo [Fri, 9 Mar 2018 15:10:21 +0000 (23:10 +0800)]
f2fs: support in-memory inode checksum when checking consistency
Enable in-memory inode checksum to protect metadata blocks from
in-memory scribbles when checking consistency, which has no
performance requirements.
Signed-off-by: Weichao Guo <guoweichao@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 11 Jun 2018 10:02:02 +0000 (18:02 +0800)]
f2fs: fix error path of fill_super
In fill_super, if root inode's attribute is incorrect, we need to
call f2fs_destroy_stats to release stats memory.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 11 Jun 2018 10:02:01 +0000 (18:02 +0800)]
f2fs: relocate readdir_ra configure initialization
readdir_ra is sysfs configuration instead of mount option, so it should
not be initialized in default_options(), otherwise after remount, it can
be reset to be enabled which may not as user wish, so let's move it to
f2fs_tuning_parameters().
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Wed, 6 Jun 2018 15:55:02 +0000 (23:55 +0800)]
f2fs: move s_res{u,g}id initialization to default_options()
Let default_options() initialize s_res{u,g}id with default value like
other options.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Wed, 6 Jun 2018 15:55:01 +0000 (23:55 +0800)]
f2fs: don't acquire orphan ino during recovery
During orphan inode recovery, checkpoint should never succeed due to
SBI_POR_DOING flag, so we don't need acquire orphan ino which only be
used by checkpoint.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Sun, 15 Jul 2018 00:58:08 +0000 (09:58 +0900)]
f2fs: avoid potential deadlock in f2fs_sbi_store
[ 155.018460] ======================================================
[ 155.021431] WARNING: possible circular locking dependency detected
[ 155.024339] 4.18.0-rc3+ #5 Tainted: G OE
[ 155.026879] ------------------------------------------------------
[ 155.029783] umount/2901 is trying to acquire lock:
[ 155.032187]
00000000c4282f1f (kn->count#130){++++}, at: kernfs_remove+0x1f/0x30
[ 155.035439]
[ 155.035439] but task is already holding lock:
[ 155.038892]
0000000056e4307b (&type->s_umount_key#41){++++}, at: deactivate_super+0x33/0x50
[ 155.042602]
[ 155.042602] which lock already depends on the new lock.
[ 155.042602]
[ 155.047465]
[ 155.047465] the existing dependency chain (in reverse order) is:
[ 155.051354]
[ 155.051354] -> #1 (&type->s_umount_key#41){++++}:
[ 155.054768] f2fs_sbi_store+0x61/0x460 [f2fs]
[ 155.057083] kernfs_fop_write+0x113/0x1a0
[ 155.059277] __vfs_write+0x36/0x180
[ 155.061250] vfs_write+0xbe/0x1b0
[ 155.063179] ksys_write+0x55/0xc0
[ 155.065068] do_syscall_64+0x60/0x1b0
[ 155.067071] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 155.069529]
[ 155.069529] -> #0 (kn->count#130){++++}:
[ 155.072421] __kernfs_remove+0x26f/0x2e0
[ 155.074452] kernfs_remove+0x1f/0x30
[ 155.076342] kobject_del.part.5+0xe/0x40
[ 155.078354] f2fs_put_super+0x12d/0x290 [f2fs]
[ 155.080500] generic_shutdown_super+0x6c/0x110
[ 155.082655] kill_block_super+0x21/0x50
[ 155.084634] kill_f2fs_super+0x9c/0xc0 [f2fs]
[ 155.086726] deactivate_locked_super+0x3f/0x70
[ 155.088826] cleanup_mnt+0x3b/0x70
[ 155.090584] task_work_run+0x93/0xc0
[ 155.092367] exit_to_usermode_loop+0xf0/0x100
[ 155.094466] do_syscall_64+0x162/0x1b0
[ 155.096312] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 155.098603]
[ 155.098603] other info that might help us debug this:
[ 155.098603]
[ 155.102418] Possible unsafe locking scenario:
[ 155.102418]
[ 155.105134] CPU0 CPU1
[ 155.107037] ---- ----
[ 155.108910] lock(&type->s_umount_key#41);
[ 155.110674] lock(kn->count#130);
[ 155.113010] lock(&type->s_umount_key#41);
[ 155.115608] lock(kn->count#130);
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Thu, 21 Jun 2018 20:46:23 +0000 (13:46 -0700)]
f2fs: indicate shutdown f2fs to allow unmount successfully
Once we shutdown f2fs, we have to flush stale pages in order to unmount
the system. In order to make stable, we need to stop fault injection as well.
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Thu, 12 Jul 2018 01:30:42 +0000 (18:30 -0700)]
f2fs: keep meta pages in cp_error state
It turns out losing meta pages in shutdown period makes f2fs very unstable
so that I could see many unexpected error conditions.
Let's keep meta pages for fault injection and sudden power-off tests.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Fri, 6 Jul 2018 23:47:34 +0000 (16:47 -0700)]
f2fs: do checkpoint in kill_sb
When unmounting f2fs in force mode, we can get it stuck by io_schedule()
by some pending IOs in meta_inode.
io_schedule+0xd/0x30
wait_on_page_bit_common+0xc6/0x130
__filemap_fdatawait_range+0xbd/0x100
filemap_fdatawait_keep_errors+0x15/0x40
sync_inodes_sb+0x1cf/0x240
sync_filesystem+0x52/0x90
generic_shutdown_super+0x1d/0x110
kill_f2fs_super+0x28/0x80 [f2fs]
deactivate_locked_super+0x35/0x60
cleanup_mnt+0x36/0x70
task_work_run+0x79/0xa0
exit_to_usermode_loop+0x62/0x70
do_syscall_64+0xdb/0xf0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
0xffffffffffffffff
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Sat, 30 Jun 2018 01:55:12 +0000 (18:55 -0700)]
f2fs: allow wrong configured dio to buffered write
This fixes to support dio having unaligned buffers as buffered writes.
xfs_io -f -d -c "pwrite 0 512" $testfile
-> okay
xfs_io -f -d -c "pwrite 1 512" $testfile
-> EINVAL
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Fri, 29 Jun 2018 02:34:40 +0000 (19:34 -0700)]
f2fs: flush journal nat entries for nat_bits during unmount
Let's flush journal nat entries for speed up in the next run.
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Kees Cook [Tue, 12 Jun 2018 21:28:35 +0000 (14:28 -0700)]
treewide: Use array_size in f2fs_kvzalloc()
The f2fs_kvzalloc() function has no 2-factor argument form, so
multiplication factors need to be wrapped in array_size(). This patch
replaces cases of:
f2fs_kvzalloc(handle, a * b, gfp)
with:
f2fs_kvzalloc(handle, array_size(a, b), gfp)
as well as handling cases of:
f2fs_kvzalloc(handle, a * b * c, gfp)
with:
f2fs_kvzalloc(handle, array3_size(a, b, c), gfp)
This does, however, attempt to ignore constant size factors like:
f2fs_kvzalloc(handle, 4 * 1024, gfp)
though any constants defined via macros get caught up in the conversion.
Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.
The Coccinelle script used for this was:
// Fix redundant parens around sizeof().
@@
expression HANDLE;
type TYPE;
expression THING, E;
@@
(
f2fs_kvzalloc(HANDLE,
- (sizeof(TYPE)) * E
+ sizeof(TYPE) * E
, ...)
|
f2fs_kvzalloc(HANDLE,
- (sizeof(THING)) * E
+ sizeof(THING) * E
, ...)
)
// Drop single-byte sizes and redundant parens.
@@
expression HANDLE;
expression COUNT;
typedef u8;
typedef __u8;
@@
(
f2fs_kvzalloc(HANDLE,
- sizeof(u8) * (COUNT)
+ COUNT
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(__u8) * (COUNT)
+ COUNT
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(char) * (COUNT)
+ COUNT
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(unsigned char) * (COUNT)
+ COUNT
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(u8) * COUNT
+ COUNT
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(__u8) * COUNT
+ COUNT
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(char) * COUNT
+ COUNT
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(unsigned char) * COUNT
+ COUNT
, ...)
)
// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
expression HANDLE;
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@
(
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE) * (COUNT_ID)
+ array_size(COUNT_ID, sizeof(TYPE))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE) * COUNT_ID
+ array_size(COUNT_ID, sizeof(TYPE))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE) * (COUNT_CONST)
+ array_size(COUNT_CONST, sizeof(TYPE))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE) * COUNT_CONST
+ array_size(COUNT_CONST, sizeof(TYPE))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING) * (COUNT_ID)
+ array_size(COUNT_ID, sizeof(THING))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING) * COUNT_ID
+ array_size(COUNT_ID, sizeof(THING))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING) * (COUNT_CONST)
+ array_size(COUNT_CONST, sizeof(THING))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING) * COUNT_CONST
+ array_size(COUNT_CONST, sizeof(THING))
, ...)
)
// 2-factor product, only identifiers.
@@
expression HANDLE;
identifier SIZE, COUNT;
@@
f2fs_kvzalloc(HANDLE,
- SIZE * COUNT
+ array_size(COUNT, SIZE)
, ...)
// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression HANDLE;
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@
(
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
)
// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression HANDLE;
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@
(
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(THING1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
|
f2fs_kvzalloc(HANDLE,
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
)
// 3-factor product, only identifiers, with redundant parens removed.
@@
expression HANDLE;
identifier STRIDE, SIZE, COUNT;
@@
(
f2fs_kvzalloc(HANDLE,
- (COUNT) * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kvzalloc(HANDLE,
- COUNT * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kvzalloc(HANDLE,
- COUNT * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kvzalloc(HANDLE,
- (COUNT) * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kvzalloc(HANDLE,
- COUNT * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kvzalloc(HANDLE,
- (COUNT) * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kvzalloc(HANDLE,
- (COUNT) * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kvzalloc(HANDLE,
- COUNT * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
)
// Any remaining multi-factor products, first at least 3-factor products
// when they're not all constants...
@@
expression HANDLE;
expression E1, E2, E3;
constant C1, C2, C3;
@@
(
f2fs_kvzalloc(HANDLE, C1 * C2 * C3, ...)
|
f2fs_kvzalloc(HANDLE,
- E1 * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
)
// And then all remaining 2 factors products when they're not all constants.
@@
expression HANDLE;
expression E1, E2;
constant C1, C2;
@@
(
f2fs_kvzalloc(HANDLE, C1 * C2, ...)
|
f2fs_kvzalloc(HANDLE,
- E1 * E2
+ array_size(E1, E2)
, ...)
)
Signed-off-by: Kees Cook <keescook@chromium.org>
Kees Cook [Tue, 12 Jun 2018 21:28:23 +0000 (14:28 -0700)]
treewide: Use array_size() in f2fs_kzalloc()
The f2fs_kzalloc() function has no 2-factor argument form, so
multiplication factors need to be wrapped in array_size(). This patch
replaces cases of:
f2fs_kzalloc(handle, a * b, gfp)
with:
f2fs_kzalloc(handle, array_size(a, b), gfp)
as well as handling cases of:
f2fs_kzalloc(handle, a * b * c, gfp)
with:
f2fs_kzalloc(handle, array3_size(a, b, c), gfp)
This does, however, attempt to ignore constant size factors like:
f2fs_kzalloc(handle, 4 * 1024, gfp)
though any constants defined via macros get caught up in the conversion.
Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.
The Coccinelle script used for this was:
// Fix redundant parens around sizeof().
@@
expression HANDLE;
type TYPE;
expression THING, E;
@@
(
f2fs_kzalloc(HANDLE,
- (sizeof(TYPE)) * E
+ sizeof(TYPE) * E
, ...)
|
f2fs_kzalloc(HANDLE,
- (sizeof(THING)) * E
+ sizeof(THING) * E
, ...)
)
// Drop single-byte sizes and redundant parens.
@@
expression HANDLE;
expression COUNT;
typedef u8;
typedef __u8;
@@
(
f2fs_kzalloc(HANDLE,
- sizeof(u8) * (COUNT)
+ COUNT
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(__u8) * (COUNT)
+ COUNT
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(char) * (COUNT)
+ COUNT
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(unsigned char) * (COUNT)
+ COUNT
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(u8) * COUNT
+ COUNT
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(__u8) * COUNT
+ COUNT
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(char) * COUNT
+ COUNT
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(unsigned char) * COUNT
+ COUNT
, ...)
)
// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
expression HANDLE;
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@
(
f2fs_kzalloc(HANDLE,
- sizeof(TYPE) * (COUNT_ID)
+ array_size(COUNT_ID, sizeof(TYPE))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(TYPE) * COUNT_ID
+ array_size(COUNT_ID, sizeof(TYPE))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(TYPE) * (COUNT_CONST)
+ array_size(COUNT_CONST, sizeof(TYPE))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(TYPE) * COUNT_CONST
+ array_size(COUNT_CONST, sizeof(TYPE))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING) * (COUNT_ID)
+ array_size(COUNT_ID, sizeof(THING))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING) * COUNT_ID
+ array_size(COUNT_ID, sizeof(THING))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING) * (COUNT_CONST)
+ array_size(COUNT_CONST, sizeof(THING))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING) * COUNT_CONST
+ array_size(COUNT_CONST, sizeof(THING))
, ...)
)
// 2-factor product, only identifiers.
@@
expression HANDLE;
identifier SIZE, COUNT;
@@
f2fs_kzalloc(HANDLE,
- SIZE * COUNT
+ array_size(COUNT, SIZE)
, ...)
// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression HANDLE;
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@
(
f2fs_kzalloc(HANDLE,
- sizeof(TYPE) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(TYPE) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(TYPE) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(TYPE) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
)
// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression HANDLE;
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@
(
f2fs_kzalloc(HANDLE,
- sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(THING1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(TYPE1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
|
f2fs_kzalloc(HANDLE,
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
)
// 3-factor product, only identifiers, with redundant parens removed.
@@
expression HANDLE;
identifier STRIDE, SIZE, COUNT;
@@
(
f2fs_kzalloc(HANDLE,
- (COUNT) * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kzalloc(HANDLE,
- COUNT * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kzalloc(HANDLE,
- COUNT * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kzalloc(HANDLE,
- (COUNT) * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kzalloc(HANDLE,
- COUNT * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kzalloc(HANDLE,
- (COUNT) * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kzalloc(HANDLE,
- (COUNT) * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kzalloc(HANDLE,
- COUNT * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
)
// Any remaining multi-factor products, first at least 3-factor products
// when they're not all constants...
@@
expression HANDLE;
expression E1, E2, E3;
constant C1, C2, C3;
@@
(
f2fs_kzalloc(HANDLE, C1 * C2 * C3, ...)
|
f2fs_kzalloc(HANDLE,
- E1 * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
)
// And then all remaining 2 factors products when they're not all constants.
@@
expression HANDLE;
expression E1, E2;
constant C1, C2;
@@
(
f2fs_kzalloc(HANDLE, C1 * C2, ...)
|
f2fs_kzalloc(HANDLE,
- E1 * E2
+ array_size(E1, E2)
, ...)
)
Signed-off-by: Kees Cook <keescook@chromium.org>
Kees Cook [Tue, 12 Jun 2018 21:28:16 +0000 (14:28 -0700)]
treewide: Use array_size() in f2fs_kmalloc()
The f2fs_kmalloc() function has no 2-factor argument form, so
multiplication factors need to be wrapped in array_size(). This patch
replaces cases of:
f2fs_kmalloc(handle, a * b, gfp)
with:
f2fs_kmalloc(handle, array_size(a, b), gfp)
as well as handling cases of:
f2fs_kmalloc(handle, a * b * c, gfp)
with:
f2fs_kmalloc(handle, array3_size(a, b, c), gfp)
This does, however, attempt to ignore constant size factors like:
f2fs_kmalloc(handle, 4 * 1024, gfp)
though any constants defined via macros get caught up in the conversion.
Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.
The Coccinelle script used for this was:
// Fix redundant parens around sizeof().
@@
expression HANDLE;
type TYPE;
expression THING, E;
@@
(
f2fs_kmalloc(HANDLE,
- (sizeof(TYPE)) * E
+ sizeof(TYPE) * E
, ...)
|
f2fs_kmalloc(HANDLE,
- (sizeof(THING)) * E
+ sizeof(THING) * E
, ...)
)
// Drop single-byte sizes and redundant parens.
@@
expression HANDLE;
expression COUNT;
typedef u8;
typedef __u8;
@@
(
f2fs_kmalloc(HANDLE,
- sizeof(u8) * (COUNT)
+ COUNT
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(__u8) * (COUNT)
+ COUNT
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(char) * (COUNT)
+ COUNT
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(unsigned char) * (COUNT)
+ COUNT
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(u8) * COUNT
+ COUNT
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(__u8) * COUNT
+ COUNT
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(char) * COUNT
+ COUNT
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(unsigned char) * COUNT
+ COUNT
, ...)
)
// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
expression HANDLE;
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@
(
f2fs_kmalloc(HANDLE,
- sizeof(TYPE) * (COUNT_ID)
+ array_size(COUNT_ID, sizeof(TYPE))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(TYPE) * COUNT_ID
+ array_size(COUNT_ID, sizeof(TYPE))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(TYPE) * (COUNT_CONST)
+ array_size(COUNT_CONST, sizeof(TYPE))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(TYPE) * COUNT_CONST
+ array_size(COUNT_CONST, sizeof(TYPE))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING) * (COUNT_ID)
+ array_size(COUNT_ID, sizeof(THING))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING) * COUNT_ID
+ array_size(COUNT_ID, sizeof(THING))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING) * (COUNT_CONST)
+ array_size(COUNT_CONST, sizeof(THING))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING) * COUNT_CONST
+ array_size(COUNT_CONST, sizeof(THING))
, ...)
)
// 2-factor product, only identifiers.
@@
expression HANDLE;
identifier SIZE, COUNT;
@@
f2fs_kmalloc(HANDLE,
- SIZE * COUNT
+ array_size(COUNT, SIZE)
, ...)
// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression HANDLE;
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@
(
f2fs_kmalloc(HANDLE,
- sizeof(TYPE) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(TYPE) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(TYPE) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(TYPE) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
)
// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression HANDLE;
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@
(
f2fs_kmalloc(HANDLE,
- sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(THING1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(TYPE1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
|
f2fs_kmalloc(HANDLE,
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
)
// 3-factor product, only identifiers, with redundant parens removed.
@@
expression HANDLE;
identifier STRIDE, SIZE, COUNT;
@@
(
f2fs_kmalloc(HANDLE,
- (COUNT) * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kmalloc(HANDLE,
- COUNT * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kmalloc(HANDLE,
- COUNT * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kmalloc(HANDLE,
- (COUNT) * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kmalloc(HANDLE,
- COUNT * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kmalloc(HANDLE,
- (COUNT) * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kmalloc(HANDLE,
- (COUNT) * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
f2fs_kmalloc(HANDLE,
- COUNT * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
)
// Any remaining multi-factor products, first at least 3-factor products
// when they're not all constants...
@@
expression HANDLE;
expression E1, E2, E3;
constant C1, C2, C3;
@@
(
f2fs_kmalloc(HANDLE, C1 * C2 * C3, ...)
|
f2fs_kmalloc(HANDLE,
- E1 * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
)
// And then all remaining 2 factors products when they're not all constants.
@@
expression HANDLE;
expression E1, E2;
constant C1, C2;
@@
(
f2fs_kmalloc(HANDLE, C1 * C2, ...)
|
f2fs_kmalloc(HANDLE,
- E1 * E2
+ array_size(E1, E2)
, ...)
)
Signed-off-by: Kees Cook <keescook@chromium.org>
Kees Cook [Mon, 7 May 2018 23:47:02 +0000 (16:47 -0700)]
overflow.h: Add allocation size calculation helpers
In preparation for replacing unchecked overflows for memory allocations,
this creates helpers for the 3 most common calculations:
array_size(a, b): 2-dimensional array
array3_size(a, b, c): 3-dimensional array
struct_size(ptr, member, n): struct followed by n-many trailing members
Each of these return SIZE_MAX on overflow instead of wrapping around.
(Additionally renames a variable named "array_size" to avoid future
collision.)
Co-developed-by: Matthew Wilcox <mawilcox@microsoft.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Chao Yu [Mon, 4 Jun 2018 15:20:51 +0000 (23:20 +0800)]
f2fs: fix to clear FI_VOLATILE_FILE correctly
Thread A Thread B
- f2fs_release_file
- clear_inode_flag(FI_VOLATILE_FILE)
- wb_writeback
- writeback_sb_inodes
- __writeback_single_inode
- do_writepages
- f2fs_write_data_pages
- __write_data_page
all volatile file's pages
are writebacked to storage
- set_inode_flag(FI_DROP_CACHE)
- filemap_fdatawrite
There is a hole that mm can flush all dirty pages of volatile file as
inode is not tagged with both FI_VOLATILE_FILE and FI_DROP_CACHE flags,
we should never writeback the page #0 and also it's unneeded to writeback
other pages.
This patch adjusts to relocate clear_inode_flag(FI_VOLATILE_FILE), so that
FI_VOLATILE_FILE flag can be remained before all dirty pages were dropped
to avoid issue.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 4 Jun 2018 15:20:36 +0000 (23:20 +0800)]
f2fs: let sync node IO interrupt async one
Although mixed sync/async IOs can have continuous LBA, as they have
different IO priority, block IO scheduler will add them into different
queues and commit them separately, result in splited IOs which causes
wrose performance.
This patch gives high priority to synchronous IO of nodes, means that
once synchronous flow starts, it can interrupt asynchronous writeback
flow of system flusher, so more big IOs can be expected.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 4 Jun 2018 15:20:35 +0000 (23:20 +0800)]
f2fs: don't change wbc->sync_mode
We should never falsify wbc->sync_mode passed from mm, otherwise
mm can trigger writeback with wrong IO priority.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 4 Jun 2018 15:20:17 +0000 (23:20 +0800)]
f2fs: fix to update mtime correctly
If we change system time to the past, get_mtime() will return a
overflowed time, and SIT_I(sbi)->max_mtime will be udpated
incorrectly, this patch fixes the two issues.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
youngjun yoo [Tue, 29 May 2018 19:34:58 +0000 (04:34 +0900)]
fs: f2fs: insert space around that ':' and ', '
clean up checkpatch error:
ERROR: space required after that ':'
ERROR: space required after that ','
Signed-off-by: youngjun yoo <youngjun.willow@gmail.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
youngjun yoo [Tue, 29 May 2018 19:33:07 +0000 (04:33 +0900)]
fs: f2fs: add missing blank lines after declarations
clean up checkpatch warning:
WARNING: Missing a blank line after declarations
Signed-off-by: youngjun yoo <youngjun.willow@gmail.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
youngjun yoo [Tue, 29 May 2018 19:21:14 +0000 (04:21 +0900)]
fs: f2fs: changed variable type of offset "unsigned" to "loff_t"
clean up checkpatch warning:
WARNING: Prefer 'unsigned int' to bare use of 'unsigned'
Signed-off-by: youngjun yoo <youngjun.willow@gmail.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Tue, 29 May 2018 16:20:41 +0000 (00:20 +0800)]
f2fs: clean up symbol namespace
As Ted reported:
"Hi, I was looking at f2fs's sources recently, and I noticed that there
is a very large number of non-static symbols which don't have a f2fs
prefix. There's well over a hundred (see attached below).
As one example, in fs/f2fs/dir.c there is:
unsigned char get_de_type(struct f2fs_dir_entry *de)
This function is clearly only useful for f2fs, but it has a generic
name. This means that if any other file system tries to have the same
symbol name, there will be a symbol conflict and the kernel would not
successfully build. It also means that when someone is looking f2fs
sources, it's not at all obvious whether a function such as
read_data_page(), invalidate_blocks(), is a generic kernel function
found in the fs, mm, or block layers, or a f2fs specific function.
You might want to fix this at some point. Hopefully Kent's bcachefs
isn't similarly using genericly named functions, since that might
cause conflicts with f2fs's functions --- but just as this would be a
problem that we would rightly insist that Kent fix, this is something
that we should have rightly insisted that f2fs should have fixed
before it was integrated into the mainline kernel.
acquire_orphan_inode
add_ino_entry
add_orphan_inode
allocate_data_block
allocate_new_segments
alloc_nid
alloc_nid_done
alloc_nid_failed
available_free_memory
...."
This patch adds "f2fs_" prefix for all non-static symbols in order to:
a) avoid conflict with other kernel generic symbols;
b) to indicate the function is f2fs specific one instead of generic
one;
Reported-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Tue, 29 May 2018 16:20:40 +0000 (00:20 +0800)]
f2fs: make set_de_type() static
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Tue, 29 May 2018 16:20:39 +0000 (00:20 +0800)]
f2fs: make __f2fs_write_data_pages() static
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 28 May 2018 15:47:19 +0000 (23:47 +0800)]
f2fs: fix to avoid accessing cross the boundary
Configure io_bits with 2 and enable LFS mode, generic/017 reports below dmesg:
BUG: unable to handle kernel NULL pointer dereference at
00000039
*pdpt =
000000002fcb2001 *pde =
0000000000000000
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: crc32_generic zram f2fs(O) bnep rfcomm bluetooth ecdh_generic snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi pcbc snd_seq joydev aesni_intel aes_i586 snd_seq_device snd_timer crypto_simd cryptd snd soundcore i2c_piix4 serio_raw mac_hid video parport_pc ppdev lp parport hid_generic usbhid psmouse hid e1000
CPU: 2 PID: 20779 Comm: xfs_io Tainted: G O 4.17.0-rc2 #38
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
EIP: is_checkpointed_data+0x84/0xd0 [f2fs]
EFLAGS:
00010207 CPU: 2
EAX:
00000000 EBX:
f5cd7000 ECX:
fffffe32 EDX:
00000039
ESI:
000001cd EDI:
ec95fb6c EBP:
e264bd80 ESP:
e264bd6c
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
CR0:
80050033 CR2:
00000039 CR3:
2fe55660 CR4:
000406f0
Call Trace:
__exchange_data_block+0xb3f/0x1000 [f2fs]
f2fs_fallocate+0xab9/0x16b0 [f2fs]
vfs_fallocate+0x17c/0x2d0
ksys_fallocate+0x42/0x70
sys_fallocate+0x31/0x40
do_fast_syscall_32+0xaa/0x22c
entry_SYSENTER_32+0x4c/0x7b
EIP: 0xb7f98c51
EFLAGS:
00000293 CPU: 2
EAX:
ffffffda EBX:
00000003 ECX:
00000008 EDX:
01001000
ESI:
00000000 EDI:
00001000 EBP:
00000000 ESP:
bfc0357c
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
Code: 00 00 d3 e8 8b 4d ec 2b 02 8b 55 f0 6b c0 1c 03 41 70 29 d6 8b 93 d0 06 00 00 8b 40 0c 83 ea 01 21 d6 89 f2 89 f1 c1 ea 03 f7 d1 <0f> be 14 10 83 e1 07 b8 01 00 00 00 d3 e0 85 c2 89 f8 0f 95 c3
EIP: is_checkpointed_data+0x84/0xd0 [f2fs] SS:ESP: 0068:
e264bd6c
CR2:
0000000000000039
---[ end trace
9a4d4087cce6080a ]---
This is because in recovery flow of __exchange_data_block, we didn't pass olen to
__roll_back_blkaddrs, instead we passed len, which indicates wrong array size, result
in copying random block address into dnode page.
Later, once that random block address was accessed by is_checkpointed_data, it can
cause NULL pointer dereference.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 28 May 2018 15:47:18 +0000 (23:47 +0800)]
f2fs: fix to let caller retry allocating block address
Configure io_bits with 2 and enable LFS mode, generic/013 reports below dmesg:
BUG: unable to handle kernel NULL pointer dereference at
00000104
*pdpt =
0000000029b7b001 *pde =
0000000000000000
Oops: 0002 [#1] PREEMPT SMP
Modules linked in: crc32_generic zram f2fs(O) rfcomm bnep bluetooth ecdh_generic snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq pcbc joydev snd_seq_device aesni_intel snd_timer aes_i586 snd crypto_simd cryptd soundcore i2c_piix4 serio_raw mac_hid video parport_pc ppdev lp parport hid_generic psmouse usbhid hid e1000
CPU: 0 PID: 11161 Comm: fsstress Tainted: G O 4.17.0-rc2 #38
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
EIP: f2fs_submit_page_write+0x28d/0x550 [f2fs]
EFLAGS:
00010206 CPU: 0
EAX:
e863dcd8 EBX:
00000000 ECX:
00000100 EDX:
00000200
ESI:
e863dcf4 EDI:
f6f82768 EBP:
e863dbb0 ESP:
e863db74
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
CR0:
80050033 CR2:
00000104 CR3:
29a62020 CR4:
000406f0
Call Trace:
do_write_page+0x6f/0xc0 [f2fs]
write_data_page+0x4a/0xd0 [f2fs]
do_write_data_page+0x327/0x630 [f2fs]
__write_data_page+0x34b/0x820 [f2fs]
__f2fs_write_data_pages+0x42d/0x8c0 [f2fs]
f2fs_write_data_pages+0x27/0x30 [f2fs]
do_writepages+0x1a/0x70
__filemap_fdatawrite_range+0x94/0xd0
filemap_write_and_wait_range+0x3d/0xa0
__generic_file_write_iter+0x11a/0x1f0
f2fs_file_write_iter+0xdd/0x3b0 [f2fs]
__vfs_write+0xd2/0x150
vfs_write+0x9b/0x190
ksys_write+0x45/0x90
sys_write+0x16/0x20
do_fast_syscall_32+0xaa/0x22c
entry_SYSENTER_32+0x4c/0x7b
EIP: 0xb7fc8c51
EFLAGS:
00000246 CPU: 0
EAX:
ffffffda EBX:
00000003 ECX:
09cde000 EDX:
00001000
ESI:
00000003 EDI:
00001000 EBP:
00000000 ESP:
bfbded38
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
Code: e8 f9 77 34 c9 8b 45 e0 8b 80 b8 00 00 00 39 45 d8 0f 84 bb 02 00 00 8b 45 e0 8b 80 b8 00 00 00 8d 50 d8 8b 08 89 55 f0 8b 50 04 <89> 51 04 89 0a c7 00 00 01 00 00 c7 40 04 00 02 00 00 8b 45 dc
EIP: f2fs_submit_page_write+0x28d/0x550 [f2fs] SS:ESP: 0068:
e863db74
CR2:
0000000000000104
---[ end trace
4cac79c0d1305ee6 ]---
allocate_data_block will submit all sequential pending IOs sorted by a
FIFO list, If we failed to submit other user's IO due to unaligned write,
we will retry to allocate new block address for current IO, then it will
initialize fio.list again, if fio was in the list before, it can break
FIFO list, result in above panic.
Thread A Thread B
- do_write_page
- allocate_data_block
- list_add_tail
: fioA cached in FIFO list.
- do_write_page
- allocate_data_block
- list_add_tail
: fioB cached in FIFO list.
- f2fs_submit_page_write
: fail to submit IO
- allocate_data_block
- INIT_LIST_HEAD
- f2fs_submit_page_write
- list_del <-- NULL pointer dereference
This patch adds fio.retry parameter to indicate failure status for each
IO, and avoid bailing out if there is still pending IO in FIFO list for
fixing.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Anatoly Pugachev [Sun, 27 May 2018 23:06:37 +0000 (02:06 +0300)]
disable loading f2fs module on PAGE_SIZE > 4KB
The following patch disables loading of f2fs module on architectures
which have PAGE_SIZE > 4096 , since it is impossible to mount f2fs on
such architectures , log messages are:
mount: /mnt: wrong fs type, bad option, bad superblock on
/dev/vdiskb1, missing codepage or helper program, or other error.
/dev/vdiskb1: F2FS filesystem,
UUID=
1d8b9ca4-2389-4910-af3b-
10998969f09c, volume name ""
May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Invalid
page_cache_size (8192), supports only 4KB
May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Can't find valid F2FS
filesystem in 1th superblock
May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Invalid
page_cache_size (8192), supports only 4KB
May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Can't find valid F2FS
filesystem in 2th superblock
May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Invalid
page_cache_size (8192), supports only 4KB
which was introduced by git commit
5c9b469295fb6b10d98923eab5e79c4edb80ed20
tested on git kernel
4.17.0-rc6-00309-gec30dcf7f425
with patch applied:
modprobe: ERROR: could not insert 'f2fs': Invalid argument
May 28 01:40:28 v215 kernel: F2FS not supported on PAGE_SIZE(8192) != 4096
Signed-off-by: Anatoly Pugachev <matorola@gmail.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 28 May 2018 08:59:27 +0000 (16:59 +0800)]
f2fs: fix error path of move_data_page
This patch fixes error path of move_data_page:
- clear cold data flag if it fails to write page.
- redirty page for non-ENOMEM case.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 28 May 2018 08:59:26 +0000 (16:59 +0800)]
f2fs: don't drop dentry pages after fs shutdown
As description in commit "f2fs: don't drop any page on f2fs_cp_error()
case":
"We still provide readdir() after shtudown, so we should keep pages to
avoid additional IOs."
In order to provider lastest directory structure, let's keep dentry
pages in cache after fs shutdown.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 28 May 2018 08:57:32 +0000 (16:57 +0800)]
f2fs: fix to avoid race during access gc_thread pointer
Thread A Thread B
- f2fs_remount
- stop_gc_thread
- f2fs_sbi_store
sbi->gc_thread = NULL;
access sbi->gc_thread->gc_*
Previously, we allocate memory for sbi->gc_thread based on background
gc thread mount option, the memory can be released if we turn off
that mount option, but still there are several places access gc_thread
pointer without considering race condition, result in NULL point
dereference.
In order to fix this issue, use sb->s_umount to exclude those operations.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Sat, 26 May 2018 10:03:35 +0000 (18:03 +0800)]
f2fs: clean up with clear_radix_tree_dirty_tag
Introduce clear_radix_tree_dirty_tag to include common codes for cleanup.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Sat, 26 May 2018 10:03:34 +0000 (18:03 +0800)]
f2fs: fix to don't trigger writeback during recovery
- f2fs_fill_super
- recover_fsync_data
- recover_data
- del_fsync_inode
- iput
- iput_final
- write_inode_now
- f2fs_write_inode
- f2fs_balance_fs
- f2fs_balance_fs_bg
- sync_dirty_inodes
With data_flush mount option, during recovery, in order to avoid entering
above writeback flow, let's detect recovery status and do skip in
f2fs_balance_fs_bg.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Sheng Yong [Tue, 8 May 2018 09:51:34 +0000 (17:51 +0800)]
f2fs: clear discard_wake earlier
If SBI_NEED_FSCK is set, discard_wake will never be cleared. As a
result, the condition of wait_event_interruptible_timeout() is always
true, which gets discard thread run too frequently.
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Yunlei He [Sun, 8 Apr 2018 07:11:11 +0000 (15:11 +0800)]
f2fs: let discard thread wait a little longer if dev is busy
This patch modify discard thread wait policy as below:
issued io_interrupted wait time(ms)
1. 8 0 50
2. (0,8) 1 50
3. 0 1 500 (dev is busy)
4. 0 0 60000 (no candidates)
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 7 May 2018 12:28:54 +0000 (20:28 +0800)]
f2fs: avoid stucking GC due to atomic write
f2fs doesn't allow abuse on atomic write class interface, so except
limiting in-mem pages' total memory usage capacity, we need to limit
atomic-write usage as well when filesystem is seriously fragmented,
otherwise we may run into infinite loop during foreground GC because
target blocks in victim segment are belong to atomic opened file for
long time.
Now, we will detect failure due to atomic write in foreground GC, if
the count exceeds threshold, we will drop all atomic written data in
cache, by this, I expect it can keep our system running safely to
prevent Dos attack.
In addition, his patch adds to show GC skip information in debugfs,
now it just shows count of skipped caused by atomic write.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Mon, 7 May 2018 21:22:40 +0000 (14:22 -0700)]
f2fs: introduce sbi->gc_mode to determine the policy
This is to avoid sbi->gc_thread pointer access.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Sat, 26 May 2018 01:00:13 +0000 (09:00 +0800)]
f2fs: keep migration IO order in LFS mode
For non-migration IO, we will keep order of data/node blocks' submitting
as allocation sequence by sorting IOs in per log io_list list, but for
migration IO, it could be out-of-order.
In LFS mode, we should keep all IOs including migration IO be ordered,
so that this patch fixes to add an additional lock to keep submitting
order.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Yunlong Song <yunlong.song@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 23 Apr 2018 02:36:13 +0000 (10:36 +0800)]
f2fs: fix to wait page writeback during revoking atomic write
After revoking atomic write, related LBA can be reused by others, so we
need to wait page writeback before reusing the LBA, in order to avoid
interference between old atomic written in-flight IO and new IO.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Sahitya Tummala [Fri, 18 May 2018 06:21:52 +0000 (11:51 +0530)]
f2fs: Fix deadlock in shutdown ioctl
f2fs_ioc_shutdown() ioctl gets stuck in the below path
when issued with F2FS_GOING_DOWN_FULLSYNC option.
__switch_to+0x90/0xc4
percpu_down_write+0x8c/0xc0
freeze_super+0xec/0x1e4
freeze_bdev+0xc4/0xcc
f2fs_ioctl+0xc0c/0x1ce0
f2fs_compat_ioctl+0x98/0x1f0
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Wed, 23 May 2018 14:25:09 +0000 (22:25 +0800)]
f2fs: detect synchronous writeback more earlier
This patch changes to detect synchronous writeback more earlier before,
in order to avoid unnecessary page writeback before exiting asynchronous
writeback.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jan Kara [Thu, 16 Nov 2017 01:35:19 +0000 (17:35 -0800)]
mm: remove nr_pages argument from pagevec_lookup_{,range}_tag()
All users of pagevec_lookup() and pagevec_lookup_range() now pass
PAGEVEC_SIZE as a desired number of pages. Just drop the argument.
Link: http://lkml.kernel.org/r/20171009151359.31984-15-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:35:16 +0000 (17:35 -0800)]
ceph: use pagevec_lookup_range_nr_tag()
Use new function for looking up pages since nr_pages argument from
pagevec_lookup_range_tag() is going away.
Link: http://lkml.kernel.org/r/20171009151359.31984-14-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:35:12 +0000 (17:35 -0800)]
mm: add variant of pagevec_lookup_range_tag() taking number of pages
Currently pagevec_lookup_range_tag() takes number of pages to look up
but most users don't need this. Create a new function
pagevec_lookup_range_nr_tag() that takes maximum number of pages to
lookup for Ceph which wants this functionality so that we can drop
nr_pages argument from pagevec_lookup_range_tag().
Link: http://lkml.kernel.org/r/20171009151359.31984-13-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:35:09 +0000 (17:35 -0800)]
mm: use pagevec_lookup_range_tag() in write_cache_pages()
Use pagevec_lookup_range_tag() in write_cache_pages() as it is
interested only in pages from given range. Remove unnecessary code
resulting from this.
Link: http://lkml.kernel.org/r/20171009151359.31984-12-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:35:05 +0000 (17:35 -0800)]
mm: use pagevec_lookup_range_tag() in __filemap_fdatawait_range()
Use pagevec_lookup_range_tag() in __filemap_fdatawait_range() as it is
interested only in pages from given range. Remove unnecessary code
resulting from this.
Link: http://lkml.kernel.org/r/20171009151359.31984-11-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:35:02 +0000 (17:35 -0800)]
nilfs2: use pagevec_lookup_range_tag()
We want only pages from given range in nilfs_lookup_dirty_data_buffers().
Use pagevec_lookup_range_tag() instead of pagevec_lookup_tag() and
remove unnecessary code.
Link: http://lkml.kernel.org/r/20171009151359.31984-10-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:34:58 +0000 (17:34 -0800)]
gfs2: use pagevec_lookup_range_tag()
We want only pages from given range in gfs2_write_cache_jdata(). Use
pagevec_lookup_range_tag() instead of pagevec_lookup_tag() and remove
unnecessary code.
Link: http://lkml.kernel.org/r/20171009151359.31984-9-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:34:55 +0000 (17:34 -0800)]
f2fs: use find_get_pages_tag() for looking up single page
__get_first_dirty_index() wants to lookup only the first dirty page
after given index. There's no point in using pagevec_lookup_tag() for
that. Just use find_get_pages_tag() directly.
Link: http://lkml.kernel.org/r/20171009151359.31984-8-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:34:51 +0000 (17:34 -0800)]
f2fs: simplify page iteration loops
In several places we want to iterate over all tagged pages in a mapping.
However the code was apparently copied from places that iterate only
over a limited range and thus it checks for index <= end, optimizes the
case where we are coming close to range end which is all pointless when
end == ULONG_MAX. So just remove this dead code.
[akpm@linux-foundation.org: fix warnings]
Link: http://lkml.kernel.org/r/20171009151359.31984-7-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Cc: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:34:48 +0000 (17:34 -0800)]
f2fs: use pagevec_lookup_range_tag()
We want only pages from given range in f2fs_write_cache_pages(). Use
pagevec_lookup_range_tag() instead of pagevec_lookup_tag() and remove
unnecessary code.
Link: http://lkml.kernel.org/r/20171009151359.31984-6-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:34:44 +0000 (17:34 -0800)]
ext4: use pagevec_lookup_range_tag()
We want only pages from given range in ext4_writepages(). Use
pagevec_lookup_range_tag() instead of pagevec_lookup_tag() and remove
unnecessary code.
Link: http://lkml.kernel.org/r/20171009151359.31984-5-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:34:41 +0000 (17:34 -0800)]
ceph: use pagevec_lookup_range_tag()
We want only pages from given range in ceph_writepages_start(). Use
pagevec_lookup_range_tag() instead of pagevec_lookup_tag() and remove
unnecessary code.
Link: http://lkml.kernel.org/r/20171009151359.31984-4-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
Cc: Ilya Dryomov <idryomov@gmail.com>
Cc: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:34:37 +0000 (17:34 -0800)]
btrfs: use pagevec_lookup_range_tag()
We want only pages from given range in btree_write_cache_pages() and
extent_write_cache_pages(). Use pagevec_lookup_range_tag() instead of
pagevec_lookup_tag() and remove unnecessary code.
Link: http://lkml.kernel.org/r/20171009151359.31984-3-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: David Sterba <dsterba@suse.com>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: David Sterba <dsterba@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Thu, 16 Nov 2017 01:34:33 +0000 (17:34 -0800)]
mm: implement find_get_pages_range_tag()
Patch series "Ranged pagevec tagged lookup", v3.
In this series I provide a ranged variant of pagevec_lookup_tag() and
use it in places where it makes sense. This series removes some common
code and it also has a potential for speeding up some operations
similarly as for pagevec_lookup_range() (but for now I can think of only
artificial cases where this happens).
This patch (of 16):
Implement a variant of find_get_pages_tag() that stops iterating at
given index. Lots of users of this function (through pagevec_lookup())
actually want a range lookup and all of them are currently open-coding
this.
Also create corresponding pagevec_lookup_range_tag() function.
Link: http://lkml.kernel.org/r/20171009151359.31984-2-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Bob Peterson <rpeterso@redhat.com>
Cc: Chao Yu <yuchao0@huawei.com>
Cc: David Howells <dhowells@redhat.com>
Cc: David Sterba <dsterba@suse.com>
Cc: Ilya Dryomov <idryomov@gmail.com>
Cc: Jaegeuk Kim <jaegeuk@kernel.org>
Cc: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: Steve French <sfrench@samba.org>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Cc: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Chao Yu [Wed, 23 May 2018 14:25:08 +0000 (22:25 +0800)]
f2fs: clean up with is_valid_blkaddr()
- rename is_valid_blkaddr() to is_valid_meta_blkaddr() for readability.
- introduce is_valid_blkaddr() for cleanup.
No logic change in this patch.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Tue, 15 May 2018 10:59:55 +0000 (18:59 +0800)]
f2fs: fix to initialize min_mtime with ULLONG_MAX
Since sit_i.min_mtime's type is unsigned long long, so we should
initialize it with max value of the type ULLONG_MAX instead of
LLONG_MAX.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Tue, 8 May 2018 06:06:03 +0000 (14:06 +0800)]
f2fs: fix to let checkpoint guarantee atomic page persistence
1. thread A: commit_inmem_pages submit data into block layer, but
haven't waited it writeback.
2. thread A: commit_inmem_pages update related node.
3. thread B: do checkpoint, flush all nodes to disk.
4. SPOR
Then, atomic file becomes corrupted since nodes is flushed before data.
This patch fixes to treat atomic page as checkpoint guaranteed one,
then in checkpoint, we can make sure all atomic page can be writebacked
with metadata of atomic file.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 7 May 2018 12:28:52 +0000 (20:28 +0800)]
f2fs: fix to initialize i_current_depth according to inode type
i_current_depth is used only for directory inode, but its space is
shared with i_gc_failures field used for regular inode, in order to
avoid affecting i_gc_failures' value, this patch fixes to initialize
the union's fields according to inode type.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Thu, 26 Apr 2018 09:05:51 +0000 (17:05 +0800)]
Revert "f2fs: add ovp valid_blocks check for bg gc victim to fg_gc"
For extreme case:
10 section, op = 10%, no_fggc_threshold = 90%
All section usage: 85% 85% 85% 85% 90% 90% 95% 95% 95% 95%
During foreground GC, if we skip select dirty section whose usage
is larger than no_fggc_threshold, we can only recycle 80% invalid
space from four 85% usage sections and two 90% usage sections,
result in encountering out-of-space issue.
This reverts commit
e93b9865251a0503d83fd570e7d5a7c8bc351715 to
fix this issue, besides, we keep the logic that we scan all dirty
section when searching a victim, so that GC can select victim with
least valid blocks.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Sat, 5 May 2018 01:04:22 +0000 (18:04 -0700)]
f2fs: don't drop any page on f2fs_cp_error() case
We still provide readdir() after shtudown, so we should keep pages to avoid
additional IOs.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Colin Ian King [Mon, 30 Apr 2018 15:27:44 +0000 (16:27 +0100)]
f2fs: fix spelling mistake: "extenstion" -> "extension"
Trivial fix to spelling mistake in extension list text
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Sat, 28 Apr 2018 02:03:22 +0000 (19:03 -0700)]
f2fs: enhance sanity_check_raw_super() to avoid potential overflows
In order to avoid the below overflow issue, we should have checked the
boundaries in superblock before reaching out to allocation. As Linus suggested,
the right place should be sanity_check_raw_super().
Dr Silvio Cesare of InfoSect reported:
There are integer overflows with using the cp_payload superblock field in the
f2fs filesystem potentially leading to memory corruption.
include/linux/f2fs_fs.h
struct f2fs_super_block {
...
__le32 cp_payload;
fs/f2fs/f2fs.h
typedef u32 block_t; /*
* should not change u32, since it is the on-disk block
* address format, __le32.
*/
...
static inline block_t __cp_payload(struct f2fs_sb_info *sbi)
{
return le32_to_cpu(F2FS_RAW_SUPER(sbi)->cp_payload);
}
fs/f2fs/checkpoint.c
block_t start_blk, orphan_blocks, i, j;
...
start_blk = __start_cp_addr(sbi) + 1 + __cp_payload(sbi);
orphan_blocks = __start_sum_addr(sbi) - 1 - __cp_payload(sbi);
+++ integer overflows
...
unsigned int cp_blks = 1 + __cp_payload(sbi);
...
sbi->ckpt = kzalloc(cp_blks * blk_size, GFP_KERNEL);
+++ integer overflow leading to incorrect heap allocation.
int cp_payload_blks = __cp_payload(sbi);
...
ckpt->cp_pack_start_sum = cpu_to_le32(1 + cp_payload_blks +
orphan_blocks);
+++ sign bug and integer overflow
...
for (i = 1; i < 1 + cp_payload_blks; i++)
+++ integer overflow
...
sbi->max_orphans = (sbi->blocks_per_seg - F2FS_CP_PACKS -
NR_CURSEG_TYPE - __cp_payload(sbi)) *
F2FS_ORPHANS_PER_BLOCK;
+++ integer overflow
Reported-by: Greg KH <greg@kroah.com>
Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Thu, 26 Apr 2018 09:05:50 +0000 (17:05 +0800)]
f2fs: treat volatile file's data as hot one
Volatile file's data will be updated oftenly, so it'd better to place
its data into hot data segment.
In addition, for atomic file, we change to check FI_ATOMIC_FILE instead
of FI_HOT_DATA to make code readability better.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Wed, 25 Apr 2018 09:38:29 +0000 (17:38 +0800)]
f2fs: introduce release_discard_addr() for cleanup
Introduce release_discard_addr() to include common codes for cleanup.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
[Fengguang Wu: declare static function, reported by kbuild test robot]
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Wed, 25 Apr 2018 11:38:17 +0000 (19:38 +0800)]
f2fs: fix potential overflow
In build_sit_entries(), if valid_blocks in SIT block is smaller than
valid_blocks in journal, for below calculation:
sbi->discard_blks += old_valid_blocks - se->valid_blocks;
There will be two times potential overflow:
- old_valid_blocks - se->valid_blocks will overflow, and be a very
large number.
- sbi->discard_blks += result will overflow again, comes out a correct
result accidently.
Anyway, it should be fixed.
Fixes:
d600af236da5 ("f2fs: avoid unneeded loop in build_sit_entries")
Fixes:
1f43e2ad7bff ("f2fs: introduce CP_TRIMMED_FLAG to avoid unneeded discard")
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Tue, 24 Apr 2018 02:55:28 +0000 (10:55 +0800)]
f2fs: rename dio_rwsem to i_gc_rwsem
RW semphore dio_rwsem in struct f2fs_inode_info is introduced to avoid
race between dio and data gc, but now, it is more wildly used to avoid
foreground operation vs data gc. So rename it to i_gc_rwsem to improve
its readability.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Yunlei He [Tue, 24 Apr 2018 03:40:30 +0000 (11:40 +0800)]
f2fs: move mnt_want_write_file after range check
This patch move mnt_want_write_file after range check,
it's needless to check arguments with it.
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Yunlei He [Tue, 24 Apr 2018 03:40:19 +0000 (11:40 +0800)]
f2fs: fix missing clear FI_NO_PREALLOC in some error case
This patch fix missing clear FI_NO_PREALLOC in some error case
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Wed, 25 Apr 2018 04:43:01 +0000 (22:43 -0600)]
f2fs: enforce fsync_mode=strict for renamed directory
This is to give a option for user to be able to recover B/foo in the below
case.
mkdir A
sync()
rename(A, B)
creat (B/foo)
fsync (B/foo)
---crash---
Sugessted-by: Velayudhan Pillai <vijay@cs.utexas.edu>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Wed, 25 Apr 2018 03:34:05 +0000 (21:34 -0600)]
f2fs: sanity check for total valid node blocks
This patch enhances sanity check for SIT entries.
syzbot hit the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
link: https://syzkaller.appspot.com/bug?extid=bf9253040425feb155ad
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=
5692130282438656
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=
5095924598571008
Kernel config: https://syzkaller.appspot.com/x/.config?id=
1808800213120130118
compiler: gcc (GCC) 8.0.1
20180413 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): Try to recover 1th superblock, ret: 0
F2FS-fs (loop0): Mounted with checkpoint version = d
F2FS-fs (loop0): Bitmap was wrongly cleared, blk:9740
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:1884!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4508 Comm: syz-executor0 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882
RSP: 0018:
ffff8801af526708 EFLAGS:
00010282
RAX:
ffffed0035ea4cc0 RBX:
ffff8801ad454f90 RCX:
0000000000000000
RDX:
0000000000000000 RSI:
ffffffff82eeb87e RDI:
ffffed0035ea4cb6
RBP:
ffff8801af526760 R08:
ffff8801ad4a2480 R09:
ffffed003b5e4f90
R10:
ffffed003b5e4f90 R11:
ffff8801daf27c87 R12:
ffff8801adb8d380
R13:
0000000000000001 R14:
0000000000000008 R15:
00000000ffffffff
FS:
00000000014af940(0000) GS:
ffff8801daf00000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
00007f06bc223000 CR3:
00000001adb02000 CR4:
00000000001406e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Call Trace:
allocate_data_block+0x66f/0x2050 fs/f2fs/segment.c:2663
do_write_page+0x105/0x1b0 fs/f2fs/segment.c:2727
write_node_page+0x129/0x350 fs/f2fs/segment.c:2770
__write_node_page+0x7da/0x1370 fs/f2fs/node.c:1398
sync_node_pages+0x18cf/0x1eb0 fs/f2fs/node.c:1652
block_operations+0x429/0xa60 fs/f2fs/checkpoint.c:1088
write_checkpoint+0x3ba/0x5380 fs/f2fs/checkpoint.c:1405
f2fs_sync_fs+0x2fb/0x6a0 fs/f2fs/super.c:1077
__sync_filesystem fs/sync.c:39 [inline]
sync_filesystem+0x265/0x310 fs/sync.c:67
generic_shutdown_super+0xd7/0x520 fs/super.c:429
kill_block_super+0xa4/0x100 fs/super.c:1191
kill_f2fs_super+0x9f/0xd0 fs/f2fs/super.c:3030
deactivate_locked_super+0x97/0x100 fs/super.c:316
deactivate_super+0x188/0x1b0 fs/super.c:347
cleanup_mnt+0xbf/0x160 fs/namespace.c:1174
__cleanup_mnt+0x16/0x20 fs/namespace.c:1181
task_work_run+0x1e4/0x290 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457d97
RSP: 002b:
00007ffd46f9c8e8 EFLAGS:
00000246 ORIG_RAX:
00000000000000a6
RAX:
0000000000000000 RBX:
0000000000000000 RCX:
0000000000457d97
RDX:
00000000014b09a3 RSI:
0000000000000002 RDI:
00007ffd46f9da50
RBP:
00007ffd46f9da50 R08:
0000000000000000 R09:
0000000000000009
R10:
0000000000000005 R11:
0000000000000246 R12:
00000000014b0940
R13:
0000000000000000 R14:
0000000000000002 R15:
000000000000658e
RIP: update_sit_entry+0x1215/0x1590 fs/f2fs/segment.c:1882 RSP:
ffff8801af526708
---[ end trace
f498328bb02610a2 ]---
Reported-and-tested-by: syzbot+bf9253040425feb155ad@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+7d6d31d3bc702f566ce3@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+0a725420475916460f12@syzkaller.appspotmail.com
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Tue, 24 Apr 2018 21:44:16 +0000 (15:44 -0600)]
f2fs: sanity check on sit entry
syzbot hit the following crash on upstream commit
87ef12027b9b1dd0e0b12cf311fbcb19f9d92539 (Wed Apr 18 19:48:17 2018 +0000)
Merge tag 'ceph-for-4.17-rc2' of git://github.com/ceph/ceph-client
link: https://syzkaller.appspot.com/bug?extid=83699adeb2d13579c31e
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=
5805208181407744
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=
6005073343676416
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=
6555047731134464
Kernel config: https://syzkaller.appspot.com/x/.config?id=
1808800213120130118
compiler: gcc (GCC) 8.0.1
20180413 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.
F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
BUG: unable to handle kernel paging request at
ffffed006b2a50c0
PGD
21ffee067 P4D
21ffee067 PUD
21fbeb067 PMD 0
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4514 Comm: syzkaller989480 Not tainted 4.17.0-rc1+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:build_sit_entries fs/f2fs/segment.c:3653 [inline]
RIP: 0010:build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852
RSP: 0018:
ffff8801b102e5b0 EFLAGS:
00010a06
RAX:
1ffff1006b2a50c0 RBX:
0000000000000004 RCX:
0000000000000001
RDX:
0000000000000000 RSI:
0000000000000001 RDI:
ffff8801ac74243e
RBP:
ffff8801b102f410 R08:
ffff8801acbd46c0 R09:
fffffbfff14d9af8
R10:
fffffbfff14d9af8 R11:
ffff8801acbd46c0 R12:
ffff8801ac742a80
R13:
ffff8801d9519100 R14:
dffffc0000000000 R15:
ffff880359528600
FS:
0000000001e04880(0000) GS:
ffff8801dae00000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
ffffed006b2a50c0 CR3:
00000001ac6ac000 CR4:
00000000001406f0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Call Trace:
f2fs_fill_super+0x4095/0x7bf0 fs/f2fs/super.c:2803
mount_bdev+0x30c/0x3e0 fs/super.c:1165
f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
mount_fs+0xae/0x328 fs/super.c:1268
vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
vfs_kern_mount fs/namespace.c:1027 [inline]
do_new_mount fs/namespace.c:2517 [inline]
do_mount+0x564/0x3070 fs/namespace.c:2847
ksys_mount+0x12d/0x140 fs/namespace.c:3063
__do_sys_mount fs/namespace.c:3077 [inline]
__se_sys_mount fs/namespace.c:3074 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443d6a
RSP: 002b:
00007ffd312813c8 EFLAGS:
00000297 ORIG_RAX:
00000000000000a5
RAX:
ffffffffffffffda RBX:
0000000020000c00 RCX:
0000000000443d6a
RDX:
0000000020000000 RSI:
0000000020000100 RDI:
00007ffd312813d0
RBP:
0000000000000003 R08:
0000000020016a00 R09:
000000000000000a
R10:
0000000000000000 R11:
0000000000000297 R12:
0000000000000004
R13:
0000000000402c60 R14:
0000000000000000 R15:
0000000000000000
RIP: build_sit_entries fs/f2fs/segment.c:3653 [inline] RSP:
ffff8801b102e5b0
RIP: build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852 RSP:
ffff8801b102e5b0
CR2:
ffffed006b2a50c0
---[ end trace
a2034989e196ff17 ]---
Reported-and-tested-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Tue, 24 Apr 2018 17:37:18 +0000 (11:37 -0600)]
f2fs: avoid bug_on on corrupted inode
syzbot has tested the proposed patch but the reproducer still triggered crash:
kernel BUG at fs/f2fs/inode.c:LINE!
F2FS-fs (loop1): invalid crc value
F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop5): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop5): invalid crc value
------------[ cut here ]------------
kernel BUG at fs/f2fs/inode.c:238!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4886 Comm: syz-executor1 Not tainted 4.17.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:do_read_inode fs/f2fs/inode.c:238 [inline]
RIP: 0010:f2fs_iget+0x3307/0x3ca0 fs/f2fs/inode.c:313
RSP: 0018:
ffff8801c44a70e8 EFLAGS:
00010293
RAX:
ffff8801ce208040 RBX:
ffff8801b3621080 RCX:
ffffffff82eace18
F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0)
RDX:
0000000000000000 RSI:
ffffffff82eaf047 RDI:
0000000000000007
RBP:
ffff8801c44a7410 R08:
ffff8801ce208040 R09:
ffffed0039ee4176
R10:
ffffed0039ee4176 R11:
ffff8801cf720bb7 R12:
ffff8801c0efa000
R13:
0000000000000003 R14:
0000000000000000 R15:
0000000000000000
FS:
00007f753aa9d700(0000) GS:
ffff8801daf00000(0000) knlGS:
0000000000000000
------------[ cut here ]------------
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
kernel BUG at fs/f2fs/inode.c:238!
CR2:
0000000001b03018 CR3:
00000001c8b74000 CR4:
00000000001406e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Call Trace:
f2fs_fill_super+0x4377/0x7bf0 fs/f2fs/super.c:2842
mount_bdev+0x30c/0x3e0 fs/super.c:1165
f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
mount_fs+0xae/0x328 fs/super.c:1268
vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
vfs_kern_mount fs/namespace.c:1027 [inline]
do_new_mount fs/namespace.c:2517 [inline]
do_mount+0x564/0x3070 fs/namespace.c:2847
ksys_mount+0x12d/0x140 fs/namespace.c:3063
__do_sys_mount fs/namespace.c:3077 [inline]
__se_sys_mount fs/namespace.c:3074 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457daa
RSP: 002b:
00007f753aa9cba8 EFLAGS:
00000246 ORIG_RAX:
00000000000000a5
RAX:
ffffffffffffffda RBX:
0000000020000000 RCX:
0000000000457daa
RDX:
0000000020000000 RSI:
0000000020000100 RDI:
00007f753aa9cbf0
RBP:
0000000000000064 R08:
0000000020016a00 R09:
0000000020000000
R10:
0000000000000000 R11:
0000000000000246 R12:
0000000000000003
R13:
0000000000000064 R14:
00000000006fcb80 R15:
0000000000000000
RIP: do_read_inode fs/f2fs/inode.c:238 [inline] RSP:
ffff8801c44a70e8
RIP: f2fs_iget+0x3307/0x3ca0 fs/f2fs/inode.c:313 RSP:
ffff8801c44a70e8
invalid opcode: 0000 [#2] SMP KASAN
---[ end trace
1cbcbec2156680bc ]---
Reported-and-tested-by: syzbot+41a1b341571f0952badb@syzkaller.appspotmail.com
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Jaegeuk Kim [Tue, 24 Apr 2018 05:02:31 +0000 (23:02 -0600)]
f2fs: give message and set need_fsck given broken node id
syzbot hit the following crash on upstream commit
83beed7b2b26f232d782127792dd0cd4362fdc41 (Fri Apr 20 17:56:32 2018 +0000)
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
link: https://syzkaller.appspot.com/bug?extid=d154ec99402c6f628887
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=
5414336294027264
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=
5471683234234368
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=
5436660795834368
Kernel config: https://syzkaller.appspot.com/x/.config?id=
1808800213120130118
compiler: gcc (GCC) 8.0.1
20180413 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d154ec99402c6f628887@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.
F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
------------[ cut here ]------------
kernel BUG at fs/f2fs/node.c:1185!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4549 Comm: syzkaller704305 Not tainted 4.17.0-rc1+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__get_node_page+0xb68/0x16e0 fs/f2fs/node.c:1185
RSP: 0018:
ffff8801d960e820 EFLAGS:
00010293
RAX:
ffff8801d88205c0 RBX:
0000000000000003 RCX:
ffffffff82f6cc06
RDX:
0000000000000000 RSI:
ffffffff82f6d5e8 RDI:
0000000000000004
RBP:
ffff8801d960ec30 R08:
ffff8801d88205c0 R09:
ffffed003b5e46c2
R10:
0000000000000003 R11:
0000000000000003 R12:
ffff8801a86e00c0
R13:
0000000000000001 R14:
ffff8801a86e0530 R15:
ffff8801d9745240
FS:
000000000072c880(0000) GS:
ffff8801daf00000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
00007f3d403209b8 CR3:
00000001d8f3f000 CR4:
00000000001406e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Call Trace:
get_node_page fs/f2fs/node.c:1237 [inline]
truncate_xattr_node+0x152/0x2e0 fs/f2fs/node.c:1014
remove_inode_page+0x200/0xaf0 fs/f2fs/node.c:1039
f2fs_evict_inode+0xe86/0x1710 fs/f2fs/inode.c:547
evict+0x4a6/0x960 fs/inode.c:557
iput_final fs/inode.c:1519 [inline]
iput+0x62d/0xa80 fs/inode.c:1545
f2fs_fill_super+0x5f4e/0x7bf0 fs/f2fs/super.c:2849
mount_bdev+0x30c/0x3e0 fs/super.c:1164
f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
mount_fs+0xae/0x328 fs/super.c:1267
vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
vfs_kern_mount fs/namespace.c:1027 [inline]
do_new_mount fs/namespace.c:2518 [inline]
do_mount+0x564/0x3070 fs/namespace.c:2848
ksys_mount+0x12d/0x140 fs/namespace.c:3064
__do_sys_mount fs/namespace.c:3078 [inline]
__se_sys_mount fs/namespace.c:3075 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443dea
RSP: 002b:
00007ffcc7882368 EFLAGS:
00000297 ORIG_RAX:
00000000000000a5
RAX:
ffffffffffffffda RBX:
0000000020000c00 RCX:
0000000000443dea
RDX:
0000000020000000 RSI:
0000000020000100 RDI:
00007ffcc7882370
RBP:
0000000000000003 R08:
0000000020016a00 R09:
000000000000000a
R10:
0000000000000000 R11:
0000000000000297 R12:
0000000000000004
R13:
0000000000402ce0 R14:
0000000000000000 R15:
0000000000000000
RIP: __get_node_page+0xb68/0x16e0 fs/f2fs/node.c:1185 RSP:
ffff8801d960e820
---[ end trace
4edbeb71f002bb76 ]---
Reported-and-tested-by: syzbot+d154ec99402c6f628887@syzkaller.appspotmail.com
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Mon, 23 Apr 2018 02:36:14 +0000 (10:36 +0800)]
f2fs: clean up commit_inmem_pages()
This patch moves error handling from commit_inmem_pages() into
__commit_inmem_page() for cleanup, no logic change.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Sheng Yong [Mon, 23 Apr 2018 02:29:13 +0000 (10:29 +0800)]
f2fs: do not check F2FS_INLINE_DOTS in recover
Only dir may have F2FS_INLINE_DOTS flag, so there is no need to check
the flag in recover flow.
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Sheng Yong [Sat, 21 Apr 2018 06:12:50 +0000 (14:12 +0800)]
f2fs: remove duplicated dquot_initialize and fix error handling
This patch removes duplicated dquot_initialize in recover_orphan_inode(),
and fix the error handling if dquot_initialize fails.
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Yunlei He [Fri, 13 Apr 2018 03:08:05 +0000 (11:08 +0800)]
f2fs: stop issue discard if something wrong with f2fs
v4->v5: move data corruption check to __submit_discard_cmd, in order to
control discard io submitted more accurately, besides, increase async
thread wait time if data corruption detected.
This patch stop async thread and umount process to issue discard
if something wrong with f2fs, which is similar to fstrim.
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Chao Yu [Wed, 18 Apr 2018 09:45:02 +0000 (17:45 +0800)]
f2fs: fix return value in f2fs_ioc_commit_atomic_write
In f2fs_ioc_commit_atomic_write, if file is volatile, return -EINVAL to
indicate that commit failure.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Yunlei He [Wed, 18 Apr 2018 03:06:39 +0000 (11:06 +0800)]
f2fs: allocate hot_data for atomic write more strictly
If a file not set type as hot, has dirty pages more than
threshold 64 before starting atomic write, may be lose hot
flag.
v1->v2: move set FI_ATOMIC_FILE flag behind flush dirty pages too,
in case of dirty pages before starting atomic use atomic mode to
write back.
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Sheng Yong [Tue, 17 Apr 2018 09:12:27 +0000 (17:12 +0800)]
f2fs: check if inmem_pages list is empty correctly
`cur' will never be NULL, we should check inmem_pages list instead.
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
OSDN Git Service
