From patchwork Mon May 22 12:42:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chao Yu X-Patchwork-Id: 97429 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1440100vqo; Mon, 22 May 2023 06:14:16 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5wAcGnHgNogGbGtCQa8Rw2axRCHGzCK1sDqTzuXgQliha63ajwFvNgktypXiww0rd5ITQ9 X-Received: by 2002:a05:6a00:a21:b0:646:9232:df6 with SMTP id p33-20020a056a000a2100b0064692320df6mr15504640pfh.33.1684761255657; Mon, 22 May 2023 06:14:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684761255; cv=none; d=google.com; s=arc-20160816; b=GU8whHS7PfSzhxzuvDgJ28tmes0mUVOC+Ep+cB6sbSjkChEOsZqyKmPFe/g9FzIGCW OyaR5BWt4kzUbC1R3RV5RyeCC46xctLNuoQh73JmfD1bVC4hiCx8DfRcOoqbtNfmuphq npyPT8rMTvN/IAAI9VyKSktlLC0CM3plV9TGdr7432JWm6ixSRdX311iyV166DVsZ/PG Uu6AKtALKycIqak3qcLvL9XifZGXyOcBF6bw+RDqdl2JF8piFbALCPQrx9+2SV3uu+7i 6AYEtqHd6+QtmQzUBGjaKIe5Ues+9zxsxa65PzZ47XPsJH6jcPhiXugPPgL6LF8IANrE bUQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=2NcKq7LQCjvESek6ElJtORxcU6LQ1/RSEwBcMwtpPpE=; b=UCbUAyhr5T7nx1QjUMu3TwON82jm1lak/HIdf4Em1+KD2f252EPtAbde0sviu0mm1a vZ1eAKqcjrNoOcqSyKlEKTQ1DI2TQl23sE7w+2RLwhmkXCEdisI0+HlU/bObmt4rGWjZ d8L/QTmJEnHVzBHYxRsCYsHFkH39R4Ol75QrFT3Yp49a0Kod5gbZC73l0S5zHaxBXNBI VGbgeNV6+E7yJp21gfojqfoeFxAg2KFcROddevu1JWJeafV+nSzfrTmLx0PryEkqw6nl 0lYP3jO3Uyo0/Qib/87W+7GaLa1vKAHbAtomxe3MG/VRwZ2Rq1+4lmbsgsbWJ+rGENc8 Jp/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="qmLv2/2O"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s68-20020a625e47000000b0064aef84eb16si2421778pfb.135.2023.05.22.06.14.02; Mon, 22 May 2023 06:14:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="qmLv2/2O"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233325AbjEVMmS (ORCPT + 99 others); Mon, 22 May 2023 08:42:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45766 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232879AbjEVMmR (ORCPT ); Mon, 22 May 2023 08:42:17 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CC569B9 for ; Mon, 22 May 2023 05:42:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 6134961C36 for ; Mon, 22 May 2023 12:42:14 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5293DC433D2; Mon, 22 May 2023 12:42:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1684759333; bh=5Az3KJIIF884tcZh9jkr/Q8eLJXOxNqS+ngKRULYX0E=; h=From:To:Cc:Subject:Date:From; b=qmLv2/2OkCqyKcruM1rbyz0hofWHXIvQKzMvGAbDLrDwkMBCg1Eie1olo0q9IfsF0 4CoeHB0gdQsr73bRl92Nf0GJ//sSoTv+Y1sY6MVC7e9lqtKItPfe5E+G6V1hjuj2tE CFyLBPu1CK3sD2BX6t0VhEMu6PoNgScT3+CWMF3F9g4dBLQY8iS3/H8F4ELa1pFOhb KPfN1o2bTFG2Qaww4Pht9XTEQZHgAqQR5kgHBcTSHbB2XfjZn6OG9Bp8FvhQKVrhFt UMBGrbg2NXLs8NgFz4287QvYGW/UTTkdCylKiiaoiWFkLqm55NG9lI2Q2a63NNq1U2 cqXqaI79ekuUw== From: Chao Yu To: jaegeuk@kernel.org Cc: linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, Chao Yu , butt3rflyh4ck Subject: [PATCH] f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() Date: Mon, 22 May 2023 20:42:03 +0800 Message-Id: <20230522124203.3838360-1-chao@kernel.org> X-Mailer: git-send-email 2.40.1 MIME-Version: 1.0 X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1766600218286195018?= X-GMAIL-MSGID: =?utf-8?q?1766600218286195018?= butt3rflyh4ck reports a bug as below: When a thread always calls F2FS_IOC_RESIZE_FS to resize fs, if resize fs is failed, f2fs kernel thread would invoke callback function to update f2fs io info, it would call f2fs_write_end_io and may trigger null-ptr-deref in NODE_MAPPING. general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:1972 [inline] RIP: 0010:f2fs_write_end_io+0x727/0x1050 fs/f2fs/data.c:370 bio_endio+0x5af/0x6c0 block/bio.c:1608 req_bio_endio block/blk-mq.c:761 [inline] blk_update_request+0x5cc/0x1690 block/blk-mq.c:906 blk_mq_end_request+0x59/0x4c0 block/blk-mq.c:1023 lo_complete_rq+0x1c6/0x280 drivers/block/loop.c:370 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1101 __do_softirq+0x1d4/0x8ef kernel/softirq.c:571 run_ksoftirqd kernel/softirq.c:939 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:931 smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164 kthread+0x33e/0x440 kernel/kthread.c:379 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 The root cause is below race case can cause leaving dirty metadata in f2fs after filesystem is remount as ro: Thread A Thread B - f2fs_ioc_resize_fs - f2fs_readonly --- return false - f2fs_resize_fs - f2fs_remount - write_checkpoint - set f2fs as ro - free_segment_range - update meta_inode's data Then during f2fs_put_super() fails to write_checkpoint due to readonly status, and meta_inode's dirty data will be writebacked after node_inode is put, finally write_end_io will access NULL pointer on sbi->node_inode. Thread A IRQ context - f2fs_put_super - write_checkpoint fails - iput(node_inode) - node_inode = NULL - iput(meta_inode) - write_inode_now - f2fs_write_meta_page - f2fs_write_end_io - NODE_MAPPING(sbi) : access NULL pointer on node_inode Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress") Reported-by: butt3rflyh4ck Closes: https://lore.kernel.org/r/1684480657-2375-1-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Chao Yu --- fs/f2fs/f2fs.h | 2 +- fs/f2fs/file.c | 2 +- fs/f2fs/gc.c | 21 ++++++++++++++++++--- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index a4bff3b5b887..e3ef321d4fbb 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -3843,7 +3843,7 @@ void f2fs_stop_gc_thread(struct f2fs_sb_info *sbi); block_t f2fs_start_bidx_of_node(unsigned int node_ofs, struct inode *inode); int f2fs_gc(struct f2fs_sb_info *sbi, struct f2fs_gc_control *gc_control); void f2fs_build_gc_manager(struct f2fs_sb_info *sbi); -int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count); +int f2fs_resize_fs(struct file *filp, __u64 block_count); int __init f2fs_create_garbage_collection_cache(void); void f2fs_destroy_garbage_collection_cache(void); /* victim selection function for cleaning and SSR */ diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index 3f77277fd718..c87789dab83a 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -3283,7 +3283,7 @@ static int f2fs_ioc_resize_fs(struct file *filp, unsigned long arg) sizeof(block_count))) return -EFAULT; - return f2fs_resize_fs(sbi, block_count); + return f2fs_resize_fs(filp, block_count); } static int f2fs_ioc_enable_verity(struct file *filp, unsigned long arg) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 35b95b3d57ef..8cbe4839f640 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -2195,8 +2195,9 @@ static void update_fs_metadata(struct f2fs_sb_info *sbi, int secs) } } -int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) +int f2fs_resize_fs(struct file *filp, __u64 block_count) { + struct f2fs_sb_info *sbi = F2FS_I_SB(file_inode(filp)); __u64 old_block_count, shrunk_blocks; struct cp_control cpc = { CP_RESIZE, 0, 0, 0 }; unsigned int secs; @@ -2234,12 +2235,18 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) return -EINVAL; } + err = mnt_want_write_file(filp); + if (err) + return err; + shrunk_blocks = old_block_count - block_count; secs = div_u64(shrunk_blocks, BLKS_PER_SEC(sbi)); /* stop other GC */ - if (!f2fs_down_write_trylock(&sbi->gc_lock)) - return -EAGAIN; + if (!f2fs_down_write_trylock(&sbi->gc_lock)) { + err = -EAGAIN; + goto out_drop_write; + } /* stop CP to protect MAIN_SEC in free_segment_range */ f2fs_lock_op(sbi); @@ -2259,10 +2266,18 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) out_unlock: f2fs_unlock_op(sbi); f2fs_up_write(&sbi->gc_lock); +out_drop_write: + mnt_drop_write_file(filp); if (err) return err; freeze_super(sbi->sb); + + if (f2fs_readonly(sbi->sb)) { + thaw_super(sbi->sb); + return -EROFS; + } + f2fs_down_write(&sbi->gc_lock); f2fs_down_write(&sbi->cp_global_sem);