lists.openwall.net: Open Source and information security mailing list archives
Date:   Sat, 14 Jul 2018 23:06:28 +0300
From:   Anatoly Trosinenko <anatoly.trosinenko@...il.com>
To:     Jaegeuk Kim <jaegeuk@...nel.org>, Chao Yu <yuchao0@...wei.com>
Cc:     linux-f2fs-devel@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org
Subject: F2FS: Hang or deadlock when operating crafted image and then unmounting

How to reproduce:
1) Compile jaegeuk/f2fs.git/dev-test (23fd5bd3e) or v4.18-rc4 with the
attached config
2) Unpack the attached F2FS image (128 MB)
3) Execute:

#!/bin/sh
# Reproducer as run inside the QEMU VM: the image is the VM's /dev/sda.
echo Mounting...
mount /dev/sda /mnt -t f2fs
echo "=== touch"
touch /mnt/abc                      # triggers the WARNING in f2fs_evict_inode and fails with EIO
echo "=== umount &; sleep 1"
umount /mnt &                       # run in the background because it never returns
sleep 1
echo "=== stack"
cat /proc/$(pidof umount)/stack     # kernel stack of the stuck umount (needs CONFIG_STACKTRACE)

What happens:
Mounting...
[    4.741979] F2FS-fs (sda): Found nat_bits in checkpoint
[    4.764336] F2FS-fs (sda): Mounted with checkpoint version = 1c8a6001
[    4.765047] exe (1007) used greatest stack depth: 13856 bytes left
=== touch
[    4.771440] WARNING: CPU: 0 PID: 1012 at fs/f2fs/inode.c:654
f2fs_evict_inode+0x342/0x350
[    4.771610] Modules linked in:
[    4.771931] CPU: 0 PID: 1012 Comm: init Not tainted 4.18.0-rc3+ #1
[    4.772023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1ubuntu1 04/01/2014
[    4.772188] RIP: 0010:f2fs_evict_inode+0x342/0x350
[    4.772263] Code: be 03 00 00 00 e8 8e 92 d8 ff e9 66 fd ff ff 48
89 df e8 51 b4 00 00 e9 df fd ff ff 0f 0b 3e 41 80 4c 24 48 04 e9 30
fd ff ff <0f> 0b 3e 41 80 4c 24 48 04 e9 c3 fd ff ff 55 53 48 89 fb 48
83 ec
[    4.772635] RSP: 0018:ffffb6208098fae0 EFLAGS: 00000202
[    4.772717] RAX: 000000000c100d02 RBX: ffff9a69c47accf0 RCX: ffff9a69c47ac540
[    4.772805] RDX: 0000000000008000 RSI: 0000000000000001 RDI: ffff9a69c47accf0
[    4.772892] RBP: ffff9a69c47ace00 R08: ffff9a69c4360858 R09: ffff9a69c7922000
[    4.772978] R10: 0000000000000040 R11: 0000000000000000 R12: ffff9a69c7809800
[    4.773065] R13: 0000000000000000 R14: 00000000fffffffb R15: ffffde23001e4880
[    4.773184] FS:  00000000019538c0(0000) GS:ffff9a69c7400000(0000)
knlGS:0000000000000000
[    4.773282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    4.773356] CR2: 00007ffe5ad48f70 CR3: 000000000786a000 CR4: 00000000000006f0
[    4.773487] Call Trace:
[    4.774005]  evict+0xba/0x180
[    4.774075]  f2fs_iget+0x101/0xcf0
[    4.774141]  f2fs_lookup+0x18e/0x300
[    4.774195]  __lookup_slow+0x92/0x150
[    4.774247]  lookup_slow+0x30/0x50
[    4.774294]  walk_component+0x1bf/0x470
[    4.774351]  ? link_path_walk+0x45c/0x510
[    4.774408]  path_lookupat+0x7f/0x1f0
[    4.774460]  ? cpumask_any_but+0x1f/0x40
[    4.774512]  filename_lookup+0xb1/0x180
[    4.774606]  ? __alloc_pages_nodemask+0xfc/0x220
[    4.774669]  ? _cond_resched+0x10/0x40
[    4.774719]  ? kmem_cache_alloc+0x33/0x170
[    4.774774]  ? do_utimes+0x112/0x150
[    4.774821]  do_utimes+0x112/0x150
[    4.774870]  do_futimesat+0x9c/0xe0
[    4.774921]  ? __do_page_fault+0x25c/0x4b0
[    4.774976]  ? do_syscall_64+0x43/0xf0
[    4.775024]  ? __ia32_sys_futimesat+0x10/0x10
[    4.775078]  do_syscall_64+0x43/0xf0
[    4.775127]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[    4.775307] RIP: 0033:0x489777
[    4.775350] Code: ff 2c 75 cf 42 0f b6 14 28 80 fa 3d 77 c5 49 0f
a3 d4 73 bf 48 83 c4 08 5b 5d 41 5c 41 5d c3 0f 1f 40 00 b8 eb 00 00
00 0f 05 <48> 3d 00 f0 ff ff 77 09 f3 c3 0f 1f 80 00 00 00 00 48 c7 c2
e0 ff
[    4.775663] RSP: 002b:00007ffe5ad49558 EFLAGS: 00000246 ORIG_RAX:
00000000000000eb
[    4.775758] RAX: ffffffffffffffda RBX: 0000000001956258 RCX: 0000000000489777
[    4.775839] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000001956228
[    4.775919] RBP: 0000000000489770 R08: 0000000000000000 R09: 0000000000000000
[    4.775999] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[    4.776083] R13: 0000000000000000 R14: 00000000ffffff2b R15: 0000000000000000
[    4.776206] ---[ end trace d4aea6052b246e31 ]---
touch: /mnt/abc: Input/output error
[    4.778834] init (1012) used greatest stack depth: 13216 bytes left
=== umount &; sleep 1
=== stack
[<0>] f2fs_write_checkpoint+0x122/0x1170
[<0>] kill_f2fs_super+0x89/0xb0
[<0>] deactivate_locked_super+0x35/0x60
[<0>] cleanup_mnt+0x36/0x70
[<0>] task_work_run+0x79/0xa0
[<0>] exit_to_usermode_loop+0x91/0xa0
[<0>] do_syscall_64+0xdb/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<0>] 0xffffffffffffffff

Then QEMU starts consuming CPU -- maybe it is a spinlock, or this bug is
not a deadlock but a hang...


Thanks
Anatoly

View attachment "serial-log.txt" of type "text/plain" (23597 bytes)

Download attachment "config" of type "application/octet-stream" (115374 bytes)

Download attachment "f2fs_128mb.img.bz2" of type "application/octet-stream" (21964 bytes)
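The following is an added reproduction harness, not the reporter's script and not code from the f2fs tree. It performs the same steps (mount, touch, background umount, read /proc/<pid>/stack) but attaches the image through a loop device instead of hard-wiring /dev/sda, bounds the wait with a timeout instead of a fixed `sleep 1`, and checks /proc/<pid>/stat so that a zombie umount that the shell has not reaped yet is not mistaken for a hung one. The image path, mount point, timeout and the `F2FS_REPRO_RUN` guard variable are assumptions of this example. Run it as root on a disposable VM only: as the report shows, the kernel may stop responding.

```shell
#!/bin/sh
# Added example: reproduction harness for the F2FS umount hang report.
# Assumptions (not from the report): Linux /proc layout, util-linux losetup,
# root privileges, a throwaway VM, placeholder image path and mount point.

# True if process $1 exists and is not a zombie.
# Field 3 of /proc/<pid>/stat is the state; the comm field may contain
# spaces, so strip everything up to the closing ')' first.
is_alive() {
    [ -r "/proc/$1/stat" ] || return 1
    state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1)
    [ "$state" != "Z" ]
}

# Poll until process $1 exits or $2 seconds have passed.
# Returns 0 if it exited, 1 if it is still alive (treated as a hang).
wait_for_exit() {
    pid=$1
    timeout=$2
    i=0
    while is_alive "$pid"; do
        if [ "$i" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        i=$((i + 1))
    done
    return 0
}

# Print the kernel stack of task $1, as the reporter did with
# /proc/$(pidof umount)/stack. Requires CONFIG_STACKTRACE and root.
dump_kernel_stack() {
    if [ -r "/proc/$1/stack" ]; then
        echo "=== kernel stack of pid $1 ==="
        cat "/proc/$1/stack"
    else
        echo "no readable /proc/$1/stack (need root and CONFIG_STACKTRACE)"
    fi
}

# Full reproducer: loop-mount the crafted image, touch a file, unmount in
# the background and report whether umount returned.
# Exit status: 0 umount returned, 1 umount hung, 2 setup failed.
reproduce() {
    img=${1:-./f2fs_128mb.img}      # placeholder: unpacked image from the report
    mnt=${2:-/mnt/f2fs-test}        # placeholder mount point
    hang_timeout=${3:-10}           # seconds to wait before declaring a hang

    mkdir -p "$mnt"
    loopdev=$(losetup --find --show "$img") || return 2
    echo "Mounting $loopdev on $mnt..."
    mount -t f2fs "$loopdev" "$mnt" || { losetup -d "$loopdev"; return 2; }

    echo "=== touch"
    touch "$mnt/abc"                # EIO is expected on the crafted image; continue

    echo "=== umount (background)"
    umount "$mnt" &
    umount_pid=$!                   # child pid, no need for pidof

    if wait_for_exit "$umount_pid" "$hang_timeout"; then
        echo "umount returned"
        losetup -d "$loopdev"
        return 0
    fi
    echo "umount still running after ${hang_timeout}s, treating as hang"
    dump_kernel_stack "$umount_pid"
    return 1
}

# Only run the destructive part when explicitly asked for.
if [ "${F2FS_REPRO_RUN:-0}" = 1 ]; then
    reproduce "$@"
fi
```

Inside the VM, after `bunzip2 f2fs_128mb.img.bz2`, run `F2FS_REPRO_RUN=1 sh f2fs_repro.sh ./f2fs_128mb.img` as root; an exit status of 1 means umount did not return within the timeout and its kernel stack was printed, which is the point at which the report's stack in f2fs_write_checkpoint should appear.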