Message-ID: <CABymUCNd36Z6F3miBfSSeaXnyNT5OH_S1j6FBFM=aV_x3dfiug@mail.gmail.com>
Date: Tue, 15 Nov 2022 12:41:30 +0800
From: Jun Nie <jun.nie@...aro.org>
To: Chao Yu <chao@...nel.org>
Cc: jaegeuk@...nel.org, linux-f2fs-devel@...ts.sourceforge.net,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Lee Jones <joneslee@...gle.com>, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
netdev@...r.kernel.org
Subject: Re: [BUG REPORT] f2fs: use-after-free during garbage collection
Chao Yu <chao@...nel.org> wrote on Tue, 15 Nov 2022 at 00:02:
>
> On 2022/11/14 9:47, Jun Nie wrote:
> > Hi Chao & Jaegeuk,
> >
> > There is a KASAN report[0] that shows invalid memory
> > access (use-after-free) in the f2fs garbage collection process, and this
> > issue is fixed by a recent f2fs patch set[1]. The KASAN report is caused
> > by an abnormal sum->ofs_in_node value 0xc3f1 in the first check. And
> > the investigation indicates that the f2fs_summary_block address range
> > is not from f2fs_kzalloc() in build_curseg(). The memory
> > allocation/free happens in a non-f2fs thread, such as network. So I
> > guess the f2fs subsystem is accessing memory that does not belong to f2fs
> > in some cases. With the below commit merged into mainline recently,
> > this use-after-free issue disappears. But there is another thread-blocked
> > issue as below. The patch c6ad7fd16657 checks the valid
> > ofs_in_node and stops further gc. I am not sure whether it is expected
> > that the f2fs_summary_block address in the gc thread is not from the
> > allocation in build_curseg(), because I am not familiar with f2fs.
> >
> > Could you help comment on my question and new issue? Is there any work
> > in progress to fix the new blocked issue? Thanks!
>
> Please check below patch:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev-test&id=2272d08781a73b6d7039ed70f6d68d87ac82f256
>
Thanks for the patch! I cherry-picked the 3 patches below from your branch onto mainline
to test the bug. It is not reproduced any more.
b380cedda7c3 f2fs: fix to do sanity check on i_extra_isize in is_alive()
cdcb173c158e f2fs: Fix the race condition of resize flag between resizefs
c316fb60f5fb f2fs: should put a page when checking the summary info
BTW: the log line below is repeated endlessly if cdcb173c158e is missing.
[ 142.766237][ T9] F2FS-fs (loop0): Inconsistent blkaddr offset:
base:9, ofs_in_node:50161, max:923, ino:8, nid:8
Regards,
Jun
> Thanks,
>
> >
> > [0] https://syzkaller.appspot.com/bug?id=4cbcff00422ea402c2e5be2bc041a8f4196d608c
> > [1] c6ad7fd16657 f2fs: fix to do sanity check on summary info
> >
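Added illustration, not f2fs code and not the patch discussed in the thread: the shape of the check that the "Inconsistent blkaddr offset" log line reflects. An offset read from an on-disk summary entry is refused before it is used as an index into a fixed-size array of block addresses. The struct, the function names and the 923-entry size are assumptions for this demo; the bad-case numbers (base 9, ofs_in_node 50161, max 923) are copied from the log above, the good case is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for the demo: a node block carries this many data block
 * addresses. In the log above, max was 923 for ino 8. */
#define DEMO_MAX_ADDRS 923u

struct demo_node_block {
    uint32_t addr[DEMO_MAX_ADDRS];
};

/* Return true and store the address only when base + ofs_in_node is a
 * valid index into the node's address array. ofs_in_node comes from an
 * on-disk summary entry, so it is attacker-controllable input: a corrupt
 * or stale value must be rejected, not dereferenced. */
bool demo_data_blkaddr_checked(const struct demo_node_block *node,
                               uint32_t base, uint32_t ofs_in_node,
                               uint32_t max_addrs, uint32_t *out)
{
    /* 64-bit sum so the addition cannot wrap below max_addrs. */
    uint64_t idx = (uint64_t)base + ofs_in_node;

    if (idx >= max_addrs) {
        fprintf(stderr,
                "Inconsistent blkaddr offset: base:%u, ofs_in_node:%u, max:%u\n",
                base, ofs_in_node, max_addrs);
        return false;
    }
    *out = node->addr[idx];
    return true;
}

/* For comparison: the index an unguarded lookup would have used. It
 * never dereferences anything, so calling it is safe; the point is that
 * 9 + 50161 is far outside a 923-entry array. */
uint64_t demo_unchecked_index(uint32_t base, uint32_t ofs_in_node)
{
    return (uint64_t)base + ofs_in_node;
}

int main(void)
{
    struct demo_node_block node = { .addr = { 0 } };
    uint32_t blk = 0;

    /* Constructed good case: slot 14 (base 9 + ofs 5) holds an address. */
    node.addr[14] = 0xABCD;
    if (demo_data_blkaddr_checked(&node, 9, 5, DEMO_MAX_ADDRS, &blk))
        printf("slot 14 -> 0x%x\n", blk);

    /* Bad case, values from the log: refused instead of read out of bounds. */
    if (!demo_data_blkaddr_checked(&node, 9, 50161, DEMO_MAX_ADDRS, &blk))
        printf("refused index %llu (array has %u entries)\n",
               (unsigned long long)demo_unchecked_index(9, 50161),
               DEMO_MAX_ADDRS);
    return 0;
}
```

The boundary itself (index 922 accepted, 923 refused) is the part worth a test; an off-by-one here is exactly the kind of defect that turns a sanity check into a one-element overread.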