| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <62d7f4d3-cc9c-429f-8b7e-0e80e2aa24e4@kernel.org>
Date: Tue, 16 Sep 2025 15:28:30 +0800
From: Chao Yu <chao@...nel.org>
To: wangzijie <wangzijie1@...or.com>
Cc: chao@...nel.org, bintian.wang@...or.com, feng.han@...or.com,
jaegeuk@...nel.org, linux-f2fs-devel@...ts.sourceforge.net,
linux-kernel@...r.kernel.org
Subject: Re: [f2fs-dev] [PATCH v2 2/2] f2fs: fix infinite loop in
__insert_extent_tree()
On 9/16/25 15:09, wangzijie wrote:
>> On 9/16/25 13:22, wangzijie wrote:
>>>> On 09/15, wangzijie wrote:
>>>>> When we get wrong extent info data, and look up extent_node in rb tree,
>>>>> it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by
>>>>> return NULL.
>>>>
>>>> This is the exact buggy case which we should fix the original one. Have
>>>> you seen this error? In that case, can we consider writing some kernel
>>>> message and handle the error properly?
>>>
>>> Hi Jaegeuk,
>>> The original one is the bug I mentioned in the first patch of this patch set
>>> ("f2fs: fix zero-sized extent for precache extents").
>>
>> Zijie,
>>
>> Did you suffer this problem in product? right?
>
> Hi Chao,
> Yes, and I can confirm that infinite loop cases I suffered are caused by the bug I
> mentioned in the first patch of this patch set. But I'm not sure if there are
> other cases that can cause this infinite loop.
>
>>>
>>> When we use a wrong extent_info(zero-sized) to do update, and there exists a
>>> extent_node which has same fofs as the wrong one, we will skip "invalidate all extent
>>> nodes in range [fofs, fofs + len - 1]"(en->ei.fofs = end = tei->fofs + tei->len = tei->fofs),
>>> which cause the infinite loop in __insert_extent_tree().
>>>
>>> So we can add f2fs_bug_on() when there occurs zero-sized extent
>>> in f2fs_update_read_extent_cache_range(), and give up this zero-sized
>>> extent update to handle other unknown buggy cases. Do you think this will be better?
>>>
>>> And do we need to solve this infinite loop?
>>
>> IMO, it's worth to end such loop if there is any corrupted extent in rbtree to
>> avoid kernel hang, no matter it is caused by software bug or hardware flaw
>> potentially.
>>
>> Thanks,
>
> And do you think we need this?
> "add f2fs_bug_on() when there occurs zero-sized extent in f2fs_update_read_extent_cache_range(),
> and give up this zero-sized extent update to handle other unknown buggy cases".
Oh, I was testing below patch..., does this what you want to do?
I think we can keep all your patches, and appending below patch to detect any
potential cases who will update a zero-sized extent.
>From 439d61ef3715fafa5c9f2d1b7f8026cdd2564ca7 Mon Sep 17 00:00:00 2001
From: Chao Yu <chao@...nel.org>
Date: Tue, 16 Sep 2025 11:52:30 +0800
Subject: [PATCH] f2fs: add sanity check on ei.len in
__update_extent_tree_range()
Add a sanity check in __update_extent_tree_range() to detect any
zero-sized extent update.
Signed-off-by: Chao Yu <chao@...nel.org>
---
fs/f2fs/extent_cache.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
index 199c1e7a83ef..9544323767be 100644
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -664,6 +664,15 @@ static void __update_extent_tree_range(struct inode *inode,
if (!et)
return;
+ if (unlikely(len == 0)) {
+ f2fs_bug_on(sbi, 1);
+ f2fs_err_ratelimited(sbi, "%s: extent len is zero, type: %d, "
+ "extent [%u, %u, %u], age [%llu, %llu]",
+ __func__, type, tei->fofs, tei->blk, tei->len,
+ tei->age, tei->last_blocks);
+ return;
+ }
+
if (type == EX_READ)
trace_f2fs_update_read_extent_tree_range(inode, fofs, len,
tei->blk, 0);
--
2.49.0
>
>
>
>>>
>>>
>>>>>
>>>>> Signed-off-by: wangzijie <wangzijie1@...or.com>
>>>>> ---
>>>>> fs/f2fs/extent_cache.c | 1 +
>>>>> 1 file changed, 1 insertion(+)
>>>>>
>>>>> diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
>>>>> index 199c1e7a8..6ed6f3d1d 100644
>>>>> --- a/fs/f2fs/extent_cache.c
>>>>> +++ b/fs/f2fs/extent_cache.c
>>>>> @@ -605,6 +605,7 @@ static struct extent_node *__insert_extent_tree(struct f2fs_sb_info *sbi,
>>>>> leftmost = false;
>>>>> } else {
>>>>> f2fs_bug_on(sbi, 1);
>>>>> + return NULL;
>>>>> }
>>>>> }
>>>>>
>>>>> --
>>>>> 2.25.1
>
Powered by blists - more mailing lists