lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <b4a0af34-bd8b-4130-a96f-6aacbe0fb576@kernel.org>
Date: Fri, 17 Oct 2025 17:47:43 +0800
From: Chao Yu <chao@...nel.org>
To: Jaegeuk Kim <jaegeuk@...nel.org>,
 Jan Prusakowski <jprusakowski@...gle.com>
Cc: chao@...nel.org, linux-kernel@...r.kernel.org,
 linux-f2fs-devel@...ts.sourceforge.net
Subject: Re: [f2fs-dev] [PATCH] f2fs: ensure node page reads complete before
 f2fs_put_super() finishes

On 10/17/2025 1:47 AM, Jaegeuk Kim wrote:
> On 10/11, Chao Yu wrote:
>> On 10/11/25 00:02, Jaegeuk Kim wrote:
>>> On 10/09, Chao Yu wrote:
>>>> On 10/6/2025 4:46 PM, Jan Prusakowski via Linux-f2fs-devel wrote:
>>>>> Xfstests generic/335, generic/336 sometimes crash with the following message:
>>>>>
>>>>> F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1
>>>>> ------------[ cut here ]------------
>>>>> kernel BUG at fs/f2fs/super.c:1939!
>>>>> Oops: invalid opcode: 0000 [#1] SMP NOPTI
>>>>> CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G        W           6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)
>>>>> Tainted: [W]=WARN
>>>>> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
>>>>> RIP: 0010:f2fs_put_super+0x3b3/0x3c0
>>>>> Call Trace:
>>>>>    <TASK>
>>>>>    generic_shutdown_super+0x7e/0x190
>>>>>    kill_block_super+0x1a/0x40
>>>>>    kill_f2fs_super+0x9d/0x190
>>>>>    deactivate_locked_super+0x30/0xb0
>>>>>    cleanup_mnt+0xba/0x150
>>>>>    task_work_run+0x5c/0xa0
>>>>>    exit_to_user_mode_loop+0xb7/0xc0
>>>>>    do_syscall_64+0x1ae/0x1c0
>>>>>    entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>>>>    </TASK>
>>>>> ---[ end trace 0000000000000000 ]---
>>>>>
>>>>> It appears that sometimes it is possible that f2fs_put_super() is called before
>>>>> all node page reads are completed.
>>>>> Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.
>>>>>
>>>>> Fixes: bf22c3cc8ce7 ("f2fs: fix the panic in do_checkpoint()")
>>>>>
>>>>> Signed-off-by: Jan Prusakowski <jprusakowski@...gle.com>
>>>>> ---
>>>>>    fs/f2fs/super.c | 1 +
>>>>>    1 file changed, 1 insertion(+)
>>>>>
>>>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
>>>>> index 1e0678e37a30..5c94bc42b8a1 100644
>>>>> --- a/fs/f2fs/super.c
>>>>> +++ b/fs/f2fs/super.c
>>>>> @@ -1976,6 +1976,7 @@ static void f2fs_put_super(struct super_block *sb)
>>>>>    	f2fs_flush_merged_writes(sbi);
>>>>>    	f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA);
>>>>> +	f2fs_wait_on_all_pages(sbi, F2FS_RD_NODE);
>>>>
>>>> Jan,
>>>>
>>>> At this stage, GC and checkpoint are both stopped, why there is still read
>>>> IOs on node page? Who is reading node page? Can you please dig more details
>>>> for this issue?
>>>
>>> We don't actually wait for completing read IOs. So, I think it doesn't matter
>>> the threads are stopped?
>>
>> Read on node page should be synchronous? so if the threads are stopped, there
>> should be no node IOs? Oh, Or there is still pending asynchronous readahead IO
>> on node page after all threads are stopped?
> 
> I remember we submit IOs and wait for its completion when we need by lock_page.

We also support readahead on page from meta_inode and common inode, so how about
waiting for all potential inflight read IOs?

In addtion, f2fs_wait_on_all_pages() is used for write path, how about simplifying
as below?

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 4c7da160ca27..ea731f8bf19c 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1983,6 +1983,12 @@ static void f2fs_put_super(struct super_block *sb)

  	f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA);

+	/* wait for potential inflight readahead IOs */
+	for (i = F2FS_RD_DATA; i <= F2FS_RD_META; i++) {
+		while (get_pages(sbi, i))
+			io_schedule_timeout(DEFAULT_IO_TIMEOUT);
+	}
+
  	if (err || f2fs_cp_error(sbi)) {
  		truncate_inode_pages_final(NODE_MAPPING(sbi));
  		truncate_inode_pages_final(META_MAPPING(sbi));
-- 
2.40.1

Thanks,

> 
>>
>> Thanks,
>>
>>>
>>>>
>>>> Thanks,
>>>>
>>>>>    	if (err || f2fs_cp_error(sbi)) {
>>>>>    		truncate_inode_pages_final(NODE_MAPPING(sbi));

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ