From: bugzilla-daemon@bugzilla.kernel.org
To: linux-f2fs-devel@lists.sourceforge.net
Subject: [Bug 203197] New: kernel read fault at __is_cp_guaranteed
Date: Tue, 09 Apr 2019 11:32:51 +0000
Message-ID: <bug-203197-202145@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=203197
Bug ID: 203197
Summary: kernel read fault at __is_cp_guaranteed
Product: File System
Version: 2.5
Kernel Version: 5.0.0
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: jungyeon@gatech.edu
Regression: No
Created attachment 282189
--> https://bugzilla.kernel.org/attachment.cgi?id=282189&action=edit
The (compressed) crafted image which causes crash & program
- Overview
When mounting the attached crafted image and running the program, I got this error.
The image is intentionally fuzzed from a normal f2fs image for testing.
- Produces
cc poc_07.c
./run.sh f2fs
- Messages
[ 20.290851] BUG: unable to handle kernel NULL pointer dereference at 000000000000002e
[ 20.291962] #PF error: [normal kernel read fault]
[ 20.292640] PGD 800000023283a067 P4D 800000023283a067 PUD 234087067 PMD 0
[ 20.293602] Oops: 0000 [#1] SMP PTI
[ 20.294134] CPU: 0 PID: 1094 Comm: apport Not tainted 5.0.0-rc8+ #9
[ 20.295020] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 20.296331] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 20.297050] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f
74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08
48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 20.299663] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 20.300390] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 20.301375] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 20.302398] RBP: ffffa144410b7cd8 R08: ffffffff8d81b860 R09: ffff9115af598780
[ 20.303387] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 20.304375] R13: ffff9115b4efa020 R14: ffff9115b21723a8 R15: ffff9115b21723b8
[ 20.305365] FS: 0000000000000000(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 20.306522] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.307317] CR2: 000000000000002e CR3: 000000022f5c8006 CR4: 00000000001606f0
[ 20.308301] Call Trace:
[ 20.308656] vma_interval_tree_insert+0x84/0x90
[ 20.309292] __vma_link_file+0x46/0x50
[ 20.309820] vma_link+0x74/0xc0
[ 20.310309] mmap_region+0x43f/0x610
[ 20.310815] do_mmap+0x46e/0x610
[ 20.311274] ? ima_file_mmap+0x61/0x90
[ 20.311804] vm_mmap_pgoff+0xcc/0x120
[ 20.312322] ksys_mmap_pgoff+0x1cb/0x290
[ 20.312876] __x64_sys_mmap+0x33/0x40
[ 20.313394] do_syscall_64+0x5a/0x110
[ 20.313915] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.314663] RIP: 0033:0x7f5b857824ba
[ 20.315168] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9
49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0
ff ff 77 4e 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[ 20.317740] RSP: 002b:00007ffc4b7909f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 20.318831] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f5b857824ba
[ 20.319810] RDX: 0000000000000005 RSI: 0000000000228068 RDI: 0000000000000000
[ 20.320789] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
[ 20.321771] R10: 0000000000000802 R11: 0000000000000246 R12: 0000000000000000
[ 20.322792] R13: 0000000000228068 R14: 0000000000000802 R15: 0000000000000000
[ 20.323776] Modules linked in:
[ 20.324210] CR2: 000000000000002e
[ 20.324695] ---[ end trace e553cf509f875842 ]---
[ 20.325346] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 20.326092] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f
74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08
48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 20.328680] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 20.329410] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 20.330456] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 20.331469] RBP: ffffa144410b7cd8 R08: ffffffff8d81b860 R09: ffff9115af598780
[ 20.332458] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 20.333444] R13: ffff9115b4efa020 R14: ffff9115b21723a8 R15: ffff9115b21723b8
[ 20.334481] FS: 0000000000000000(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 20.335601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.336401] CR2: 000000000000002e CR3: 000000022f5c8006 CR4: 00000000001606f0
wait a little bit...
[ 34.969989] general protection fault: 0000 [#2] SMP PTI
[ 34.970784] CPU: 0 PID: 1095 Comm: systemd-cgroups Tainted: G D 5.0.0-rc8+ #9
[ 34.971981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 34.973320] RIP: 0010:vma_interval_tree_insert+0x2c/0x90
[ 34.974126] Code: 44 00 00 48 8b 47 08 48 2b 07 49 89 fb 4c 8b 97 98 00 00 00
48 89 f1 ba 01 00 00 00 45 31 c9 48 c1 e8 0c 4d 8d 44 02 ff eb 1d <4c> 39 40 18
73 04 4c 89 40 18 4c 3b 50 40 48 8d 48 10 72 06 48 8d
[ 34.976747] RSP: 0018:ffffa1444155bd08 EFLAGS: 00010286
[ 34.977486] RAX: c5ffff9115ab8436 RBX: ffff9115b4e51cf8 RCX: ffff9115ab843431
[ 34.978531] RDX: 0000000000000000 RSI: ffff9115b5b21730 RDI: ffff9115ab2b9bb8
[ 34.979571] RBP: ffffa1444155bd10 R08: 00000000000001c5 R09: ffff9115ab843421
[ 34.980610] R10: 00000000000001c4 R11: ffff9115ab2b9bb8 R12: ffff9115b4e51c80
[ 34.981650] R13: ffff9115b4e51898 R14: 0000000000000000 R15: 0000000000000000
[ 34.982716] FS: 00007ff7107dd840(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 34.983890] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 34.984729] CR2: 00007ff70fc3e280 CR3: 000000023299e004 CR4: 00000000001606f0
[ 34.985773] Call Trace:
[ 34.986147] ? __vma_link_file+0x46/0x50
[ 34.986729] __vma_adjust+0x111/0x7b0
[ 34.987273] ? kmem_cache_alloc+0x3a/0x170
[ 34.987880] __split_vma+0x18c/0x1a0
[ 34.988412] split_vma+0x1b/0x30
[ 34.988893] mprotect_fixup+0x2a7/0x360
[ 34.989464] ? common_file_perm+0x47/0x140
[ 34.990073] ? common_mmap+0x4b/0x50
[ 34.990604] ? apparmor_file_mprotect+0x2d/0x30
[ 34.991272] do_mprotect_pkey+0x214/0x380
[ 34.991865] __x64_sys_mprotect+0x1f/0x30
[ 34.992467] do_syscall_64+0x5a/0x110
[ 34.993009] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 34.993772] RIP: 0033:0x7ff7105df557
[ 34.994304] Code: ff 66 90 b8 0b 00 00 00 0f 05 48 3d 01 f0 ff ff 73 01 c3 48
8d 0d d9 bb 20 00 f7 d8 89 01 48 83 c8 ff c3 b8 0a 00 00 00 0f 05 <48> 3d 01 f0
ff ff 73 01 c3 48 8d 0d b9 bb 20 00 f7 d8 89 01 48 83
[ 34.996989] RSP: 002b:00007ffe23ac78b8 EFLAGS: 00000206 ORIG_RAX: 000000000000000a
[ 34.998085] RAX: ffffffffffffffda RBX: 00007ff70fbd27b8 RCX: 00007ff7105df557
[ 34.999086] RDX: 0000000000000001 RSI: 0000000000004000 RDI: 00007ff70ff73000
[ 35.000119] RBP: 00007ffe23ac79e0 R08: 0000000000000000 R09: 00007ff7107eb700
[ 35.001120] R10: 0000000000000003 R11: 0000000000000206 R12: 00007ff7107e0000
[ 35.002191] R13: 00007ff70fbb3000 R14: 00007ff70fbd27a0 R15: 00000000003c4018
[ 35.003190] Modules linked in:
[ 35.003643] ---[ end trace e553cf509f875843 ]---
[ 35.004304] RIP: 0010:__rb_insert_augmented+0x30/0x220
[ 35.005034] Code: 41 55 41 54 53 49 89 fc 49 89 f6 48 83 ec 08 84 d2 48 8b 3f
74 03 4c 89 21 48 85 ff 0f 84 4c 01 00 00 48 8b 1f f6 c3 01 75 45 <48> 8b 43 08
48 89 da 48 39 f8 0f 84 a0 00 00 00 48 85 c0 74 3d f6
[ 35.007704] RSP: 0018:ffffa144410b7cb0 EFLAGS: 00010246
[ 35.008466] RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffff9115b21723b0
[ 35.009472] RDX: 0000000000000000 RSI: ffff9115b21723a8 RDI: ffff9115af598780
[ 35.010520] RBP: ffffa144410b7cd8 R08: ffffffff8d81b860 R09: ffff9115af598780
[ 35.011528] R10: 0000000000000000 R11: ffff9115aa8060c8 R12: ffff9115aa806120
[ 35.012536] R13: ffff9115b4efa020 R14: ffff9115b21723a8 R15: ffff9115b21723b8
[ 35.013588] FS: 00007ff7107dd840(0000) GS:ffff9115b7a00000(0000) knlGS:0000000000000000
[ 35.014746] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.015561] CR2: 00007ff70fc3e280 CR3: 000000023299e004 CR4: 00000000001606f0
- Possible reason
The address of inode (F2FS_I_SB) is not accessible. (in my case, it is 0xa034)
It seems that this is because the given address of page is not appropriate.
static bool __is_cp_guaranteed(struct page *page)
{
    struct address_space *mapping = page->mapping;
    struct inode *inode;
    struct f2fs_sb_info *sbi;

    if (!mapping)
        return false;

    inode = mapping->host;
    sbi = F2FS_I_SB(inode);        /* <-- line marked by the reporter */

    if (inode->i_ino == F2FS_META_INO(sbi) ||
            inode->i_ino == F2FS_NODE_INO(sbi) ||
            S_ISDIR(inode->i_mode) ||
            (S_ISREG(inode->i_mode) &&
            (f2fs_is_atomic_file(inode) ||
            IS_NOQUOTA(inode))) ||
            is_cold_data(page))
        return true;
    return false;
}
--
You are receiving this mail because:
You are watching the assignee of the bug.
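The two oopses in this report read differently: the first faults at CR2 = 0x2e, i.e. a NULL base pointer plus a small struct field offset, while the second is a #GP raised by a non-canonical value in RAX (c5ffff9115ab8436), the signature of a pointer whose top bytes were overwritten. The following triage script is an added example, not part of the report or of f2fs; it parses the constructed excerpt of the report's own dmesg lines embedded below and classifies each oops by that rule.

```python
import re

# Constructed sample: header, RIP and register lines of the two oopses from the report above.
SAMPLE = """\
[   20.290851] BUG: unable to handle kernel NULL pointer dereference at 000000000000002e
[   20.296331] RIP: 0010:__rb_insert_augmented+0x30/0x220
[   20.307317] CR2: 000000000000002e CR3: 000000022f5c8006 CR4: 00000000001606f0
[   20.324695] ---[ end trace e553cf509f875842 ]---
[   34.969989] general protection fault: 0000 [#2] SMP PTI
[   34.973320] RIP: 0010:vma_interval_tree_insert+0x2c/0x90
[   34.977486] RAX: c5ffff9115ab8436 RBX: ffff9115b4e51cf8 RCX: ffff9115ab843431
[   35.003643] ---[ end trace e553cf509f875843 ]---
"""

PAGE_SIZE = 4096
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})\b")
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(\S+)")

def is_canonical(addr):
    # x86-64 with 48-bit virtual addresses: bits 63..47 must all equal bit 47
    top = addr >> 47
    return top == 0 or top == 0x1ffff

def parse_oops(text):
    # Split a dmesg excerpt into oops records holding the kernel RIP and register values.
    records, cur = [], None
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s*", "", raw)   # drop the timestamp
        if line.startswith(("BUG:", "general protection fault")):
            cur = {"header": line, "rip": None, "regs": {}}
            records.append(cur)
        elif cur and line.startswith("RIP:"):
            m = RIP_RE.search(line)
            if m and cur["rip"] is None:      # keep the kernel RIP, not the later user one
                cur["rip"] = m.group(1)
        elif cur:
            for name, val in REG_RE.findall(line):
                cur["regs"][name] = int(val, 16)
    return records

def classify(rec):
    # Triage verdict: which kind of bad pointer produced this oops.
    regs = rec["regs"]
    if rec["header"].startswith("BUG:") and "CR2" in regs:
        # a fault inside the first page is NULL plus a struct field offset
        return ("null-deref" if regs["CR2"] < PAGE_SIZE else "bad-addr"), regs["CR2"]
    if rec["header"].startswith("general protection fault"):
        # a #GP with a non-canonical register value points at a corrupted pointer
        return "non-canonical-ptr", [n for n, v in regs.items() if not is_canonical(v)]
    return "unknown", None
```

For the first oops the verdict is a NULL dereference at field offset 0x2e inside __rb_insert_augmented; for the second it is a corrupted pointer in RAX inside vma_interval_tree_insert.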