From: Chao Yu <chao@kernel.org>
To: Jack Qiu <jack.qiu@huawei.com>, jaegeuk@kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super
Date: Thu, 22 Jul 2021 22:05:47 +0800 [thread overview]
Message-ID: <630147dc-4f73-f985-347a-c4933c312edd@kernel.org> (raw)
In-Reply-To: <20210722044130.44591-1-jack.qiu@huawei.com>
On 2021/7/22 12:41, Jack Qiu wrote:
> The root cause is shrink_dcache_sb after sbi has been freed.
> So call shrink_dcache_sb before free sbi and other resources.
>
> ==================================================================
> BUG: KASAN: use-after-free in f2fs_evict_inode+0x31c/0xde5
> Read of size 4 at addr ffff8881d97f0d50 by task syz-executor.3/8729
>
> PU: 1 PID: 8729 Comm: syz-executor.3 Not tainted
> 4.19.195-00002-g67dceea04431-dirty #31
Does this bug below to 4.19.195?
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31
> 04/01/2014
> Call Trace:
> dump_stack+0xe5/0x14b
> ? f2fs_evict_inode+0x31c/0xde5
> print_address_description+0x6c/0x237
> ? f2fs_evict_inode+0x31c/0xde5
> kasan_report.cold+0x88/0x2a3
> f2fs_evict_inode+0x31c/0xde5
> ? full_proxy_open.cold+0x12/0x12
> evict+0x2cd/0x5f0
> iput+0x3d9/0x6f0
> dentry_unlink_inode+0x273/0x330
> __dentry_kill+0x340/0x5e0
> dentry_kill+0xb7/0x740
> shrink_dentry_list+0x256/0x660
> shrink_dcache_sb+0x11f/0x1d0
> ? shrink_dentry_list+0x660/0x660
> ? __kasan_slab_free+0x144/0x180
> f2fs_fill_super+0x2a34/0x4a80
> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
> ? wait_for_completion+0x3c0/0x3c0
> ? set_blocksize+0x230/0x2b0
> mount_bdev+0x2c1/0x370
> ? f2fs_sanity_check_ckpt.cold+0x2b6/0x2b6
> mount_fs+0x4c/0x1c0
> vfs_kern_mount.part.0+0x60/0x3d0
> do_mount+0x367/0x2570
> ? kasan_unpoison_shadow+0x33/0x40
> ? copy_mount_string+0x40/0x40
> ? kmem_cache_alloc_trace+0x13f/0x2b0
> ? _copy_from_user+0x94/0x100
> ? copy_mount_options+0x1f1/0x2e0
> ksys_mount+0xa0/0x100
> __x64_sys_mount+0xbf/0x160
> do_syscall_64+0xc2/0x190
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x47938e
> Code: 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84
> 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01
> f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fed673b6a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 000000000047938e
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fed673b6aa0
> RBP: 00007fed673b6ae0 R08: 00007fed673b6ae0 R09: 0000000020000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
> R13: 0000000020000100 R14: 00007fed673b6aa0 R15: 0000000020000b00
>
> Allocated by task 8729:
> kasan_kmalloc+0xc2/0xe0
> kmem_cache_alloc_trace+0x13f/0x2b0
> f2fs_fill_super+0x124/0x4a80
> mount_bdev+0x2c1/0x370
> mount_fs+0x4c/0x1c0
> vfs_kern_mount.part.0+0x60/0x3d0
> do_mount+0x367/0x2570
> ksys_mount+0xa0/0x100
> __x64_sys_mount+0xbf/0x160
> do_syscall_64+0xc2/0x190
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 8729:
> __kasan_slab_free+0x12f/0x180
> kfree+0xfa/0x2a0
> f2fs_fill_super+0x2a00/0x4a80
> mount_bdev+0x2c1/0x370
> mount_fs+0x4c/0x1c0
> vfs_kern_mount.part.0+0x60/0x3d0
> do_mount+0x367/0x2570
> ksys_mount+0xa0/0x100
> __x64_sys_mount+0xbf/0x160
> do_syscall_64+0xc2/0x190
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Signed-off-by: Jack Qiu <jack.qiu@huawei.com>
> ---
> fs/f2fs/super.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index 8fecd3050ccd..b041625e06ce 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -4229,6 +4229,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> free_compress_inode:
> f2fs_destroy_compress_inode(sbi);
> free_root_inode:
> + if (retry_cnt > 0 && skip_recovery)
> + shrink_dcache_sb(sb);
Compare to 4.19, last f2fs adds evict_inodes() before f2fs_unregister_sysfs(),
could you please check whether this can fix the issue?
Thanks,
> dput(sb->s_root);
> sb->s_root = NULL;
> free_node_inode:
> @@ -4285,7 +4287,6 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
> /* give only one another chance */
> if (retry_cnt > 0 && skip_recovery) {
> retry_cnt--;
> - shrink_dcache_sb(sb);
> goto try_onemore;
> }
> return err;
> --
> 2.17.1
>
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
next prev parent reply other threads:[~2021-07-22 14:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-22 4:41 [f2fs-dev] [PATCH -next] f2fs: fix use after free in f2fs_fill_super Jack Qiu
2021-07-22 14:05 ` Chao Yu [this message]
2021-07-23 2:41 ` Jack Qiu
2021-07-23 2:51 ` Chao Yu
2021-07-23 3:27 ` Jack Qiu
2021-07-23 3:29 ` Chao Yu
2021-07-23 3:45 ` Jack Qiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=630147dc-4f73-f985-347a-c4933c312edd@kernel.org \
--to=chao@kernel.org \
--cc=jack.qiu@huawei.com \
--cc=jaegeuk@kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).