public inbox for linux-f2fs-devel@lists.sourceforge.net
* [f2fs-dev] [Bug 220951] New: swapfile activation bug causes data corruption when swapfile < 2MB with fragmented extents
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-01-07  2:20 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=220951

            Bug ID: 220951
           Summary: swapfile activation bug causes data corruption when
                    swapfile < 2MB with fragmented extents
           Product: File System
           Version: 2.5
          Hardware: ARM
                OS: Linux
            Status: NEW
          Severity: high
          Priority: P3
         Component: f2fs
          Assignee: filesystem_f2fs@kernel-bugs.kernel.org
          Reporter: guoxiaolong2008@gmail.com
        Regression: No

When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+,
the system experiences data corruption leading to either:
1. dm-verity corruption errors and device reboot
2. F2FS node corruption errors and boot hangs

The issue occurs specifically when:
1. Using F2FS filesystem (ext4 is unaffected)
2. Swapfile size is less than F2FS section size (2MB)
3. Swapfile has fragmented physical layout (multiple non-contiguous extents)
4. Kernel version is 6.6+ (6.1 is unaffected)

The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the
first extent of a small swapfile (< 2MB) is not aligned to section boundaries,
the function incorrectly treats it as the last extent, failing to map
subsequent extents. This results in incorrect swap_extent creation where only
the first extent is mapped, causing subsequent swap writes to overwrite wrong
physical locations (other files' data).

Steps to Reproduce
1. Set up a device with an F2FS-formatted userdata partition
2. Compile stress-ng from https://github.com/ColinIanKing/stress-ng
3. Run the swap stress test (Android devices):
adb shell "cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60 --swap 0"

Log:
1. Ftrace shows that in kernel 6.6, only the first extent is mapped during the
second f2fs_map_blocks call in check_swap_activate():
stress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start blkaddr=0x43143, len=0x1
(Only 4KB mapped, not the full swapfile)
2. In kernel 6.1, both extents are correctly mapped:
stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start blkaddr=0x13cd4, len=0x1
stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start blkaddr=0x60c84b, len=0xff

The problematic code is in check_swap_activate():
if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||
    nr_pblocks % blks_per_sec ||
    !f2fs_valid_pinned_area(sbi, pblock)) {
    bool last_extent = false;

    not_aligned++;

    nr_pblocks = roundup(nr_pblocks, blks_per_sec);
    if (cur_lblock + nr_pblocks > sis->max)
        nr_pblocks -= blks_per_sec;

    /* this extent is last one */
    if (!nr_pblocks) {
        nr_pblocks = last_lblock - cur_lblock;
        last_extent = true;
    }

    ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);
    if (ret) {
        if (ret == -ENOENT)
            ret = -EINVAL;
        goto out;
    }

    if (!last_extent)
        goto retry;
}

When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)
exceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The
code then incorrectly assumes this is the last extent, sets nr_pblocks =
last_lblock - cur_lblock (entire swapfile), and performs migration. After
migration, it doesn't retry mapping, so subsequent extents are never processed.

Only one swap_extent is created starting at the first extent's physical block.
Subsequent swap writes use incorrect sector calculations, overwriting other
files' data.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
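
The arithmetic described in the report above, worked through as an added example (not code from the report, from f2fs, or from the fix). It assumes blks_per_sec is 512 (a 2MB section of 4KB blocks) and uses the two extents from the report's 6.1 trace; reaches_eof() and the resolve_* helpers are hypothetical names that only model the report's description.

```c
#include <stdio.h>

#define BLKS_PER_SEC 512u  /* assumption: 2MB section / 4KB blocks */
#define SWAP_BLOCKS 0x100u /* models both sis->max and last_lblock */

struct extent { unsigned lblock, pblock, len; };

/* Extents taken from the 6.1 trace quoted in the report. */
static const struct extent trace[] = {
    { 0, 0x13cd4, 0x1 }, { 1, 0x60c84b, 0xff },
};

/* The quoted arithmetic: returns 1 when the extent is treated as the last
 * one; *migrate receives the block count handed to migration. */
static int quoted_is_last(unsigned cur_lblock, unsigned nr_pblocks,
                          unsigned *migrate)
{
    int last = 0;

    nr_pblocks = (nr_pblocks + BLKS_PER_SEC - 1) / BLKS_PER_SEC * BLKS_PER_SEC;
    if (cur_lblock + nr_pblocks > SWAP_BLOCKS)
        nr_pblocks -= BLKS_PER_SEC;   /* 512 - 512 == 0 for a small file */
    if (!nr_pblocks) {                /* zero is read as "last extent" */
        nr_pblocks = SWAP_BLOCKS - cur_lblock;
        last = 1;
    }
    *migrate = nr_pblocks;
    return last;
}

/* Hypothetical ground truth: an extent is last only if it reaches EOF. */
static int reaches_eof(const struct extent *e)
{ return e->lblock + e->len >= SWAP_BLOCKS; }

/* Physical block of a swap page when every extent is mapped. */
static unsigned resolve_all(unsigned page)
{
    for (unsigned i = 0; i < sizeof(trace) / sizeof(trace[0]); i++)
        if (page >= trace[i].lblock && page < trace[i].lblock + trace[i].len)
            return trace[i].pblock + (page - trace[i].lblock);
    return 0;
}

/* Physical block when one swap_extent starts at the first extent's block. */
static unsigned resolve_first_only(unsigned page)
{ return trace[0].pblock + page; }

int main(void)
{
    unsigned n;
    int last = quoted_is_last(0, trace[0].len, &n);
    printf("treated as last=%d, reaches EOF=%d, migrate=%#x blocks\n",
           last, reaches_eof(&trace[0]), n);
    printf("swap page 1: %#x (single extent) vs %#x (all extents)\n",
           resolve_first_only(1), resolve_all(1));
    return 0;
}
```

With these inputs the one-block first extent is classified as last even though it ends 255 blocks before end of file, and swap page 1 resolves to the block right after the first extent rather than to the second extent's start.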


* [f2fs-dev] [Bug 220951] swapfile activation bug causes data corruption when swapfile < 2MB with fragmented extents
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-01-07  2:30 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=220951

guoxiaolong2008@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Kernel Version|                            |6.6


* [f2fs-dev] [Bug 220951] swapfile activation bug causes data corruption when swapfile < 2MB with fragmented extents
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-01-12 10:25 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=220951

Chao Yu (chao@kernel.org) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |chao@kernel.org

--- Comment #1 from Chao Yu (chao@kernel.org) ---
Xiaolong,

Thanks for your report and analysis!

I think your analysis is correct, based on that, I made a fix, could you please
have a try?

f2fs: fix to avoid mapping wrong physical block for swapfile

https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=bugfix/common&id=ac3dbe269a28f2d75ae963b3c6066a5259348ed2


* [f2fs-dev] [Bug 220951] swapfile activation bug causes data corruption when swapfile < 2MB with fragmented extents
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-01-13  6:03 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=220951

--- Comment #2 from guoxiaolong2008@gmail.com ---
Hi Chao Yu:
Thanks for your fix, I verified the solution and it does work.

stress-ng-swap-7946    [007] .....   346.972372: f2fs_map_blocks: dev = (254,47), ino = 16800, file offset = 0, start blkaddr = 0x77d0d, len = 0x1, flags = 2, seg_type = 8, may_create = 0, multidevice = 0, flag = 6, err = 0
stress-ng-swap-7946    [007] .....   346.972376: f2fs_map_blocks: dev = (254,47), ino = 16800, file offset = 1, start blkaddr = 0x1f6801, len = 0xff, flags = 2, seg_type = 8, may_create = 0, multidevice = 0, flag = 6, err = 0

stress-ng-swap-7946    [007] .....   346.972378: f2fs_map_blocks: dev = (254,47), ino = 16800, file offset = 0, start blkaddr = 0x77d0d, len = 0x1, flags = 2, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0
stress-ng-swap-7946    [007] .....   346.974392: f2fs_map_blocks: dev = (254,47), ino = 16800, file offset = 0, start blkaddr = 0x1f6a00, len = 0x100, flags = 2, seg_type = 8, may_create = 0, multidevice = 0, flag = 1, err = 0

The swapfile can be mapped correctly. 

Thanks.


* [f2fs-dev] [Bug 220951] swapfile activation bug causes data corruption when swapfile < 2MB with fragmented extents
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-01-13  6:15 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=220951

--- Comment #3 from Chao Yu (chao@kernel.org) ---
Xiaolong,

Thanks for your verification on the patch! Let me upstream the patch.

Thanks,


* [f2fs-dev] [Bug 220951] swapfile activation bug causes data corruption when swapfile < 2MB with fragmented extents
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-01-13  6:17 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=220951

--- Comment #4 from Chao Yu (chao@kernel.org) ---
Will add Reported-and-Tested-by tag of you in the patch, let me know if you
have any concern.

Thanks,


* [f2fs-dev] [Bug 220951] swapfile activation bug causes data corruption when swapfile < 2MB with fragmented extents
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-01-14 15:49 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=220951

--- Comment #5 from guoxiaolong2008@gmail.com ---
Hi Chao Yu:
I have no concerns for it
Thanks for your support.


* [f2fs-dev] [Bug 220951] swapfile activation bug causes data corruption when swapfile < 2MB with fragmented extents
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2026-01-20  9:20 UTC (permalink / raw)
  To: linux-f2fs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=220951

Artem S. Tashkinov (aros@gmx.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |CODE_FIX
