2024-05-17 03:49:47

by Chao Yu

[permalink] [raw]
Subject: Re: 答复: [External Mail][PATCH] f2fs: f ix panic in f2fs_put_super

On 2024/5/16 18:15, 孙士杰 wrote:
> I didn't get it, if there is no cp_err, f2fs_write_checkpoint() in
> f2fs_put_super() will flush all dirty pages of node_inode, if there is
> cp_err, below flow will keep all dirty pages being truncated, and
> there is sanity check on all types of dirty pages.
>
> ===》
> I understand what you mean, so is it better to modify in this way? Please help to check, thank you

Hi, let's figure out the root cause first?

Thanks,

>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *发件人:* sunshijie <[email protected]>
> *发送时间:* 2024年5月16日 18:13:38
> *收件人:* [email protected]; [email protected]; [email protected]; [email protected]
> *抄送:* 孙士杰
> *主题:* [External Mail][PATCH] f2fs: fix panic in f2fs_put_super
> [外部邮件] 此邮件来源于小米公司外部,请谨慎处理。若对邮件安全性存疑,请将邮件转发给[email protected]进行反馈
>
> When thread A calls kill_f2fs_super, Thread A first executes the code sbi->node_inode = NULL;
> Then thread A may submit a bio to the function iput(sbi->meta_inode);
> Then thread A enters the process D state,
> Now that the bio submitted by thread A is complete, it calls f2fs_write_end_io and may trigger null-ptr-deref in NODE_MAPPING.
>
> Thread A                                          IRQ context
> - f2fs_put_super
>  - sbi->node_inode = NULL;
>  - iput(sbi->meta_inode);
>   - iput_final
>    - write_inode_now
>     - writeback_single_inode
>      - __writeback_single_inode
>       - filemap_fdatawait
>        - filemap_fdatawait_range
>         - __kcfi_typeid_free_transhuge_page
>          - __filemap_fdatawait_range
>           - wait_on_page_writeback
>            - folio_wait_writeback
>             - folio_wait_bit
>              - folio_wait_bit_common
>               - io_schedule
>
>                                                   - __handle_irq_event_percpu
>                                                    - ufs_qcom_mcq_esi_handler
>                                                     - ufshcd_mcq_poll_cqe_nolock
>                                                      - ufshcd_compl_one_cqe
>                                                       - scsi_done
>                                                        - scsi_done_internal
>                                                         - blk_mq_complete_request
>                                                          - scsi_complete
>                                                           - scsi_finish_command
>                                                            - scsi_io_completion
>                                                             - scsi_end_request
>                                                              - blk_update_request
>                                                               - bio_endio
>                                                                - f2fs_write_end_io
>                                                                 - NODE_MAPPING(sbi)
>
> Signed-off-by: sunshijie <[email protected]>
> ---
>  fs/f2fs/super.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
> index adffc9b80a9c..62d4f229f601 100644
> --- a/fs/f2fs/super.c
> +++ b/fs/f2fs/super.c
> @@ -1642,9 +1642,9 @@ static void f2fs_put_super(struct super_block *sb)
>         f2fs_destroy_compress_inode(sbi);
>
>         iput(sbi->node_inode);
> -       sbi->node_inode = NULL;
> -
>         iput(sbi->meta_inode);
> +
> +       sbi->node_inode = NULL;
>         sbi->meta_inode = NULL;
>
>         mutex_unlock(&sbi->umount_mutex);
> --
> 2.34.1
>
> #/******本邮件及其附件含有小米公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件! This e-mail and its attachments contain confidential information from XIAOMI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!******/#