Message-ID: <2b669973-caf0-75e8-f421-7647dddf03ce@kernel.org>
Date: Wed, 14 Sep 2022 21:47:46 +0800
Subject: Re: [f2fs-dev] [PATCH] f2fs: fix missing mapping caused by the mount/umount race
To: Jaegeuk Kim
Cc: syzbot+775a3440817f74fddb8c@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net
References: <20220829215206.3082124-1-jaegeuk@kernel.org>
From: Chao Yu

On 2022/8/31 11:05, Jaegeuk Kim wrote:
> On 08/30, Jaegeuk Kim wrote:
>> On 08/30, Chao Yu wrote:
>>> On 2022/8/30 5:52, Jaegeuk Kim wrote:
>>>> Sometimes we can get a cached meta_inode which has no aops yet. Let's set it
>>>> all the time to fix the below panic.
>>>>
>>>> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
>>>> Mem abort info:
>>>> ESR = 0x0000000086000004
>>>> EC = 0x21: IABT (current EL), IL = 32 bits
>>>> SET = 0, FnV = 0
>>>> EA = 0, S1PTW = 0
>>>> FSC = 0x04: level 0 translation fault
>>>> user pgtable: 4k pages, 48-bit VAs, pgdp=0000000109ee4000
>>>> [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
>>>> Internal error: Oops: 86000004 [#1] PREEMPT SMP
>>>> Modules linked in:
>>>> CPU: 1 PID: 3045 Comm: syz-executor330 Not tainted 6.0.0-rc2-syzkaller-16455-ga41a877bc12d #0
>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
>>>> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>>>> pc : 0x0
>>>> lr : folio_mark_dirty+0xbc/0x208 mm/page-writeback.c:2748
>>>> sp : ffff800012783970
>>>> x29: ffff800012783970 x28: 0000000000000000 x27: ffff800012783b08
>>>> x26: 0000000000000001 x25: 0000000000000400 x24: 0000000000000001
>>>> x23: ffff0000c736e000 x22: 0000000000000045 x21: 05ffc00000000015
>>>> x20: ffff0000ca7403b8 x19: fffffc00032ec600 x18: 0000000000000181
>>>> x17: ffff80000c04d6bc x16: ffff80000dbb8658 x15: 0000000000000000
>>>> x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
>>>> x11: ff808000083e9814 x10: 0000000000000000 x9 : ffff8000083e9814
>>>> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
>>>> x5 : ffff0000cbb19000 x4 : ffff0000cb3d2000 x3 : ffff0000cbb18f80
>>>> x2 : fffffffffffffff0 x1 : fffffc00032ec600 x0 : ffff0000ca7403b8
>>>> Call trace:
>>>> 0x0
>>>> set_page_dirty+0x38/0xbc mm/folio-compat.c:62
>>>> f2fs_update_meta_page+0x80/0xa8 fs/f2fs/segment.c:2369
>>>> do_checkpoint+0x794/0xea8 fs/f2fs/checkpoint.c:1522
>>>> f2fs_write_checkpoint+0x3b8/0x568 fs/f2fs/checkpoint.c:1679
>>>>
>>>> Cc: stable@vger.kernel.org
>>>> Reported-by: syzbot+775a3440817f74fddb8c@syzkaller.appspotmail.com
>>>> Signed-off-by: Jaegeuk Kim
>>>> ---
>>>> fs/f2fs/inode.c | 13 ++++++++-----
>>>> 1 file changed, 8 insertions(+), 5 deletions(-)
>>>>
>>>> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c >>>> index 6d11c365d7b4..1feb0a8a699e 100644 >>>> --- a/fs/f2fs/inode.c >>>> +++ b/fs/f2fs/inode.c 
>>>> @@ -490,10 +490,7 @@ struct inode *f2fs_iget(struct super_block *sb, unsigned long ino) >>>> if (!inode) >>>> return ERR_PTR(-ENOMEM); >>>> - if (!(inode->i_state & I_NEW)) { >>>> - trace_f2fs_iget(inode); >>>> - return inode; >>>> - } >>>> + /* We can see an old cached inode. Let's set the aops all the time. */
>>>
>>> Why an old cached inode (has no I_NEW flag) has NULL a_ops pointer? If it is a bad
>>> inode, it should be unhashed before unlock_new_inode().
>>
>> I'm trying to dig further tho, it's not a bad inode, nor I_FREEING | I_CLEAR.
>> It's very weird that this meta inode is found in newly created superblock by
>> the global hash table. I've checked that the same superblock pointer was used
>> in the previous tests, but inode was evicted all the time.
>
> I'll drop this patch, since it turned out there is a bug in reiserfs which
> doesn't free the root inode (ino=2). That leads f2fs to find an ino=2 with
> the previous superblock point used by reiserfs. That stale inode has no valid

One more question, why stale inode could be remained in inode hash table,
shouldn't the stale inode be evicted/unhashed in below path during reiserfs umount:

- reiserfs_kill_sb
- kill_block_super
- generic_shutdown_super
- evict_inodes
- dispose_list
- evict
- remove_inode_hash

Thanks,

> inode that f2fs can use. I tried to find where the root cause is in reiserfs,
> but it seems quite hard to catch one.
>
> - reiserfs_fill_super
> - reiserfs_xattr_init
> - create_privroot
> - xattr_mkdir
> - reiserfs_new_inode
> - reiserfs_get_unused_objectid returned 0 due to map crash
>
> It seems the error path doesn't handle the root inode properly.
>
>>
>>>
>>> Thanks,
>>>
>>>> if (ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi)) >>>> goto make_now; 
>>>> @@ -502,6 +499,11 @@ struct inode *f2fs_iget(struct super_block *sb, unsigned long ino) >>>> goto make_now; >>>> #endif >>>> + if (!(inode->i_state & I_NEW)) { >>>> + trace_f2fs_iget(inode); >>>> + return inode; >>>> + } >>>> + >>>> ret = do_read_inode(inode); >>>> if (ret) >>>> goto bad_inode; >>>> @@ -557,7 +559,8 @@ struct inode *f2fs_iget(struct super_block *sb, unsigned long ino) >>>> file_dont_truncate(inode); >>>> } >>>> - unlock_new_inode(inode); >>>> + if (inode->i_state & I_NEW) >>>> + unlock_new_inode(inode); >>>> trace_f2fs_iget(inode); >>>> return inode;
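
Review bot: in the hunk at -490,10 +490,7, the added comment says an old cached inode can be seen but not how an inode without I_NEW comes to have no aops, and with the early return removed every lookup of a cached node or meta inode now takes `goto make_now` again. Please document the condition that produces such an inode, or test for it directly and fail loudly, instead of re-running the setup on an inode that may already be in use.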
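
Review bot: in the hunk at -502,6 +499,11, the fix depends on the I_NEW early return sitting below the `goto make_now` branches, and nothing at that spot says so. A one-line comment stating that the special inodes must skip the cached-inode shortcut would keep a later cleanup from moving the check back to the top of f2fs_iget().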
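
Review bot: in the hunk at -557,7 +559,8, only the success path is taught that the inode may lack I_NEW; the target of the `goto bad_inode` seen in the previous hunk is outside the diff. Please confirm that the error path also copes with a cached inode that is no longer I_NEW, or state in the changelog why such an inode can never reach it.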