Received-SPF: pass (google.com: domain of linux-kernel+bounces-28434-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Precedence: bulk
MIME-Version: 1.0
References: <20240116141138.1245-1-qwjhust@gmail.com> <CACOAw_yL7fLmjLkK29yEb3hgTqoDO2hntOX5LMHmWjZWWix1ig@mail.gmail.com>
In-Reply-To: <CACOAw_yL7fLmjLkK29yEb3hgTqoDO2hntOX5LMHmWjZWWix1ig@mail.gmail.com>
From: Wenjie Qi <qwjhust@gmail.com>
Date: Wed, 17 Jan 2024 09:39:48 +0800
Message-ID: <CAGFpFsSSg+Xs9TAw8qOadUxj8kYfyc+h3cCu_UJsxXUzMu50vQ@mail.gmail.com>
Subject: Re: [f2fs-dev] [PATCH v1] f2fs: fix NULL pointer dereference in f2fs_submit_page_write()
To: Daeho Jeong <daeho43@gmail.com>
Cc: jaegeuk@kernel.org, chao@kernel.org, 
	linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, 
	hustqwj@hust.edu.cn
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello Daeho,
I don't think moving just the "out" label will work.
If a fio is zone end and in_list =3D 1, that fio is missed without being ju=
dged.

On Wed, Jan 17, 2024 at 5:58=E2=80=AFAM Daeho Jeong <daeho43@gmail.com> wro=
te:
>
> On Tue, Jan 16, 2024 at 6:13=E2=80=AFAM Wenjie Qi <qwjhust@gmail.com> wro=
te:
> >
> > BUG: kernel NULL pointer dereference, address: 0000000000000014
> > RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs]
> > Call Trace:
> > <TASK>
> > ? show_regs+0x6e/0x80
> > ? __die+0x29/0x70
> > ? page_fault_oops+0x154/0x4a0
> > ? prb_read_valid+0x20/0x30
> > ? __irq_work_queue_local+0x39/0xd0
> > ? irq_work_queue+0x36/0x70
> > ? do_user_addr_fault+0x314/0x6c0
> > ? exc_page_fault+0x7d/0x190
> > ? asm_exc_page_fault+0x2b/0x30
> > ? f2fs_submit_page_write+0x6cf/0x780 [f2fs]
> > ? f2fs_submit_page_write+0x736/0x780 [f2fs]
> > do_write_page+0x50/0x170 [f2fs]
> > f2fs_outplace_write_data+0x61/0xb0 [f2fs]
> > f2fs_do_write_data_page+0x3f8/0x660 [f2fs]
> > f2fs_write_single_data_page+0x5bb/0x7a0 [f2fs]
> > f2fs_write_cache_pages+0x3da/0xbe0 [f2fs]
> > ...
> > It is possible that other threads have added this fio to io->bio
> > and submitted the io->bio before entering f2fs_submit_page_write().
> > At this point io->bio =3D NULL.
> > If is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true,
> > then an NULL pointer dereference error occurs at bio_get(io->bio).
> > The original code for determining zone end was after "out:",
> > which would have missed some fio who is zone end. I've moved
> >  this code before "skip:" to make sure it's done for each fio.
> >
> > Signed-off-by: Wenjie Qi <qwjhust@gmail.com>
> > ---
> >  fs/f2fs/data.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
> > index dce8defdf4c7..4f445906db8b 100644
> > --- a/fs/f2fs/data.c
> > +++ b/fs/f2fs/data.c
> > @@ -1080,10 +1080,6 @@ void f2fs_submit_page_write(struct f2fs_io_info =
*fio)
> >         io->last_block_in_bio =3D fio->new_blkaddr;
> >
> >         trace_f2fs_submit_page_write(fio->page, fio);
> > -skip:
> > -       if (fio->in_list)
> > -               goto next;
> > -out:
> >  #ifdef CONFIG_BLK_DEV_ZONED
> >         if (f2fs_sb_has_blkzoned(sbi) && btype < META &&
> >                         is_end_zone_blkaddr(sbi, fio->new_blkaddr)) {
> > @@ -1096,6 +1092,10 @@ void f2fs_submit_page_write(struct f2fs_io_info =
*fio)
> >                 __submit_merged_bio(io);
> >         }
> >  #endif
> > +skip:
> > +       if (fio->in_list)
> > +               goto next;
> > +out:
>
> How about moving only the "out" label instead of the whole block from
> "skip" to "out"?
>
> >         if (is_sbi_flag_set(sbi, SBI_IS_SHUTDOWN) ||
> >                                 !f2fs_is_checkpoint_ready(sbi))
> >                 __submit_merged_bio(io);
> > --
> > 2.34.1
> >
> >
> >
> > _______________________________________________
> > Linux-f2fs-devel mailing list
> > Linux-f2fs-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel