tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally

Syzbot reported a f2fs bug as below:

------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:1900!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6527 Comm: syz.5.110 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:f2fs_issue_discard_timeout+0x59b/0x5a0 fs/f2fs/segment.c:1900
Code: d9 80 e1 07 80 c1 03 38 c1 0f 8c d6 fe ff ff 48 89 df e8 a8 5e fa fd e9 c9 fe ff ff e8 4e 46 94 fd 90 0f 0b e8 46 46 94 fd 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
RSP: 0018:ffffc9000494f940 EFLAGS: 00010283
RAX: ffffffff843009ca RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc9001ca78000 RSI: 00000000000029f3 RDI: 00000000000029f4
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed100893a431 R12: 1ffff1100893a430
R13: 1ffff1100c2b702c R14: dffffc0000000000 R15: ffff8880449d2160
FS: 00007ffa35fed6c0(0000) GS:ffff88812643d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2b68634000 CR3: 0000000039f62000 CR4: 00000000003526f0
Call Trace:
<TASK>
__f2fs_remount fs/f2fs/super.c:2960 [inline]
f2fs_reconfigure+0x108a/0x1710 fs/f2fs/super.c:5443
reconfigure_super+0x227/0x8a0 fs/super.c:1080
do_remount fs/namespace.c:3391 [inline]
path_mount+0xdc5/0x10e0 fs/namespace.c:4151
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount+0x31d/0x420 fs/namespace.c:4338
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffa37dbda0a

The root cause is there will be race condition in between f2fs_ioc_fitrim()
and f2fs_remount():

- f2fs_remount - f2fs_ioc_fitrim
- f2fs_issue_discard_timeout
- __issue_discard_cmd
- __drop_discard_cmd
- __wait_all_discard_cmd
- f2fs_trim_fs
- f2fs_write_checkpoint
- f2fs_clear_prefree_segments
- f2fs_issue_discard
- __issue_discard_async
- __queue_discard_cmd
- __update_discard_tree_range
- __insert_discard_cmd
- __create_discard_cmd
: atomic_inc(&dcc->discard_cmd_cnt);
- sanity check on dcc->discard_cmd_cnt (expect discard_cmd_cnt to be zero)

This will only happen when fitrim races w/ remount rw, if we remount to
readonly filesystem, remount will wait until mnt_pcp.mnt_writers to zero,
that means fitrim is not in process at that time.

Cc: stable@kernel.org
Fixes: 2482c4325dfe ("f2fs: detect bug_on in f2fs_wait_discard_bios")
Reported-by: syzbot+62538b67389ee582837a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/69b07d7c.050a0220.8df7.09a1.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

authored by

Chao Yu and committed by
Jaegeuk Kim 6af249c9 68cb1a6b

+12 -7
+1 -1
fs/f2fs/f2fs.h
··· 3988 3988 int f2fs_start_discard_thread(struct f2fs_sb_info *sbi); 3989 3989 void f2fs_drop_discard_cmd(struct f2fs_sb_info *sbi); 3990 3990 void f2fs_stop_discard_thread(struct f2fs_sb_info *sbi); 3991 - bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi); 3991 + bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi, bool need_check); 3992 3992 void f2fs_clear_prefree_segments(struct f2fs_sb_info *sbi, 3993 3993 struct cp_control *cpc); 3994 3994 void f2fs_dirty_to_prefree(struct f2fs_sb_info *sbi);
+3 -3
fs/f2fs/segment.c
··· 1880 1880 * 1881 1881 * Return true if issued all discard cmd or no discard cmd need issue, otherwise return false. 1882 1882 */ 1883 - bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi) 1883 + bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi, bool need_check) 1884 1884 { 1885 1885 struct discard_cmd_control *dcc = SM_I(sbi)->dcc_info; 1886 1886 struct discard_policy dpolicy; ··· 1897 1897 /* just to make sure there is no pending discard commands */ 1898 1898 __wait_all_discard_cmd(sbi, NULL); 1899 1899 1900 - f2fs_bug_on(sbi, atomic_read(&dcc->discard_cmd_cnt)); 1900 + f2fs_bug_on(sbi, need_check && atomic_read(&dcc->discard_cmd_cnt)); 1901 1901 return !dropped; 1902 1902 } 1903 1903 ··· 2367 2367 * Recovery can cache discard commands, so in error path of 2368 2368 * fill_super(), it needs to give a chance to handle them. 2369 2369 */ 2370 - f2fs_issue_discard_timeout(sbi); 2370 + f2fs_issue_discard_timeout(sbi, true); 2371 2371 2372 2372 kfree(dcc); 2373 2373 SM_I(sbi)->dcc_info = NULL;
+8 -3
fs/f2fs/super.c
··· 2009 2009 } 2010 2010 2011 2011 /* be sure to wait for any on-going discard commands */ 2012 - done = f2fs_issue_discard_timeout(sbi); 2012 + done = f2fs_issue_discard_timeout(sbi, true); 2013 2013 if (f2fs_realtime_discard_enable(sbi) && !sbi->discard_blks && done) { 2014 2014 struct cp_control cpc = { 2015 2015 .reason = CP_UMOUNT | CP_TRIMMED, ··· 2152 2152 * will recover after removal of snapshot. 2153 2153 */ 2154 2154 if (test_opt(sbi, DISCARD) && !f2fs_hw_support_discard(sbi)) 2155 - f2fs_issue_discard_timeout(sbi); 2155 + f2fs_issue_discard_timeout(sbi, true); 2156 2156 2157 2157 clear_sbi_flag(F2FS_SB(sb), SBI_IS_FREEZING); 2158 2158 return 0; ··· 2957 2957 need_stop_discard = true; 2958 2958 } else { 2959 2959 f2fs_stop_discard_thread(sbi); 2960 - f2fs_issue_discard_timeout(sbi); 2960 + /* 2961 + * f2fs_ioc_fitrim() won't race w/ "remount ro" 2962 + * so it's safe to check discard_cmd_cnt in 2963 + * f2fs_issue_discard_timeout(). 2964 + */ 2965 + f2fs_issue_discard_timeout(sbi, flags & SB_RDONLY); 2961 2966 need_restart_discard = true; 2962 2967 } 2963 2968 }