• Chao Yu's avatar
    f2fs: fix to clear dirty inode in error path of f2fs_iget() · 546d22f0
    Chao Yu authored
    As Jungyeon reported in bugzilla:
    
    https://bugzilla.kernel.org/show_bug.cgi?id=203217
    
    - Overview
    When mounting the attached crafted image and running program, I got this error.
    Additionally, it hangs on sync after running the program.
    
    The image is intentionally fuzzed from a normal f2fs image for testing and I enabled option CONFIG_F2FS_CHECK_FS on.
    
    - Reproduces
    cc poc_test_05.c
    mkdir test
    mount -t f2fs tmp.img test
    sudo ./a.out
    sync
    
    - Messages
     kernel BUG at fs/f2fs/inode.c:707!
     RIP: 0010:f2fs_evict_inode+0x33f/0x3a0
     Call Trace:
      evict+0xba/0x180
      f2fs_iget+0x598/0xdf0
      f2fs_lookup+0x136/0x320
      __lookup_slow+0x92/0x140
      lookup_slow+0x30/0x50
      walk_component+0x1c1/0x350
      path_lookupat+0x62/0x200
      filename_lookup+0xb3/0x1a0
      do_readlinkat+0x56/0x110
      __x64_sys_readlink+0x16/0x20
      do_syscall_64+0x43/0xf0
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    During inode loading, __recover_inline_status() can recovery inode status
    and set inode dirty, once we failed in following process, it will fail
    the check in f2fs_evict_inode, result in trigger BUG_ON().
    
    Let's clear dirty inode in error path of f2fs_iget() to avoid panic.
    Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
    Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
    546d22f0
inode.c 21.7 KB