Bug 200931

Summary: use-after-free in ext4_put_super()
Product: File System
Reporter: Wen Xu (wen.xu)
Component: ext4
Assignee: fs_ext4 (fs_ext4)
Status: ASSIGNED
Severity: normal
CC: tytso, wen.xu
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.18
Tree: Mainline
Regression: No
Attachments:
  The (compressed) crafted image which causes crash
  poc
  simplified poc.c
  Simplified crafted image

Description Wen Xu 2018-08-25 05:11:07 UTC
Created attachment 278077 [details]
The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t ext4 1.img mnt
# gcc 1.c
# ./a.out ./mnt
# umount mnt

- Kernel message
[ 1128.973181] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[ 1185.120237] WARNING: CPU: 0 PID: 1483 at fs/inode.c:285 drop_nlink+0x69/0x90
[ 1185.120244] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crct10dif_pclmul crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[ 1185.120666] CPU: 0 PID: 1483 Comm: a.out Not tainted 4.18.0+ #9
[ 1185.120672] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1185.120679] RIP: 0010:drop_nlink+0x69/0x90
[ 1185.120684] Code: e8 7c b5 f8 ff 49 8b 5c 24 28 be 08 00 00 00 48 8d bb 98 04 00 00 e8 26 b9 f8 ff f0 48 ff 83 98 04 00 00 5b 41 5c 41 5d 5d c3 <0f> 0b 4c 89 ef e8 cd b4 f8 ff 41 c7 44 24 48 ff ff ff ff 5b 41 5c
[ 1185.120686] RSP: 0018:ffff8801e62af910 EFLAGS: 00010246
[ 1185.120698] RAX: 0000000000000000 RBX: ffff8801e9dd8ef8 RCX: ffffffffa541eead
[ 1185.120701] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8801e9dd8f40
[ 1185.120703] RBP: ffff8801e62af928 R08: ffffed003df57d32 R09: ffffed003df57d32
[ 1185.120706] R10: 0000000000000001 R11: ffffed003df57d31 R12: ffff8801e9dd8ef8
[ 1185.120708] R13: ffff8801e9dd8f40 R14: 0000000000000008 R15: ffff8801e9da9e80
[ 1185.120712] FS:  00007fcb1db54700(0000) GS:ffff8801f7000000(0000) knlGS:0000000000000000
[ 1185.120715] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1185.120717] CR2: 00007ffc43283ebf CR3: 00000001e632c000 CR4: 00000000000006f0
[ 1185.120727] Call Trace:
[ 1185.120752]  ext4_rename+0x7af/0xd00
[ 1185.120758]  ? ext4_tmpfile+0x2d0/0x2d0
[ 1185.120770]  ? lockref_put_or_lock+0x160/0x160
[ 1185.120780]  ? link_path_walk+0x516/0x7b0
[ 1185.120792]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1185.120797]  ? legitimize_path.isra.28+0x61/0xa0
[ 1185.120801]  ? unlazy_walk+0xb8/0x150
[ 1185.120808]  ? kasan_check_write+0x14/0x20
[ 1185.120812]  ? lockref_get+0xb5/0x140
[ 1185.120817]  ext4_rename2+0xa6/0x100
[ 1185.120821]  vfs_rename+0xa70/0xda0
[ 1185.120827]  ? path_mountpoint+0x5b0/0x5b0
[ 1185.120839]  ? security_path_rename+0xcb/0x130
[ 1185.120844]  do_renameat2+0x7d2/0x860
[ 1185.120850]  ? user_path_create+0x40/0x40
[ 1185.120854]  ? may_open_dev+0x50/0x50
[ 1185.120862]  ? fsnotify+0x590/0x7d0
[ 1185.120866]  ? putname+0x80/0x90
[ 1185.120870]  ? __kasan_slab_free+0x151/0x1a0
[ 1185.120874]  ? kasan_slab_free+0xe/0x10
[ 1185.120881]  ? kmem_cache_free+0x89/0x1e0
[ 1185.120885]  ? putname+0x80/0x90
[ 1185.120892]  ? filp_open+0x60/0x60
[ 1185.120896]  ? __ia32_sys_mknod+0x50/0x50
[ 1185.120900]  ? do_sys_ftruncate+0x195/0x200
[ 1185.120905]  __x64_sys_rename+0x3b/0x50
[ 1185.120912]  do_syscall_64+0x78/0x170
[ 1185.120916]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1185.120935] RIP: 0033:0x7fcb1d6704d9
[ 1185.120940] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[ 1185.120942] RSP: 002b:00007ffc43280a58 EFLAGS: 00000207 ORIG_RAX: 0000000000000052
[ 1185.120947] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcb1d6704d9
[ 1185.120949] RDX: 00007fcb1d6704d9 RSI: 00007ffc43280c30 RDI: 00007ffc43280bf0
[ 1185.120952] RBP: 00007ffc43284ed0 R08: 00007ffc43284fb8 R09: 00007ffc43284fb8
[ 1185.120954] R10: 00007ffc43284fb8 R11: 0000000000000207 R12: 0000000000400530
[ 1185.120957] R13: 00007ffc43284fb0 R14: 0000000000000000 R15: 0000000000000000
[ 1185.120961] ---[ end trace 754084f7e4b34756 ]---
[ 1233.429984] EXT4-fs (loop0): Inode 16 (000000005dedb213): orphan list check failed!
[ 1233.431636] 000000005dedb213: 0001f30a 00000004 00000000 00000000  ................
[ 1233.431641] 0000000021b53ceb: 00000001 00002602 00000000 00000000  .....&..........
[ 1233.431650] 000000008c5d364c: 00000000 00000000 00000000 00000000  ................
[ 1233.431655] 000000004186d7d5: 00000000 00000000 00000000 00000000  ................
[ 1233.431660] 000000006db65a73: 00000247 00000000 00000000 00000000  G...............
[ 1233.431664] 000000002c93c63e: 00080000 00000000 00000000 00000000  ................
[ 1233.431669] 00000000c4d506ed: e9dd8e70 ffff8801 e9dd8e70 ffff8801  p.......p.......
[ 1233.431674] 00000000fa0356d5: 00000000 00000000 00000000 00000000  ................
[ 1233.431678] 0000000091b782f0: efabdf78 ffff8801 efabdf78 ffff8801  x.......x.......
[ 1233.431683] 000000002a089815: 00000004 00000000 00000000 00000000  ................
[ 1233.431688] 00000000eb9d11ff: e9dd8eb0 ffff8801 e9dd8eb0 ffff8801  ................
[ 1233.431692] 0000000004e022fc: 00000000 00000000 00000000 00000000  ................
[ 1233.431697] 000000007677b5c8: 00000000 00000000 e9dd8ed8 ffff8801  ................
[ 1233.431701] 000000002e6a43d8: e9dd8ed8 ffff8801 00000000 00000000  ................
[ 1233.431705] 000000003f589dbb: 00000000 00000000 000d8c00 00000000  ................
[ 1233.431710] 00000000350a5c50: 00000000 00000000 00000000 00000000  ................
[ 1233.431714] 0000000082f6b309: ffffffff ffffffff a694b680 ffffffff  ................
[ 1233.431719] 00000000edc23015: efabd500 ffff8801 e9dd9068 ffff8801  ........h.......
[ 1233.431723] 00000000653d76f2: 00000000 00000000 00000010 00000000  ................
[ 1233.431728] 000000007aa73d77: ffffffff 00000000 00000004 00000000  ................
[ 1233.431732] 000000002c163fdf: 5b437ccf 00000000 00000000 00000000  .|C[............
[ 1233.431737] 00000000d30e1735: 5b437ccf 00000000 00000000 00000000  .|C[............
[ 1233.431741] 000000007572f0b6: 5b805879 00000000 00000000 00000000  yX.[............
[ 1233.431746] 000000009f5893db: 00000000 000a0000 00000004 00000000  ................
[ 1233.431750] 00000000521e1048: 00000060 00000000 00000000 00000000  `...............
[ 1233.431755] 000000004ad9b4e0: e9dd8fa0 ffff8801 e9dd8fa0 ffff8801  ................
[ 1233.431759] 00000000568d5650: 00000000 00000000 00000000 00000000  ................
[ 1233.431763] 00000000bfb6f2e8: 00035e3c 00000001 00000000 00000000  <^..............
[ 1233.431768] 0000000034be7c52: 00000000 00000000 00000000 00000000  ................
[ 1233.431772] 00000000dcf3946e: e9dd8fe0 ffff8801 e9dd8fe0 ffff8801  ................
[ 1233.431777] 0000000079a7eabd: 00000000 00000000 00000000 00000000  ................
[ 1233.431781] 000000004c6f90ba: e9dd9000 ffff8801 e9dd9000 ffff8801  ................
[ 1233.431786] 00000000df365673: e9dd9010 ffff8801 e9dd9010 ffff8801  ................
[ 1233.431790] 00000000e60be868: e9dd9020 ffff8801 e9dd9020 ffff8801   ....... .......
[ 1233.431795] 000000006477626b: 00000000 00000000 00000000 00000000  ................
[ 1233.431799] 000000006569550a: 00000003 00000000 00000000 00000000  ................
[ 1233.431804] 0000000086f8b4f7: 00000000 00000000 a694b760 ffffffff  ........`.......
[ 1233.431808] 000000004e22c66f: 00000000 00000000 e9dd8ef8 ffff8801  ................
[ 1233.431813] 00000000f929f7bf: 00000000 00580020 00000000 00000000  .... .X.........
[ 1233.431817] 00000000d32b49c1: 00000000 00000000 00000000 00000000  ................
[ 1233.431821] 00000000bf2e27cc: 00000000 00000000 00000000 00000000  ................
[ 1233.431826] 00000000c31046a4: e9dd90a0 ffff8801 e9dd90a0 ffff8801  ................
[ 1233.431830] 0000000033a2e2b1: 00000000 00000000 00000000 00000000  ................
[ 1233.431834] 00000000989164dc: 00000000 00000000 00000000 00000000  ................
[ 1233.431839] 000000007ed20ecd: 00000000 00000000 a694e3c0 ffffffff  ................
[ 1233.431844] 00000000cba28eac: 00000010 00000000 00000000 006200ca  ..............b.
[ 1233.431848] 00000000e82f1ff2: e9dd90f0 ffff8801 e9dd90f0 ffff8801  ................
[ 1233.431852] 000000006257d8fd: 00000000 00000000 00000000 00000000  ................
[ 1233.431871] 000000009449a89d: e9dd9110 ffff8801 e9dd9110 ffff8801  ................
[ 1233.431877] 00000000708b7ca9: 00000000 00000000 709b874b 00000000  ........K..p....
[ 1233.431881] 000000008a963fc0: 00000000 00000000 00000000 00000000  ................
[ 1233.431885] 0000000095572997: 00000000 00000000 00000000 00000000  ................
[ 1233.431889] 00000000ea473d54: 00000000 00000000 00000000 00000000  ................
[ 1233.431894] 00000000cab08c06: 00000000 00000000 e9dd9168 ffff8801  ........h.......
[ 1233.431898] 00000000d654e3b9: e9dd9168 ffff8801 00000000 00000000  h...............
[ 1233.431903] 00000000553bf873: 00000000 00000000 00000000 00000000  ................
[ 1233.431907] 00000000d5211a3f: 00000000 00000000 e9dd9198 ffff8801  ................
[ 1233.431912] 00000000f7a69e82: e9dd9198 ffff8801 00000000 00000000  ................
[ 1233.431916] 000000006f459b99: 00000000 ffffffff 00000000 00000000  ................
[ 1233.431921] 000000004b0ba2de: 00000000 00000000 e9dd91c8 ffff8801  ................
[ 1233.431925] 00000000a0778393: 00000000 00000000 00000000 00000000  ................
[ 1233.431930] 00000000b39a322a: e9dd91e0 ffff8801 e9dd91e0 ffff8801  ................
[ 1233.431934] 00000000b6ab4bd9: ffffffe0 0000000f e9dd91f8 ffff8801  ................
[ 1233.431939] 00000000222c700b: e9dd91f8 ffff8801 a558cf90 ffffffff  ..........X.....
[ 1233.431943] 00000000ffa1fafc: 00000000 00000000 00000010 00000006  ................
[ 1233.431947] 00000000d688cabe: 00000000 00000000 00000000 00000000  ................
[ 1233.431952] 0000000074de523e: 00000000 00000000 00000000 00000000  ................
[ 1233.431970] CPU: 0 PID: 1530 Comm: umount Tainted: G        W         4.18.0+ #9
[ 1233.431976] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1233.431985] Call Trace:
[ 1233.432035]  dump_stack+0x7b/0xb5
[ 1233.432053]  ext4_destroy_inode+0xb5/0xc0
[ 1233.432066]  destroy_inode+0x6a/0x90
[ 1233.432070]  evict+0x1fe/0x290
[ 1233.432075]  dispose_list+0x7e/0xa0
[ 1233.432080]  evict_inodes+0x24f/0x2a0
[ 1233.432084]  ? dispose_list+0xa0/0xa0
[ 1233.432092]  ? fsnotify_unmount_inodes+0x148/0x160
[ 1233.432104]  generic_shutdown_super+0x71/0x1c0
[ 1233.432109]  kill_block_super+0x52/0x80
[ 1233.432113]  deactivate_locked_super+0x6f/0xa0
[ 1233.432118]  deactivate_super+0x130/0x140
[ 1233.432122]  ? mount_ns+0x100/0x100
[ 1233.432127]  ? fsnotify_grab_connector+0x54/0x80
[ 1233.432132]  cleanup_mnt+0x61/0xa0
[ 1233.432136]  __cleanup_mnt+0x12/0x20
[ 1233.432144]  task_work_run+0xc8/0xf0
[ 1233.432153]  exit_to_usermode_loop+0x12c/0x130
[ 1233.432158]  do_syscall_64+0x138/0x170
[ 1233.432163]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1233.432183] RIP: 0033:0x7f83814cd487
[ 1233.432188] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
[ 1233.432191] RSP: 002b:00007ffec2a2da48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 1233.432200] RAX: 0000000000000000 RBX: 0000000001fa8030 RCX: 00007f83814cd487
[ 1233.432202] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000001faf1e0
[ 1233.432205] RBP: 0000000001faf1e0 R08: 0000000000000000 R09: 0000000000000014
[ 1233.432207] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f83819d683c
[ 1233.432209] R13: 0000000000000000 R14: 0000000001fa8210 R15: 00007ffec2a2dcd0
[ 1233.879755] EXT4-fs (loop0): sb orphan head is 16
[ 1233.880734] sb_info orphan list:
[ 1233.881417] ==================================================================
[ 1233.882839] BUG: KASAN: use-after-free in ext4_put_super+0x5b2/0x650
[ 1233.884104] Read of size 4 at addr ffff8801e9dd8e4c by task umount/1530

[ 1233.885737] CPU: 0 PID: 1530 Comm: umount Tainted: G        W         4.18.0+ #9
[ 1233.885740] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1233.885742] Call Trace:
[ 1233.885765]  dump_stack+0x7b/0xb5
[ 1233.885774]  print_address_description+0x70/0x290
[ 1233.885779]  kasan_report+0x291/0x390
[ 1233.885783]  ? ext4_put_super+0x5b2/0x650
[ 1233.885788]  __asan_load4+0x78/0x80
[ 1233.885792]  ext4_put_super+0x5b2/0x650
[ 1233.885797]  generic_shutdown_super+0xb9/0x1c0
[ 1233.885801]  kill_block_super+0x52/0x80
[ 1233.885806]  deactivate_locked_super+0x6f/0xa0
[ 1233.885810]  deactivate_super+0x130/0x140
[ 1233.885814]  ? mount_ns+0x100/0x100
[ 1233.885819]  ? fsnotify_grab_connector+0x54/0x80
[ 1233.885824]  cleanup_mnt+0x61/0xa0
[ 1233.885827]  __cleanup_mnt+0x12/0x20
[ 1233.885831]  task_work_run+0xc8/0xf0
[ 1233.885836]  exit_to_usermode_loop+0x12c/0x130
[ 1233.885841]  do_syscall_64+0x138/0x170
[ 1233.885845]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1233.885849] RIP: 0033:0x7f83814cd487
[ 1233.885854] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
[ 1233.885856] RSP: 002b:00007ffec2a2da48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 1233.885860] RAX: 0000000000000000 RBX: 0000000001fa8030 RCX: 00007f83814cd487
[ 1233.885863] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000001faf1e0
[ 1233.885865] RBP: 0000000001faf1e0 R08: 0000000000000000 R09: 0000000000000014
[ 1233.885867] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f83819d683c
[ 1233.885870] R13: 0000000000000000 R14: 0000000001fa8210 R15: 00007ffec2a2dcd0

[ 1233.886215] Allocated by task 1483:
[ 1233.886941]  save_stack+0x46/0xd0
[ 1233.886944]  kasan_kmalloc+0xad/0xe0
[ 1233.886948]  kasan_slab_alloc+0x11/0x20
[ 1233.886951]  kmem_cache_alloc+0xc9/0x1e0
[ 1233.886958]  ext4_alloc_inode+0x1f/0x2f0
[ 1233.886961]  alloc_inode+0x35/0xc0
[ 1233.886964]  iget_locked+0x121/0x2a0
[ 1233.886969]  ext4_iget+0xf8/0x1740
[ 1233.886972]  ext4_iget_normal+0x5e/0x70
[ 1233.886976]  ext4_lookup+0x1db/0x330
[ 1233.886981]  __lookup_slow+0x12e/0x240
[ 1233.886984]  lookup_slow+0x44/0x60
[ 1233.886988]  walk_component+0x3f9/0x6b0
[ 1233.886991]  path_lookupat+0x133/0x430
[ 1233.886994]  filename_lookup+0x13c/0x280
[ 1233.886998]  user_path_at_empty+0x36/0x40
[ 1233.887004]  do_fchmodat+0x8f/0x110
[ 1233.887008]  __x64_sys_chmod+0x37/0x40
[ 1233.887011]  do_syscall_64+0x78/0x170
[ 1233.887015]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1233.887339] Freed by task 0:
[ 1233.887938]  save_stack+0x46/0xd0
[ 1233.887942]  __kasan_slab_free+0x13c/0x1a0
[ 1233.887945]  kasan_slab_free+0xe/0x10
[ 1233.887952]  kmem_cache_free+0x89/0x1e0
[ 1233.887956]  ext4_i_callback+0x1c/0x20
[ 1233.887965]  rcu_process_callbacks+0x31c/0x7a0
[ 1233.887970]  __do_softirq+0x120/0x348

[ 1233.888306] The buggy address belongs to the object at ffff8801e9dd8e10
                which belongs to the cache ext4_inode_cache(21:user.slice) of size 1072
[ 1233.903236] The buggy address is located 60 bytes inside of
                1072-byte region [ffff8801e9dd8e10, ffff8801e9dd9240)
[ 1233.905556] The buggy address belongs to the page:
[ 1233.906530] page:ffffea0007a77600 count:1 mapcount:0 mapping:ffff8801e5bde380 index:0x0 compound_mapcount: 0
[ 1233.908498] flags: 0x2ffff0000008100(slab|head)
[ 1233.909421] raw: 02ffff0000008100 dead000000000100 dead000000000200 ffff8801e5bde380
[ 1233.910952] raw: 0000000000000000 00000000000d000d 00000001ffffffff ffff8801ed19a200
[ 1233.912484] page dumped because: kasan: bad access detected
[ 1233.913604] page->mem_cgroup:ffff8801ed19a200

[ 1233.914786] Memory state around the buggy address:
[ 1233.915742]  ffff8801e9dd8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1233.917197]  ffff8801e9dd8d80: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1233.918630] >ffff8801e9dd8e00: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1233.920063]                                               ^
[ 1233.921205]  ffff8801e9dd8e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1233.922642]  ffff8801e9dd8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1233.924066] ==================================================================
[ 1233.925518] Disabling lock debugging due to kernel taint
[ 1233.925605]   inode loop0:16 at 0000000032706161: mode 106000, nlink -1, next 0
[ 1233.927107] ------------[ cut here ]------------
[ 1233.927110] kernel BUG at fs/ext4/super.c:977!
[ 1233.928105] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 1233.929117] CPU: 0 PID: 1530 Comm: umount Tainted: G    B   W         4.18.0+ #9
[ 1233.930620] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1233.932497] RIP: 0010:ext4_put_super+0x591/0x650
[ 1233.933436] Code: a0 00 00 00 49 8d 7d 3a e8 fc 23 df ff 4c 89 e7 66 45 89 7d 3a e8 6f 25 df ff 41 f6 46 50 01 0f 85 c1 fb ff ff e9 af fb ff ff <0f> 0b 48 8d 7b 70 e8 54 25 df ff 4c 8b 6b 70 e9 1a fc ff ff 49 8d
[ 1233.937114] RSP: 0018:ffff8801e3db7d10 EFLAGS: 00010206
[ 1233.938168] RAX: ffff8801e9dd8e90 RBX: ffff8801efabdd80 RCX: ffffffffa55b7c40
[ 1233.939576] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8801efabdf78
[ 1233.940983] RBP: ffff8801e3db7d60 R08: ffffed003ee04f49 R09: ffffed003ee04f49
[ 1233.942405] R10: 0000000000000001 R11: ffffed003ee04f48 R12: ffff8801efabdf78
[ 1233.943816] R13: ffff8801e9dd8ef8 R14: ffff8801efabd500 R15: ffff8801efabdf78
[ 1233.945237] FS:  00007f8381bed840(0000) GS:ffff8801f7000000(0000) knlGS:0000000000000000
[ 1233.946833] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1233.947973] CR2: 00005621001b45b8 CR3: 00000001f3040000 CR4: 00000000000006f0
[ 1233.949405] Call Trace:
[ 1233.949918]  generic_shutdown_super+0xb9/0x1c0
[ 1233.950810]  kill_block_super+0x52/0x80
[ 1233.951590]  deactivate_locked_super+0x6f/0xa0
[ 1233.952486]  deactivate_super+0x130/0x140
[ 1233.953313]  ? mount_ns+0x100/0x100
[ 1233.954030]  ? fsnotify_grab_connector+0x54/0x80
[ 1233.954962]  cleanup_mnt+0x61/0xa0
[ 1233.955661]  __cleanup_mnt+0x12/0x20
[ 1233.956388]  task_work_run+0xc8/0xf0
[ 1233.957118]  exit_to_usermode_loop+0x12c/0x130
[ 1233.958023]  do_syscall_64+0x138/0x170
[ 1233.958786]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1233.959799] RIP: 0033:0x7f83814cd487
[ 1233.960525] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
[ 1233.964205] RSP: 002b:00007ffec2a2da48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 1233.965730] RAX: 0000000000000000 RBX: 0000000001fa8030 RCX: 00007f83814cd487
[ 1233.967140] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000001faf1e0
[ 1233.968552] RBP: 0000000001faf1e0 R08: 0000000000000000 R09: 0000000000000014
[ 1233.969975] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f83819d683c
[ 1233.971394] R13: 0000000000000000 R14: 0000000001fa8210 R15: 00007ffec2a2dcd0
[ 1233.972822] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crct10dif_pclmul crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[ 1233.982571] ---[ end trace 754084f7e4b34757 ]---
[ 1233.983513] RIP: 0010:ext4_put_super+0x591/0x650
[ 1233.984487] Code: a0 00 00 00 49 8d 7d 3a e8 fc 23 df ff 4c 89 e7 66 45 89 7d 3a e8 6f 25 df ff 41 f6 46 50 01 0f 85 c1 fb ff ff e9 af fb ff ff <0f> 0b 48 8d 7b 70 e8 54 25 df ff 4c 8b 6b 70 e9 1a fc ff ff 49 8d
[ 1233.988243] RSP: 0018:ffff8801e3db7d10 EFLAGS: 00010206
[ 1233.989304] RAX: ffff8801e9dd8e90 RBX: ffff8801efabdd80 RCX: ffffffffa55b7c40
[ 1233.990736] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8801efabdf78
[ 1233.992191] RBP: ffff8801e3db7d60 R08: ffffed003ee04f49 R09: ffffed003ee04f49
[ 1233.993630] R10: 0000000000000001 R11: ffffed003ee04f48 R12: ffff8801efabdf78
[ 1233.995052] R13: ffff8801e9dd8ef8 R14: ffff8801efabd500 R15: ffff8801efabdf78
[ 1233.996509] FS:  00007f8381bed840(0000) GS:ffff8801f7000000(0000) knlGS:0000000000000000
[ 1234.023241] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1234.024428] CR2: 00005621001b45b8 CR3: 00000001f3040000 CR4: 00000000000006f0

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab.
Comment 1 Wen Xu 2018-08-25 05:11:25 UTC
Created attachment 278079 [details]
poc
Comment 2 Theodore Tso 2018-08-27 02:00:55 UTC
Created attachment 278099 [details]
simplified poc.c
Comment 3 Theodore Tso 2018-08-27 02:01:35 UTC
Created attachment 278101 [details]
Simplified crafted image
Comment 4 Theodore Tso 2018-08-27 02:10:22 UTC
Side note: I understand that the fuzzing algorithm you are using creates increasingly complex poc.c programs and crafted file system images. The problem is that both have included increasingly large amounts of clutter that make it much harder to root cause the failure.

An interesting research idea: is there some way you could automate simplifying the poc.c file? I just kept on cutting down the program; and if the failure went away, I would add back that line(s). And if the failure remained, I would try removing the next line(s). Even a brute-force "try removing operation N; does it fail/succeed", and just incrementally trying to remove each operation, one at a time, to see if the failure goes away or not, would save me a huge amount of time.

A similar thing could be done for the image. For example, the corrupted resize inode (#7) in your last couple of images has always been a red herring, and it causes "e2fsck -fn poc.img" to abort. So the first thing I've done is to run 'debugfs -w -R "clri <7>" poc.img' and see if the failure remains. So far, it always has. (And unless you are trying to call one of the online resize ioctls, it almost certainly will make no difference.) Incrementally removing corruptions by using "e2fsck -f poc.img" and then seeing whether or not the failure goes away would also be useful --- although that one is actually less of a bother for a human to do by hand. Slimming down the poc.c does take a large amount of toil, and if you have some automation framework that could do that automatically, that would be a great time-saver for the kernel developer. (It's why I haven't had time to look at your bug reports; each one takes the better part of half a day to analyze, and I don't have that much free time.)
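Added example (not part of the bug report, and not Ted's or the reporter's code): the "remove operation N, re-run, keep it out if the crash survives" reducer that Comment 4 asks for, written in C so it can sit next to a poc.c. The oracle is the part that would do real work in practice (write the surviving operations back out as poc.c, run it against a fresh copy of the image in a VM, check dmesg for the KASAN report); here it is a constructed stand-in that reports "still fails" whenever the four operations Comment 5 later identifies survive in order. The 100-operation input, the filler names and the positions of the four real operations are likewise constructed for the demo.

```c
/*
 * Added example, not code from the bug report: the one-operation-at-a-time
 * reducer Comment 4 asks for, run over a constructed 100-operation poc in
 * which only the four operations from Comment 5 matter. still_fails() is the
 * oracle; this stand-in reports failure whenever those four survive in order.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPS 128

typedef bool (*oracle_fn)(const char *const *ops, int n);

/* The four operations Comment 5 identifies, in the order they must run. */
static const char *const essential[] = {
    "chmod(A, 3072)", "unlink(B)", "creat(C)", "rename(C, A)",
};
static int oracle_calls;            /* how many re-runs the reduction cost */

/* Constructed oracle: "crashes" iff every essential op is present, in order. */
static bool subsequence_oracle(const char *const *ops, int n)
{
    size_t want = 0;
    oracle_calls++;
    for (int i = 0; i < n && want < 4; i++)
        if (strcmp(ops[i], essential[want]) == 0)
            want++;
    return want == 4;
}

/*
 * Ted's loop: drop one operation and re-run; if it still fails, the operation
 * was a red herring and stays out, otherwise it goes back in. A second pass
 * catches anything that only became removable once other operations were gone.
 * Copies the survivors into kept[] and returns how many there are.
 */
static int reduce_ops(const char *const *ops, int n, oracle_fn still_fails,
                      const char **kept)
{
    const char *trial[MAX_OPS];
    int len = n;
    bool progress = true;

    memcpy(kept, ops, (size_t)n * sizeof *ops);
    while (progress) {
        progress = false;
        for (int i = 0; i < len; i++) {
            int m = 0;
            for (int j = 0; j < len; j++)
                if (j != i)
                    trial[m++] = kept[j];
            if (still_fails(trial, m)) {   /* still crashes without op i */
                memcpy(kept, trial, (size_t)m * sizeof *trial);
                len = m;
                i--;                       /* a new op now sits in slot i */
                progress = true;
            }
        }
    }
    return len;
}

/* Constructed input: 100 operations, essentials buried at 10, 37, 64, 91. */
static char filler[MAX_OPS][24];
static int build_noisy_poc(const char **ops)
{
    const int slot[4] = { 10, 37, 64, 91 };
    int e = 0;
    for (int i = 0; i < 100; i++) {
        if (e < 4 && i == slot[e]) {
            ops[i] = essential[e++];
        } else {
            snprintf(filler[i], sizeof filler[i], "filler_op_%d", i);
            ops[i] = filler[i];
        }
    }
    return 100;
}

static const char *g_kept[MAX_OPS];   /* survivors of the last demo run */

/* Builds the noisy poc, reduces it, returns the number of surviving ops. */
static int demo_reduce(void)
{
    const char *ops[MAX_OPS];
    int n = build_noisy_poc(ops);
    oracle_calls = 0;
    return reduce_ops(ops, n, subsequence_oracle, g_kept);
}

int main(void)
{
    int kept = demo_reduce();
    printf("%d operations kept after %d oracle runs:\n", kept, oracle_calls);
    for (int i = 0; i < kept; i++)
        printf("  %s\n", g_kept[i]);
    return 0;
}
```

On the constructed input the first pass costs one oracle run per original operation (100) and the confirming second pass four more; with a real oracle each run is a VM boot, mount, poc execution and dmesg check, which is exactly the half-day of toil the comment describes when done by hand.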
Comment 5 Theodore Tso 2018-08-27 02:23:59 UTC
The root cause of the problem is as follows.

Setup: the file system has an inode, inode #16, that has a i_nlink of 1.  However, there are two directory entries (with weird names for no good reason but it makes life more difficult for the bug hunter), which I will call file A and file B that both are hard links to inode #16.

1)  Call chmod(File A, 3072);   This brings Filename A into the dcache

2)  Unlink File B.  This drops the i_nlink to zero; since this means that there should be no remaining hardlinks to the file --- but i_count > 0, since we have a dcache entry for Filename A --- inode #16 is put on the orphan inode list.

3)  Create a new file, call it File C.

4)  Rename File C on top of File A.   This causes a warning to get issued since there is an attempt to drop i_nlink to a negative value.   That gets ignored so i_nlink stays at 0.  But now i_count gets dropped down to 0, so the inode gets deleted and freed.  But, the inode structure is still on the orphan inode list!

5)  At unmount time, the fact that we still have an inode on the orphan inode list causes a warning to be printed, but it also causes the access to the freed data structure.

The fix is to enforce a check that if new.inode exists, its i_nlink must be > 0.    If it is 0, then something is badly wrong, and we should mark the file system as corrupted and return EFSCORRUPTED.

The problem is obvious once we have the simplified poc.   With the original poc, instead of 4 operations, there are 100 operations, most of which are complete red herrings.
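Added example (not part of the bug report, and not kernel code): a small userspace model of the reference counting walked through in Comment 5, so the sequence can be stepped through without a crafted image. It assumes the 4.18 behaviour of drop_nlink(), which WARNs when i_nlink is already zero and then still decrements the unsigned counter (which is why the orphan dump in the log above prints "nlink -1"), and it assumes that eviction takes the delete path, including removal from the orphan list, only when i_nlink is exactly zero, while the in-memory inode is freed on either path. The `hardened` flag models the i_nlink check on the rename target that the comment proposes; the file names A/B/C and inode #16 follow the comment, EFSCORRUPTED is spelled EUCLEAN as ext4 does, and the list/refcount structures are simplified stand-ins for the kernel's.

```c
/*
 * Userspace model of the inode lifecycle in Comment 5. Added example, not
 * code from the report or the kernel. Assumed 4.18 behaviour it mirrors:
 * drop_nlink() WARNs when i_nlink is already 0 but still decrements the
 * unsigned counter (0 -> 0xffffffff, the "nlink -1" in the log above), and
 * eviction deletes the inode and drops its orphan-list entry only when
 * i_nlink is exactly 0, while the in-memory object is freed on either path.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#define EFSCORRUPTED EUCLEAN        /* the errno ext4 uses for "fs corrupted" */

struct minode {
    unsigned int i_nlink;           /* unsigned, like the kernel's __i_nlink */
    int i_count;                    /* in-memory references (dentries) */
    bool freed;                     /* slab object released */
};

struct msb {
    struct minode *orphan_head;     /* one entry is enough for this replay */
    int warnings;                   /* WARN_ON(i_nlink == 0) hits */
    int fs_errors;                  /* EXT4_ERROR_INODE() calls */
};

struct outcome {
    int rename_ret;
    bool uaf;                       /* ext4_put_super() would read freed memory */
    unsigned int final_nlink;
    int warnings, fs_errors;
};

static void drop_nlink(struct msb *sb, struct minode *inode)
{
    if (inode->i_nlink == 0)
        sb->warnings++;             /* WARN_ON(); the decrement still happens */
    inode->i_nlink--;
}

/* Last reference evicts. Only i_nlink == 0 takes the delete path that also
 * calls ext4_orphan_del(); any other value goes to no_delete. */
static void iput(struct msb *sb, struct minode *inode)
{
    if (--inode->i_count > 0)
        return;
    if (inode->i_nlink == 0 && sb->orphan_head == inode)
        sb->orphan_head = NULL;
    inode->freed = true;            /* memory is released on both paths */
}

static void do_unlink(struct msb *sb, struct minode *inode)
{
    drop_nlink(sb, inode);
    if (inode->i_nlink == 0)
        sb->orphan_head = inode;    /* ext4_orphan_add() */
}

/* rename(C, A): A's inode is the overwritten target, ext4's "new.inode". */
static int do_rename_over(struct msb *sb, struct minode *target, bool hardened)
{
    if (hardened && target->i_nlink == 0) {
        sb->fs_errors++;            /* mark the file system corrupted, bail */
        return -EFSCORRUPTED;
    }
    drop_nlink(sb, target);         /* ext4_dec_count() on a regular file */
    if (target->i_nlink == 0)
        sb->orphan_head = target;
    iput(sb, target);               /* A's dentry now refers to C's inode */
    return 0;
}

/* Steps 1-5 of Comment 5 against inode #16 (on-disk i_nlink 1, two names). */
static struct outcome replay(bool hardened)
{
    struct msb sb = {0};
    struct minode ino16 = { .i_nlink = 1 };
    struct outcome out = {0};
    ino16.i_count++;                                    /* 1) chmod(A) */
    do_unlink(&sb, &ino16);                             /* 2) unlink(B) */
    out.rename_ret = do_rename_over(&sb, &ino16, hardened); /* 3), 4) */
    while (ino16.i_count > 0)                           /* 5) umount: */
        iput(&sb, &ino16);                              /*    evict_inodes() */
    out.uaf = sb.orphan_head && sb.orphan_head->freed;  /*    ext4_put_super() */
    out.final_nlink = ino16.i_nlink;
    out.warnings = sb.warnings;
    out.fs_errors = sb.fs_errors;
    return out;
}

int main(void)
{
    struct outcome a = replay(false), b = replay(true);
    printf("unhardened: rename=%d nlink=%d warnings=%d orphan UAF=%s\n",
           a.rename_ret, (int)a.final_nlink, a.warnings, a.uaf ? "yes" : "no");
    printf("hardened:   rename=%d (-EUCLEAN) fs_errors=%d orphan UAF=%s\n",
           b.rename_ret, b.fs_errors, b.uaf ? "yes" : "no");
    return 0;
}
```

The unhardened replay reproduces the shape of the log: one WARN from step 4, a link count that prints as -1, and an orphan-list entry that still points at the freed inode when the superblock is torn down. With the check in place the rename fails with -EFSCORRUPTED before touching the link count, the inode still carries i_nlink == 0 when umount evicts it, and the normal delete path takes it off the orphan list.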
Comment 6 Theodore Tso 2018-08-27 14:32:15 UTC
Patch to fix this can be found here:

http://patchwork.ozlabs.org/patch/962339/