Bug 200069

Summary: BUG() triggered in start_this_handle() (jbd2/transaction.c) when operating and umounting a crafted ext4 image
Product: File System Reporter: Wen Xu (wen.xu)
Component: ext4Assignee: fs_ext4 (fs_ext4)
Status: RESOLVED CODE_FIX    
Severity: normal CC: tytso, wen.xu
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.17 Subsystem:
Regression: No Bisected commit-id:
Attachments: The crafted image which causes kernel panic
poc.c
A simplified image

Description Wen Xu 2018-06-14 03:10:56 UTC
Created attachment 276539 [details]
The crafted image which causes kernel panic

There is no component named "JBD2" to select, so I post to here considering it appears when operating an ext4 image.

- Reproduce
# mkdir mnt
# mount -t ext4 112.img
# gcc -o poc poc.c
# ./poc ./mnt
# umount mnt <--- required

- Kernel message (4.17 upstream kernel)
[   48.128367] EXT4-fs (sda1): mounting ext2 file system using the ext4 subsystem
[   48.147513] EXT4-fs (sda1): mounted filesystem without journal. Opts: (null)
[   49.401332] audit: type=1400 audit(1523910147.644:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=846 comm="apparmor_parser"
[   49.401370] audit: type=1400 audit(1523910147.644:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=846 comm="apparmor_parser"
[   49.401401] audit: type=1400 audit(1523910147.644:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=846 comm="apparmor_parser"
[   49.401425] audit: type=1400 audit(1523910147.644:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=846 comm="apparmor_parser"
[   49.460390] audit: type=1400 audit(1523910147.704:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=853 comm="apparmor_parser"
[   49.460426] audit: type=1400 audit(1523910147.704:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=853 comm="apparmor_parser"
[   49.460449] audit: type=1400 audit(1523910147.704:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=853 comm="apparmor_parser"
[   49.460472] audit: type=1400 audit(1523910147.704:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=853 comm="apparmor_parser"
[   49.479598] audit: type=1400 audit(1523910147.720:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=854 comm="apparmor_parser"
[   49.491795] audit: type=1400 audit(1523910147.732:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/ubuntu-core-launcher" pid=855 comm="apparmor_parser"
[   49.933811] 8139cp 0000:00:03.0 ens3: link up, 100Mbps, full-duplex, lpa 0x05E1
[   50.741705] Adding 16777212k swap on /dev/mapper/ubuntu--vg-swap_1.  Priority:-2 extents:1 across:16777212k FS
[   51.074831] new mount options do not match the existing superblock, will be ignored
[   54.145372] snd_hda_codec_generic hdaudioC0D0: autoconfig for Generic: line_outs=1 (0x3/0x0/0x0/0x0/0x0) type:line
[   54.145379] snd_hda_codec_generic hdaudioC0D0:    speaker_outs=0 (0x0/0x0/0x0/0x0/0x0)
[   54.145384] snd_hda_codec_generic hdaudioC0D0:    hp_outs=0 (0x0/0x0/0x0/0x0/0x0)
[   54.145405] snd_hda_codec_generic hdaudioC0D0:    mono: mono_out=0x0
[   54.145409] snd_hda_codec_generic hdaudioC0D0:    inputs:
[   54.145415] snd_hda_codec_generic hdaudioC0D0:      Line=0x5
[  103.851606] EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
[  103.914444] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[  110.420755] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 46: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=90, rec_len=0, name_len=0
[  110.462652] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 47: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=90, rec_len=0, name_len=0
[  110.486738] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 48: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=0, name_len=0
[  110.514166] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 50: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=0, name_len=0
[  110.538125] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 57: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=3, name_len=0
[  110.561406] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 58: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=2553887680, rec_len=0, name_len=0
[  110.595214] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 59: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=2553887680, rec_len=0, name_len=0
[  110.619184] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 60: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=524287, rec_len=0, name_len=0
[  110.642651] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 61: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=10, rec_len=11, name_len=0
[  110.666303] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 62: comm poc: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=0, name_len=0
[  128.012230] ------------[ cut here ]------------
[  128.012235] kernel BUG at fs/jbd2/transaction.c:321!
[  128.013206] invalid opcode: 0000 [#1] SMP KASAN PTI
[  128.014033] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 soundcore mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 crypto_simd cryptd 8139cp glue_helper floppy mii pata_acpi
[  128.022517] CPU: 0 PID: 1349 Comm: umount Not tainted 4.16.0-rc1+ #3
[  128.023511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  128.025051] RIP: 0010:start_this_handle+0x427/0x770
[  128.025823] RSP: 0018:ffff8801101b7990 EFLAGS: 00010202
[  128.026661] RAX: 0000000000000000 RBX: ffff88010d80e600 RCX: ffffffff9f5280ee
[  128.027777] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88010d80e600
[  128.028892] RBP: ffff8801101b7a88 R08: 0000000000000016 R09: 00000000f6920cf8
[  128.030037] R10: 000000006dbd2428 R11: ffffed0022036ed0 R12: ffff880034c3ad00
[  128.031154] R13: 0000000000000039 R14: 0000000000000100 R15: ffff88010d80e624
[  128.032265] FS:  00007fa06b656840(0000) GS:ffff880118200000(0000) knlGS:0000000000000000
[  128.033525] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  128.034441] CR2: 00005591cef19578 CR3: 0000000110a08000 CR4: 00000000000006f0
[  128.035560] Call Trace:
[  128.035967]  ? jbd2_journal_destroy+0x2d5/0x430
[  128.036686]  ? jbd2_journal_free_reserved+0x60/0x60
[  128.037485]  ? kasan_kmalloc+0xad/0xe0
[  128.038116]  ? memcg_kmem_put_cache+0x1b/0x90
[  128.038813]  ? kmem_cache_alloc+0x16b/0x1d0
[  128.039481]  jbd2__journal_start+0x188/0x300
[  128.040165]  __ext4_journal_start_sb+0x89/0x180
[  128.040895]  ? ext4_evict_inode+0x3e6/0x9b0
[  128.041566]  ext4_evict_inode+0x3e6/0x9b0
[  128.042229]  ? ext4_da_write_begin+0x5e0/0x5e0
[  128.042984]  ? pde_put+0x57/0x70
[  128.043539]  evict+0x16f/0x290
[  128.044056]  iput+0x2ab/0x360
[  128.044555]  jbd2_journal_destroy+0x2ed/0x430
[  128.045256]  ? jbd2_mark_journal_empty+0xf0/0xf0
[  128.046018]  ? put_pwq+0x60/0x70
[  128.046542]  ? put_pwq_unlocked+0x2f/0x50
[  128.047185]  ? destroy_workqueue+0x288/0x2c0
[  128.047863]  ext4_put_super+0xc3/0x650
[  128.048472]  generic_shutdown_super+0xb9/0x1c0
[  128.049182]  kill_block_super+0x52/0x80
[  128.049799]  deactivate_locked_super+0x5e/0x90
[  128.050523]  deactivate_super+0x68/0x70
[  128.051149]  cleanup_mnt+0x61/0xa0
[  128.051701]  __cleanup_mnt+0x12/0x20
[  128.052278]  task_work_run+0xba/0xe0
[  128.052868]  exit_to_usermode_loop+0xf2/0x100
[  128.053562]  do_syscall_64+0x1c0/0x1f0
[  128.054208]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[  128.055023] RIP: 0033:0x7fa06af36487
[  128.055622] RSP: 002b:00007ffea17e0428 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  128.056802] RAX: 0000000000000000 RBX: 0000000000a4e060 RCX: 00007fa06af36487
[  128.057950] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000a55210
[  128.059070] RBP: 0000000000a55210 R08: 0000000000000000 R09: 0000000000000014
[  128.060190] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007fa06b43f83c
[  128.061303] R13: 0000000000000000 R14: 0000000000a4e240 R15: 00007ffea17e06b0
[  128.062432] Code: ff 4c 89 ef e8 ab 61 e4 ff 8b 53 2c 85 d2 75 dc 48 8b b5 28 ff ff ff 4c 89 f7 4c 8b a5 08 ff ff ff e8 8e 44 c1 ff e9 57 fd ff ff <0f> 0b b8 00 fe ff ff 3e 41 0f c1 07 48 8b 85 30 ff ff ff 41 be 
[  128.065395] RIP: start_this_handle+0x427/0x770 RSP: ffff8801101b7990
[  128.066449] ---[ end trace dba765b9dd20747d ]---
[  128.077442] ==================================================================
[  128.078629] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x52/0x170
[  128.079747] Write of size 8 at addr ffff8801101b7d10 by task umount/1349

[  128.081072] CPU: 0 PID: 1349 Comm: umount Tainted: G      D          4.16.0-rc1+ #3
[  128.082281] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  128.083754] Call Trace:
[  128.084166]  dump_stack+0x63/0x8d
[  128.084703]  print_address_description+0x70/0x290
[  128.085450]  kasan_report+0x290/0x390
[  128.086053]  ? arch_tlb_gather_mmu+0x52/0x170
[  128.086746]  __asan_store8+0x57/0x90
[  128.087317]  arch_tlb_gather_mmu+0x52/0x170
[  128.087980]  tlb_gather_mmu+0x12/0x30
[  128.088563]  exit_mmap+0x102/0x280
[  128.089107]  ? SyS_munmap+0x30/0x30
[  128.089672]  ? exit_aio+0x98/0x1f0
[  128.090232]  ? do_io_submit+0x9d0/0x9d0
[  128.090858]  ? taskstats_exit+0x1f4/0x640
[  128.091514]  ? exit_robust_list+0x6b/0x120
[  128.092177]  ? mm_update_next_owner+0x72/0x320
[  128.092892]  mmput+0x7d/0x1a0
[  128.093373]  do_exit+0x410/0x1330
[  128.093918]  ? mm_update_next_owner+0x320/0x320
[  128.094635]  ? cleanup_mnt+0x61/0xa0
[  128.095204]  ? __cleanup_mnt+0x12/0x20
[  128.095802]  ? task_work_run+0xba/0xe0
[  128.096401]  ? exit_to_usermode_loop+0xf2/0x100
[  128.097117]  ? do_syscall_64+0x1c0/0x1f0
[  128.097760]  rewind_stack_do_exit+0x17/0x20
[  128.098447] RIP: 0033:0x7fa06af36487
[  128.099019] RSP: 002b:00007ffea17e0428 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  128.100197] RAX: 0000000000000000 RBX: 0000000000a4e060 RCX: 00007fa06af36487
[  128.101305] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000a55210
[  128.102427] RBP: 0000000000a55210 R08: 0000000000000000 R09: 0000000000000014
[  128.103534] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007fa06b43f83c
[  128.104642] R13: 0000000000000000 R14: 0000000000a4e240 R15: 00007ffea17e06b0

[  128.106010] The buggy address belongs to the page:
[  128.106784] page:ffffea0004406dc0 count:0 mapcount:0 mapping:          (null) index:0x0
[  128.108037] flags: 0x2ffff0000000000()
[  128.108646] raw: 02ffff0000000000 0000000000000000 0000000000000000 00000000ffffffff
[  128.109854] raw: 0000000000000000 dead000000000200 0000000000000000 0000000000000000
[  128.111063] page dumped because: kasan: bad access detected

[  128.112179] Memory state around the buggy address:
[  128.112933]  ffff8801101b7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  128.114062]  ffff8801101b7c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[  128.115180] >ffff8801101b7d00: 00 00 f3 00 00 00 00 00 00 00 00 00 00 f4 f4 f4
[  128.116296]                          ^
[  128.116891]  ffff8801101b7d80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[  128.118024]  ffff8801101b7e00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4
[  128.119144] ==================================================================

- Location
https://elixir.bootlin.com/linux/latest/source/fs/jbd2/transaction.c#L321
	BUG_ON(journal->j_flags & JBD2_UNMOUNT);

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.

Thanks,
Wen
Comment 1 Wen Xu 2018-06-14 03:11:17 UTC
Created attachment 276541 [details]
poc.c
Comment 2 Wen Xu 2018-06-14 03:12:06 UTC
I paste log on 4.16 above, here is the log from latest 4.17

[  200.967406] EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
[  201.036729] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[  206.253988] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 46: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=90, rec_len=0, name_len=0
[  206.289919] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 47: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=90, rec_len=0, name_len=0
[  206.318461] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 48: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=0, name_len=0
[  206.350065] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 50: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=0, name_len=0
[  206.380015] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 57: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=3, name_len=0
[  206.403864] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 58: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=2553887680, rec_len=0, name_len=0
[  206.433522] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 59: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=2553887680, rec_len=0, name_len=0
[  206.465441] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 60: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=524287, rec_len=0, name_len=0
[  206.495732] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 61: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=10, rec_len=11, name_len=0
[  206.525387] EXT4-fs error (device loop0): ext4_readdir:239: inode #2: block 62: comm a.out: path /home/test/mnt: bad entry in directory: rec_len is smaller than minimal - offset=0(0), inode=0, rec_len=0, name_len=0
[  210.529765] ------------[ cut here ]------------
[  210.529770] kernel BUG at fs/jbd2/transaction.c:319!
[  210.531101] invalid opcode: 0000 [#1] SMP PTI
[  210.531963] CPU: 0 PID: 1355 Comm: umount Not tainted 4.17.0+ #1
[  210.533155] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  210.534996] RIP: 0010:start_this_handle+0x1ef/0x400
[  210.535952] Code: 4c 89 e7 e8 43 8c 78 00 48 83 7b 50 00 0f 84 f0 00 00 00 c6 43 24 00 4c 89 e7 e8 7c 8c 78 00 48 8b 03 a8 01 0f 84 c7 fe ff ff <0f> 0b b8 00 fe ff ff f0 41 0f c1 04 24 e8 5f 3b 78 00 8b 4b 2c 85
[  210.539619] RSP: 0018:ffffae23c1253bd8 EFLAGS: 00010202
[  210.540650] RAX: 0000000000000039 RBX: ffff982eb4924000 RCX: 0000000000000000
[  210.542031] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff982eb4924024
[  210.543415] RBP: ffffae23c1253c58 R08: ffff982ebfc28d40 R09: ffff982eaeeee800
[  210.544810] R10: fffffffffffffff4 R11: 0000000000000300 R12: ffff982eb4924024
[  210.546194] R13: ffff982eaeeed060 R14: 0000000000000100 R15: 0000000000000000
[  210.547578] FS:  00007feed2341840(0000) GS:ffff982ebfc00000(0000) knlGS:0000000000000000
[  210.549267] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  210.550391] CR2: 00000000011c6368 CR3: 000000022e286000 CR4: 00000000000006f0
[  210.551782] Call Trace:
[  210.552284]  ? schedule+0x36/0x80
[  210.552955]  ? _cond_resched+0x1a/0x50
[  210.553694]  ? kmem_cache_alloc+0x16b/0x1e0
[  210.554518]  jbd2__journal_start+0xdb/0x1f0
[  210.555342]  ? ext4_evict_inode+0x213/0x5d0
[  210.556165]  __ext4_journal_start_sb+0x6d/0x120
[  210.557067]  ext4_evict_inode+0x213/0x5d0
[  210.557862]  evict+0xca/0x1a0
[  210.558458]  iput+0x1ba/0x210
[  210.559053]  jbd2_journal_destroy+0x1c4/0x280
[  210.559915]  ? put_pwq+0x35/0x40
[  210.560570]  ? put_pwq_unlocked+0x22/0x40
[  210.561365]  ext4_put_super+0x6b/0x3d0
[  210.562110]  generic_shutdown_super+0x72/0x120
[  210.562986]  kill_block_super+0x27/0x50
[  210.563747]  deactivate_locked_super+0x48/0x80
[  210.564633]  deactivate_super+0x5a/0x60
[  210.565395]  cleanup_mnt+0x3f/0x80
[  210.566073]  __cleanup_mnt+0x12/0x20
[  210.566786]  task_work_run+0x8a/0xb0
[  210.567500]  exit_to_usermode_loop+0xf0/0x100
[  210.568362]  do_syscall_64+0xda/0x110
[  210.569103]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  210.570091] RIP: 0033:0x7feed1c21487
[  210.570795] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
[  210.574459] RSP: 002b:00007fff1807bab8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  210.575925] RAX: 0000000000000000 RBX: 00000000011bd030 RCX: 00007feed1c21487
[  210.577323] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000011c41e0
[  210.578712] RBP: 00000000011c41e0 R08: 0000000000000000 R09: 0000000000000014
[  210.580101] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007feed212a83c
[  210.581497] R13: 0000000000000000 R14: 00000000011bd210 R15: 00007fff1807bd40
[  210.582884] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul qxl 8139too drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops aesni_intel ttm drm aes_x86_64 crypto_simd cryptd glue_helper floppy pata_acpi 8139cp mii
[  210.592154] ---[ end trace c0f20d44c9d2c2d4 ]---
[  210.593086] RIP: 0010:start_this_handle+0x1ef/0x400
[  210.594069] Code: 4c 89 e7 e8 43 8c 78 00 48 83 7b 50 00 0f 84 f0 00 00 00 c6 43 24 00 4c 89 e7 e8 7c 8c 78 00 48 8b 03 a8 01 0f 84 c7 fe ff ff <0f> 0b b8 00 fe ff ff f0 41 0f c1 04 24 e8 5f 3b 78 00 8b 4b 2c 85
[  210.597759] RSP: 0018:ffffae23c1253bd8 EFLAGS: 00010202
[  210.598782] RAX: 0000000000000039 RBX: ffff982eb4924000 RCX: 0000000000000000
[  210.600159] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff982eb4924024
[  210.601553] RBP: ffffae23c1253c58 R08: ffff982ebfc28d40 R09: ffff982eaeeee800
[  210.602957] R10: fffffffffffffff4 R11: 0000000000000300 R12: ffff982eb4924024
[  210.604346] R13: ffff982eaeeed060 R14: 0000000000000100 R15: 0000000000000000
[  210.605766] FS:  00007feed2341840(0000) GS:ffff982ebfc00000(0000) knlGS:0000000000000000
[  210.607338] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  210.608451] CR2: 00000000011c6368 CR3: 000000022e286000 CR4: 00000000000006f0
Comment 3 Wen Xu 2018-06-15 14:13:30 UTC
Created attachment 276575 [details]
A simplified image

I feel hard to simplify this corrupted image but meanwhile still keep hitting the BUG(). Right now I just upload a simplified image that leads to this error by poc.c:

[  516.384286] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[  531.719394] jbd2_journal_bmap: journal block not found at offset 7 on loop0-8
[  531.721009] Aborting journal on device loop0-8.
[  531.851971] EXT4-fs error (device loop0): ext4_journal_check_start:61: Detected aborted journal
[  531.854414] EXT4-fs (loop0): Remounting filesystem read-only
Comment 4 Theodore Tso 2018-06-16 20:04:22 UTC
OK, what's going on with this image is the following:

* The s_first_ino is 3 --- it's supposed to be 11, and should never be less than that number.  The kernel currently doesn't check to make sure value of s_first_ino is valid.  This is a recipe for disaster, but what's really triggering the problem is....

* The directory entry for foo/bar/baz points at inode #8 -- the journal inode.

So when the workload unlinks foo/bar/baz, this drops the refcount to zero, and when we unmount the file system and release the journal inode, ext4_evict_inode() tries to delete the journal inode, after we almost completely done with the unmount.  This triggers the BUG_ON at fs/jbd2/transaction.c:319.
Comment 5 Theodore Tso 2018-06-18 12:53:25 UTC
This bug is addressed via:

ext4: add more inode number paranoia checks
     http://patchwork.ozlabs.org/patch/930637/
Comment 6 Theodore Tso 2018-07-02 16:08:49 UTC
This has been assigned CVE-2018-10882

Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1596842