Bug 211951

Summary: WARNING: CPU: 1 PID: 304 at fs/ext4/xattr.c:1643 ext4_xattr_set_entry+0x30e2/0x3830
Product: File System
Reporter: Qingyu Li (ieatmuttonchuan)
Component: ext4
Assignee: fs_ext4 (fs_ext4)
Status: NEW
Severity: normal
CC: ammar
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.11.0-rc7+
Subsystem:
Regression: No
Bisected commit-id:
Attachments: poc C file

Description Qingyu Li 2021-02-26 10:07:13 UTC
Created attachment 295469
poc C file

Hello,
I found a bug in kernel version 5.11.0-rc7+.
This is the PoC.
1. Git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
2. Build the kernel with CONFIG_KASAN.
3. Run the kernel with qemu:
```
qemu-system-x86_64 \
	-m 1G \
	-smp 2 \
	-kernel bzImage \
	-append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
	-drive file=stretch.img,format=raw \
	-net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:1569-:22 \
	-net nic,model=e1000 \
	-nographic \
	-enable-kvm
```
4. Compile the PoC and scp it into the qemu guest:
```
gcc ext4_xattr_set_entry.c -static -lpthread
scp -P 1569 a.out root@localhost:~
```
5. Run a.out and you will see the dump log:
```
root@syzkaller:~# ./a.out
[  486.694922] audit: type=1400 audit(1614070631.830:8): avc:  denied  { execmem } for  pid=304 comm="a.out" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[  486.722208] loop0: detected capacity change from 264192 to 0
[  486.843227] EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue. Quota mode: writeback.
[  486.861494] ext4 filesystem being mounted at /root/file0 supports timestamps until 2038 (0x7fffffff)
[  486.913838] EXT4-fs error (device loop0): ext4_mb_generate_buddy:805: group 0, block bitmap and bg descriptor inconsistent: 16384 vs 96 free clusters
[  486.943689] ------------[ cut here ]------------
[  486.945105] WARNING: CPU: 1 PID: 304 at fs/ext4/xattr.c:1643 ext4_xattr_set_entry+0x30e2/0x3830
[  486.947416] Modules linked in:
[  486.947843] CPU: 1 PID: 304 Comm: a.out Not tainted 5.11.0-rc7+ #1
[  486.949327] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  486.949759] RIP: 0010:ext4_xattr_set_entry+0x30e2/0x3830
[  486.951395] Code: 41 bf e4 ff ff ff eb 05 e8 6b 05 9a ff 49 be 00 00 00 00 00 fc ff df 48 8b 2c 24 48 8b 5c 24 68 e9 ae fd ff ff e8 4e 05 9a ff <0f> 0b e9 9a d6 ff ff 4c 89 ff 4c 89 e6 e8 2c 33 df ff 49 8d 7c 24
[  486.953382] RSP: 0018:ffff88800391f718 EFLAGS: 00000293
[  486.953738] RAX: ffffffff86437212 RBX: 0000000000000000 RCX: ffff888005cb3800
[  486.955205] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  486.955575] RBP: 1ffff11000723f5e R08: ffffffff864348a5 R09: ffff88800391f650
[  486.955887] R10: ffffffff88a00000 R11: ffffffff88a00539 R12: ffff88800391faf0
[  486.957305] R13: ffff88800648d020 R14: dffffc0000000000 R15: ffff8880063c46d0
[  486.957623] FS:  0000000001b34880(0000) GS:ffff888036100000(0000) knlGS:0000000000000000
[  486.959148] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  486.959438] CR2: 000055d6a8190d50 CR3: 00000000018f2000 CR4: 00000000000006e0
[  486.959806] Call Trace:
[  486.961343]  ? __kmalloc+0x144/0x250
[  486.961686]  ? ext4_xattr_block_set+0x77/0x3c50
[  486.963081]  ext4_xattr_block_set+0x38b/0x3c50
[  486.963448]  ? ext4_xattr_ibody_find+0x21b/0x9a0
[  486.963788]  ext4_xattr_set_handle+0xfc9/0x2160
[  486.965249]  ext4_xattr_set+0x1d8/0x310
[  486.965548]  ? ext4_xattr_user_get+0xf0/0xf0
[  486.965851]  __vfs_setxattr+0x3ac/0x3f0
[  486.967224]  __vfs_setxattr_noperm+0x11e/0x4c0
[  486.967594]  vfs_setxattr+0x17e/0x310
[  486.967879]  setxattr+0x122/0x230
[  486.969245]  ? finish_task_switch+0x2b7/0x620
[  486.969539]  ? __schedule+0xbfb/0x1180
[  486.969818]  ? _cond_resched+0x59/0x80
[  486.971180]  ? mnt_want_write+0x226/0x3c0
[  486.971476]  path_setxattr+0x109/0x1c0
[  486.971765]  __x64_sys_setxattr+0xb7/0xd0
[  486.973147]  do_syscall_64+0x33/0x40
[  486.973430]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  486.973801] RIP: 0033:0x453029
[  486.975399] Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[  486.977118] RSP: 002b:00007ffc5aaa2ea8 EFLAGS: 00000283 ORIG_RAX: 00000000000000bc
[  486.977512] RAX: ffffffffffffffda RBX: 0000000000400418 RCX: 0000000000453029
[  486.977809] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000200000c0
[  486.979180] RBP: 00007ffc5aaa2eb0 R08: 0000000000000000 R09: 0000000000407390
[  486.979487] R10: 0000000000000000 R11: 0000000000000283 R12: 0000000000407430
[  486.979778] R13: 0000000000000000 R14: 00000000006be018 R15: 0000000000000000
[  486.981281] ---[ end trace 7f5c731c1068f005 ]---
```
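As an added triage example (not part of the report or of the attached PoC), a small parser that reads a dmesg excerpt like the one above and pulls out the ext4 on-disk error, the WARN site and the reliable call-trace frames, so the WARN can be tied to the inconsistent loop image rather than mistaken for a runtime race. The sample log lines are constructed from the dump above; `OopsSummary`, `parse_oops`, `entry_syscall` and `corrupt_image_suspected` are names chosen here, not kernel or tooling APIs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed excerpt of the dmesg output quoted in the report, trimmed to the lines that matter.
SAMPLE_LOG = """\
[  486.913838] EXT4-fs error (device loop0): ext4_mb_generate_buddy:805: group 0, block bitmap and bg descriptor inconsistent: 16384 vs 96 free clusters
[  486.945105] WARNING: CPU: 1 PID: 304 at fs/ext4/xattr.c:1643 ext4_xattr_set_entry+0x30e2/0x3830
[  486.959806] Call Trace:
[  486.961343]  ? __kmalloc+0x144/0x250
[  486.963081]  ext4_xattr_block_set+0x38b/0x3c50
[  486.963788]  ext4_xattr_set_handle+0xfc9/0x2160
[  486.971765]  __x64_sys_setxattr+0xb7/0xd0
[  486.981281] ---[ end trace 7f5c731c1068f005 ]---
"""
TS = r"^\[\s*[\d.]+\]\s*"  # printk timestamp prefix
FS_ERROR = re.compile(TS + r"EXT4-fs error \(device (\w+)\): (\w+:\d+: .*)$")
WARNING = re.compile(TS + r"WARNING: CPU: \d+ PID: \d+ at (\S+:\d+) (\w+)\+")
FRAME = re.compile(TS + r"(\?\s+)?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

@dataclass
class OopsSummary:
    device: Optional[str] = None     # block device the on-disk inconsistency was reported on
    fs_error: Optional[str] = None   # "function:line: message" from the EXT4-fs error line
    warn_site: Optional[str] = None  # "file:line" of the WARN that fired
    warn_func: Optional[str] = None
    frames: List[str] = field(default_factory=list)  # reliable frames only; "?" entries are dropped

def parse_oops(text: str) -> OopsSummary:
    s, in_trace = OopsSummary(), False
    for line in text.splitlines():
        if m := FS_ERROR.match(line):
            s.device, s.fs_error = m.group(1), m.group(2)
        elif m := WARNING.match(line):
            s.warn_site, s.warn_func = m.group(1), m.group(2)
        elif "Call Trace:" in line:
            in_trace = True
        elif "end trace" in line:
            in_trace = False
        elif in_trace and (m := FRAME.match(line)) and not m.group(1):
            s.frames.append(m.group(2))
    return s

def entry_syscall(s: OopsSummary) -> Optional[str]:
    """Syscall that led into the WARN, taken from the __x64_sys_* frame (None if absent)."""
    return next((f[len("__x64_sys_"):] for f in s.frames if f.startswith("__x64_sys_")), None)

def corrupt_image_suspected(s: OopsSummary) -> bool:
    """A WARN inside fs/ext4 that follows an on-disk inconsistency on the same mount points at a crafted or damaged image, not a runtime race."""
    return s.fs_error is not None and (s.warn_site or "").startswith("fs/ext4/")
```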
Comment 1 Ammar Askar 2021-06-28 16:17:06 UTC
Note: can't recreate this on 5.12, but it does seem to occur on both 5.11 and 5.10.