Bug 199301 - BUG() in ext4_mark_recovery_complete() can be triggered when mounting crafted image
Summary: BUG() in ext4_mark_recovery_complete() can be triggered when mounting crafted...
Status: RESOLVED UNREPRODUCIBLE
Alias: None
Product: File System
Classification: Unclassified
Component: ext4
Hardware: All Linux
Importance: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-06 01:44 UTC by Wen Xu
Modified: 2018-04-10 06:10 UTC
CC: 1 user

See Also:
Kernel Version: 4.15.x
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The crafted image which causes kernel panic (2.00 MB, application/octet-stream)
2018-04-06 01:44 UTC, Wen Xu

Description Wen Xu 2018-04-06 01:44:10 UTC
Created attachment 275115
The crafted image which causes kernel panic

- Overview
BUG_ON() in ext4_mark_recovery_complete() can be triggered when mounting crafted ext4 image

- Reproduce
# mkdir mnt
# mount -t ext4 20.img mnt

- Reason
The sb's journal feature bit can be inconsistent with its journal pointer. 

- Crash dump
[  345.621451] EXT4-fs (loop0): ext4_check_descriptors: Inode bitmap for group 0 overlaps superblock
[  345.633213] EXT4-fs error (device loop0): ext4_orphan_get:1256: comm mount: bad orphan inode 27
[  345.634421] ext4_test_bit(bit=26, block=1) = 0
[  345.634435] EXT4-fs (loop0): recovery complete
[  345.634441] ------------[ cut here ]------------
[  345.634442] kernel BUG at /build/linux-8h04gD/linux-4.13.0/fs/ext4/super.c:4794!
[  345.634471] invalid opcode: 0000 [#1] SMP
[  345.634481] Modules linked in: ppdev btusb btrtl vmw_balloon btbcm btintel coretemp intel_rapl_perf input_leds bluetooth uvcvideo joydev videobuf2_vmalloc serio_raw videobuf2_memops snd_ens1371 videobuf2_v4l2 videobuf2_core snd_ac97_codec videodev gameport snd_rawmidi snd_seq_device media ac97_bus ecdh_generic snd_pcm snd_timer snd soundcore parport_pc parport nfit mac_hid i2c_piix4 shpchp vmw_vsock_vmci_transport vsock vmw_vmci ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd
[  345.634716]  vmwgfx ttm psmouse drm_kms_helper syscopyarea sysfillrect sysimgblt mptspi fb_sys_fops mptscsih ahci mptbase drm e1000 libahci scsi_transport_spi pata_acpi
[  345.634764] CPU: 3 PID: 1766 Comm: mount Not tainted 4.13.0-21-generic #24-Ubuntu
[  345.634780] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[  345.634813] task: ffff8d79705e5d00 task.stack: ffffb131033c0000
[  345.634840] RIP: 0010:ext4_mark_recovery_complete.isra.197+0x6a/0x90
[  345.634864] RSP: 0018:ffffb131033c3c80 EFLAGS: 00010286
[  345.634876] RAX: ffff8d79741eb400 RBX: ffff8d79741eb400 RCX: 0000000000000006
[  345.634901] RDX: 0000000000000000 RSI: 0000000000000092 RDI: ffff8d796ec9c000
[  345.634916] RBP: ffffb131033c3c90 R08: 0000000000000001 R09: 000000000000065f
[  345.634930] R10: ffff8d79741eb700 R11: 0000000000000000 R12: ffff8d796ec9d000
[  345.634945] R13: 0000000000000000 R14: ffff8d796ec98000 R15: 0000000000000000
[  345.634971] FS:  00007f2e47072fc0(0000) GS:ffff8d79796c0000(0000) knlGS:0000000000000000
[  345.634988] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  345.635010] CR2: 000055c457ac80d8 CR3: 00000001340b8000 CR4: 00000000001406e0
[  345.635078] Call Trace:
[  345.635088]  ext4_fill_super+0x24e3/0x38f0
[  345.635100]  ? snprintf+0x45/0x70
[  345.635670]  mount_bdev+0x245/0x290
[  345.636174]  ? mount_bdev+0x245/0x290
[  345.636654]  ? ext4_calculate_overhead+0x490/0x490
[  345.637124]  ext4_mount+0x15/0x20
[  345.637567]  mount_fs+0x32/0x150
[  345.638048]  ? alloc_vfsmnt+0x1b3/0x230
[  345.638452]  vfs_kern_mount.part.20+0x5d/0x110
[  345.638851]  do_mount+0x1f3/0xce0
[  345.639254]  ? __check_object_size+0xaf/0x1b0
[  345.639669]  ? memdup_user+0x4f/0x80
[  345.640044]  SyS_mount+0x98/0xe0
[  345.640407]  entry_SYSCALL_64_fastpath+0x1e/0xa9
[  345.640805] RIP: 0033:0x7f2e4693d4ba
[  345.641150] RSP: 002b:00007ffcd8908b38 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[  345.641498] RAX: ffffffffffffffda RBX: 00007f2e46c4748f RCX: 00007f2e4693d4ba
[  345.641839] RDX: 000055c457abaaa0 RSI: 000055c457abc7c0 RDI: 000055c457ac3e30
[  345.642173] RBP: 00007f2e46e58864 R08: 0000000000000000 R09: 000055c457abaac0
[  345.642496] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055c457aba980
[  345.642810] R13: 00007ffcd8908e58 R14: 000055c4575c34a0 R15: 00000000ffffffff
[  345.643118] Code: 01 00 85 c0 78 18 48 8b 83 00 04 00 00 48 8b 50 68 8b 42 60 a8 04 74 06 f6 43 50 01 75 0f 4c 89 e7 e8 9b f1 00 00 5b 41 5c 5d c3 <0f> 0b 83 e0 fb be 01 00 00 00 48 89 df 89 42 60 e8 e1 fb ff ff
[  345.644115] RIP: ext4_mark_recovery_complete.isra.197+0x6a/0x90 RSP: ffffb131033c3c80
[  345.644616] ---[ end trace bb74428aee8363f9 ]---

- Reporter
Wen Xu from SSLab, Gatech
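As an added example (not part of this bug report, the reporter's attachment, or the ext4 code base), the following Python script performs the kind of offline superblock sanity check that the stated cause suggests: it reads the ext4 superblock at byte offset 1024, decodes s_magic, s_feature_compat, s_journal_inum and s_journal_dev at their documented on-disk offsets, and flags an image whose HAS_JOURNAL feature bit disagrees with its journal inode/device fields. The 2 KiB images it checks are constructed in memory by make_superblock(); the in-kernel state that tripped the BUG_ON() is not modelled, so treat this as a pre-mount triage check for untrusted images rather than a reproduction of the crash, and the assumption that an image with these inconsistencies is the one to reject is the author's of this example, not something the report states.

```python
from __future__ import annotations
import struct

# ext4 on-disk superblock layout (from the ext4 layout documentation)
SB_OFFSET = 1024            # primary superblock lives 1 KiB into the device
SB_SIZE = 1024
EXT4_SUPER_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004  # bit in s_feature_compat
EXT4_JOURNAL_INO = 8         # conventional internal journal inode number

OFF_INODES_COUNT = 0x00      # __le32 s_inodes_count
OFF_MAGIC = 0x38             # __le16 s_magic
OFF_FEATURE_COMPAT = 0x5C    # __le32 s_feature_compat
OFF_JOURNAL_INUM = 0xE0      # __le32 s_journal_inum
OFF_JOURNAL_DEV = 0xE4       # __le32 s_journal_dev


def parse_superblock(image: bytes) -> dict:
    """Decode the handful of superblock fields needed for the journal check."""
    if len(image) < SB_OFFSET + SB_SIZE:
        raise ValueError("image too small to contain an ext4 superblock")
    sb = image[SB_OFFSET:SB_OFFSET + SB_SIZE]
    magic = struct.unpack_from("<H", sb, OFF_MAGIC)[0]
    if magic != EXT4_SUPER_MAGIC:
        raise ValueError(f"bad ext4 magic 0x{magic:04x}")
    return {
        "inodes_count": struct.unpack_from("<I", sb, OFF_INODES_COUNT)[0],
        "feature_compat": struct.unpack_from("<I", sb, OFF_FEATURE_COMPAT)[0],
        "journal_inum": struct.unpack_from("<I", sb, OFF_JOURNAL_INUM)[0],
        "journal_dev": struct.unpack_from("<I", sb, OFF_JOURNAL_DEV)[0],
    }


def journal_consistency_issues(fields: dict) -> list[str]:
    """Return a list of human-readable findings; empty means consistent."""
    issues = []
    has_journal = bool(fields["feature_compat"] & COMPAT_HAS_JOURNAL)
    inum = fields["journal_inum"]
    dev = fields["journal_dev"]
    if has_journal and inum == 0 and dev == 0:
        issues.append("HAS_JOURNAL set but neither a journal inode nor an external journal device is recorded")
    if not has_journal and (inum != 0 or dev != 0):
        issues.append("journal inode/device recorded but HAS_JOURNAL feature bit is clear")
    if inum != 0 and inum > fields["inodes_count"]:
        issues.append(f"journal inode {inum} exceeds s_inodes_count {fields['inodes_count']}")
    return issues


def check_image(image: bytes) -> list[str]:
    return journal_consistency_issues(parse_superblock(image))


def make_superblock(feature_compat: int, journal_inum: int,
                    journal_dev: int = 0, inodes_count: int = 128) -> bytes:
    """Constructed 2 KiB test image: zero boot block followed by a minimal superblock.
    Only the fields read above are populated; this is not a mountable filesystem."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<I", sb, OFF_INODES_COUNT, inodes_count)
    struct.pack_into("<H", sb, OFF_MAGIC, EXT4_SUPER_MAGIC)
    struct.pack_into("<I", sb, OFF_FEATURE_COMPAT, feature_compat)
    struct.pack_into("<I", sb, OFF_JOURNAL_INUM, journal_inum)
    struct.pack_into("<I", sb, OFF_JOURNAL_DEV, journal_dev)
    return bytes(SB_OFFSET) + bytes(sb)


if __name__ == "__main__":
    consistent = make_superblock(COMPAT_HAS_JOURNAL, EXT4_JOURNAL_INO)
    bit_without_pointer = make_superblock(COMPAT_HAS_JOURNAL, 0)
    pointer_without_bit = make_superblock(0, EXT4_JOURNAL_INO)
    for name, img in [("consistent", consistent),
                      ("bit_without_pointer", bit_without_pointer),
                      ("pointer_without_bit", pointer_without_bit)]:
        print(name, check_image(img) or "ok")
```

To run it against a real image, read the first 2 KiB of the file (`open(path, "rb").read(2048)`) and pass the bytes to check_image(); the function raises ValueError on a missing or wrong magic so that a non-ext4 blob is not silently reported as clean.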
Comment 1 Wen Xu 2018-04-10 05:51:42 UTC
This is not reproducible on latest ext4 development branch.
