Bug 199333 - use-after-free in ext4_group_desc_csum() when mounting and operating on a crafted ext4 image
Status: RESOLVED UNREPRODUCIBLE
Alias: None
Product: File System
Classification: Unclassified
Component: ext4
Hardware: All Linux
Importance: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
Reported: 2018-04-10 03:30 UTC by Wen Xu
Modified: 2018-04-13 21:31 UTC

Kernel Version: 4.15.x
Regression: No


Attachments
The crafted image which causes kernel panic (2.00 MB, application/octet-stream)
2018-04-10 03:30 UTC, Wen Xu
poc.c (3.18 KB, text/plain)
2018-04-10 03:31 UTC, Wen Xu
another test case to refer (2.00 MB, application/octet-stream)
2018-04-10 03:31 UTC, Wen Xu

Description Wen Xu 2018-04-10 03:30:53 UTC
Created attachment 275253
The crafted image which causes kernel panic

- Overview
Use-After-Free triggered in crc16() at ext4_group_desc_csum() when mounting and operating on a crafted ext4 image

- Reproduce (multiple cores)
# mkdir mnt
# mount -t ext4 269.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Kernel Log (KASAN report)
Note that this log was generated on a kernel with the patch from https://bugzilla.kernel.org/show_bug.cgi?id=199181 applied.

[  345.549928] ==================================================================
[  345.550011] BUG: KASAN: use-after-free in crc16+0x26/0x60
[  345.550072] Read of size 1 at addr ffff8800b85fc000 by task poc/1231

[  345.550161] CPU: 1 PID: 1231 Comm: poc Tainted: G        W        4.15.15 #4
[  345.550162] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[  345.550163] Call Trace:
[  345.550169]  dump_stack+0xaf/0x121
[  345.550173]  ? _atomic_dec_and_lock+0xff/0xff
[  345.550176]  print_address_description+0x6a/0x270
[  345.550179]  kasan_report+0x277/0x360
[  345.550181]  ? crc16+0x26/0x60
[  345.550183]  crc16+0x26/0x60
[  345.550187]  ext4_group_desc_csum+0x514/0x5f0
[  345.550190]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.550194]  ? trace_event_raw_event_ext4_ext_convert_to_initialized_fastpath+0x2c0/0x2c0
[  345.550196]  ? __kernel_text_address+0xe/0x30
[  345.550199]  ? unwind_get_return_address+0x2f/0x50
[  345.550202]  ? _cond_resched+0x16/0x50
[  345.550205]  ? invalid_op+0x1b/0x40
[  345.550209]  ? ext4_block_bitmap_csum_set+0xb1/0x200
[  345.550212]  ? ext4_block_bitmap_csum_set+0x1f3/0x200
[  345.550216]  ? generic_perform_write+0x1d8/0x3b0
[  345.550218]  ? __generic_file_write_iter+0x264/0x2a0
[  345.550220]  ? ext4_file_write_iter+0x2a3/0x820
[  345.550223]  ? ext4_block_bitmap_csum_verify+0x230/0x230
[  345.550225]  ? _raw_write_lock_irqsave+0x30/0x30
[  345.550228]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.550231]  ext4_group_desc_csum_set+0x70/0x90
[  345.550235]  ext4_read_block_bitmap_nowait+0x83e/0xc30
[  345.550239]  ? ext4_free_clusters_after_init+0x450/0x450
[  345.550242]  ? memcg_kmem_put_cache+0x6c/0x130
[  345.550245]  ? kasan_unpoison_shadow+0x30/0x40
[  345.550248]  ? kasan_kmalloc+0xa0/0xd0
[  345.550250]  ? __kmalloc+0x104/0x210
[  345.550253]  ext4_mb_init_cache+0x338/0xda0
[  345.550257]  ? ext4_mb_generate_from_pa+0x200/0x200
[  345.550261]  ? pagecache_get_page+0x258/0x560
[  345.550264]  ? add_to_page_cache_lru+0x2d0/0x2d0
[  345.550267]  ? deref_stack_reg+0xa1/0xe0
[  345.550270]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  345.550273]  ? __orc_find+0x6b/0xc0
[  345.550276]  ? unwind_next_frame+0x38e/0x9b0
[  345.550279]  ? __save_stack_trace+0x5e/0x100
[  345.550283]  ? trace_raw_output_xdp_redirect_map_err+0x170/0x170
[  345.550285]  ? deref_stack_reg+0xa1/0xe0
[  345.550288]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  345.550291]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.550293]  ? wake_up_page_bit+0x2a0/0x2a0
[  345.550296]  ? __is_insn_slot_addr+0x9a/0x150
[  345.550299]  ? __free_insn_slot+0x240/0x240
[  345.550301]  ext4_mb_init_group+0x436/0x5c0
[  345.550305]  ? ext4_mb_init_cache+0xda0/0xda0
[  345.550307]  ? __kernel_text_address+0xe/0x30
[  345.550310]  ? unwind_get_return_address+0x2f/0x50
[  345.550312]  ? __save_stack_trace+0x92/0x100
[  345.550315]  ? ext4_mb_find_by_goal+0x17a/0x7f0
[  345.550318]  ? ext4_mb_use_best_found+0x340/0x340
[  345.550320]  ? save_stack+0x89/0xb0
[  345.550323]  ? kasan_kmalloc+0xa0/0xd0
[  345.550325]  ? kmem_cache_alloc+0xb6/0x1c0
[  345.550327]  ? ext4_mb_new_blocks+0x37a/0x1ab0
[  345.550329]  ? ext4_ext_map_blocks+0xfc5/0x1a70
[  345.550332]  ? ext4_map_blocks+0x63f/0xa10
[  345.550334]  ? _ext4_get_block+0x128/0x2a0
[  345.550336]  ? ext4_block_write_begin+0x2df/0x840
[  345.550339]  ext4_mb_good_group+0x234/0x250
[  345.550342]  ext4_mb_regular_allocator+0x469/0x820
[  345.550346]  ? ext4_mb_complex_scan_group+0x4e0/0x4e0
[  345.550349]  ? __dquot_alloc_space+0x206/0x3e0
[  345.550352]  ? memcg_kmem_put_cache+0x6c/0x130
[  345.550355]  ? kasan_unpoison_shadow+0x30/0x40
[  345.550358]  ? kasan_kmalloc+0xa0/0xd0
[  345.550361]  ext4_mb_new_blocks+0x1013/0x1ab0
[  345.550364]  ? ftrace_ops_trampoline+0xf1/0x170
[  345.550367]  ? __is_insn_slot_addr+0x9a/0x150
[  345.550370]  ? __free_insn_slot+0x240/0x240
[  345.550373]  ? unwind_next_frame+0x38e/0x9b0
[  345.550375]  ? rcu_is_watching+0x81/0xc0
[  345.550377]  ? ext4_discard_preallocations+0xa90/0xa90
[  345.550380]  ? is_bpf_text_address+0xa/0x20
[  345.550382]  ? kernel_text_address+0xec/0x100
[  345.550384]  ? rcu_is_watching+0x81/0xc0
[  345.550386]  ? __kernel_text_address+0xe/0x30
[  345.550389]  ? unwind_get_return_address+0x2f/0x50
[  345.550391]  ? __save_stack_trace+0x92/0x100
[  345.550394]  ? depot_save_stack+0x3b7/0x480
[  345.550398]  ? save_stack+0x89/0xb0
[  345.550400]  ? kasan_kmalloc+0xa0/0xd0
[  345.550402]  ? __kmalloc+0x104/0x210
[  345.550404]  ? ext4_find_extent+0x36b/0x400
[  345.550406]  ? ext4_ext_map_blocks+0x16e/0x1a70
[  345.550409]  ? ext4_map_blocks+0x63f/0xa10
[  345.550411]  ? _ext4_get_block+0x128/0x2a0
[  345.550413]  ? ext4_block_write_begin+0x2df/0x840
[  345.550416]  ? ext4_write_begin+0x33a/0x930
[  345.550419]  ? generic_perform_write+0x1d8/0x3b0
[  345.550421]  ? __generic_file_write_iter+0x264/0x2a0
[  345.550423]  ? ext4_file_write_iter+0x2a3/0x820
[  345.550425]  ? __vfs_write+0x2ac/0x3d0
[  345.550427]  ? vfs_write+0xe9/0x240
[  345.550429]  ? SyS_write+0xb0/0x140
[  345.550431]  ? do_syscall_64+0x17a/0x330
[  345.550434]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.550437]  ? kasan_slab_free+0x71/0xc0
[  345.550439]  ? kfree+0x8d/0x190
[  345.550441]  ? ext4_ext_map_blocks+0xac5/0x1a70
[  345.550443]  ? ext4_map_blocks+0x6ac/0xa10
[  345.550445]  ? _ext4_get_block+0x128/0x2a0
[  345.550448]  ? ext4_block_write_begin+0x2df/0x840
[  345.550450]  ? ext4_write_begin+0x33a/0x930
[  345.550453]  ? generic_perform_write+0x1d8/0x3b0
[  345.550455]  ? __generic_file_write_iter+0x264/0x2a0
[  345.550457]  ? ext4_file_write_iter+0x2a3/0x820
[  345.550459]  ? __vfs_write+0x2ac/0x3d0
[  345.550461]  ? vfs_write+0xe9/0x240
[  345.550463]  ? SyS_write+0xb0/0x140
[  345.550465]  ? do_syscall_64+0x17a/0x330
[  345.550467]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.550470]  ? ext4_es_find_delayed_extent_range+0x380/0x380
[  345.550472]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.550475]  ? __es_tree_search+0x14/0xb0
[  345.550477]  ? ext4_es_find_delayed_extent_range+0x137/0x380
[  345.550479]  ? ext4_es_init_tree+0x30/0x30
[  345.550481]  ? is_bpf_text_address+0xa/0x20
[  345.550483]  ? kernel_text_address+0xe0/0x100
[  345.550486]  ? memcg_kmem_put_cache+0x6c/0x130
[  345.550489]  ? kasan_unpoison_shadow+0x30/0x40
[  345.550492]  ? kasan_kmalloc+0xa0/0xd0
[  345.550494]  ? __kmalloc+0x104/0x210
[  345.550496]  ? ext4_find_extent+0x36b/0x400
[  345.550499]  ? ext4_ext_search_right+0x66/0x480
[  345.550502]  ext4_ext_map_blocks+0xfc5/0x1a70
[  345.550506]  ? ext4_find_delalloc_cluster+0x60/0x60
[  345.550509]  ? unwind_next_frame+0x38e/0x9b0
[  345.550511]  ? __save_stack_trace+0x5e/0x100
[  345.550515]  ? trace_raw_output_xdp_redirect_map_err+0x170/0x170
[  345.550517]  ? deref_stack_reg+0xa1/0xe0
[  345.550520]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  345.550523]  ? memcg_kmem_put_cache+0x6c/0x130
[  345.550525]  ? memcg_kmem_get_cache+0x4c0/0x4c0
[  345.550528]  ? kasan_unpoison_shadow+0x30/0x40
[  345.550531]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.550534]  ? ext4_es_lookup_extent+0x168/0x3e0
[  345.550536]  ? ext4_es_cache_extent+0x260/0x260
[  345.550538]  ? _cond_resched+0x16/0x50
[  345.550540]  ? down_write+0x9d/0xd0
[  345.550542]  ? down_read+0xe0/0xe0
[  345.550545]  ? alloc_page_buffers+0x75/0x120
[  345.550548]  ext4_map_blocks+0x63f/0xa10
[  345.550552]  ? ext4_issue_zeroout+0xb0/0xb0
[  345.550554]  ? jbd2_journal_free_reserved+0x60/0x60
[  345.550556]  ? ext4_write_begin+0x256/0x930
[  345.550559]  ? generic_perform_write+0x1d8/0x3b0
[  345.550561]  ? __generic_file_write_iter+0x264/0x2a0
[  345.550563]  ? vfs_write+0xe9/0x240
[  345.550565]  ? SyS_write+0xb0/0x140
[  345.550568]  ? do_syscall_64+0x17a/0x330
[  345.550570]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.550573]  _ext4_get_block+0x128/0x2a0
[  345.550577]  ? ext4_map_blocks+0xa10/0xa10
[  345.550580]  ? try_to_release_page+0x1b0/0x1b0
[  345.550583]  ext4_block_write_begin+0x2df/0x840
[  345.550587]  ? _ext4_get_block+0x2a0/0x2a0
[  345.550590]  ? __check_block_validity.constprop.77+0xd0/0xd0
[  345.550593]  ? jbd2__journal_start+0x128/0x3b0
[  345.550595]  ? jbd2__journal_start+0x252/0x3b0
[  345.550598]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.550600]  ? jbd2_write_access_granted.part.9+0x130/0x130
[  345.550603]  ? fsnotify+0x158/0xae0
[  345.550607]  ? __ext4_journal_start_sb+0xdc/0x210
[  345.550610]  ? ext4_write_begin+0x256/0x930
[  345.550613]  ? wait_for_stable_page+0xc7/0x190
[  345.550615]  ? wb_domain_writeout_inc.part.27+0x50/0x50
[  345.550619]  ext4_write_begin+0x33a/0x930
[  345.550624]  ? ext4_truncate+0x860/0x860
[  345.550626]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.550629]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.550631]  ? ext4_xattr_ibody_get+0x91/0x2d0
[  345.550633]  ? ext4_xattr_block_set+0x1c80/0x1c80
[  345.550635]  ? _cond_resched+0x16/0x50
[  345.550637]  ? down_read+0x7a/0xe0
[  345.550639]  ? __down_interruptible+0x3a0/0x3a0
[  345.550642]  ? iov_iter_fault_in_readable+0xb7/0x220
[  345.550645]  ? copy_page_to_iter+0x690/0x690
[  345.550647]  ? ext4_xattr_get+0x10e/0x4b0
[  345.550650]  ? ext4_xattr_ibody_get+0x2d0/0x2d0
[  345.550653]  generic_perform_write+0x1d8/0x3b0
[  345.550658]  ? generic_write_checks+0x2b0/0x2b0
[  345.550660]  ? timespec_trunc+0x5c/0x90
[  345.550663]  ? file_update_time+0x210/0x240
[  345.550666]  ? current_time+0x70/0x70
[  345.550669]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  345.550672]  ? page_endio+0x200/0x200
[  345.550674]  ? __is_insn_slot_addr+0x9a/0x150
[  345.550677]  __generic_file_write_iter+0x264/0x2a0
[  345.550680]  ext4_file_write_iter+0x2a3/0x820
[  345.550683]  ? is_bpf_text_address+0xa/0x20
[  345.550685]  ? ext4_file_mmap+0x150/0x150
[  345.550688]  ? unwind_get_return_address+0x2f/0x50
[  345.550691]  ? __save_stack_trace+0x92/0x100
[  345.550693]  ? memcmp+0x45/0x70
[  345.550695]  ? depot_save_stack+0x12d/0x480
[  345.550699]  ? save_stack+0x89/0xb0
[  345.550702]  ? kasan_slab_free+0x71/0xc0
[  345.550704]  ? kmem_cache_free+0x75/0x1e0
[  345.550706]  ? do_sys_open+0x1f0/0x380
[  345.550708]  ? do_syscall_64+0x17a/0x330
[  345.550711]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.550713]  ? __alloc_fd+0x2e0/0x380
[  345.550716]  __vfs_write+0x2ac/0x3d0
[  345.550719]  ? kernel_read+0xa0/0xa0
[  345.550721]  ? __fd_install+0x13a/0x260
[  345.550723]  ? get_unused_fd_flags+0x100/0x100
[  345.550727]  ? __fdget_pos+0xa7/0x100
[  345.550730]  vfs_write+0xe9/0x240
[  345.550733]  SyS_write+0xb0/0x140
[  345.550736]  ? SyS_read+0x140/0x140
[  345.550739]  ? SyS_read+0x140/0x140
[  345.550741]  do_syscall_64+0x17a/0x330
[  345.550744]  ? syscall_return_slowpath+0x1e0/0x1e0
[  345.550747]  ? page_fault+0x2f/0x50
[  345.550749]  ? do_page_fault+0x90/0x210
[  345.550751]  ? __do_page_fault+0x6d0/0x6d0
[  345.550754]  ? prepare_exit_to_usermode+0xe8/0x150
[  345.550757]  ? perf_trace_sys_enter+0x4e0/0x4e0
[  345.550759]  ? __put_user_4+0x1c/0x30
[  345.550762]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.550764] RIP: 0033:0x7fbed5e940c4
[  345.550765] RSP: 002b:00007ffcded713a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  345.550768] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbed5e940c4
[  345.550769] RDX: 0000000000000205 RSI: 000056047ca3f040 RDI: 0000000000000003
[  345.550770] RBP: 00007ffcded71510 R08: 0000000000000003 R09: 0000000000000000
[  345.550771] R10: 0000000000000000 R11: 0000000000000246 R12: 000056047c83dd30
[  345.550772] R13: 00007ffcded71610 R14: 0000000000000000 R15: 0000000000000000

[  345.550796] Allocated by task 1167:
[  345.550839]  kasan_kmalloc+0xa0/0xd0
[  345.550841]  kmem_cache_alloc+0xb6/0x1c0
[  345.550844]  get_empty_filp+0xd9/0x370
[  345.550846]  alloc_file+0x26/0x1c0
[  345.550849]  create_pipe_files+0x327/0x460
[  345.550851]  __do_pipe_flags+0x2c/0x100
[  345.550853]  SyS_pipe+0x7e/0x190
[  345.550855]  do_syscall_64+0x17a/0x330
[  345.550857]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[  345.550878] Freed by task 0:
[  345.550913]  kasan_slab_free+0x71/0xc0
[  345.550916]  kmem_cache_free+0x75/0x1e0
[  345.550918]  rcu_process_callbacks+0x57d/0x950
[  345.550921]  __do_softirq+0x196/0x495

[  345.550943] The buggy address belongs to the object at ffff8800b85fc000
                which belongs to the cache filp(154:user.slice) of size 256
[  345.551080] The buggy address is located 0 bytes inside of
                256-byte region [ffff8800b85fc000, ffff8800b85fc100)
[  345.551199] The buggy address belongs to the page:
[  345.551253] page:ffffea0002e17f00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[  345.551358] flags: 0xfffffc0008100(slab|head)
[  345.551409] raw: 000fffffc0008100 0000000000000000 0000000000000000 0000000100330033
[  345.551492] raw: dead000000000100 dead000000000200 ffff8800b1a96bc0 ffff88010482cc80
[  345.553461] page dumped because: kasan: bad access detected
[  345.555362] page->mem_cgroup:ffff88010482cc80

[  345.559625] Memory state around the buggy address:
[  345.561724]  ffff8800b85fbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  345.564092]  ffff8800b85fbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  345.566783] >ffff8800b85fc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  345.569544]                    ^
[  345.572283]  ffff8800b85fc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  345.575072]  ffff8800b85fc100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  345.578299] ==================================================================
[  345.579614] Disabling lock debugging due to kernel taint
[  345.580365] WARNING: CPU: 1 PID: 1231 at fs/ext4/ext4.h:2692 ext4_block_bitmap_csum_verify+0x200/0x230
[  345.580366] Modules linked in: snd_ens1371 coretemp snd_ac97_codec ac97_bus intel_rapl_perf vmw_balloon snd_pcm snd_timer btusb snd_rawmidi btrtl uvcvideo btbcm snd btintel joydev input_leds bluetooth videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core serio_raw videodev soundcore ecdh_generic gameport media shpchp i2c_piix4 mac_hid vmw_vsock_vmci_transport vsock vmw_vmci ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear vmwgfx drm_kms_helper crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc syscopyarea sysfillrect sysimgblt fb_sys_fops ttm aesni_intel
[  345.580416]  aes_x86_64 crypto_simd drm cryptd psmouse glue_helper ahci libahci e1000 mptspi scsi_transport_spi mptscsih mptbase pata_acpi hid_generic usbhid hid
[  345.580429] CPU: 1 PID: 1231 Comm: poc Tainted: G    B   W        4.15.15 #4
[  345.580430] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[  345.580433] RIP: 0010:ext4_block_bitmap_csum_verify+0x200/0x230
[  345.580434] RSP: 0018:ffff8800ba46df48 EFLAGS: 00010246
[  345.580436] RAX: 0000000000000000 RBX: ffff8800b7378000 RCX: ffffffff8d19019f
[  345.580437] RDX: dffffc0000000000 RSI: dffffc0000000000 RDI: ffff8800b73783a8
[  345.580438] RBP: 1ffff1001748dbec R08: ffffed001748dc10 R09: ffffed001748dc10
[  345.580439] R10: 0000000000000002 R11: ffffed001748dc0f R12: ffff8800b28e6d20
[  345.580440] R13: dffffc0000000000 R14: ffff8800b85fb800 R15: ffff8800b73783a8
[  345.580442] FS:  00007fbed638d500(0000) GS:ffff88010d240000(0000) knlGS:0000000000000000
[  345.580443] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  345.580444] CR2: 0000000001d7cda4 CR3: 00000000b82c2002 CR4: 00000000001606e0
[  345.580476] Call Trace:
[  345.580481]  ? unwind_get_return_address+0x2f/0x50
[  345.580484]  ? ext4_inode_bitmap_csum_set+0x1f0/0x1f0
[  345.580488]  ? _raw_write_lock_irqsave+0x30/0x30
[  345.580490]  ? _cond_resched+0x16/0x50
[  345.580493]  ext4_validate_block_bitmap+0x23d/0x780
[  345.580496]  ? __wake_up_bit+0xdb/0x150
[  345.580498]  ? ext4_has_free_clusters+0x2c0/0x2c0
[  345.580501]  ? ext4_file_write_iter+0x2a3/0x820
[  345.580503]  ? ext4_block_bitmap_csum_verify+0x230/0x230
[  345.580504]  ? _raw_write_lock_irqsave+0x30/0x30
[  345.580508]  ext4_read_block_bitmap_nowait+0x6e5/0xc30
[  345.580511]  ? ext4_free_clusters_after_init+0x450/0x450
[  345.580515]  ? memcg_kmem_put_cache+0x6c/0x130
[  345.580518]  ? kasan_unpoison_shadow+0x30/0x40
[  345.580520]  ? kasan_kmalloc+0xa0/0xd0
[  345.580522]  ? __kmalloc+0x104/0x210
[  345.580525]  ext4_mb_init_cache+0x338/0xda0
[  345.580528]  ? ext4_mb_generate_from_pa+0x200/0x200
[  345.580532]  ? pagecache_get_page+0x258/0x560
[  345.580534]  ? add_to_page_cache_lru+0x2d0/0x2d0
[  345.580536]  ? deref_stack_reg+0xa1/0xe0
[  345.580538]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  345.580540]  ? __orc_find+0x6b/0xc0
[  345.580543]  ? unwind_next_frame+0x38e/0x9b0
[  345.580545]  ? __save_stack_trace+0x5e/0x100
[  345.580549]  ? trace_raw_output_xdp_redirect_map_err+0x170/0x170
[  345.580551]  ? deref_stack_reg+0xa1/0xe0
[  345.580553]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  345.580556]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.580558]  ? wake_up_page_bit+0x2a0/0x2a0
[  345.580562]  ? __is_insn_slot_addr+0x9a/0x150
[  345.580564]  ? __free_insn_slot+0x240/0x240
[  345.580565]  ext4_mb_init_group+0x436/0x5c0
[  345.580568]  ? ext4_mb_init_cache+0xda0/0xda0
[  345.580571]  ? __kernel_text_address+0xe/0x30
[  345.580573]  ? unwind_get_return_address+0x2f/0x50
[  345.580575]  ? __save_stack_trace+0x92/0x100
[  345.580576]  ? ext4_mb_find_by_goal+0x17a/0x7f0
[  345.580578]  ? ext4_mb_use_best_found+0x340/0x340
[  345.580580]  ? save_stack+0x89/0xb0
[  345.580582]  ? kasan_kmalloc+0xa0/0xd0
[  345.580584]  ? kmem_cache_alloc+0xb6/0x1c0
[  345.580585]  ? ext4_mb_new_blocks+0x37a/0x1ab0
[  345.580587]  ? ext4_ext_map_blocks+0xfc5/0x1a70
[  345.580589]  ? ext4_map_blocks+0x63f/0xa10
[  345.580591]  ? _ext4_get_block+0x128/0x2a0
[  345.580593]  ? ext4_block_write_begin+0x2df/0x840
[  345.580595]  ext4_mb_good_group+0x234/0x250
[  345.580597]  ext4_mb_regular_allocator+0x469/0x820
[  345.580600]  ? ext4_mb_complex_scan_group+0x4e0/0x4e0
[  345.580603]  ? __dquot_alloc_space+0x206/0x3e0
[  345.580605]  ? memcg_kmem_put_cache+0x6c/0x130
[  345.580607]  ? kasan_unpoison_shadow+0x30/0x40
[  345.580611]  ? kasan_kmalloc+0xa0/0xd0
[  345.580613]  ext4_mb_new_blocks+0x1013/0x1ab0
[  345.580617]  ? ftrace_ops_trampoline+0xf1/0x170
[  345.580618]  ? __is_insn_slot_addr+0x9a/0x150
[  345.580620]  ? __free_insn_slot+0x240/0x240
[  345.580622]  ? unwind_next_frame+0x38e/0x9b0
[  345.580624]  ? rcu_is_watching+0x81/0xc0
[  345.580626]  ? ext4_discard_preallocations+0xa90/0xa90
[  345.580628]  ? is_bpf_text_address+0xa/0x20
[  345.580630]  ? kernel_text_address+0xec/0x100
[  345.580631]  ? rcu_is_watching+0x81/0xc0
[  345.580633]  ? __kernel_text_address+0xe/0x30
[  345.580635]  ? unwind_get_return_address+0x2f/0x50
[  345.580636]  ? __save_stack_trace+0x92/0x100
[  345.580639]  ? depot_save_stack+0x3b7/0x480
[  345.580642]  ? save_stack+0x89/0xb0
[  345.580644]  ? kasan_kmalloc+0xa0/0xd0
[  345.580645]  ? __kmalloc+0x104/0x210
[  345.580647]  ? ext4_find_extent+0x36b/0x400
[  345.580648]  ? ext4_ext_map_blocks+0x16e/0x1a70
[  345.580650]  ? ext4_map_blocks+0x63f/0xa10
[  345.580651]  ? _ext4_get_block+0x128/0x2a0
[  345.580653]  ? ext4_block_write_begin+0x2df/0x840
[  345.580655]  ? ext4_write_begin+0x33a/0x930
[  345.580657]  ? generic_perform_write+0x1d8/0x3b0
[  345.580658]  ? __generic_file_write_iter+0x264/0x2a0
[  345.580660]  ? ext4_file_write_iter+0x2a3/0x820
[  345.580662]  ? __vfs_write+0x2ac/0x3d0
[  345.580664]  ? vfs_write+0xe9/0x240
[  345.580665]  ? SyS_write+0xb0/0x140
[  345.580668]  ? do_syscall_64+0x17a/0x330
[  345.580670]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.580672]  ? kasan_slab_free+0x71/0xc0
[  345.580673]  ? kfree+0x8d/0x190
[  345.580674]  ? ext4_ext_map_blocks+0xac5/0x1a70
[  345.580676]  ? ext4_map_blocks+0x6ac/0xa10
[  345.580678]  ? _ext4_get_block+0x128/0x2a0
[  345.580679]  ? ext4_block_write_begin+0x2df/0x840
[  345.580681]  ? ext4_write_begin+0x33a/0x930
[  345.580683]  ? generic_perform_write+0x1d8/0x3b0
[  345.580684]  ? __generic_file_write_iter+0x264/0x2a0
[  345.580686]  ? ext4_file_write_iter+0x2a3/0x820
[  345.580687]  ? __vfs_write+0x2ac/0x3d0
[  345.580688]  ? vfs_write+0xe9/0x240
[  345.580690]  ? SyS_write+0xb0/0x140
[  345.580691]  ? do_syscall_64+0x17a/0x330
[  345.580693]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.580695]  ? ext4_es_find_delayed_extent_range+0x380/0x380
[  345.580697]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.580698]  ? __es_tree_search+0x14/0xb0
[  345.580700]  ? ext4_es_find_delayed_extent_range+0x137/0x380
[  345.580702]  ? ext4_es_init_tree+0x30/0x30
[  345.580703]  ? is_bpf_text_address+0xa/0x20
[  345.580704]  ? kernel_text_address+0xe0/0x100
[  345.580706]  ? memcg_kmem_put_cache+0x6c/0x130
[  345.580719]  ? kasan_unpoison_shadow+0x30/0x40
[  345.580722]  ? kasan_kmalloc+0xa0/0xd0
[  345.580725]  ? __kmalloc+0x104/0x210
[  345.580727]  ? ext4_find_extent+0x36b/0x400
[  345.580730]  ? ext4_ext_search_right+0x66/0x480
[  345.580733]  ext4_ext_map_blocks+0xfc5/0x1a70
[  345.580739]  ? ext4_find_delalloc_cluster+0x60/0x60
[  345.580742]  ? unwind_next_frame+0x38e/0x9b0
[  345.580745]  ? __save_stack_trace+0x5e/0x100
[  345.580748]  ? trace_raw_output_xdp_redirect_map_err+0x170/0x170
[  345.580751]  ? deref_stack_reg+0xa1/0xe0
[  345.580754]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  345.580757]  ? memcg_kmem_put_cache+0x6c/0x130
[  345.580760]  ? memcg_kmem_get_cache+0x4c0/0x4c0
[  345.580763]  ? kasan_unpoison_shadow+0x30/0x40
[  345.580797]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.580801]  ? ext4_es_lookup_extent+0x168/0x3e0
[  345.580803]  ? ext4_es_cache_extent+0x260/0x260
[  345.580806]  ? _cond_resched+0x16/0x50
[  345.580808]  ? down_write+0x9d/0xd0
[  345.580810]  ? down_read+0xe0/0xe0
[  345.580814]  ? alloc_page_buffers+0x75/0x120
[  345.580818]  ext4_map_blocks+0x63f/0xa10
[  345.580822]  ? ext4_issue_zeroout+0xb0/0xb0
[  345.580826]  ? jbd2_journal_free_reserved+0x60/0x60
[  345.580829]  ? ext4_write_begin+0x256/0x930
[  345.580832]  ? generic_perform_write+0x1d8/0x3b0
[  345.580834]  ? __generic_file_write_iter+0x264/0x2a0
[  345.580837]  ? vfs_write+0xe9/0x240
[  345.580839]  ? SyS_write+0xb0/0x140
[  345.580842]  ? do_syscall_64+0x17a/0x330
[  345.580845]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.580849]  _ext4_get_block+0x128/0x2a0
[  345.580853]  ? ext4_map_blocks+0xa10/0xa10
[  345.580857]  ? try_to_release_page+0x1b0/0x1b0
[  345.580860]  ext4_block_write_begin+0x2df/0x840
[  345.580865]  ? _ext4_get_block+0x2a0/0x2a0
[  345.580869]  ? __check_block_validity.constprop.77+0xd0/0xd0
[  345.580872]  ? jbd2__journal_start+0x128/0x3b0
[  345.580875]  ? jbd2__journal_start+0x252/0x3b0
[  345.580878]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.580881]  ? jbd2_write_access_granted.part.9+0x130/0x130
[  345.580884]  ? fsnotify+0x158/0xae0
[  345.580889]  ? __ext4_journal_start_sb+0xdc/0x210
[  345.580892]  ? ext4_write_begin+0x256/0x930
[  345.580895]  ? wait_for_stable_page+0xc7/0x190
[  345.580898]  ? wb_domain_writeout_inc.part.27+0x50/0x50
[  345.580903]  ext4_write_begin+0x33a/0x930
[  345.580909]  ? ext4_truncate+0x860/0x860
[  345.580912]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.580914]  ? rcu_sched_qs.part.64+0x50/0x50
[  345.580917]  ? ext4_xattr_ibody_get+0x91/0x2d0
[  345.580920]  ? ext4_xattr_block_set+0x1c80/0x1c80
[  345.580923]  ? _cond_resched+0x16/0x50
[  345.580925]  ? down_read+0x7a/0xe0
[  345.580928]  ? __down_interruptible+0x3a0/0x3a0
[  345.580933]  ? iov_iter_fault_in_readable+0xb7/0x220
[  345.580935]  ? copy_page_to_iter+0x690/0x690
[  345.580938]  ? ext4_xattr_get+0x10e/0x4b0
[  345.580942]  ? ext4_xattr_ibody_get+0x2d0/0x2d0
[  345.580945]  generic_perform_write+0x1d8/0x3b0
[  345.580952]  ? generic_write_checks+0x2b0/0x2b0
[  345.580955]  ? timespec_trunc+0x5c/0x90
[  345.580959]  ? file_update_time+0x210/0x240
[  345.580962]  ? current_time+0x70/0x70
[  345.580965]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[  345.580969]  ? page_endio+0x200/0x200
[  345.580972]  ? __is_insn_slot_addr+0x9a/0x150
[  345.580975]  __generic_file_write_iter+0x264/0x2a0
[  345.580979]  ext4_file_write_iter+0x2a3/0x820
[  345.580982]  ? is_bpf_text_address+0xa/0x20
[  345.580985]  ? ext4_file_mmap+0x150/0x150
[  345.580988]  ? unwind_get_return_address+0x2f/0x50
[  345.580991]  ? __save_stack_trace+0x92/0x100
[  345.580995]  ? memcmp+0x45/0x70
[  345.580998]  ? depot_save_stack+0x12d/0x480
[  345.581002]  ? save_stack+0x89/0xb0
[  345.581005]  ? kasan_slab_free+0x71/0xc0
[  345.581007]  ? kmem_cache_free+0x75/0x1e0
[  345.581010]  ? do_sys_open+0x1f0/0x380
[  345.581012]  ? do_syscall_64+0x17a/0x330
[  345.581016]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.581019]  ? __alloc_fd+0x2e0/0x380
[  345.581023]  __vfs_write+0x2ac/0x3d0
[  345.581026]  ? kernel_read+0xa0/0xa0
[  345.581027]  ? __fd_install+0x13a/0x260
[  345.581029]  ? get_unused_fd_flags+0x100/0x100
[  345.581032]  ? __fdget_pos+0xa7/0x100
[  345.581034]  vfs_write+0xe9/0x240
[  345.581036]  SyS_write+0xb0/0x140
[  345.581038]  ? SyS_read+0x140/0x140
[  345.581040]  ? SyS_read+0x140/0x140
[  345.581042]  do_syscall_64+0x17a/0x330
[  345.581045]  ? syscall_return_slowpath+0x1e0/0x1e0
[  345.581047]  ? page_fault+0x2f/0x50
[  345.581049]  ? do_page_fault+0x90/0x210
[  345.581050]  ? __do_page_fault+0x6d0/0x6d0
[  345.581053]  ? prepare_exit_to_usermode+0xe8/0x150
[  345.581054]  ? perf_trace_sys_enter+0x4e0/0x4e0
[  345.581056]  ? __put_user_4+0x1c/0x30
[  345.581059]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[  345.581061] RIP: 0033:0x7fbed5e940c4
[  345.581062] RSP: 002b:00007ffcded713a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  345.581064] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbed5e940c4
[  345.581065] RDX: 0000000000000205 RSI: 000056047ca3f040 RDI: 0000000000000003
[  345.581066] RBP: 00007ffcded71510 R08: 0000000000000003 R09: 0000000000000000
[  345.581066] R10: 0000000000000000 R11: 0000000000000246 R12: 000056047c83dd30
[  345.581067] R13: 00007ffcded71610 R14: 0000000000000000 R15: 0000000000000000
[  345.581069] Code: fc ff df 48 c7 44 15 00 00 00 00 00 48 8b 74 24 70 65 48 33 34 25 28 00 00 00 75 33 48 83 c4 78 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <0f> 0b b8 01 00 00 00 eb c5 49 8d 7e 38 e8 9e 45 e9 ff 41 0f b7
[  345.581095] ---[ end trace b1414c96bc917095 ]---

Reported by Wen Xu from SSLab, Gatech
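The KASAN report above shows crc16() reading freed memory from inside ext4_group_desc_csum(), the function that checksums one block-group descriptor. The following is an added example, not code from the bug report or from the kernel tree: a userspace re-implementation of the crc16 path of that checksum (filesystems with metadata_csum use crc32c instead, which is not covered here), together with the location sanity check that ext4_check_descriptors() applies to each descriptor at mount time, modelled on its non-flex_bg branch (with flex_bg the kernel checks against the whole filesystem range instead). The `my_` names, the UUID, the filesystem geometry and the sample descriptor are all constructed for this example, and a little-endian host (x86, as in the report) is assumed so that the struct fields match the on-disk layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-byte (non-64bit) ext4 group descriptor, on-disk layout; little-endian host assumed. */
struct my_ext4_group_desc {
    uint32_t bg_block_bitmap_lo;
    uint32_t bg_inode_bitmap_lo;
    uint32_t bg_inode_table_lo;
    uint16_t bg_free_blocks_count_lo;
    uint16_t bg_free_inodes_count_lo;
    uint16_t bg_used_dirs_count_lo;
    uint16_t bg_flags;
    uint32_t bg_exclude_bitmap_lo;
    uint16_t bg_block_bitmap_csum_lo;
    uint16_t bg_inode_bitmap_csum_lo;
    uint16_t bg_itable_unused_lo;
    uint16_t bg_checksum;   /* offset 0x1e; everything before it is summed, this field is skipped */
};

/* Constructed filesystem geometry (assumption for this example). */
struct my_geom {
    uint64_t first_data_block;  /* s_first_data_block */
    uint64_t blocks_per_group;  /* s_blocks_per_group */
    uint64_t blocks_count;      /* total blocks in the filesystem */
    uint64_t itb_per_group;     /* inode table blocks per group */
};

/* Same CRC as lib/crc16.c: poly 0x8005 bit-reflected (0xA001), caller-supplied init. */
static uint16_t my_crc16(uint16_t crc, const void *buf, size_t len)
{
    const uint8_t *p = buf;
    while (len--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc & 1) ? (crc >> 1) ^ 0xA001 : crc >> 1;
    }
    return crc;
}

/* crc16 path of ext4_group_desc_csum(): fs UUID, le32 group number, then the
 * descriptor bytes with the 2-byte bg_checksum field itself left out. */
static uint16_t my_group_desc_csum(const uint8_t uuid[16], uint32_t group,
                                   const void *gdp, size_t desc_size)
{
    uint8_t le_group[4] = { group & 0xff, (group >> 8) & 0xff,
                            (group >> 16) & 0xff, (group >> 24) & 0xff };
    size_t off = offsetof(struct my_ext4_group_desc, bg_checksum);
    uint16_t crc = my_crc16(0xFFFF, uuid, 16);          /* kernel: crc16(~0, ...) */
    crc = my_crc16(crc, le_group, sizeof le_group);
    crc = my_crc16(crc, gdp, off);
    off += sizeof(uint16_t);                            /* skip bg_checksum */
    if (desc_size > off)                                /* 64bit: tail of the descriptor */
        crc = my_crc16(crc, (const uint8_t *)gdp + off, desc_size - off);
    return crc;
}

/* Non-flex_bg check from ext4_check_descriptors(): group metadata must lie
 * inside that group's own block range, without wrapping around. */
static bool my_range_in_group(const struct my_geom *g, uint32_t group,
                              uint64_t first_blk, uint64_t nblocks)
{
    uint64_t first = g->first_data_block + (uint64_t)group * g->blocks_per_group;
    uint64_t last = first + g->blocks_per_group - 1;
    if (last > g->blocks_count - 1)
        last = g->blocks_count - 1;
    uint64_t end = first_blk + nblocks - 1;
    return end >= first_blk && first_blk >= first && end <= last;
}

static bool my_check_desc(const uint8_t uuid[16], const struct my_geom *g,
                          uint32_t group, const struct my_ext4_group_desc *d)
{
    if (my_group_desc_csum(uuid, group, d, sizeof *d) != d->bg_checksum)
        return false;   /* corrupt descriptor: checksum mismatch */
    return my_range_in_group(g, group, d->bg_block_bitmap_lo, 1) &&
           my_range_in_group(g, group, d->bg_inode_bitmap_lo, 1) &&
           my_range_in_group(g, group, d->bg_inode_table_lo, g->itb_per_group);
}

/* Constructed sample: group 1 of a 256 MiB filesystem with 4 KiB blocks. The
 * descriptor gets a valid checksum; `tamper` then flips one bit after that. */
static bool my_check_sample(uint32_t block_bitmap, bool tamper)
{
    static const uint8_t uuid[16] = { 0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,
                                      0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00 };
    struct my_geom g = { 0, 32768, 65536, 512 };
    struct my_ext4_group_desc d;
    memset(&d, 0, sizeof d);
    d.bg_block_bitmap_lo = block_bitmap;
    d.bg_inode_bitmap_lo = 32771;
    d.bg_inode_table_lo = 32772;
    d.bg_free_blocks_count_lo = 31000;
    d.bg_checksum = my_group_desc_csum(uuid, 1, &d, sizeof d);
    if (tamper)
        d.bg_free_blocks_count_lo ^= 1;
    return my_check_desc(uuid, &g, 1, &d);
}

int main(void)
{
    printf("valid descriptor:       %s\n", my_check_sample(32770, false) ? "ok" : "REJECT");
    printf("bit-flipped descriptor: %s\n", my_check_sample(32770, true) ? "ok" : "REJECT");
    /* Crafted image: bitmap pointer far outside the group, checksum recomputed to match. */
    printf("out-of-group bitmap:    %s\n", my_check_sample(0xFFFFFFFF, false) ? "ok" : "REJECT");
    return 0;
}
```

The third case is the one that matters for crafted images: the group descriptor checksum is a CRC keyed only by the public UUID and group number, so anyone editing the image can recompute it, and it catches accidental corruption but not a deliberately hostile descriptor. Only the range checks reject a bitmap or inode-table pointer that lies outside the group, which is why mount-time validation, not the checksum, is the line of defence against images like the attached one.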
Comment 1 Wen Xu 2018-04-10 03:31:17 UTC
Created attachment 275255
poc.c
Comment 2 Wen Xu 2018-04-10 03:31:45 UTC
Created attachment 275257
another test case to refer
Comment 3 Wen Xu 2018-04-10 06:12:04 UTC
This bug is not reproducible on the latest ext4 development branch.
