Bug 199335 - BUG() in ext4_mb_normalize_request when mounting and operating on a crafted ext4 image
Status: RESOLVED UNREPRODUCIBLE
Alias: None
Product: File System
Classification: Unclassified
Component: ext4
Hardware: All Linux
Importance: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-10 03:41 UTC by Wen Xu
Modified: 2018-04-10 06:11 UTC

See Also:
Kernel Version: 4.4.x
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The crafted image which causes kernel panic (2.00 MB, application/octet-stream) - 2018-04-10 03:41 UTC, Wen Xu
poc.c (3.18 KB, text/plain) - 2018-04-10 03:41 UTC, Wen Xu

Description Wen Xu 2018-04-10 03:41:04 UTC
Created attachment 275259
The crafted image which causes kernel panic

- Overview
BUG() is triggered in ext4_mb_normalize_request() when mounting and operating on a crafted ext4 image

- Reproduce
# mkdir mnt
# mount -t ext4 9.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Location
https://elixir.bootlin.com/linux/v4.4.124/source/fs/ext4/mballoc.c#L3159

- Kernel Dump
[  283.633619] EXT4-fs (loop0): feature flags set on rev 0 fs, running e2fsck is recommended
[  283.633623] EXT4-fs (loop0): Couldn't mount because of unsupported optional features (4400)
[  583.745647] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[  588.049508] EXT4-fs error (device loop0): ext4_init_inode_table:1337: comm ext4lazyinit: Something is wrong with group 15: used itable blocks: -8159; itable unused count: 65535
[  590.162854] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 5, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[  590.162970] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 24, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[  590.163023] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 25, block bitmap and bg descriptor inconsistent: 32 vs 256 free clusters
[  590.163076] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 28, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[  590.163128] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 29, block bitmap and bg descriptor inconsistent: 32 vs 20 free clusters
[  590.163356] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 42, block bitmap and bg descriptor inconsistent: 32 vs 4 free clusters
[  590.163444] EXT4-fs error (device loop0): ext4_mb_complex_scan_group:1972: group 43, 32 free clusters as per group info. But got 512 blocks
[  590.163498] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 62, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[  590.163699] ------------[ cut here ]------------
[  590.163718] kernel BUG at fs/ext4/mballoc.c:3159!
[  590.163737] invalid opcode: 0000 [#1] SMP
[  590.163756] Modules linked in: vmw_vsock_vmci_transport vsock snd_ens1371 snd_ac97_codec vmw_balloon ac97_bus uvcvideo snd_pcm coretemp gameport videobuf2_vmalloc snd_timer videobuf2_memops snd_rawmidi btusb videobuf2_v4l2 btrtl btbcm btintel snd_seq_device videobuf2_core bluetooth joydev v4l2_common snd input_leds serio_raw videodev media soundcore vmw_vmci shpchp i2c_piix4 8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear hid_generic usbhid hid vmwgfx drm_kms_helper syscopyarea sysfillrect crct10dif_pclmul sysimgblt crc32_pclmul ghash_clmulni_intel fb_sys_fops ttm aesni_intel aes_x86_64
[  590.169012]  glue_helper lrw gf128mul ablk_helper drm cryptd e1000 mptspi psmouse scsi_transport_spi mptscsih ahci libahci pata_acpi mptbase fjes
[  590.170490] CPU: 0 PID: 32509 Comm: poc Not tainted 4.4.124 #4
[  590.171195] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[  590.172573] task: ffff880033af4600 ti: ffff880081064000 task.ti: ffff880081064000
[  590.173249] RIP: 0010:[<ffffffff892cf59a>]  [<ffffffff892cf59a>] ext4_mb_normalize_request.constprop.29+0x25a/0x4d0
[  590.174630] RSP: 0018:ffff880081067770  EFLAGS: 00010246
[  590.175298] RAX: 0000000000000020 RBX: ffff8801261013d8 RCX: 0000000000000020
[  590.175940] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000020
[  590.176591] RBP: ffff8800810677c0 R08: 000000000000000a R09: 0000000000000001
[  590.177310] R10: 0000000000000001 R11: ffffea00028f8700 R12: ffff8800ba95e000
[  590.177980] R13: ffff8800b959e410 R14: 0000000000000000 R15: ffff8800b959e440
[  590.178607] FS:  00007f6258042700(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[  590.179255] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  590.179934] CR2: 00000000006fd158 CR3: 0000000034528000 CR4: 0000000000160670
[  590.180632] Stack:
[  590.181297]  ffff8800810678e8 ffff880126101188 ffffffff892cef42 ffff8800ba3ac800
[  590.181966]  00000020948cd7fc ffff8800ba3ac800 ffff8800810678e4 ffff8800ba3a8800
[  590.182871]  ffff8800810678e8 ffff8800ba95e000 ffff880081067870 ffffffff892d5b7e
[  590.183472] Call Trace:
[  590.184024]  [<ffffffff892cef42>] ? ext4_mb_initialize_context+0x82/0x1b0
[  590.184573]  [<ffffffff892d5b7e>] ext4_mb_new_blocks+0x5de/0xad0
[  590.185124]  [<ffffffff8924478a>] ? __find_get_block+0xaa/0x120
[  590.185703]  [<ffffffff89244acb>] ? __getblk_gfp+0x2b/0x60
[  590.186239]  [<ffffffff892da07c>] ? ext4_get_branch+0xbc/0x130
[  590.186757]  [<ffffffff892db65a>] ext4_ind_map_blocks+0xbba/0xbf0
[  590.187315]  [<ffffffff891ae71c>] ? zone_statistics+0x7c/0xa0
[  590.187828]  [<ffffffff891957a8>] ? free_hot_cold_page_list+0x48/0xb0
[  590.188352]  [<ffffffff8929a3d4>] ext4_map_blocks+0x2c4/0x570
[  590.188845]  [<ffffffff891ebb9c>] ? kmem_cache_alloc+0x1cc/0x1f0
[  590.189324]  [<ffffffff8929a73e>] _ext4_get_block+0xbe/0x220
[  590.189833]  [<ffffffff8929a8b6>] ext4_get_block+0x16/0x20
[  590.190287]  [<ffffffff89245e82>] __block_write_begin+0x172/0x480
[  590.190730]  [<ffffffff8929a8a0>] ? _ext4_get_block+0x220/0x220
[  590.191163]  [<ffffffff892cd2cd>] ? __ext4_journal_start_sb+0x6d/0x120
[  590.191587]  [<ffffffff8929ea5a>] ext4_write_begin+0x19a/0x440
[  590.192033]  [<ffffffff8929ef9e>] ext4_da_write_begin+0x29e/0x340
[  590.192453]  [<ffffffff8929fad7>] ? ext4_da_write_end+0x267/0x2c0
[  590.192871]  [<ffffffff8918defe>] generic_perform_write+0xce/0x1d0
[  590.193286]  [<ffffffff8918fc92>] __generic_file_write_iter+0x1a2/0x1e0
[  590.193922]  [<ffffffff8922990e>] ? atime_needs_update+0x4e/0xc0
[  590.194329]  [<ffffffff89293a22>] ext4_file_write_iter+0x102/0x470
[  590.194975]  [<ffffffff8921d4d5>] ? do_filp_open+0xa5/0x100
[  590.195730]  [<ffffffff8920ca42>] __vfs_write+0xd2/0x120
[  590.196366]  [<ffffffff8920d0c9>] vfs_write+0xa9/0x1a0
[  590.196871]  [<ffffffff8920dd85>] SyS_write+0x55/0xc0
[  590.197559]  [<ffffffff897fb4e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[  590.198059] Code: 00 00 8b 49 54 d3 e0 89 c1 01 f1 39 f9 76 08 39 fe 0f 86 e3 01 00 00 41 39 ce 73 25 3b 75 d4 73 20 41 39 f6 72 07 3b 4d d4 72 02 <0f> 0b 39 f9 0f 87 52 01 00 00 41 39 ce 0f 87 af 01 00 00 41 89
[  590.199920] RIP  [<ffffffff892cf59a>] ext4_mb_normalize_request.constprop.29+0x25a/0x4d0
[  590.200456]  RSP <ffff880081067770>
[  590.201039] ---[ end trace 994aa9e5cf950be0 ]---

Reported by Wen Xu from SSLab, Gatech
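The dump above shows ext4_mb_generate_buddy() rejecting group after group because the free-cluster count stored in the group descriptor disagrees with the block bitmap (for example "32 vs 0 free clusters" for group 5), and it is that inconsistent allocator state that the later BUG() in ext4_mb_normalize_request() trips over. The script below is an added illustration, not part of this report, of the kernel, or of e2fsprogs: it reads the superblock and group descriptor table of an image file and recomputes each group's free-block count from the bitmap, so the mismatch is visible before the image is ever mounted (e2fsck -fn performs this and far more, and is what should be run on any untrusted image). It assumes a filesystem without the 64bit and bigalloc features (32-byte descriptors, one block per cluster), and it builds its own constructed toy image rather than reading the attached 9.img.

```python
import struct

SB_OFFSET = 1024            # the ext4 superblock always starts 1024 bytes into the device
EXT4_SUPER_MAGIC = 0xEF53
GDT_ENTRY_SIZE = 32         # descriptor size when the 64bit feature is off (assumed here)


def parse_superblock(img):
    """Pull the few superblock fields needed to locate and size the block groups."""
    sb = img[SB_OFFSET:SB_OFFSET + 1024]
    (magic,) = struct.unpack_from("<H", sb, 56)            # s_magic
    if magic != EXT4_SUPER_MAGIC:
        raise ValueError("bad ext4 magic: 0x%04x" % magic)
    (blocks_count,) = struct.unpack_from("<I", sb, 4)      # s_blocks_count_lo
    (first_data_block,) = struct.unpack_from("<I", sb, 20)  # s_first_data_block
    (log_block_size,) = struct.unpack_from("<I", sb, 24)    # s_log_block_size
    (blocks_per_group,) = struct.unpack_from("<I", sb, 32)  # s_blocks_per_group
    return {
        "block_size": 1024 << log_block_size,
        "blocks_count": blocks_count,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
    }


def check_block_bitmaps(img):
    """Return (group, free_per_bitmap, free_per_descriptor) for every group whose
    descriptor disagrees with its block bitmap; free_per_bitmap is None when the
    descriptor points outside the image. An empty list means the image passes this
    single check only; it is not a substitute for e2fsck."""
    sb = parse_superblock(img)
    bs = sb["block_size"]
    data_blocks = sb["blocks_count"] - sb["first_data_block"]
    n_groups = -(-data_blocks // sb["blocks_per_group"])     # ceiling division
    gdt_off = (sb["first_data_block"] + 1) * bs               # GDT follows the superblock's block
    findings = []
    for g in range(n_groups):
        desc_off = gdt_off + g * GDT_ENTRY_SIZE
        (bitmap_block,) = struct.unpack_from("<I", img, desc_off)       # bg_block_bitmap_lo
        (desc_free,) = struct.unpack_from("<H", img, desc_off + 12)     # bg_free_blocks_count_lo
        n_blocks = min(sb["blocks_per_group"], data_blocks - g * sb["blocks_per_group"])
        if bitmap_block >= sb["blocks_count"]:
            findings.append((g, None, desc_free))             # crafted pointer, cannot count
            continue
        raw = img[bitmap_block * bs : bitmap_block * bs + (n_blocks + 7) // 8]
        bits = int.from_bytes(raw, "little")      # ext4 bitmaps are LSB-first: bit i = block i
        used = bin(bits & ((1 << n_blocks) - 1)).count("1")   # ignore padding bits past the group
        bitmap_free = n_blocks - used
        if bitmap_free != desc_free:
            findings.append((g, bitmap_free, desc_free))
    return findings


def make_image(desc_free, used_blocks):
    """Constructed toy image (not mkfs output): 1 KiB blocks, 64 blocks, a single
    group, block bitmap in block 3, with `used_blocks` blocks marked in use and
    `desc_free` written into the descriptor, so the two can be made to disagree."""
    bs, blocks_count = 1024, 64
    img = bytearray(bs * blocks_count)
    struct.pack_into("<I", img, SB_OFFSET + 4, blocks_count)        # s_blocks_count_lo
    struct.pack_into("<I", img, SB_OFFSET + 20, 1)                  # s_first_data_block
    struct.pack_into("<I", img, SB_OFFSET + 24, 0)                  # s_log_block_size (1 KiB)
    struct.pack_into("<I", img, SB_OFFSET + 32, 8192)               # s_blocks_per_group
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT4_SUPER_MAGIC)   # s_magic
    gdt = 2 * bs                                                    # group 0 descriptor
    struct.pack_into("<I", img, gdt, 3)                             # bg_block_bitmap_lo
    struct.pack_into("<H", img, gdt + 12, desc_free)                # bg_free_blocks_count_lo
    bitmap = 3 * bs
    for b in range(used_blocks):
        img[bitmap + b // 8] |= 1 << (b % 8)
    return bytes(img)


if __name__ == "__main__":
    # 63 data blocks, 31 in use: the bitmap says 32 free.
    print("consistent:", check_block_bitmaps(make_image(desc_free=32, used_blocks=31)))
    # Same bitmap, descriptor claims 0 free: the "32 vs 0" shape seen in the dump.
    print("crafted   :", check_block_bitmaps(make_image(desc_free=0, used_blocks=31)))
```

To run it against a real image, read the file into bytes and pass it to check_block_bitmaps(); a non-empty result is the same class of inconsistency the kernel only notices after the image is mounted and written to, which is exactly the point at which a read-only pre-mount check (or e2fsck -fn) is cheaper than a crash.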
Comment 1 Wen Xu 2018-04-10 03:41:31 UTC
Created attachment 275261
poc.c
Comment 2 Wen Xu 2018-04-10 05:54:09 UTC
This is no longer reproducible on the latest ext4 development branch.
