Bug 199337 - BUG() in ext4_mb_mark_diskspace_used() when mounting and operating on a crafted ext4 image
Status: RESOLVED UNREPRODUCIBLE
Alias: None
Product: File System
Classification: Unclassified
Component: ext4
Hardware: All Linux
Importance: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-10 03:46 UTC by Wen Xu
Modified: 2018-04-10 06:11 UTC (History)

See Also:
Kernel Version: 4.4.x / 4.15.x
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The crafted image which causes kernel panic (2.00 MB, application/octet-stream), 2018-04-10 03:46 UTC, Wen Xu
poc.c (3.18 KB, text/plain), 2018-04-10 03:47 UTC, Wen Xu

Description Wen Xu 2018-04-10 03:46:44 UTC
Created attachment 275263
The crafted image which causes kernel panic

- Overview
BUG() is triggered at ext4_mb_mark_diskspace_used() when mounting and operating on a crafted ext4 image

- Reproduce
# mkdir mnt
# mount -t ext4 231.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Location
https://elixir.bootlin.com/linux/v4.4.124/source/fs/ext4/mballoc.c#L2907

- Kernel Dump
[   29.639629] EXT4-fs (loop0): mounted filesystem without journal. Opts: (null)
[   33.642045] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 4, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[   33.642115] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 5, block bitmap and bg descriptor inconsistent: 32 vs 61696 free clusters
[   33.642173] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 17, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[   33.642227] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 21, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[   33.642294] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 24, block bitmap and bg descriptor inconsistent: 20 vs 0 free clusters
[   33.642347] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 25, block bitmap and bg descriptor inconsistent: 20 vs 256 free clusters
[   33.642755] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 42, block bitmap and bg descriptor inconsistent: 32 vs 4 free clusters
[   33.642813] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 43, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[   33.642870] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 62, block bitmap and bg descriptor inconsistent: 20 vs 0 free clusters
[   33.642922] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 63, block bitmap and bg descriptor inconsistent: 20 vs 32 free clusters
[   33.643035] ------------[ cut here ]------------
[   33.643054] kernel BUG at fs/ext4/mballoc.c:2907!
[   33.643073] invalid opcode: 0000 [#1] SMP
[   33.643092] Modules linked in: vmw_vsock_vmci_transport vsock uvcvideo snd_ens1371 snd_ac97_codec btusb btrtl btbcm ac97_bus btintel snd_pcm bluetooth videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core vmw_balloon gameport v4l2_common snd_timer videodev snd_rawmidi snd_seq_device coretemp snd joydev input_leds serio_raw vmw_vmci media soundcore i2c_piix4 shpchp 8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear hid_generic usbhid hid vmwgfx crct10dif_pclmul crc32_pclmul ghash_clmulni_intel drm_kms_helper aesni_intel syscopyarea sysfillrect psmouse sysimgblt aes_x86_64
[   33.643467]  fb_sys_fops ttm glue_helper lrw gf128mul drm ablk_helper cryptd mptspi scsi_transport_spi e1000 mptscsih mptbase ahci pata_acpi libahci fjes
[   33.643542] CPU: 0 PID: 1510 Comm: poc Not tainted 4.4.124 #4
[   33.644464] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[   33.646170] task: ffff880135d31c00 ti: ffff8800b5144000 task.ti: ffff8800b5144000
[   33.647050] RIP: 0010:[<ffffffff962d4357>]  [<ffffffff962d4357>] ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[   33.648661] RSP: 0018:ffff8800b5147938  EFLAGS: 00010246
[   33.649410] RAX: 0000000000000000 RBX: ffff8800ba5ff800 RCX: ffff8800347bd148
[   33.650166] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800b94e6000
[   33.650837] RBP: ffff8800b5147990 R08: ffff8800b94e6038 R09: ffff8800b94e6034
[   33.651494] R10: ffff8800b53cb650 R11: 0000000000000230 R12: ffff8800b5147ab4
[   33.652151] R13: ffff8800ba5fc800 R14: ffff8800b5147ab8 R15: ffff8800b94e6000
[   33.652762] FS:  00007fbd17057700(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[   33.653362] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   33.653950] CR2: 0000000001577158 CR3: 00000000b9ac4000 CR4: 0000000000160670
[   33.654568] Stack:
[   33.655161]  ffff8800ba5ff800 ffff8800347bd138 ffff8800b5147990 ffffffff962d043a
[   33.655740]  ffff88003464e990 828c4939e340e542 ffff8800ba5ff800 ffff8800b5147ab4
[   33.656337]  ffff8800ba5fc800 ffff8800b5147ab8 ffff8800b94e6000 ffff8800b5147a40
[   33.656880] Call Trace:
[   33.657475]  [<ffffffff962d043a>] ? ext4_mb_new_inode_pa+0x27a/0x3b0
[   33.658003]  [<ffffffff962d58d7>] ext4_mb_new_blocks+0x337/0xad0
[   33.658520]  [<ffffffff9624478a>] ? __find_get_block+0xaa/0x120
[   33.659025]  [<ffffffff96244acb>] ? __getblk_gfp+0x2b/0x60
[   33.659568]  [<ffffffff962da07c>] ? ext4_get_branch+0xbc/0x130
[   33.660093]  [<ffffffff962db65a>] ext4_ind_map_blocks+0xbba/0xbf0
[   33.660672]  [<ffffffff962991d3>] ? mpage_prepare_extent_to_map+0x243/0x2f0
[   33.661211]  [<ffffffff9629a3d4>] ext4_map_blocks+0x2c4/0x570
[   33.661768]  [<ffffffff962cd132>] ? ext4_journal_check_start+0x12/0x80
[   33.662325]  [<ffffffff9629d7f4>] ext4_writepages+0x634/0xce0
[   33.662906]  [<ffffffff9622990e>] ? atime_needs_update+0x4e/0xc0
[   33.663425]  [<ffffffff9619c131>] do_writepages+0x21/0x30
[   33.663913]  [<ffffffff9618f146>] __filemap_fdatawrite_range+0xc6/0x100
[   33.664460]  [<ffffffff9618f28a>] filemap_write_and_wait_range+0x2a/0x70
[   33.664960]  [<ffffffff96234ef7>] __generic_file_fsync+0x27/0x90
[   33.665399]  [<ffffffff96234f79>] generic_file_fsync+0x19/0x40
[   33.665817]  [<ffffffff962946fc>] ext4_sync_file+0x1ec/0x340
[   33.666230]  [<ffffffff962411de>] vfs_fsync_range+0x4e/0xb0
[   33.666649]  [<ffffffff9624129d>] do_fsync+0x3d/0x70
[   33.667080]  [<ffffffff96241563>] SyS_fdatasync+0x13/0x20
[   33.667492]  [<ffffffff967fb4e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[   33.667895] Code: ff ff 85 c0 0f 85 f9 fd ff ff 4c 8b 45 c8 31 c9 4c 89 e2 be b8 0b 00 00 48 c7 c7 90 68 a3 96 e8 b0 94 ff ff e9 da fd ff ff 0f 0b <0f> 0b 4c 63 4d b0 4c 8b 45 a8 48 c7 c1 30 15 cc 96 ba 7e 0b 00
[   33.669230] RIP  [<ffffffff962d4357>] ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[   33.669657]  RSP <ffff8800b5147938>
[   33.670300] ---[ end trace 842e5cb6ac86b18d ]---
[   33.670734] ------------[ cut here ]------------
[   33.671160] WARNING: CPU: 0 PID: 1510 at kernel/exit.c:661 do_exit+0x5f/0xb00()
[   33.671629] Modules linked in: vmw_vsock_vmci_transport vsock uvcvideo snd_ens1371 snd_ac97_codec btusb btrtl btbcm ac97_bus btintel snd_pcm bluetooth videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core vmw_balloon gameport v4l2_common snd_timer videodev snd_rawmidi snd_seq_device coretemp snd joydev input_leds serio_raw vmw_vmci media soundcore i2c_piix4 shpchp 8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear hid_generic usbhid hid vmwgfx crct10dif_pclmul crc32_pclmul ghash_clmulni_intel drm_kms_helper aesni_intel syscopyarea sysfillrect psmouse sysimgblt aes_x86_64
[   33.676423]  fb_sys_fops ttm glue_helper lrw gf128mul drm ablk_helper cryptd mptspi scsi_transport_spi e1000 mptscsih mptbase ahci pata_acpi libahci fjes
[   33.677367] CPU: 0 PID: 1510 Comm: poc Tainted: G      D         4.4.124 #4
[   33.677841] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[   33.678904]  0000000000000286 828c4939e340e542 ffff8800b5147640 ffffffff963d8d23
[   33.679411]  0000000000000000 ffffffff96ca89f6 ffff8800b5147678 ffffffff96081e72
[   33.679917]  ffff880135d31c00 000000000000000b ffff8800b5147888 0000000000000000
[   33.680482] Call Trace:
[   33.680982]  [<ffffffff963d8d23>] dump_stack+0x63/0x90
[   33.681485]  [<ffffffff96081e72>] warn_slowpath_common+0x82/0xc0
[   33.681988]  [<ffffffff96081fba>] warn_slowpath_null+0x1a/0x20
[   33.682487]  [<ffffffff960848af>] do_exit+0x5f/0xb00
[   33.682995]  [<ffffffff9601acd1>] oops_end+0xa1/0xd0
[   33.683486]  [<ffffffff9601b18b>] die+0x4b/0x70
[   33.684023]  [<ffffffff96018131>] do_trap+0xb1/0x140
[   33.684525]  [<ffffffff960184b9>] do_error_trap+0x89/0x110
[   33.685012]  [<ffffffff962d4357>] ? ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[   33.685507]  [<ffffffff962d3029>] ? mb_mark_used+0x289/0x320
[   33.686003]  [<ffffffff96018a20>] do_invalid_op+0x20/0x30
[   33.686750]  [<ffffffff967fd28e>] invalid_op+0x1e/0x30
[   33.687719]  [<ffffffff962d4357>] ? ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[   33.688763]  [<ffffffff962d043a>] ? ext4_mb_new_inode_pa+0x27a/0x3b0
[   33.689685]  [<ffffffff962d58d7>] ext4_mb_new_blocks+0x337/0xad0
[   33.690415]  [<ffffffff9624478a>] ? __find_get_block+0xaa/0x120
[   33.691262]  [<ffffffff96244acb>] ? __getblk_gfp+0x2b/0x60
[   33.692246]  [<ffffffff962da07c>] ? ext4_get_branch+0xbc/0x130
[   33.693136]  [<ffffffff962db65a>] ext4_ind_map_blocks+0xbba/0xbf0
[   33.693930]  [<ffffffff962991d3>] ? mpage_prepare_extent_to_map+0x243/0x2f0
[   33.694600]  [<ffffffff9629a3d4>] ext4_map_blocks+0x2c4/0x570
[   33.695526]  [<ffffffff962cd132>] ? ext4_journal_check_start+0x12/0x80
[   33.696304]  [<ffffffff9629d7f4>] ext4_writepages+0x634/0xce0
[   33.696838]  [<ffffffff9622990e>] ? atime_needs_update+0x4e/0xc0
[   33.697308]  [<ffffffff9619c131>] do_writepages+0x21/0x30
[   33.697759]  [<ffffffff9618f146>] __filemap_fdatawrite_range+0xc6/0x100
[   33.698261]  [<ffffffff9618f28a>] filemap_write_and_wait_range+0x2a/0x70
[   33.698694]  [<ffffffff96234ef7>] __generic_file_fsync+0x27/0x90
[   33.699117]  [<ffffffff96234f79>] generic_file_fsync+0x19/0x40
[   33.699559]  [<ffffffff962946fc>] ext4_sync_file+0x1ec/0x340
[   33.699945]  [<ffffffff962411de>] vfs_fsync_range+0x4e/0xb0
[   33.700415]  [<ffffffff9624129d>] do_fsync+0x3d/0x70
[   33.701025]  [<ffffffff96241563>] SyS_fdatasync+0x13/0x20
[   33.701421]  [<ffffffff967fb4e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[   33.701834] ---[ end trace 842e5cb6ac86b18e ]---

Reported by Wen Xu from SSLab, Gatech
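As an added, defender-side example (not part of this report, and not the attached poc.c), the following Python pre-mount checker replays the consistency test that ext4_mb_generate_buddy failed on in the log above: it counts the clear bits in each group's block bitmap and compares that with the free count stored in the group descriptor. It assumes a non-bigalloc image (one cluster is one block) without meta_bg; the embedded make_image builder produces constructed test data, not the attached 231.img.

```python
import struct
SB_OFF = 1024           # the primary superblock always starts at byte 1024
EXT4_MAGIC = 0xEF53
INCOMPAT_64BIT = 0x80   # s_feature_incompat bit: 64-byte group descriptors
def u(fmt, buf, off): return struct.unpack_from(fmt, buf, off)[0]
def parse_superblock(img):
    # Offsets follow struct ext4_super_block in fs/ext4/ext4.h.
    if u("<H", img, SB_OFF + 0x38) != EXT4_MAGIC:
        raise ValueError("not an ext4 superblock")
    is64 = u("<I", img, SB_OFF + 0x60) & INCOMPAT_64BIT
    return {"block_size": 1024 << u("<I", img, SB_OFF + 0x18),
            "blocks_count": u("<I", img, SB_OFF + 0x04),
            "first_data_block": u("<I", img, SB_OFF + 0x14),
            "blocks_per_group": u("<I", img, SB_OFF + 0x20),
            "desc_size": u("<H", img, SB_OFF + 0xFE) if is64 else 32}

def free_bits(bitmap, nbits):
    # ext4 bitmaps use little-endian bit order: bit i is byte i//8, bit i%8.
    return sum(1 for i in range(nbits) if not (bitmap[i >> 3] >> (i & 7)) & 1)

def check_group_free_counts(img):
    """Return [(group, free_per_bitmap, free_per_descriptor)] for every mismatch."""
    sb = parse_superblock(img)
    bs, bpg, ds = sb["block_size"], sb["blocks_per_group"], sb["desc_size"]
    data_blocks = sb["blocks_count"] - sb["first_data_block"]
    gdt_off = (sb["first_data_block"] + 1) * bs   # GDT is the block after the superblock
    mismatches = []
    for g in range((data_blocks + bpg - 1) // bpg):
        d = gdt_off + g * ds
        bitmap_blk, desc_free = u("<I", img, d), u("<H", img, d + 0x0C)
        if ds >= 64:   # 64bit feature: merge the *_hi halves of both fields
            bitmap_blk |= u("<I", img, d + 0x20) << 32
            desc_free |= u("<H", img, d + 0x2C) << 16
        bitmap = img[bitmap_blk * bs:(bitmap_blk + 1) * bs]
        counted = free_bits(bitmap, min(bpg, data_blocks - g * bpg))  # last group may be short
        if counted != desc_free:
            mismatches.append((g, counted, desc_free))
    return mismatches

def make_image(desc_free):
    # Constructed 1 KiB-block test image: block 1 superblock, block 2 GDT, block 3 bitmap.
    img = bytearray(4 * 1024)
    struct.pack_into("<I", img, SB_OFF + 0x04, 16)        # s_blocks_count_lo
    struct.pack_into("<I", img, SB_OFF + 0x14, 1)         # s_first_data_block
    struct.pack_into("<I", img, SB_OFF + 0x20, 8192)      # s_blocks_per_group
    struct.pack_into("<H", img, SB_OFF + 0x38, EXT4_MAGIC)
    struct.pack_into("<I", img, 2048, 3)                  # bg_block_bitmap_lo
    struct.pack_into("<H", img, 2048 + 0x0C, desc_free)   # bg_free_blocks_count_lo
    img[3 * 1024] = 0b00000111    # blocks 1-3 in use, the other 12 of 15 free
    return bytes(img)
```

Run it over a real image with check_group_free_counts(open(path, "rb").read()); a non-empty result is the same bitmap-versus-descriptor disagreement the kernel logged for groups 4, 5, 17 and the others, and is a reason to run e2fsck or refuse the mount rather than let the allocator reach the BUG().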
Comment 1 Wen Xu 2018-04-10 03:47:10 UTC
Created attachment 275265
poc.c
Comment 2 Wen Xu 2018-04-10 05:58:16 UTC
This is not reproducible on the latest ext4 development branch.
