Created attachment 275303 [details]
The (compressed) crafted image which causes crash

- Overview

Uninitialized function pointer (lookup) triggered when mounting and operating a crafted xfs image

- Reproduce

# mkdir mnt
# mount -t xfs 5.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Reason

https://elixir.bootlin.com/linux/v4.15/source/fs/namei.c#L1625

XFS does not properly initialize an image's lookup() operator.

- Crash dump

[ 62.197531] XFS (loop0): Mounting V4 Filesystem
[ 62.204072] XFS (loop0): Ending clean mount
[ 66.091635] XFS (loop0): Metadata corruption detected at xfs_attr_shortform_verify+0xb5/0xf0, inode 0x6c2 attr fork
[ 66.093297] XFS (loop0): Unmount and run xfs_repair
[ 66.094125] XFS (loop0): Metadata corruption detected at xfs_attr_shortform_verify+0xb5/0xf0, inode 0x6c2 attr fork
[ 66.095742] XFS (loop0): Unmount and run xfs_repair
[ 66.096742] XFS (loop0): Metadata corruption detected at xfs_attr_shortform_verify+0xb5/0xf0, inode 0x6c2 attr fork
[ 66.102112] XFS (loop0): Unmount and run xfs_repair
[ 66.102928] XFS (loop0): Metadata corruption detected at xfs_attr_shortform_verify+0xb5/0xf0, inode 0x6c2 attr fork
[ 66.104585] XFS (loop0): Unmount and run xfs_repair
[ 66.105399] XFS (loop0): Metadata corruption detected at xfs_attr_shortform_verify+0xb5/0xf0, inode 0x6c2 attr fork
[ 66.107035] XFS (loop0): Unmount and run xfs_repair
[ 66.107893] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 66.109121] IP: (null)
[ 66.109654] PGD 800000013938f067 P4D 800000013938f067 PUD 133bb7067 PMD 0
[ 66.110727] Oops: 0010 [#1] SMP PTI
[ 66.111289] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul 8139too qxl aesni_intel drm_kms_helper aes_x86_64 crypto_simd syscopyarea cryptd sysfillrect sysimgblt fb_sys_fops glue_helper ttm drm 8139cp mii floppy pata_acpi
[ 66.118963] CPU: 1 PID: 1362 Comm: poc Not tainted 4.16.0-rc1+ #2
[ 66.119910] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 66.121366] RIP: 0010: (null)
[ 66.121963] RSP: 0018:ffffba76c0aabca0 EFLAGS: 00010206
[ 66.122794] RAX: 0000000000000000 RBX: ffff9c473943c180 RCX: 0000000000000000
[ 66.123899] RDX: 0000000000000001 RSI: ffff9c473943c180 RDI: ffff9c4738dc44f8
[ 66.124999] RBP: ffff9c4738dc45a0 R08: 0000000000000002 R09: 0000000000000005
[ 66.126124] R10: 000000004cbf3f44 R11: 000000004cbf3f44 R12: ffff9c473943ca80
[ 66.127234] R13: 0000000000000001 R14: ffffba76c0aabde0 R15: ffff9c4738dc44f8
[ 66.128339] FS: 00007ff5c2e51700(0000) GS:ffff9c473fd00000(0000) knlGS:0000000000000000
[ 66.129601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 66.130496] CR2: 0000000000000000 CR3: 0000000138730000 CR4: 00000000000006e0
[ 66.131601] Call Trace:
[ 66.132024] ? lookup_slow+0xa9/0x170
[ 66.132618] ? walk_component+0x1c6/0x350
[ 66.133258] ? path_lookupat+0x76/0x230
[ 66.134002] ? filename_lookup+0xb8/0x1a0
[ 66.134662] ? _cond_resched+0x16/0x40
[ 66.135264] ? kmem_cache_alloc+0xd9/0x1b0
[ 66.135929] ? path_listxattr+0x41/0xa0
[ 66.136545] ? path_listxattr+0x41/0xa0
[ 66.137170] ? do_syscall_64+0x71/0x120
[ 66.137795] ? entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 66.138615] Code: Bad RIP value.
[ 66.139154] RIP: (null) RSP: ffffba76c0aabca0
[ 66.139975] CR2: 0000000000000000
[ 66.140538] ---[ end trace 8491db2208736519 ]---

- Credit

Reported by Wen Xu at SSLab, Gatech
Created attachment 275305 [details] poc.c
If you're going to be running the fuzzer script for a while, it would be super to compile your kernel w/ frame pointers so that the backtraces you provide are more useful:

CONFIG_FRAME_POINTER=y

For that matter, please include your entire kernel config, because this specific bug does not reproduce on my 4.16 kernel.

Thanks,
-Eric
Oh, really... md5sum(5.img) = f839e50539770fa2faab324fa5d34564

Let me first paste the message from the latest Ubuntu 18.04, which I also tested on and which uses 4.15.0-12-generic:

[ 1081.146990] XFS (loop0): Mounting V4 Filesystem
[ 1081.149756] XFS (loop0): Ending clean mount
[ 1087.546113] XFS (loop0): corrupt inode 1730 (bad attr fork size 0).
[ 1087.546150] 00000000d07ef4d1: 49 4e 81 a4 02 02 00 00 00 00 00 00 00 00 00 00 IN..............
[ 1087.546187] 00000000c038e632: 00 00 00 00 ff ff dd 00 00 00 00 00 00 00 00 01 ................
[ 1087.546213] 00000000600bcf94: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 03 42 1b Z..q..B.Z..q..B.
[ 1087.546239] 000000006ff0297d: 5a b2 9b 71 07 03 42 1b 00 00 00 00 00 00 00 00 Z..q..B.........
[ 1087.549984] XFS (loop0): Internal error xfs_iformat(8) at line 218 of file /build/linux-LL9XfP/linux-4.15.0/fs/xfs/libxfs/xfs_inode_fork.c. Caller xfs_iread+0x1fd/0x220 [xfs]
[ 1087.550161] CPU: 0 PID: 52410 Comm: poc Not tainted 4.15.0-12-generic #13-Ubuntu
[ 1087.550163] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 1087.550164] Call Trace:
[ 1087.551789] dump_stack+0x63/0x8b
[ 1087.551844] xfs_corruption_error+0x87/0x90 [xfs]
[ 1087.551866] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.551886] xfs_iformat_fork+0x61c/0x630 [xfs]
[ 1087.551904] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.551922] ? xfs_inode_from_disk+0x35/0x230 [xfs]
[ 1087.551940] xfs_iread+0x1fd/0x220 [xfs]
[ 1087.551963] xfs_iget+0x2b1/0x930 [xfs]
[ 1087.551981] ? xfs_da_compname+0x1f/0x30 [xfs]
[ 1087.552005] xfs_lookup+0xe1/0x120 [xfs]
[ 1087.552026] xfs_vn_lookup+0x70/0xb0 [xfs]
[ 1087.552678] path_openat+0xcab/0x16c0
[ 1087.552729] ? xfs_trans_free_items+0x87/0xb0 [xfs]
[ 1087.552734] do_filp_open+0x9b/0x110
[ 1087.552910] ? __check_object_size+0xaf/0x1b0
[ 1087.552948] ? __alloc_fd+0x46/0x170
[ 1087.552985] do_sys_open+0x1bb/0x2c0
[ 1087.552988] ? do_sys_open+0x1bb/0x2c0
[ 1087.553025] ? _cond_resched+0x19/0x40
[ 1087.553028] SyS_openat+0x14/0x20
[ 1087.553153] do_syscall_64+0x73/0x130
[ 1087.553157] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1087.553222] RIP: 0033:0x7fa7faecfc8e
[ 1087.553226] RSP: 002b:00007ffcb19b4bf0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 1087.553228] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa7faecfc8e
[ 1087.553229] RDX: 0000000000000000 RSI: 0000561f966992d0 RDI: 00000000ffffff9c
[ 1087.553230] RBP: 00007ffcb19b4dc0 R08: 0000000000000078 R09: 0000000000000000
[ 1087.553230] R10: 0000000000000000 R11: 0000000000000246 R12: 0000561f9544ed30
[ 1087.553231] R13: 00007ffcb19b4ec0 R14: 0000000000000000 R15: 0000000000000000
[ 1087.553269] XFS (loop0): Corruption detected. Unmount and run xfs_repair
[ 1087.554820] XFS (loop0): corrupt inode 1730 (bad attr fork size 0).
[ 1087.554823] 00000000d07ef4d1: 49 4e 81 a4 02 02 00 00 00 00 00 00 00 00 00 00 IN..............
[ 1087.554854] 00000000c038e632: 00 00 00 00 ff ff dd 00 00 00 00 00 00 00 00 01 ................
[ 1087.554880] 00000000600bcf94: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 03 42 1b Z..q..B.Z..q..B.
[ 1087.554907] 000000006ff0297d: 5a b2 9b 71 07 03 42 1b 00 00 00 00 00 00 00 00 Z..q..B.........
[ 1087.554990] XFS (loop0): Internal error xfs_iformat(8) at line 218 of file /build/linux-LL9XfP/linux-4.15.0/fs/xfs/libxfs/xfs_inode_fork.c. Caller xfs_iread+0x1fd/0x220 [xfs]
[ 1087.555038] CPU: 0 PID: 52410 Comm: poc Not tainted 4.15.0-12-generic #13-Ubuntu
[ 1087.555103] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 1087.555105] Call Trace:
[ 1087.555110] dump_stack+0x63/0x8b
[ 1087.555136] xfs_corruption_error+0x87/0x90 [xfs]
[ 1087.555156] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.555176] xfs_iformat_fork+0x61c/0x630 [xfs]
[ 1087.555194] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.555212] ? xfs_inode_from_disk+0x35/0x230 [xfs]
[ 1087.555230] xfs_iread+0x1fd/0x220 [xfs]
[ 1087.555253] xfs_iget+0x2b1/0x930 [xfs]
[ 1087.555271] ? xfs_da_compname+0x1f/0x30 [xfs]
[ 1087.555295] xfs_lookup+0xe1/0x120 [xfs]
[ 1087.555316] xfs_vn_lookup+0x70/0xb0 [xfs]
[ 1087.555318] path_openat+0xcab/0x16c0
[ 1087.555320] do_filp_open+0x9b/0x110
[ 1087.555322] ? __check_object_size+0xaf/0x1b0
[ 1087.555324] ? __alloc_fd+0x46/0x170
[ 1087.555326] do_sys_open+0x1bb/0x2c0
[ 1087.555328] ? do_sys_open+0x1bb/0x2c0
[ 1087.555330] ? _cond_resched+0x19/0x40
[ 1087.555332] SyS_openat+0x14/0x20
[ 1087.555334] do_syscall_64+0x73/0x130
[ 1087.555336] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1087.555338] RIP: 0033:0x7fa7faecfc8e
[ 1087.555339] RSP: 002b:00007ffcb19b4bf0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 1087.555341] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa7faecfc8e
[ 1087.555341] RDX: 0000000000000202 RSI: 0000561f966992d0 RDI: 00000000ffffff9c
[ 1087.555342] RBP: 00007ffcb19b4dc0 R08: 0000000000000078 R09: 0000000000000000
[ 1087.555343] R10: 0000000000000000 R11: 0000000000000246 R12: 0000561f9544ed30
[ 1087.555344] R13: 00007ffcb19b4ec0 R14: 0000000000000000 R15: 0000000000000000
[ 1087.555346] XFS (loop0): Corruption detected. Unmount and run xfs_repair
[ 1087.557979] XFS (loop0): corrupt inode 1730 (bad attr fork size 0).
[ 1087.557981] 00000000d07ef4d1: 49 4e 81 a4 02 02 00 00 00 00 00 00 00 00 00 00 IN..............
[ 1087.558008] 00000000c038e632: 00 00 00 00 ff ff dd 00 00 00 00 00 00 00 00 01 ................
[ 1087.558031] 00000000600bcf94: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 03 42 1b Z..q..B.Z..q..B.
[ 1087.558054] 000000006ff0297d: 5a b2 9b 71 07 03 42 1b 00 00 00 00 00 00 00 00 Z..q..B.........
[ 1087.558113] XFS (loop0): Internal error xfs_iformat(8) at line 218 of file /build/linux-LL9XfP/linux-4.15.0/fs/xfs/libxfs/xfs_inode_fork.c. Caller xfs_iread+0x1fd/0x220 [xfs]
[ 1087.558190] CPU: 0 PID: 52410 Comm: poc Not tainted 4.15.0-12-generic #13-Ubuntu
[ 1087.558191] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 1087.558191] Call Trace:
[ 1087.558195] dump_stack+0x63/0x8b
[ 1087.558229] xfs_corruption_error+0x87/0x90 [xfs]
[ 1087.558247] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.558263] xfs_iformat_fork+0x61c/0x630 [xfs]
[ 1087.558277] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.558291] ? xfs_inode_from_disk+0x35/0x230 [xfs]
[ 1087.558304] xfs_iread+0x1fd/0x220 [xfs]
[ 1087.558323] xfs_iget+0x2b1/0x930 [xfs]
[ 1087.558338] ? xfs_da_compname+0x1f/0x30 [xfs]
[ 1087.558357] xfs_lookup+0xe1/0x120 [xfs]
[ 1087.558375] xfs_vn_lookup+0x70/0xb0 [xfs]
[ 1087.558377] path_openat+0xcab/0x16c0
[ 1087.558379] do_filp_open+0x9b/0x110
[ 1087.558381] ? __check_object_size+0xaf/0x1b0
[ 1087.558383] ? __alloc_fd+0x46/0x170
[ 1087.558385] do_sys_open+0x1bb/0x2c0
[ 1087.558386] ? do_sys_open+0x1bb/0x2c0
[ 1087.558388] ? _cond_resched+0x19/0x40
[ 1087.558389] SyS_openat+0x14/0x20
[ 1087.558391] do_syscall_64+0x73/0x130
[ 1087.558393] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1087.558394] RIP: 0033:0x7fa7faecfc8e
[ 1087.558395] RSP: 002b:00007ffcb19b4bf0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 1087.558397] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa7faecfc8e
[ 1087.558398] RDX: 0000000000000202 RSI: 0000561f966992d0 RDI: 00000000ffffff9c
[ 1087.558398] RBP: 00007ffcb19b4dc0 R08: 0000000000000078 R09: 0000000000000000
[ 1087.558399] R10: 0000000000000000 R11: 0000000000000246 R12: 0000561f9544ed30
[ 1087.558452] R13: 00007ffcb19b4ec0 R14: 0000000000000000 R15: 0000000000000000
[ 1087.558476] XFS (loop0): Corruption detected. Unmount and run xfs_repair
[ 1087.558851] XFS (loop0): corrupt inode 1730 (bad attr fork size 0).
[ 1087.558853] 00000000d07ef4d1: 49 4e 81 a4 02 02 00 00 00 00 00 00 00 00 00 00 IN..............
[ 1087.558876] 00000000c038e632: 00 00 00 00 ff ff dd 00 00 00 00 00 00 00 00 01 ................
[ 1087.558897] 00000000600bcf94: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 03 42 1b Z..q..B.Z..q..B.
[ 1087.558918] 000000006ff0297d: 5a b2 9b 71 07 03 42 1b 00 00 00 00 00 00 00 00 Z..q..B.........
[ 1087.558956] XFS (loop0): Internal error xfs_iformat(8) at line 218 of file /build/linux-LL9XfP/linux-4.15.0/fs/xfs/libxfs/xfs_inode_fork.c. Caller xfs_iread+0x1fd/0x220 [xfs]
[ 1087.558994] CPU: 0 PID: 52410 Comm: poc Not tainted 4.15.0-12-generic #13-Ubuntu
[ 1087.558994] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 1087.558995] Call Trace:
[ 1087.559008] dump_stack+0x63/0x8b
[ 1087.559026] xfs_corruption_error+0x87/0x90 [xfs]
[ 1087.559040] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.559054] xfs_iformat_fork+0x61c/0x630 [xfs]
[ 1087.559067] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.559090] ? xfs_inode_from_disk+0x35/0x230 [xfs]
[ 1087.559105] xfs_iread+0x1fd/0x220 [xfs]
[ 1087.559122] xfs_iget+0x2b1/0x930 [xfs]
[ 1087.559136] ? xfs_da_compname+0x1f/0x30 [xfs]
[ 1087.559153] xfs_lookup+0xe1/0x120 [xfs]
[ 1087.559169] xfs_vn_lookup+0x70/0xb0 [xfs]
[ 1087.559171] __lookup_hash+0x6a/0xa0
[ 1087.559173] SyS_rename+0x1fb/0x3c0
[ 1087.559175] do_syscall_64+0x73/0x130
[ 1087.559177] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1087.559178] RIP: 0033:0x7fa7fae3bd37
[ 1087.559178] RSP: 002b:00007ffcb19b4c58 EFLAGS: 00000286 ORIG_RAX: 0000000000000052
[ 1087.559180] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa7fae3bd37
[ 1087.559180] RDX: 0000561f966992f0 RSI: 0000561f966992f0 RDI: 0000561f966992d0
[ 1087.559181] RBP: 00007ffcb19b4dc0 R08: 0000000000000078 R09: 0000000000000000
[ 1087.559181] R10: 0000000000000000 R11: 0000000000000286 R12: 0000561f9544ed30
[ 1087.559182] R13: 00007ffcb19b4ec0 R14: 0000000000000000 R15: 0000000000000000
[ 1087.559205] XFS (loop0): Corruption detected. Unmount and run xfs_repair
[ 1087.561587] XFS (loop0): corrupt inode 1730 (bad attr fork size 0).
[ 1087.561591] 00000000d07ef4d1: 49 4e 81 a4 02 02 00 00 00 00 00 00 00 00 00 00 IN..............
[ 1087.562100] 00000000c038e632: 00 00 00 00 ff ff dd 00 00 00 00 00 00 00 00 01 ................
[ 1087.562547] 00000000600bcf94: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 03 42 1b Z..q..B.Z..q..B.
[ 1087.563000] 000000006ff0297d: 5a b2 9b 71 07 03 42 1b 00 00 00 00 00 00 00 00 Z..q..B.........
[ 1087.563506] XFS (loop0): Internal error xfs_iformat(8) at line 218 of file /build/linux-LL9XfP/linux-4.15.0/fs/xfs/libxfs/xfs_inode_fork.c. Caller xfs_iread+0x1fd/0x220 [xfs]
[ 1087.564471] CPU: 0 PID: 52410 Comm: poc Not tainted 4.15.0-12-generic #13-Ubuntu
[ 1087.564471] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 1087.564472] Call Trace:
[ 1087.564478] dump_stack+0x63/0x8b
[ 1087.564504] xfs_corruption_error+0x87/0x90 [xfs]
[ 1087.564517] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.564529] xfs_iformat_fork+0x61c/0x630 [xfs]
[ 1087.564541] ? xfs_iread+0x1fd/0x220 [xfs]
[ 1087.564552] ? xfs_inode_from_disk+0x35/0x230 [xfs]
[ 1087.564567] xfs_iread+0x1fd/0x220 [xfs]
[ 1087.564581] xfs_iget+0x2b1/0x930 [xfs]
[ 1087.564593] ? xfs_da_compname+0x1f/0x30 [xfs]
[ 1087.564608] xfs_lookup+0xe1/0x120 [xfs]
[ 1087.564622] xfs_vn_lookup+0x70/0xb0 [xfs]
[ 1087.564625] __lookup_hash+0x6a/0xa0
[ 1087.564626] do_unlinkat+0x137/0x320
[ 1087.564627] SyS_unlink+0x1f/0x30
[ 1087.564630] do_syscall_64+0x73/0x130
[ 1087.564632] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1087.564634] RIP: 0033:0x7fa7faed1d47
[ 1087.564634] RSP: 002b:00007ffcb19b4c58 EFLAGS: 00000286 ORIG_RAX: 0000000000000057
[ 1087.564698] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa7faed1d47
[ 1087.564698] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000561f966992d0
[ 1087.564699] RBP: 00007ffcb19b4dc0 R08: 0000000000000078 R09: 0000000000000000
[ 1087.564699] R10: 0000000000000000 R11: 0000000000000286 R12: 0000561f9544ed30
[ 1087.564700] R13: 00007ffcb19b4ec0 R14: 0000000000000000 R15: 0000000000000000
[ 1087.564737] XFS (loop0): Corruption detected. Unmount and run xfs_repair
[ 1087.568680] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1087.569170] IP: (null)
[ 1087.569639] PGD 0 P4D 0
[ 1087.570095] Oops: 0010 [#1] SMP PTI
[ 1087.570624] Modules linked in: ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs vmw_balloon coretemp intel_rapl_perf input_leds joydev serio_raw snd_ens1371 btusb snd_ac97_codec uvcvideo btrtl videobuf2_vmalloc btbcm btintel gameport snd_rawmidi videobuf2_memops bluetooth videobuf2_v4l2 videobuf2_core snd_seq_device ac97_bus snd_pcm videodev media ecdh_generic snd_timer snd soundcore shpchp mac_hid vmw_vsock_vmci_transport vsock vmw_vmci sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64
[ 1087.577770] crypto_simd glue_helper cryptd vmwgfx psmouse ttm drm_kms_helper mptspi mptscsih ahci libahci e1000 mptbase scsi_transport_spi syscopyarea sysfillrect sysimgblt fb_sys_fops drm i2c_piix4 pata_acpi
[ 1087.579878] CPU: 0 PID: 52410 Comm: poc Not tainted 4.15.0-12-generic #13-Ubuntu
[ 1087.580479] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 1087.581694] RIP: 0010: (null)
[ 1087.582306] RSP: 0018:ffffb9074151fc40 EFLAGS: 00010206
[ 1087.582898] RAX: 0000000000000000 RBX: ffff8b4b8e9001e0 RCX: 0000000000000000
[ 1087.583500] RDX: 0000000000000001 RSI: ffff8b4bb8d3dec0 RDI: ffff8b4b8e900138
[ 1087.584059] RBP: ffffb9074151fca0 R08: 0000000000000000 R09: ffff8b4bb8d3dec0
[ 1087.584511] R10: ffff8b4bb5ac702a R11: 14077336e65e3568 R12: ffff8b4bb8d3d440
[ 1087.584961] R13: 0000000000000001 R14: ffff8b4b8e900138 R15: ffff8b4bb8d3dec0
[ 1087.585414] FS: 00007fa7fb3ce540(0000) GS:ffff8b4bbc600000(0000) knlGS:0000000000000000
[ 1087.585862] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1087.586301] CR2: 0000000000000000 CR3: 000000003a242006 CR4: 00000000001606f0
[ 1087.586774] Call Trace:
[ 1087.587211] ? lookup_slow+0xab/0x170
[ 1087.587650] walk_component+0x1c3/0x350
[ 1087.588184] ? __xfs_trans_commit+0xa0/0x260 [xfs]
[ 1087.588676] path_lookupat+0x84/0x1f0
[ 1087.589731] ? __cgroup_account_cputime+0x28/0x30
[ 1087.590341] filename_lookup+0xb6/0x190
[ 1087.590995] ? __check_object_size+0xaf/0x1b0
[ 1087.591921] ? strncpy_from_user+0x4d/0x170
[ 1087.592413] user_path_at_empty+0x36/0x40
[ 1087.592897] ? user_path_at_empty+0x36/0x40
[ 1087.593384] path_listxattr+0x4b/0xb0
[ 1087.593807] SyS_listxattr+0x13/0x20
[ 1087.594246] do_syscall_64+0x73/0x130
[ 1087.594916] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1087.595314] RIP: 0033:0x7fa7faedf907
[ 1087.595675] RSP: 002b:00007ffcb19b4c58 EFLAGS: 00000283 ORIG_RAX: 00000000000000c2
[ 1087.596038] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa7faedf907
[ 1087.596394] RDX: 0000000000000071 RSI: 00007ffcb19b4d40 RDI: 0000561f96699310
[ 1087.596740] RBP: 00007ffcb19b4dc0 R08: 0000561f966992f0 R09: 0000000000000000
[ 1087.597152] R10: 0000000000000000 R11: 0000000000000283 R12: 0000561f9544ed30
[ 1087.597483] R13: 00007ffcb19b4ec0 R14: 0000000000000000 R15: 0000000000000000
[ 1087.597804] Code: Bad RIP value.
[ 1087.598119] RIP: (null) RSP: ffffb9074151fc40
[ 1087.598477] CR2: 0000000000000000
[ 1087.598813] ---[ end trace 1ecf08f3cdf242f0 ]---
For 4.16, I use this commit:

commit 7928b2cbe55b2a410a0f5c1f154610059c57b1b2
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sun Feb 11 15:04:29 2018 -0800

    Linux 4.16-rc1

Here is the config:

test@ubuntu:~/ext4$ cat /boot/config-4.16.0-rc1+ | grep XFS
CONFIG_XFS_FS=y
CONFIG_XFS_QUOTA=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_XFS_RT=y
CONFIG_XFS_ONLINE_SCRUB=y
# CONFIG_XFS_WARN is not set
# CONFIG_XFS_DEBUG is not set
# CONFIG_VXFS_FS is not set

If you want to check others, I will dump them for you!
Sorry! The md5sum of the image is c467a649a12c5ea5d5e93c487a71131e.
That's not your kernel config; that is only a tiny portion of your config. Attaching your actual, full config to these bugs may be helpful, so that the problems you encounter can be reliably reproduced. Based on what I see, it looks like your test kernel may not have list debugging enabled. Please attach your full kernel config for reference.
Created attachment 275331 [details]
config-4.16.0-rc1+

I see, here it is.
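The config questions in the comments above (frame pointers for usable backtraces, "list debugging", and the XFS debug options visible in the grep output) boil down to reading a kernel .config and checking a handful of symbols. The following is an added example, not part of this report: it parses the .config format, including the `# CONFIG_X is not set` comment form, and reports the state of the options a fuzzing kernel should carry. CONFIG_FRAME_POINTER and the CONFIG_XFS_* options come from the thread; mapping "list debugging" to CONFIG_DEBUG_LIST is my reading, and the sample config is constructed (the XFS lines mirror the grep output above, the rest is made up).

```python
"""Check a kernel .config for the debugging options a filesystem-fuzzing
kernel should have. Added example for this thread, not part of it.
CONFIG_FRAME_POINTER and the CONFIG_XFS_* options come from the comments
above; CONFIG_DEBUG_LIST is my reading of "list debugging"."""
import re
import sys

# Options worth having on a fuzzing kernel: usable backtraces, list
# corruption detection, and XFS's own ASSERT/warning machinery.
FUZZ_OPTIONS = ("CONFIG_FRAME_POINTER", "CONFIG_DEBUG_LIST",
                "CONFIG_XFS_WARN", "CONFIG_XFS_DEBUG")

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_NOT_SET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Map option -> 'y', 'm', 'n' (explicit 'is not set') or a literal value.

    Options that never appear are left out on purpose: the symbol was not
    visible for this arch/tree, which is different from being unset."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            val = m.group(2)
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]                  # CONFIG_FOO="bar" -> bar
            cfg[m.group(1)] = val
            continue
        m = _NOT_SET.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def fuzz_readiness(cfg, wanted=FUZZ_OPTIONS):
    """State of each wanted option: 'y', 'm', 'n' or 'absent'."""
    return {opt: cfg.get(opt, "absent") for opt in wanted}


def missing_fuzz_options(cfg, wanted=FUZZ_OPTIONS):
    """The wanted options that are not built in (=y), in FUZZ_OPTIONS order."""
    return [opt for opt, state in fuzz_readiness(cfg, wanted).items()
            if state != "y"]


# Constructed sample: the XFS lines mirror the grep output in this thread,
# the other lines are made up for the example.
SAMPLE_CONFIG = """\
CONFIG_LOCALVERSION="-fuzz"
CONFIG_XFS_FS=y
CONFIG_XFS_QUOTA=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_XFS_RT=y
CONFIG_XFS_ONLINE_SCRUB=y
# CONFIG_XFS_WARN is not set
# CONFIG_XFS_DEBUG is not set
# CONFIG_VXFS_FS is not set
CONFIG_FRAME_POINTER=y
# CONFIG_DEBUG_LIST is not set
"""

if __name__ == "__main__":
    # Usage: python3 this.py /boot/config-$(uname -r); no argument uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for opt, state in fuzz_readiness(parse_kconfig(text)).items():
        print("%-24s %s" % (opt, state))
```

Run against the sample, it reports CONFIG_FRAME_POINTER as built in and the other three as `n`; the distinction between `n` and `absent` matters when comparing configs from different trees, because a symbol that does not exist in the tree never shows up as "is not set".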
This doesn't reproduce on a TOT kernel because it detects other corruptions in the inode buffer and so prevents the code from exercising whatever is being tripped over here.

Can you please reproduce this on a TOT kernel and attach new images and POC code. The corruption verifiers and hardening code are a quickly moving target in XFS at the moment, so you really need to be fuzzing the bleeding edge dev kernels to catch stuff before other XFS developers do....

-Dave.
Created attachment 275345 [details]
The (compressed) crafted image which causes crash

Hi Dave, could you please try this image?

# mkdir mnt
# mount -t xfs 53.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

I use this version to reproduce:

commit 16e205cf42da1f497b10a4a24f563e6c0d574eec
Merge: affb028 a10beab
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Apr 12 20:56:10 2018 -0700

    Merge tag 'drm-fixes-for-v4.17-rc1' of git://people.freedesktop.org/~airlied/linux

Kernel message:

[ 154.995063] XFS (loop0): Mounting V4 Filesystem
[ 154.997133] XFS (loop0): Ending clean mount
[ 160.384068] XFS (loop0): Metadata corruption detected at xfs_buf_ioend+0x56/0x1d0, xfs_inode block 0x1b00 xfs_inode_buf_verify
[ 160.385875] XFS (loop0): Unmount and run xfs_repair
[ 160.386641] XFS (loop0): First 128 bytes of corrupted metadata buffer:
[ 160.387687] 000000006691f35a: 49 4e 41 ed 02 01 00 00 00 00 00 00 00 00 00 00 INA.............
[ 160.389072] 000000006bd52143: 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 01 ................
[ 160.391452] 000000000a915b74: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 7d 54 6d Z..q..B.Z..q.}Tm
[ 160.392850] 00000000ca4be198: 5a b2 9b 71 07 7d 54 6d 00 00 00 00 00 00 00 59 Z..q.}Tm.......Y
[ 160.394216] 000000009412a18a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.395587] 00000000fcedee95: 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.396982] 0000000006278573: ff 00 ff ff 07 00 00 00 06 bf 03 00 30 62 61 7a ............0baz
[ 160.398345] 000000003e07be63: 01 00 00 06 c1 05 00 40 78 61 74 74 72 01 00 00 .......@xattr...
[ 160.399727] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x1b00 len 16 error 117
[ 160.401958] XFS (loop0): xfs_imap_to_bp: xfs_trans_read_buf() returned error -117.
[ 160.402491] XFS (loop0): Metadata corruption detected at xfs_buf_ioend+0x56/0x1d0, xfs_inode block 0x1b00 xfs_inode_buf_verify
[ 160.404367] XFS (loop0): Unmount and run xfs_repair
[ 160.405797] XFS (loop0): First 128 bytes of corrupted metadata buffer:
[ 160.407188] 00000000da1e6dc6: 49 4e 41 ed 02 01 00 00 00 00 00 00 00 00 00 00 INA.............
[ 160.408601] 000000008e853d8c: 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 01 ................
[ 160.409969] 00000000ae81435b: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 7d 54 6d Z..q..B.Z..q.}Tm
[ 160.412162] 000000001b28b3ab: 5a b2 9b 71 07 7d 54 6d 00 00 00 00 00 00 00 59 Z..q.}Tm.......Y
[ 160.413641] 000000007f4a8866: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.415060] 00000000dc7dadb8: 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.416895] 0000000020e200d7: ff 00 ff ff 07 00 00 00 06 bf 03 00 30 62 61 7a ............0baz
[ 160.418310] 000000009fa38e58: 01 00 00 06 c1 05 00 40 78 61 74 74 72 01 00 00 .......@xattr...
[ 160.419916] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x1b00 len 16 error 117
[ 160.421579] XFS (loop0): xfs_imap_to_bp: xfs_trans_read_buf() returned error -117.
[ 160.423367] XFS (loop0): Metadata corruption detected at xfs_buf_ioend+0x56/0x1d0, xfs_inode block 0x1b00 xfs_inode_buf_verify
[ 160.425311] XFS (loop0): Unmount and run xfs_repair
[ 160.426075] XFS (loop0): First 128 bytes of corrupted metadata buffer:
[ 160.427056] 000000006691f35a: 49 4e 41 ed 02 01 00 00 00 00 00 00 00 00 00 00 INA.............
[ 160.428573] 000000006bd52143: 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 01 ................
[ 160.430032] 000000000a915b74: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 7d 54 6d Z..q..B.Z..q.}Tm
[ 160.440711] 00000000ca4be198: 5a b2 9b 71 07 7d 54 6d 00 00 00 00 00 00 00 59 Z..q.}Tm.......Y
[ 160.442076] 000000009412a18a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.443457] 00000000fcedee95: 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.444829] 0000000006278573: ff 00 ff ff 07 00 00 00 06 bf 03 00 30 62 61 7a ............0baz
[ 160.446188] 000000003e07be63: 01 00 00 06 c1 05 00 40 78 61 74 74 72 01 00 00 .......@xattr...
[ 160.447609] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x1b00 len 16 error 117
[ 160.449167] XFS (loop0): xfs_imap_to_bp: xfs_trans_read_buf() returned error -117.
[ 160.450058] XFS (loop0): Metadata corruption detected at xfs_buf_ioend+0x56/0x1d0, xfs_inode block 0x1b00 xfs_inode_buf_verify
[ 160.451907] XFS (loop0): Unmount and run xfs_repair
[ 160.452717] XFS (loop0): First 128 bytes of corrupted metadata buffer:
[ 160.453739] 00000000da1e6dc6: 49 4e 41 ed 02 01 00 00 00 00 00 00 00 00 00 00 INA.............
[ 160.455078] 000000008e853d8c: 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 01 ................
[ 160.456465] 00000000ae81435b: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 7d 54 6d Z..q..B.Z..q.}Tm
[ 160.457822] 000000001b28b3ab: 5a b2 9b 71 07 7d 54 6d 00 00 00 00 00 00 00 59 Z..q.}Tm.......Y
[ 160.459182] 000000007f4a8866: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.460572] 00000000dc7dadb8: 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.461938] 0000000020e200d7: ff 00 ff ff 07 00 00 00 06 bf 03 00 30 62 61 7a ............0baz
[ 160.463299] 000000009fa38e58: 01 00 00 06 c1 05 00 40 78 61 74 74 72 01 00 00 .......@xattr...
[ 160.464698] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x1b00 len 16 error 117
[ 160.466180] XFS (loop0): xfs_imap_to_bp: xfs_trans_read_buf() returned error -117.
[ 160.466478] XFS (loop0): Metadata corruption detected at xfs_buf_ioend+0x56/0x1d0, xfs_inode block 0x1b00 xfs_inode_buf_verify
[ 160.468310] XFS (loop0): Unmount and run xfs_repair
[ 160.469091] XFS (loop0): First 128 bytes of corrupted metadata buffer:
[ 160.470126] 000000006691f35a: 49 4e 41 ed 02 01 00 00 00 00 00 00 00 00 00 00 INA.............
[ 160.471500] 000000006bd52143: 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 01 ................
[ 160.472891] 000000000a915b74: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 7d 54 6d Z..q..B.Z..q.}Tm
[ 160.474255] 00000000ca4be198: 5a b2 9b 71 07 7d 54 6d 00 00 00 00 00 00 00 59 Z..q.}Tm.......Y
[ 160.475623] 000000009412a18a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.477010] 00000000fcedee95: 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.478366] 0000000006278573: ff 00 ff ff 07 00 00 00 06 bf 03 00 30 62 61 7a ............0baz
[ 160.479728] 000000003e07be63: 01 00 00 06 c1 05 00 40 78 61 74 74 72 01 00 00 .......@xattr...
[ 160.481123] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x1b00 len 16 error 117
[ 160.482628] XFS (loop0): xfs_imap_to_bp: xfs_trans_read_buf() returned error -117.
[ 160.482809] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 160.484073] PGD 80000002330a2067 P4D 80000002330a2067 PUD 233853067 PMD 0
[ 160.485148] Oops: 0010 [#1] SMP PTI
[ 160.485717] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crct10dif_pclmul crc32_pclmul 8139too aesni_intel aes_x86_64 crypto_simd cryptd glue_helper floppy 8139cp mii pata_acpi
[ 160.493367] CPU: 1 PID: 1482 Comm: poc Not tainted 4.16.0+ #1
[ 160.494269] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 160.495757] RIP: 0010: (null)
[ 160.496352] RSP: 0018:ffffa0f901663c10 EFLAGS: 00010206
[ 160.497173] RAX: 0000000000000000 RBX: ffff8bd2b36ff540 RCX: 0000000000000000
[ 160.498285] RDX: 0000000000000011 RSI: ffff8bd2b36ff540 RDI: ffff8bd2b36684f8
[ 160.499414] RBP: ffff8bd2b36684f8 R08: ffffc0f8ffc69f80 R09: 0000000000000000
[ 160.500528] R10: 61c8864680b583eb R11: 00000000e34ee8a9 R12: ffff8bd2b3fefd80
[ 160.501644] R13: ffffa0f901663de0 R14: 0000000000000011 R15: 0000000000000000
[ 160.502756] FS: 00007f486d655700(0000) GS:ffff8bd2bfc40000(0000) knlGS:0000000000000000
[ 160.504029] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 160.504951] CR2: 0000000000000000 CR3: 0000000233a22000 CR4: 00000000000006e0
[ 160.506101] Call Trace:
[ 160.506542] ? __lookup_slow+0x97/0x150
[ 160.507177] ? lookup_slow+0x35/0x50
[ 160.507750] ? walk_component+0x1c6/0x350
[ 160.508389] ? link_path_walk+0x184/0x510
[ 160.509038] ? __xfs_trans_commit+0x9a/0x250
[ 160.509718] ? path_lookupat+0x9c/0x230
[ 160.510331] ? filename_lookup+0xb8/0x1a0
[ 160.510971] ? iput+0x6f/0x1f0
[ 160.511497] ? _cond_resched+0x16/0x40
[ 160.512111] ? kmem_cache_alloc+0x160/0x1d0
[ 160.512791] ? path_listxattr+0x41/0xa0
[ 160.513404] ? path_listxattr+0x41/0xa0
[ 160.514035] ? do_syscall_64+0x6e/0x120
[ 160.514659] ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 160.515493] Code: Bad RIP value.
[ 160.516041] RIP: (null) RSP: ffffa0f901663c10
[ 160.516856] CR2: 0000000000000000
[ 160.517422] ---[ end trace 990c8b847d277377 ]---
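The "First 128 bytes of corrupted metadata buffer" dumps above can be decoded by hand, and doing so shows what a reader of this thread has to take on faith from the verifier messages. The following is an added example, not kernel code and not the reporter's poc: it parses hexdump lines in the format the kernel prints into the v2 xfs_dinode core, then applies a small hand-picked subset of the sanity checks the messages in this thread refer to, namely the di_next_unlinked value (0xff00ffff in the dump, where NULLAGINO or an in-AG inode number is expected) and the attr shortform header size behind the 4.15 kernel's "bad attr fork size 0". Field offsets and constants follow the XFS on-disk format; the 256-byte inode size is an assumption (the V4 mkfs default). The hexdump lines embedded in the block are copied from the log above; the second inode it checks is constructed to show the zero-size attr fork case.

```python
"""Decode an XFS v2 on-disk inode core (struct xfs_dinode) from the hexdump
lines a kernel log prints when it rejects an inode buffer, then run a few
sanity checks. Added example for this bug report: not kernel code and not
the reporter's poc. Offsets follow the xfs_dinode layout; the checks are a
small hand-picked subset of fs/xfs/libxfs/xfs_inode_buf.c, not xfs_repair."""
import re
import stat
import struct

XFS_DINODE_MAGIC = b"IN"
NULLAGINO = 0xFFFFFFFF            # di_next_unlinked: not on any unlinked list
FMT_DEV, FMT_LOCAL, FMT_EXTENTS, FMT_BTREE = 0, 1, 2, 3
ATTR_SF_HDR_LEN = 4               # xfs_attr_sf_hdr: totsize(2) count(1) pad(1)

# Big-endian v2 core: 100 bytes; the forks start at 100 (176 for v3 inodes).
_CORE = struct.Struct(">2sHBBHIII" "HH6sH" "IIIIII" "QQIIHBBIHHII")
_FIELDS = ("magic", "mode", "version", "format", "onlink", "uid", "gid", "nlink",
           "projid_lo", "projid_hi", "pad", "flushiter",
           "atime", "atime_ns", "mtime", "mtime_ns", "ctime", "ctime_ns",
           "size", "nblocks", "extsize", "nextents", "anextents", "forkoff",
           "aformat", "dmevmask", "dmstate", "flags", "gen", "next_unlinked")
assert _CORE.size == 100 and len(_FIELDS) == 30

# "[ 160.387687] 000000006691f35a: 49 4e 41 ed ... 00 INA............."
_DUMP_LINE = re.compile(
    r"^\s*(?:\[\s*[\d.]+\]\s*)?[0-9a-f]{8,16}:\s*"
    r"((?:[0-9a-f]{2}\s+){1,15}[0-9a-f]{2})\b")


def parse_hexdump(log_text):
    """Concatenate the byte columns of every hexdump line in a log excerpt."""
    out = bytearray()
    for line in log_text.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def decode_dinode(buf):
    if len(buf) < _CORE.size:
        raise ValueError("need %d bytes of inode core, got %d" % (_CORE.size, len(buf)))
    return dict(zip(_FIELDS, _CORE.unpack_from(buf, 0)))


def check_dinode(buf, inode_size=256):
    """Return human-readable findings; an empty list means nothing was caught."""
    d = decode_dinode(buf)
    out = []
    if d["magic"] != XFS_DINODE_MAGIC:
        out.append("bad magic %r" % d["magic"])
    if d["version"] not in (1, 2, 3):
        out.append("bad version %d" % d["version"])
    fork_base = 176 if d["version"] == 3 else 100
    ftype = stat.S_IFMT(d["mode"])
    if ftype == stat.S_IFREG and d["format"] not in (FMT_EXTENTS, FMT_BTREE):
        out.append("regular file with data fork format %d" % d["format"])
    elif ftype in (stat.S_IFDIR, stat.S_IFLNK) and \
            d["format"] not in (FMT_LOCAL, FMT_EXTENTS, FMT_BTREE):
        out.append("dir/symlink with data fork format %d" % d["format"])
    if d["next_unlinked"] != NULLAGINO:
        out.append("di_next_unlinked 0x%08x is not NULLAGINO; it must be NULLAGINO "
                   "or an inode number inside this AG" % d["next_unlinked"])
    if d["forkoff"] == 0:
        # forkoff 0 means there is no attr fork, so nothing may claim one.
        if d["anextents"] or d["aformat"] in (FMT_LOCAL, FMT_BTREE):
            out.append("no attr fork (forkoff 0) but aformat %d / anextents %d"
                       % (d["aformat"], d["anextents"]))
    else:
        attr_off = fork_base + d["forkoff"] * 8      # forkoff is in 8-byte units
        if attr_off >= inode_size:
            out.append("attr fork at %d is beyond inode size %d" % (attr_off, inode_size))
        elif d["aformat"] == FMT_LOCAL:
            if len(buf) < attr_off + ATTR_SF_HDR_LEN:
                out.append("dump too short to read the attr shortform header")
            else:
                totsize = struct.unpack_from(">H", buf, attr_off)[0]
                if not ATTR_SF_HDR_LEN <= totsize <= inode_size - attr_off:
                    out.append("bad attr fork size %d" % totsize)
    return out


# Hexdump lines copied from the 4.16 kernel log in this report (block 0x1b00).
REPORT_DUMP = """\
[ 160.387687] 000000006691f35a: 49 4e 41 ed 02 01 00 00 00 00 00 00 00 00 00 00 INA.............
[ 160.389072] 000000006bd52143: 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 01 ................
[ 160.391452] 000000000a915b74: 5a b2 9b 71 07 03 42 1b 5a b2 9b 71 07 7d 54 6d Z..q..B.Z..q.}Tm
[ 160.392850] 00000000ca4be198: 5a b2 9b 71 07 7d 54 6d 00 00 00 00 00 00 00 59 Z..q.}Tm.......Y
[ 160.394216] 000000009412a18a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.395587] 00000000fcedee95: 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 160.396982] 0000000006278573: ff 00 ff ff 07 00 00 00 06 bf 03 00 30 62 61 7a ............0baz
[ 160.398345] 000000003e07be63: 01 00 00 06 c1 05 00 40 78 61 74 74 72 01 00 00 .......@xattr...
"""


def build_inode(forkoff=0, aformat=FMT_EXTENTS, attr_totsize=None, inode_size=256):
    """Constructed v2 regular-file inode for experiments (not from any image)."""
    buf = bytearray(inode_size)
    _CORE.pack_into(buf, 0, XFS_DINODE_MAGIC, 0o100644, 2, FMT_EXTENTS, 0, 0, 0, 1,
                    0, 0, b"\0" * 6, 1,
                    0, 0, 0, 0, 0, 0,
                    0, 0, 0, 0, 0, forkoff, aformat, 0, 0, 0, 0, NULLAGINO)
    if attr_totsize is not None:                      # write an xfs_attr_sf_hdr
        struct.pack_into(">HBB", buf, 100 + forkoff * 8, attr_totsize, 0, 0)
    return bytes(buf)


if __name__ == "__main__":
    for name, buf in (("report inode", parse_hexdump(REPORT_DUMP)),
                      ("zero-size attr sf", build_inode(8, FMT_LOCAL, 0))):
        print(name, check_dinode(buf) or "ok")
```

On the dump from the log the decoder yields a directory (mode 0x41ed) with a local-format data fork, size 0x59, no attr fork (forkoff 0, aformat extents), and di_next_unlinked 0xff00ffff, which is the one field this subset of checks flags. The 4.15 dumps earlier in the thread show only 64 bytes, so `decode_dinode` raises ValueError on them: they stop before forkoff and aformat, which is why the attr fork complaint in that log cannot be reconstructed from the dump alone.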
Created attachment 275379 [details]
Simplified poc for 53.img to trigger the bug

Here is a simplified poc to reproduce the bug with 53.img mounted.
Does this still reproduce in for-next? I think Dave's series to inspect newly allocated inode records for signs that the inode isn't really free fixes this. https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=afca6c5b2595fc44383919fba740c194b0b76aff
(In reply to Darrick J. Wong from comment #11)
> Does this still reproduce in for-next? I think Dave's series to inspect
> newly allocated inode records for signs that the inode isn't really free
> fixes this.
>
> https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-
> next&id=afca6c5b2595fc44383919fba740c194b0b76aff

I see, sorry about that; I did not follow the recent commit.