Created attachment 275419 [details] The (compressed) crafted image which causes crash - Overview Invalid pointer dereference triggered in xfs_bmapi_write() when mounting and operating a crafted xfs image - Reproduce (4.17/4.16) # mkdir mnt # mount -t xfs 91.img mnt # gcc -o poc poc.c # ./poc ./mnt - Location https://elixir.bootlin.com/linux/latest/source/fs/xfs/libxfs/xfs_bmap.c#L4311 ifp->if_broot can be NULL - Kernel Message [ 140.484390] XFS (loop0): Mounting V4 Filesystem [ 140.489148] XFS (loop0): Ending clean mount [ 146.282828] XFS (loop0): Metadata corruption detected at xfs_agf_verify+0x3f/0x240, xfs_agf block 0x1 [ 146.284321] XFS (loop0): Unmount and run xfs_repair [ 146.285097] XFS (loop0): First 128 bytes of corrupted metadata buffer: [ 146.286105] 00000000d6c493ab: 58 41 47 46 00 20 00 01 00 00 00 00 00 00 10 00 XAGF. .......... [ 146.287411] 000000003ba15879: 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 01 ................ [ 146.288756] 00000000c77d12a0: 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 03 ................ [ 146.292162] 000000002a3fa47c: 00 00 00 04 00 00 0c 80 00 00 0c 80 00 00 00 00 ................ [ 146.293540] 000000006d1fa685: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 146.294851] 00000000307ee9c1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 146.296154] 000000001facf664: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 146.297498] 00000000c2a6f52a: 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 146.298880] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x1 len 1 error 117 [ 146.300343] XFS (loop0): page discard on page 0000000058c10cfb, inode 0x6c1, offset 0. [ 146.301953] XFS (loop0): Metadata corruption detected at xfs_agf_verify+0x3f/0x240, xfs_agf block 0x1 [ 146.303363] XFS (loop0): Unmount and run xfs_repair [ 146.304111] XFS (loop0): First 128 bytes of corrupted metadata buffer: [ 146.305150] 00000000d6c493ab: 58 41 47 46 00 20 00 01 00 00 00 00 00 00 10 00 XAGF. .......... [ 146.306481] 000000003ba15879: 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 01 ................ [ 146.307798] 00000000c77d12a0: 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 03 ................ [ 146.309148] 000000002a3fa47c: 00 00 00 04 00 00 0c 80 00 00 0c 80 00 00 00 00 ................ [ 146.310470] 000000006d1fa685: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 146.311784] 00000000307ee9c1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 146.313136] 000000001facf664: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 146.314465] 00000000c2a6f52a: 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 146.315788] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x1 len 1 error 117 [ 146.317232] XFS (loop0): page discard unable to remove delalloc mapping. [ 146.318460] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 [ 146.319661] PGD 800000023065c067 P4D 800000023065c067 PUD 22f5f4067 PMD 0 [ 146.320721] Oops: 0000 [#1] SMP PTI [ 146.321296] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear qxl crct10dif_pclmul crc32_pclmul drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139too floppy 8139cp pata_acpi mii [ 146.328673] CPU: 0 PID: 1301 Comm: p Not tainted 4.17.0-rc1 #3 [ 146.329570] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 146.331004] RIP: 0010:xfs_bmapi_write+0x9b2/0xcc0 [ 146.331724] RSP: 0018:ffffb35641237768 EFLAGS: 00010202 [ 146.332521] RAX: 0000000000000000 RBX: 0000000000000400 RCX: 0000000000000000 [ 146.333602] RDX: 0000000000000000 RSI: ffff8b0ff434cf00 RDI: ffff8b0ff567c000 [ 146.334670] RBP: ffffb356412378e0 R08: 0000000000000400 R09: ffffb35641237950 [ 146.335739] R10: ffffb356412378f0 R11: ffff8b0ff5623b58 R12: 0000000000000004 [ 146.336810] R13: 0000000000000000 R14: ffffb35641237960 R15: ffffb356412377f8 [ 146.337887] FS: 00007f1786da2700(0000) GS:ffff8b0fffc00000(0000) knlGS:0000000000000000 [ 146.339100] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 146.339967] CR2: 0000000000000004 CR3: 0000000234e40000 CR4: 00000000000006f0 [ 146.341057] Call Trace: [ 146.341476] ? kmem_zone_alloc+0x8f/0x110 [ 146.342101] xfs_iomap_write_allocate+0x19f/0x3c0 [ 146.342830] xfs_map_blocks+0x208/0x280 [ 146.343426] xfs_do_writepage+0x26e/0x6a0 [ 146.344066] ? clear_page_dirty_for_io+0x217/0x2a0 [ 146.344801] write_cache_pages+0x225/0x4b0 [ 146.345449] ? xfs_add_to_ioend+0x250/0x250 [ 146.346116] ? generic_write_end+0x82/0xb0 [ 146.346750] xfs_vm_writepages+0x6b/0xa0 [ 146.347356] do_writepages+0x1f/0x70 [ 146.347921] __filemap_fdatawrite_range+0xc6/0x100 [ 146.348654] file_write_and_wait_range+0x5a/0xb0 [ 146.349376] xfs_file_fsync+0x67/0x230 [ 146.349960] vfs_fsync_range+0x48/0x80 [ 146.350541] xfs_file_write_iter+0x126/0x150 [ 146.351213] __vfs_write+0xfc/0x170 [ 146.351756] vfs_write+0xb8/0x1b0 [ 146.352273] ksys_write+0x55/0xc0 [ 146.352791] __x64_sys_write+0x1a/0x20 [ 146.353399] do_syscall_64+0x5a/0x110 [ 146.353988] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 146.354779] RIP: 0033:0x7f17868b42c0 [ 146.355330] RSP: 002b:00007ffd51a76568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 146.356470] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f17868b42c0 [ 146.357553] RDX: 0000000000008000 RSI: 00000000006010a0 RDI: 0000000000000003 [ 146.358626] RBP: 00007ffd51a765a0 R08: 00000000011fc010 R09: 0000000000000000 [ 146.359697] R10: 000000000000086f R11: 0000000000000246 R12: 0000000000400610 [ 146.360770] R13: 00007ffd51a766a0 R14: 0000000000000000 R15: 0000000000000000 [ 146.361848] Code: 45 85 ed 74 71 83 bd bc fe ff ff 01 0f 84 b2 02 00 00 83 b8 34 01 00 00 03 0f 94 c0 84 c0 74 64 48 8b 85 e0 fe ff ff 48 8b 40 08 <0f> b7 40 04 66 c1 c0 08 0f b7 c0 83 c0 01 89 45 b8 e9 d3 f7 ff [ 146.364693] RIP: xfs_bmapi_write+0x9b2/0xcc0 RSP: ffffb35641237768 [ 146.365638] CR2: 0000000000000004 [ 146.366215] ---[ end trace 44b40574f882ce7c ]--- Reported by Wen Xu at SSlab, Gatech
Created attachment 275421 [details] poc.c
Created attachment 275423 [details] Kernel config
[PATCH] xfs: set format back to extents if xfs_bmap_extents_to_btree fails
If xfs_bmap_extents_to_btree fails in a mode where we call xfs_iroot_realloc(-1) to de-allocate the root, set the format back to extents. Otherwise we can assume we can dereference ifp->if_broot based on the XFS_DINODE_FMT_BTREE format, and crash.