Bug 200071 - BUG() in jbd2_journal_dirty_metadata() that kernel cannot handle when mounting and operating a crafted ext4 image
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: ext4
Hardware: All Linux
Importance: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-14 04:04 UTC by Wen Xu
Modified: 2018-07-02 16:10 UTC

See Also:
Kernel Version: 4.17
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (9.38 KB, application/zip), 2018-06-14 04:04 UTC, Wen Xu
poc.c (3.18 KB, text/plain), 2018-06-14 04:04 UTC, Wen Xu
A (compressed) simplified image (12.17 KB, application/zip), 2018-06-15 13:48 UTC, Wen Xu

Description Wen Xu 2018-06-14 04:04:21 UTC
This is also an issue finally triggered in the code path of JBD2 when operating an ext4 image.

- Reproduce
# mkdir mnt
# mount -t ext4 0.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

I can reproduce this on both the dev branch of ext4.git and the upstream kernel.

- Kernel message
[  919.113698] EXT4-fs: ext4_mb_mark_diskspace_used:3044: aborting transaction: error 28 in __ext4_handle_dirty_metadata
[  919.115977] EXT4: jbd2_journal_dirty_metadata failed: handle type 1 started at line 867, credits 1/0, errcode -28
[  919.116014] EXT4-fs error (device loop0) in ext4_do_update_inode:5273: Readonly filesystem
[  919.176196] EXT4-fs error (device loop0) in ext4_dirty_inode:5984: error 28
[  919.208726] EXT4-fs error (device loop0) in ext4_do_update_inode:5273: Readonly filesystem
[  919.239194] EXT4-fs error (device loop0) in ext4_da_write_inline_data_begin:893: error 28
[  919.260225] kernel BUG at fs/jbd2/transaction.c:1365!
[  919.261385] invalid opcode: 0000 [#1] SMP KASAN PTI
[  919.262367] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect crct10dif_pclmul sysimgblt fb_sys_fops ttm crc32_pclmul drm aesni_intel aes_x86_64 crypto_simd cryptd glue_helper pata_acpi 8139cp floppy mii
[  919.272919] CPU: 1 PID: 28962 Comm: poc Tainted: G        W         4.17.0-rc4+ #5
[  919.274408] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  919.276301] RIP: 0010:jbd2_journal_dirty_metadata+0x4b6/0x4d0
[  919.277437] RSP: 0018:ffff8801de9574d8 EFLAGS: 00010206
[  919.278479] RAX: 0000000000000000 RBX: ffff880187b2d2a0 RCX: ffffffff865603ca
[  919.279874] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8801dbc5700c
[  919.281280] RBP: ffff8801de957528 R08: ffff880187b2d2a0 R09: ffffed003dac53b5
[  919.282681] R10: 0000000000000001 R11: ffffed003dac53b4 R12: ffff8801dbc57000
[  919.284096] R13: ffff8801953dca00 R14: ffff8801dbc5700c R15: ffff8801e11b8000
[  919.285501] FS:  00007f41395dc700(0000) GS:ffff8801f7100000(0000) knlGS:0000000000000000
[  919.287109] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  919.288282] CR2: 00007f819decd624 CR3: 00000001e7d24000 CR4: 00000000000006e0
[  919.289706] Call Trace:
[  919.290220]  ? ext4_mb_good_group+0x206/0x260
[  919.291104]  __ext4_handle_dirty_metadata+0x61/0x2a0
[  919.292107]  ext4_mb_mark_diskspace_used+0x4ee/0x6d0
[  919.293096]  ? ext4_mb_regular_allocator+0x840/0x840
[  919.294089]  ext4_mb_new_blocks+0x59d/0x15e0
[  919.294959]  ? __kmalloc+0x11f/0x240
[  919.295690]  ? ext4_find_extent+0x3cf/0x450
[  919.296532]  ext4_ext_map_blocks+0x1285/0x1f60
[  919.297419]  ? ext4_find_delalloc_cluster+0x60/0x60
[  919.298395]  ? __put_compound_page+0x50/0x50
[  919.299252]  ? mpage_process_page_bufs+0x211/0x270
[  919.300215]  ? __pagevec_release+0x55/0x60
[  919.301033]  ? mpage_prepare_extent_to_map+0x56f/0x590
[  919.302051]  ? kasan_check_write+0x14/0x20
[  919.302873]  ? ext4_es_lookup_extent+0x276/0x310
[  919.303808]  ext4_map_blocks+0x246/0xa50
[  919.304597]  ? memcg_kmem_put_cache+0x1b/0xa0
[  919.305472]  ? ext4_issue_zeroout+0xa0/0xa0
[  919.306308]  ? __ext4_journal_start_sb+0x89/0x180
[  919.307249]  ext4_writepages+0xcd5/0x1500
[  919.308072]  ? ext4_mark_inode_dirty+0x3d0/0x3d0
[  919.309010]  ? aa_path_link+0x210/0x210
[  919.309786]  ? kasan_slab_free+0xe/0x10
[  919.310559]  ? kmem_cache_free+0x89/0x1e0
[  919.311362]  ? putname+0x80/0x90
[  919.312033]  ? do_sys_open+0x22e/0x2c0
[  919.312788]  ? __x64_sys_open+0x4c/0x60
[  919.313575]  ? iov_iter_init+0x82/0xc0
[  919.314330]  do_writepages+0x37/0xb0
[  919.315056]  ? ext4_mark_inode_dirty+0x3d0/0x3d0
[  919.315998]  ? do_writepages+0x37/0xb0
[  919.316763]  __filemap_fdatawrite_range+0x19a/0x1f0
[  919.317731]  ? delete_from_page_cache_batch+0x4e0/0x4e0
[  919.318775]  ? fsnotify+0x695/0x720
[  919.319478]  ? __fsnotify_inode_delete+0x20/0x20
[  919.320415]  file_write_and_wait_range+0x66/0xb0
[  919.321337]  ext4_sync_file+0x1e3/0x670
[  919.322114]  ? ext4_getfsmap+0x4d0/0x4d0
[  919.322909]  vfs_fsync_range+0x68/0x100
[  919.323698]  ? __fget_light+0xc9/0xe0
[  919.324437]  do_fsync+0x3d/0x70
[  919.325074]  __x64_sys_fdatasync+0x24/0x30
[  919.325899]  do_syscall_64+0x78/0x170
[  919.326651]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  919.327662] RIP: 0033:0x7f41390f4800
[  919.328379] RSP: 002b:00007fff8fe02e78 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
[  919.329863] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f41390f4800
[  919.331257] RDX: 0000000000008000 RSI: 0000000000602140 RDI: 0000000000000003
[  919.332665] RBP: 00007fff8fe02fe0 R08: 0000000000000003 R09: 0000000000000000
[  919.334058] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400c20
[  919.335449] R13: 00007fff8fe030e0 R14: 0000000000000000 R15: 0000000000000000
[  919.336851] Code: 2a fd ff ff 31 c0 e9 e0 fe ff ff c7 45 c8 00 00 00 00 e9 b6 fe ff ff 4c 89 f7 e8 a6 2b e3 ff 41 83 7c 24 0c 01 0f 84 4f fe ff ff <0f> 0b 0f 0b 45 31 f6 e9 71 ff ff ff 0f 1f 40 00 66 2e 0f 1f 84
[  919.340550] RIP: jbd2_journal_dirty_metadata+0x4b6/0x4d0 RSP: ffff8801de9574d8
[  919.342119] ---[ end trace 9f703e0d0e15b355 ]---
[  919.342994] ==================================================================
[  919.344683] BUG: KASAN: stack-out-of-bounds in arch_tlb_gather_mmu+0x21/0x170
[  919.346144] Write of size 8 at addr ffff8801de957bc8 by task poc/28962
[  919.347461]
[  919.347820] CPU: 1 PID: 28962 Comm: poc Tainted: G      D W         4.17.0-rc4+ #5
[  919.349341] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  919.351211] Call Trace:
[  919.351734]  dump_stack+0x7b/0xb5
[  919.352418]  print_address_description+0x70/0x290
[  919.353368]  kasan_report+0x291/0x390
[  919.354112]  ? arch_tlb_gather_mmu+0x21/0x170
[  919.354992]  __asan_store8+0x57/0x90
[  919.355731]  arch_tlb_gather_mmu+0x21/0x170
[  919.356575]  tlb_gather_mmu+0x12/0x40
[  919.357325]  free_ldt_pgtables.part.2+0x90/0x110
[  919.358261]  ? map_ldt_struct+0x430/0x430
[  919.359098]  ? compat_start_thread+0x60/0x60
[  919.359996]  ? finish_task_switch+0x94/0x330
[  919.360857]  ? switch_mm_irqs_off+0x28d/0x510
[  919.361726]  ? __schedule+0x6dc/0xd80
[  919.362465]  free_ldt_pgtables+0x13/0x20
[  919.363257]  ldt_arch_exit_mmap+0xe/0x10
[  919.364061]  exit_mmap+0xcd/0x280
[  919.364736]  ? __ia32_sys_munmap+0x50/0x50
[  919.365559]  ? exit_aio+0x98/0x230
[  919.366254]  ? __x32_compat_sys_io_submit+0x100/0x100
[  919.367270]  ? taskstats_exit+0x1f4/0x640
[  919.368086]  ? kasan_check_read+0x11/0x20
[  919.368899]  ? mm_update_next_owner+0x322/0x380
[  919.369806]  mmput+0x8b/0x1d0
[  919.370411]  do_exit+0x43a/0x1390
[  919.371084]  ? file_write_and_wait_range+0x66/0xb0
[  919.372057]  ? mm_update_next_owner+0x380/0x380
[  919.372969]  ? ext4_getfsmap+0x4d0/0x4d0
[  919.373761]  ? vfs_fsync_range+0x68/0x100
[  919.374570]  ? __fget_light+0xc9/0xe0
[  919.375314]  ? do_fsync+0x3d/0x70
[  919.376012]  ? __x64_sys_fdatasync+0x24/0x30
[  919.376873]  rewind_stack_do_exit+0x17/0x20
[  919.377714] RIP: 0033:0x7f41390f4800
[  919.378456] RSP: 002b:00007fff8fe02e78 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
[  919.379982] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f41390f4800
[  919.381399] RDX: 0000000000008000 RSI: 0000000000602140 RDI: 0000000000000003
[  919.382812] RBP: 00007fff8fe02fe0 R08: 0000000000000003 R09: 0000000000000000
[  919.384246] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400c20
[  919.385663] R13: 00007fff8fe030e0 R14: 0000000000000000 R15: 0000000000000000
[  919.387075]
[  919.387394] The buggy address belongs to the page:
[  919.395943] page:ffffea00077a55c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  919.397528] flags: 0x2ffff0000000000()
[  919.398302] raw: 02ffff0000000000 0000000000000000 0000000000000000 00000000ffffffff
[  919.399852] raw: 0000000000000000 dead000000000200 0000000000000000 0000000000000000
[  919.401379] page dumped because: kasan: bad access detected
[  919.402481]
[  919.402799] Memory state around the buggy address:
[  919.403768]  ffff8801de957a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  919.405192]  ffff8801de957b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[  919.406616] >ffff8801de957b80: f1 f1 00 00 00 f1 f1 f1 f1 f4 f2 00 00 00 00 00
[  919.408046]                                               ^
[  919.409155]  ffff8801de957c00: 00 00 00 00 00 00 00 00 00 00 f4 f4 f4 f3 f3 f3
[  919.410581]  ffff8801de957c80: f3 f3 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[  919.412015] ==================================================================
[  919.414859] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[  919.416424] BUG: unable to handle kernel paging request at ffff88018c306ec1
[  919.417829] PGD 4ff40067 P4D 4ff40067 PUD 4ff46067 PMD 800000018c2000e3
[  919.419180] Oops: 0011 [#2] SMP KASAN PTI
[  919.419997] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect crct10dif_pclmul sysimgblt fb_sys_fops ttm crc32_pclmul drm aesni_intel aes_x86_64 crypto_simd cryptd glue_helper pata_acpi 8139cp floppy mii
[  919.430926] CPU: 1 PID: 28962 Comm: poc Tainted: G    B D W         4.17.0-rc4+ #5
[  919.432524] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  919.434371] RIP: 0010:0xffff88018c306ec1
[  919.435162] RSP: 0018:ffff8801de957538 EFLAGS: 00010246
[  919.436214] RAX: 0000000000000000 RBX: ffff8801de9575c8 RCX: ffffffff8680273c
[  919.437631] RDX: ffff88018c306ec1 RSI: 0000000000000001 RDI: ffff880194f05e80
[  919.439058] RBP: ffff8801de957630 R08: fffffbfff0fc16c7 R09: fffffbfff0fc16c7
[  919.440499] R10: 0000000000000001 R11: fffffbfff0fc16c6 R12: ffff880194f05d08
[  919.441930] R13: ffff8801de957608 R14: ffff8801de9575c8 R15: ffff880194f05e80
[  919.443359] FS:  00007f41395dc700(0000) GS:ffff8801f7100000(0000) knlGS:0000000000000000
[  919.444972] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  919.446115] CR2: ffff88018c306ec1 CR3: 00000001ef71a000 CR4: 00000000000006e0
[  919.447526] Call Trace:
[  919.448050]  ? blk_flush_plug_list+0x20e/0x4d0
[  919.448951]  ? blk_init_request_from_bio+0x160/0x160
[  919.449955]  ? unwind_get_return_address+0x36/0x50
[  919.450924]  ? kasan_check_write+0x14/0x20
[  919.451762]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  919.452671]  ? radix_tree_next_chunk+0xc0/0x4a0
[  919.453593]  io_schedule_prepare+0x66/0x70
[  919.454421]  io_schedule+0x1a/0x50
[  919.455118]  __lock_page+0x1c9/0x240
[  919.455856]  ? __lock_page_killable+0x280/0x280
[  919.456882]  ? find_get_entries_tag+0x3d0/0x3d0
[  919.457860]  ? ext4_release_file+0x13d/0x150
[  919.458731]  ? page_cache_tree_insert+0x1d0/0x1d0
[  919.459692]  mpage_prepare_extent_to_map+0x545/0x590
[  919.460734]  ? __ext4_get_inode_loc+0x680/0x680
[  919.461671]  ? save_stack_trace+0x1f/0x30
[  919.462486]  ? save_stack_trace+0x1f/0x30
[  919.463297]  ? memcg_kmem_put_cache+0x1b/0xa0
[  919.464276]  ? kmem_cache_alloc+0x17c/0x1e0
[  919.465121]  ? ext4_init_io_end+0x21/0x80
[  919.465938]  ext4_writepages+0x78a/0x1500
[  919.466750]  ? ext4_mark_inode_dirty+0x3d0/0x3d0
[  919.467693]  ? kasan_check_write+0x14/0x20
[  919.468533]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  919.469452]  ? depot_save_stack+0x2cd/0x470
[  919.470300]  ? free_fs_struct+0x3a/0x40
[  919.471083]  ? save_stack+0x46/0xd0
[  919.471807]  ? __kasan_slab_free+0x13c/0x1a0
[  919.472671]  ? kasan_slab_free+0xe/0x10
[  919.473446]  ? kmem_cache_free+0x89/0x1e0
[  919.474256]  ? free_fs_struct+0x3a/0x40
[  919.475036]  do_writepages+0x37/0xb0
[  919.475780]  ? ext4_mark_inode_dirty+0x3d0/0x3d0
[  919.476712]  ? do_writepages+0x37/0xb0
[  919.477476]  __filemap_fdatawrite_range+0x19a/0x1f0
[  919.478457]  ? delete_from_page_cache_batch+0x4e0/0x4e0
[  919.479510]  ? locks_remove_file+0x9f/0x2a0
[  919.480366]  filemap_flush+0x1c/0x20
[  919.481095]  ext4_alloc_da_blocks+0x41/0xc0
[  919.481948]  ext4_release_file+0x13d/0x150
[  919.482781]  __fput+0x17a/0x380
[  919.483426]  ____fput+0xe/0x10
[  919.484154]  task_work_run+0xc8/0xf0
[  919.484885]  do_exit+0x4a4/0x1390
[  919.485564]  ? file_write_and_wait_range+0x66/0xb0
[  919.486532]  ? mm_update_next_owner+0x380/0x380
[  919.487445]  ? ext4_getfsmap+0x4d0/0x4d0
[  919.488257]  ? vfs_fsync_range+0x68/0x100
[  919.489071]  ? __fget_light+0xc9/0xe0
[  919.489815]  ? do_fsync+0x3d/0x70
[  919.490493]  ? __x64_sys_fdatasync+0x24/0x30
[  919.491356]  rewind_stack_do_exit+0x17/0x20
[  919.492213] RIP: 0033:0x7f41390f4800
[  919.492934] RSP: 002b:00007fff8fe02e78 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
[  919.494429] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f41390f4800
[  919.502043] RDX: 0000000000008000 RSI: 0000000000602140 RDI: 0000000000000003
[  919.503471] RBP: 00007fff8fe02fe0 R08: 0000000000000003 R09: 0000000000000000
[  919.504976] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400c20
[  919.506395] R13: 00007fff8fe030e0 R14: 0000000000000000 R15: 0000000000000000
[  919.507826] Code: 00 00 00 8c bd 8b 01 88 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 6e 30 8c 01 88 ff ff 00 <00> 09 00 00 00 00 00 00 00 00 00 00 00 00 00 88 5e f0 94 01 88
[  919.511560] RIP: 0xffff88018c306ec1 RSP: ffff8801de957538
[  919.512644] CR2: ffff88018c306ec1
[  919.513312] ---[ end trace 9f703e0d0e15b356 ]---
[  919.514260] WARNING: CPU: 1 PID: 28962 at kernel/exit.c:771 do_exit+0xd2/0x1390
[  919.515712] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect crct10dif_pclmul sysimgblt fb_sys_fops ttm crc32_pclmul drm aesni_intel aes_x86_64 crypto_simd cryptd glue_helper pata_acpi 8139cp floppy mii
[  919.526225] CPU: 1 PID: 28962 Comm: poc Tainted: G    B D W         4.17.0-rc4+ #5
[  919.527755] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  919.529625] RIP: 0010:do_exit+0xd2/0x1390
[  919.530432] RSP: 0018:ffff8801de957df8 EFLAGS: 00010087
[  919.531480] RAX: ffffffff864f0a00 RBX: ffff88018a252880 RCX: ffffffff860d3ec5
[  919.532907] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8801de957b90
[  919.534323] RBP: ffff8801de957f48 R08: 0000000000000000 R09: ffffed003ee23ebb
[  919.535748] R10: 0000000000000001 R11: ffffed003ee23eba R12: 0000000000000009
[  919.537164] R13: ffff8801de957b90 R14: 0000000000000046 R15: 0000000000000011
[  919.538580] FS:  00007f41395dc700(0000) GS:ffff8801f7100000(0000) knlGS:0000000000000000
[  919.540187] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  919.541351] CR2: ffff88018c306ec1 CR3: 00000001ef71a000 CR4: 00000000000006e0
[  919.542778] Call Trace:
[  919.543288]  ? file_write_and_wait_range+0x66/0xb0
[  919.544270]  ? mm_update_next_owner+0x380/0x380
[  919.545192]  ? ext4_getfsmap+0x4d0/0x4d0
[  919.545990]  ? vfs_fsync_range+0x68/0x100
[  919.546807]  ? __fget_light+0xc9/0xe0
[  919.547555]  ? do_fsync+0x3d/0x70
[  919.548248]  ? __x64_sys_fdatasync+0x24/0x30
[  919.549119]  rewind_stack_do_exit+0x17/0x20
[  919.549970] RIP: 0033:0x7f41390f4800
[  919.550697] RSP: 002b:00007fff8fe02e78 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
[  919.552209] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f41390f4800
[  919.553622] RDX: 0000000000008000 RSI: 0000000000602140 RDI: 0000000000000003
[  919.555030] RBP: 00007fff8fe02fe0 R08: 0000000000000003 R09: 0000000000000000
[  919.556454] R10: 00000000000002e8 R11: 0000000000000246 R12: 0000000000400c20
[  919.557870] R13: 00007fff8fe030e0 R14: 0000000000000000 R15: 0000000000000000
[  919.559282] Code: bb 60 07 00 00 e8 bf f1 2b 00 4c 8b ab 60 07 00 00 4d 85 ed 74 17 4c 89 ef e8 ab f1 2b 00 49 8b 45 00 49 39 c5 0f 84 ea 0c 00 00 <0f> 0b 65 8b 05 b5 ac f4 79 25 00 ff 1f 00 89 85 d0 fe ff ff 0f
[  919.563037] ---[ end trace 9f703e0d0e15b357 ]---
[  919.563980] Fixing recursive fault but reboot is needed!

- Location
https://elixir.bootlin.com/linux/latest/source/fs/jbd2/transaction.c#L1366
J_ASSERT_JH(jh, jh->b_transaction != transaction ||
		jh->b_jlist == BJ_Metadata);
It seems that the kernel cannot recover from this critical fault and requires a reboot.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
Comment 1 Wen Xu 2018-06-14 04:04:44 UTC
Created attachment 276543
The (compressed) crafted image which causes crash
Comment 2 Wen Xu 2018-06-14 04:04:58 UTC
Created attachment 276545
poc.c
Comment 3 Wen Xu 2018-06-15 13:48:06 UTC
Created attachment 276573
A (compressed) simplified image
Comment 4 Theodore Tso 2018-06-18 12:52:29 UTC
This bug is addressed by these two commits:

jbd2: don't mark block as modified if the handle is out of credits
     http://patchwork.ozlabs.org/patch/930638/

ext4: avoid running out of journal credits when appending to an inline file
     http://patchwork.ozlabs.org/patch/930641/

This bug can be triggered without needing a specially crafted file system (although, of course, the inline_data feature has to be enabled in the file system --- which is currently not enabled by default).
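As an added illustrative model (not code from the kernel or from either patch), this C sketch contrasts the ordering that Comment 4's first patch title describes: marking a buffer "modified" before the handle's credit check versus after it, and why the first order lets a retry reach the assertion quoted in the report. Only the field names and the assertion come from the page; the struct layouts, function names, and the use of a return code in place of BUG() are assumptions of the example.

```c
/* Added illustrative model, not kernel or patch code: the ordering bug named
 * in Comment 4 (buffer marked "modified" before the handle's credits are
 * checked).  Structs, functions and the BUG()-as-return-code are assumptions. */
#include <stdio.h>
enum { ERR_NOSPC = -28, ERR_BUG = -1000 };   /* -ENOSPC; BUG() modelled as -1000 */
enum jlist { BJ_Reserved, BJ_Metadata };
struct transaction { int id; };
struct journal_head { struct transaction *b_transaction; enum jlist b_jlist; int b_modified; };
struct handle { struct transaction *h_transaction; int h_buffer_credits; };
/* Invariant quoted in the report (J_ASSERT_JH in jbd2_journal_dirty_metadata). */
static int filed_ok(const struct journal_head *jh, const struct transaction *t)
{
    return jh->b_transaction != t || jh->b_jlist == BJ_Metadata;
}
/* Buggy order: b_modified is set even if the credit check then fails, so a
 * retry skips accounting and trips the assertion. */
static int dirty_metadata_buggy(struct handle *h, struct journal_head *jh)
{
    if (!jh->b_modified) {
        jh->b_modified = 1;
        if (h->h_buffer_credits <= 0)
            return ERR_NOSPC;        /* buffer stays on BJ_Reserved */
        h->h_buffer_credits--;
    } else if (!filed_ok(jh, h->h_transaction)) {
        return ERR_BUG;              /* the assertion would fire here */
    }
    jh->b_jlist = BJ_Metadata;       /* file on the metadata list */
    return 0;
}
/* Fixed order: consume a credit first; a failed call leaves no state behind. */
static int dirty_metadata_fixed(struct handle *h, struct journal_head *jh)
{
    if (!jh->b_modified) {
        if (h->h_buffer_credits <= 0)
            return ERR_NOSPC;
        h->h_buffer_credits--;
        jh->b_modified = 1;
    } else if (!filed_ok(jh, h->h_transaction)) {
        return ERR_BUG;
    }
    jh->b_jlist = BJ_Metadata;
    return 0;
}
/* Dirty the same reserved buffer twice from one handle and return the second
 * result; credits == 0 models the exhausted handle (errcode -28) in the report. */
static int dirty_twice(int (*fn)(struct handle *, struct journal_head *), int credits)
{
    struct transaction t = { 1 };
    struct journal_head jh = { &t, BJ_Reserved, 0 };   /* after get_write_access */
    struct handle h = { &t, credits };
    fn(&h, &jh);
    return fn(&h, &jh);
}
int main(void)
{
    printf("out of credits: buggy=%d fixed=%d\n",
           dirty_twice(dirty_metadata_buggy, 0), dirty_twice(dirty_metadata_fixed, 0));
    return 0;
}
```

With no credits left, the buggy order returns -28 once and then hits the invariant check on the retry, while the fixed order keeps returning -28, which is the error ext4 can handle by aborting the transaction.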
Comment 5 Theodore Tso 2018-07-02 16:10:16 UTC
This has been assigned CVE-2018-10883

Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1596846
