Bug 200093 - JBD2 unexpected failure when mounting and operating a crafted ext4 image
Summary: JBD2 unexpected failure when mounting and operating a crafted ext4 image
Status: RESOLVED UNREPRODUCIBLE
Alias: None
Product: File System
Classification: Unclassified
Component: ext4
Hardware: All Linux
Importance: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-16 15:54 UTC by Wen Xu
Modified: 2018-06-17 17:43 UTC

See Also:
Kernel Version: 4.17
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (24.57 KB, application/zip), 2018-06-16 15:54 UTC, Wen Xu
poc.c (3.18 KB, text/plain), 2018-06-16 15:55 UTC, Wen Xu

Description Wen Xu 2018-06-16 15:54:50 UTC
Created attachment 276601
The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t ext4 274.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Kernel message
[  122.880706] EXT4-fs error (device loop0): ext4_orphan_get:1249: comm mount: bad orphan inode 1263225600
[  122.906475] EXT4-fs (loop0): recovery complete
[  122.906491] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[  126.432320] EXT4-fs error (device loop0): ext4_init_inode_table:1393: comm ext4lazyinit: Something is wrong with group 0: used itable blocks: -467; itable unused count: 1935
[  126.833478] EXT4-fs error (device loop0): htree_dirblock_to_tree:1006: inode #2: block 35: comm a.out: bad entry in directory: inode out of bounds - offset=152(152), inode=32767, rec_len=12, name_len=1
[  126.955839] EXT4-fs error (device loop0): ext4_map_blocks:592: inode #14: block 16768512: comm a.out: lblock 0 mapped to illegal pblock 16768512 (length 1)
[  126.978875] EXT4-fs error (device loop0): ext4_clear_blocks:849: inode #14: comm a.out: attempt to clear invalid blocks 16768512 len 1
[  127.001293] EXT4-fs error (device loop0): ext4_mb_generate_buddy:746: group 1, block bitmap and bg descriptor inconsistent: 512 vs 28 free clusters
[  127.004406] EXT4-fs error (device loop0): ext4_free_data:972: inode #14: comm a.out: circular indirect block detected at block 19
[  127.037615] JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh); <--
[  127.039074] inconsistent data on disk <--
[  127.039823] EXT4-fs: ext4_free_blocks:4805: aborting transaction: IO failure in __ext4_forget
[  127.066117] EXT4-fs error (device loop0): ext4_free_blocks:4805: error -5 when attempting revoke
[  127.067876] EXT4-fs (loop0): Remounting filesystem read-only
[  127.069081] Aborting journal on device loop0-8.
[  127.120840] EXT4-fs error (device loop0): ext4_mb_free_metadata:4684: group 0, block 19:Block already on to-be-freed list
[  127.123048] EXT4-fs error (device loop0) in ext4_free_blocks:4962: Journal has aborted
[  127.144847] EXT4-fs error (device loop0) in ext4_orphan_del:2899: Journal has aborted
[  127.165785] EXT4-fs error (device loop0) in ext4_do_update_inode:5273: Journal has aborted

- Location
https://elixir.bootlin.com/linux/latest/source/fs/jbd2/revoke.c#L374

Reported by Wen Xu from SSLab at Gatech.
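Added example, not part of this report and not the reporter's poc.c (which is only attached above): a user-space C model of freeing an ext4-style indirect block tree read from a crafted image. It models two of the checks that fire in the kernel log above, the "illegal pblock" range check and the "circular indirect block" check, and shows what skipping them costs: an indirect block that points back at itself is queued on the to-be-freed list more than once, which is the "Block already on to-be-freed list" condition. The toy disk geometry (64 blocks, 4 pointers per block), the block numbers, and the three images are constructed for the example; the cycle check used here is a simple already-queued test, which is a stand-in for how fs/ext4/indirect.c detects the condition, not a copy of it.

```c
/*
 * Added example (not kernel code, not the reporter's poc.c): a user-space
 * model of freeing an ext4-style indirect block tree from a crafted image.
 * Toy disk geometry and every block number below are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NBLOCKS          64   /* toy disk: 64 blocks */
#define PTRS_PER_BLOCK    4   /* real ext4: blocksize / 4 */
#define FIRST_DATA_BLOCK  1   /* block 0 is never a valid data/indirect block */

typedef uint32_t block_t;

struct toy_disk { block_t ptr[NBLOCKS][PTRS_PER_BLOCK]; };

/* Model of the to-be-freed list plus counters for what went wrong. */
struct free_list {
    uint8_t  queued[NBLOCKS];   /* times each block was queued */
    unsigned nr_freed;          /* distinct blocks queued */
    unsigned double_frees;      /* blocks queued more than once */
    unsigned illegal_ptrs;      /* out-of-range pointers skipped (naive mode) */
};

enum walk_status { WALK_OK = 0, WALK_EBADBLOCK = -1, WALK_ECIRCULAR = -2 };

/*
 * Free the tree rooted at block b. depth 0 = data block, depth n = block of
 * pointers to depth n-1 blocks (ext4 indirect chains are at most 3 deep).
 * strict=false trusts the image (only array bounds are guarded so the model
 * cannot crash); strict=true rejects the image on the first bad pointer.
 * Recursion always terminates because depth decreases on every call.
 */
static int free_tree(const struct toy_disk *d, block_t b, int depth,
                     struct free_list *fl, bool strict)
{
    if (b == 0)
        return WALK_OK;                              /* sparse hole */
    if (b < FIRST_DATA_BLOCK || b >= NBLOCKS) {      /* "illegal pblock" */
        if (strict)
            return WALK_EBADBLOCK;
        fl->illegal_ptrs++;                          /* naive: ignore and carry on */
        return WALK_OK;
    }
    if (strict && fl->queued[b])                     /* block already seen: cycle or shared block */
        return WALK_ECIRCULAR;
    if (fl->queued[b]++ == 0)
        fl->nr_freed++;
    else
        fl->double_frees++;                          /* "Block already on to-be-freed list" */
    if (depth == 0)
        return WALK_OK;
    for (int i = 0; i < PTRS_PER_BLOCK; i++) {
        int rc = free_tree(d, d->ptr[b][i], depth - 1, fl, strict);
        if (rc != WALK_OK)
            return rc;
    }
    return WALK_OK;
}

enum image { IMG_GOOD, IMG_CRAFTED_CYCLE, IMG_CRAFTED_BADPTR };

/* Build one of three constructed images; returns the root block, sets its depth. */
static block_t build_image(struct toy_disk *d, enum image which, int *depth)
{
    memset(d, 0, sizeof *d);
    *depth = 2;                                      /* double-indirect root */
    switch (which) {
    case IMG_GOOD:
        /* 10 -> {20, 21}; 20 -> {30..33}; 21 -> {34..37}: 11 blocks in total */
        d->ptr[10][0] = 20; d->ptr[10][1] = 21;
        for (int i = 0; i < PTRS_PER_BLOCK; i++) {
            d->ptr[20][i] = 30 + i;
            d->ptr[21][i] = 34 + i;
        }
        return 10;
    case IMG_CRAFTED_CYCLE:
        /* block 19 points at itself and at a physical block outside the disk */
        d->ptr[19][0] = 19; d->ptr[19][1] = 16768512; d->ptr[19][2] = 20;
        d->ptr[20][0] = 30; d->ptr[20][1] = 31;
        return 19;
    case IMG_CRAFTED_BADPTR:
        d->ptr[19][0] = 16768512;
        return 19;
    }
    return 0;
}

/* Run the walk over one image; fl may be NULL if only the status is wanted. */
int run_image(enum image which, bool strict, struct free_list *fl)
{
    struct toy_disk d;
    struct free_list local;
    int depth;
    block_t root = build_image(&d, which, &depth);
    if (!fl)
        fl = &local;
    memset(fl, 0, sizeof *fl);
    return free_tree(&d, root, depth, fl, strict);
}

int blocks_freed(enum image which, bool strict)
{ struct free_list fl; run_image(which, strict, &fl); return (int)fl.nr_freed; }

int double_frees(enum image which, bool strict)
{ struct free_list fl; run_image(which, strict, &fl); return (int)fl.double_frees; }

int illegal_ptrs(enum image which, bool strict)
{ struct free_list fl; run_image(which, strict, &fl); return (int)fl.illegal_ptrs; }
```

With strict=false the walk over IMG_CRAFTED_CYCLE returns success, yet it queues block 19 three times and silently drops two pointers it cannot address; with strict=true it stops at the first self-reference, which is what a free path needs if the later stages (journal revoke, bitmap updates) are never to see the same block twice.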
Comment 1 Wen Xu 2018-06-16 15:55:08 UTC
Created attachment 276603
poc.c
Comment 2 Theodore Tso 2018-06-17 17:43:35 UTC
I can't reproduce a crash on v4.17-rc4 or the tip of the ext4.git tree.
