https://bugzilla.kernel.org/show_bug.cgi?id=199335

            Bug ID: 199335
           Summary: BUG() in ext4_mb_normalize_request when mounting and
                    operating on a crafted ext4 image
           Product: File System
           Version: 2.5
    Kernel Version: 4.4.x
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 275259
  --> https://bugzilla.kernel.org/attachment.cgi?id=275259&action=edit
The crafted image which causes kernel panic

- Overview

BUG() is triggered in ext4_mb_normalize_request() when mounting and operating on a crafted ext4 image.

- Reproduce

# mkdir mnt
# mount -t ext4 9.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Location

https://elixir.bootlin.com/linux/v4.4.124/source/fs/ext4/mballoc.c#L3159

- Kernel Dump

[ 283.633619] EXT4-fs (loop0): feature flags set on rev 0 fs, running e2fsck is recommended
[ 283.633623] EXT4-fs (loop0): Couldn't mount because of unsupported optional features (4400)
[ 583.745647] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[ 588.049508] EXT4-fs error (device loop0): ext4_init_inode_table:1337: comm ext4lazyinit: Something is wrong with group 15: used itable blocks: -8159; itable unused count: 65535
[ 590.162854] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 5, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[ 590.162970] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 24, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[ 590.163023] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 25, block bitmap and bg descriptor inconsistent: 32 vs 256 free clusters
[ 590.163076] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 28, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[ 590.163128] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 29, block bitmap and bg descriptor inconsistent: 32 vs 20 free clusters
[ 590.163356] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 42, block bitmap and bg descriptor inconsistent: 32 vs 4 free clusters
[ 590.163444] EXT4-fs error (device loop0): ext4_mb_complex_scan_group:1972: group 43, 32 free clusters as per group info. But got 512 blocks
[ 590.163498] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 62, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[ 590.163699] ------------[ cut here ]------------
[ 590.163718] kernel BUG at fs/ext4/mballoc.c:3159!
[ 590.163737] invalid opcode: 0000 [#1] SMP
[ 590.163756] Modules linked in: vmw_vsock_vmci_transport vsock snd_ens1371 snd_ac97_codec vmw_balloon ac97_bus uvcvideo snd_pcm coretemp gameport videobuf2_vmalloc snd_timer videobuf2_memops snd_rawmidi btusb videobuf2_v4l2 btrtl btbcm btintel snd_seq_device videobuf2_core bluetooth joydev v4l2_common snd input_leds serio_raw videodev media soundcore vmw_vmci shpchp i2c_piix4 8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear hid_generic usbhid hid vmwgfx drm_kms_helper syscopyarea sysfillrect crct10dif_pclmul sysimgblt crc32_pclmul ghash_clmulni_intel fb_sys_fops ttm aesni_intel aes_x86_64
[ 590.169012]  glue_helper lrw gf128mul ablk_helper drm cryptd e1000 mptspi psmouse scsi_transport_spi mptscsih ahci libahci pata_acpi mptbase fjes
[ 590.170490] CPU: 0 PID: 32509 Comm: poc Not tainted 4.4.124 #4
[ 590.171195] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 590.172573] task: ffff880033af4600 ti: ffff880081064000 task.ti: ffff880081064000
[ 590.173249] RIP: 0010:[<ffffffff892cf59a>]  [<ffffffff892cf59a>] ext4_mb_normalize_request.constprop.29+0x25a/0x4d0
[ 590.174630] RSP: 0018:ffff880081067770  EFLAGS: 00010246
[ 590.175298] RAX: 0000000000000020 RBX: ffff8801261013d8 RCX: 0000000000000020
[ 590.175940] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000020
[ 590.176591] RBP: ffff8800810677c0 R08: 000000000000000a R09: 0000000000000001
[ 590.177310] R10: 0000000000000001 R11: ffffea00028f8700 R12: ffff8800ba95e000
[ 590.177980] R13: ffff8800b959e410 R14: 0000000000000000 R15: ffff8800b959e440
[ 590.178607] FS:  00007f6258042700(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[ 590.179255] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 590.179934] CR2: 00000000006fd158 CR3: 0000000034528000 CR4: 0000000000160670
[ 590.180632] Stack:
[ 590.181297]  ffff8800810678e8 ffff880126101188 ffffffff892cef42 ffff8800ba3ac800
[ 590.181966]  00000020948cd7fc ffff8800ba3ac800 ffff8800810678e4 ffff8800ba3a8800
[ 590.182871]  ffff8800810678e8 ffff8800ba95e000 ffff880081067870 ffffffff892d5b7e
[ 590.183472] Call Trace:
[ 590.184024]  [<ffffffff892cef42>] ? ext4_mb_initialize_context+0x82/0x1b0
[ 590.184573]  [<ffffffff892d5b7e>] ext4_mb_new_blocks+0x5de/0xad0
[ 590.185124]  [<ffffffff8924478a>] ? __find_get_block+0xaa/0x120
[ 590.185703]  [<ffffffff89244acb>] ? __getblk_gfp+0x2b/0x60
[ 590.186239]  [<ffffffff892da07c>] ? ext4_get_branch+0xbc/0x130
[ 590.186757]  [<ffffffff892db65a>] ext4_ind_map_blocks+0xbba/0xbf0
[ 590.187315]  [<ffffffff891ae71c>] ? zone_statistics+0x7c/0xa0
[ 590.187828]  [<ffffffff891957a8>] ? free_hot_cold_page_list+0x48/0xb0
[ 590.188352]  [<ffffffff8929a3d4>] ext4_map_blocks+0x2c4/0x570
[ 590.188845]  [<ffffffff891ebb9c>] ? kmem_cache_alloc+0x1cc/0x1f0
[ 590.189324]  [<ffffffff8929a73e>] _ext4_get_block+0xbe/0x220
[ 590.189833]  [<ffffffff8929a8b6>] ext4_get_block+0x16/0x20
[ 590.190287]  [<ffffffff89245e82>] __block_write_begin+0x172/0x480
[ 590.190730]  [<ffffffff8929a8a0>] ? _ext4_get_block+0x220/0x220
[ 590.191163]  [<ffffffff892cd2cd>] ? __ext4_journal_start_sb+0x6d/0x120
[ 590.191587]  [<ffffffff8929ea5a>] ext4_write_begin+0x19a/0x440
[ 590.192033]  [<ffffffff8929ef9e>] ext4_da_write_begin+0x29e/0x340
[ 590.192453]  [<ffffffff8929fad7>] ? ext4_da_write_end+0x267/0x2c0
[ 590.192871]  [<ffffffff8918defe>] generic_perform_write+0xce/0x1d0
[ 590.193286]  [<ffffffff8918fc92>] __generic_file_write_iter+0x1a2/0x1e0
[ 590.193922]  [<ffffffff8922990e>] ? atime_needs_update+0x4e/0xc0
[ 590.194329]  [<ffffffff89293a22>] ext4_file_write_iter+0x102/0x470
[ 590.194975]  [<ffffffff8921d4d5>] ? do_filp_open+0xa5/0x100
[ 590.195730]  [<ffffffff8920ca42>] __vfs_write+0xd2/0x120
[ 590.196366]  [<ffffffff8920d0c9>] vfs_write+0xa9/0x1a0
[ 590.196871]  [<ffffffff8920dd85>] SyS_write+0x55/0xc0
[ 590.197559]  [<ffffffff897fb4e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[ 590.198059] Code: 00 00 8b 49 54 d3 e0 89 c1 01 f1 39 f9 76 08 39 fe 0f 86 e3 01 00 00 41 39 ce 73 25 3b 75 d4 73 20 41 39 f6 72 07 3b 4d d4 72 02 <0f> 0b 39 f9 0f 87 52 01 00 00 41 39 ce 0f 87 af 01 00 00 41 89
[ 590.199920] RIP  [<ffffffff892cf59a>] ext4_mb_normalize_request.constprop.29+0x25a/0x4d0
[ 590.200456]  RSP <ffff880081067770>
[ 590.201039] ---[ end trace 994aa9e5cf950be0 ]---

Reported by Wen Xu from SSLab, Gatech
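The "EXT4-fs error" lines that precede the BUG come from two sanity checks, the bitmap-versus-descriptor comparison in ext4_mb_generate_buddy() and the used-inode-table-blocks computation in ext4_init_inode_table(). The following C program is an added illustration, not part of the bug report or the kernel source: it re-implements both checks on constructed inputs so the logged numbers can be reproduced offline. The 256 inodes per group and 8 inodes per block are assumptions, chosen because they turn the logged unused count 65535 into the logged -8159.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Number of zero bits (free clusters) among the first nbits of a group's block
 * bitmap; ext4_mb_generate_buddy() derives the same count by walking the bitmap
 * and compares it with the free count taken from the group descriptor. */
unsigned int count_free_clusters(const uint8_t *bitmap, unsigned int nbits)
{
    unsigned int nfree = 0;
    for (unsigned int i = 0; i < nbits; i++)
        if (!(bitmap[i / 8] & (1u << (i % 8))))
            nfree++;
    return nfree;
}

/* True when bitmap and descriptor (desc_free) agree; on disagreement the kernel
 * logs "block bitmap and bg descriptor inconsistent: %u vs %u free clusters". */
bool bg_free_count_consistent(const uint8_t *bitmap, unsigned int clusters_per_group,
                              unsigned int desc_free)
{
    return count_free_clusters(bitmap, clusters_per_group) == desc_free;
}

/* Used inode-table blocks as ext4_init_inode_table() computes them:
 * DIV_ROUND_UP(inodes_per_group - itable_unused, inodes_per_block). An oversized
 * bg_itable_unused from a crafted descriptor drives the result negative. */
int itable_used_blocks(int inodes_per_group, int itable_unused, int inodes_per_block)
{
    return (inodes_per_group - itable_unused + inodes_per_block - 1) / inodes_per_block;
}

/* The kernel's range check: anything outside [0, itb_per_group] is an error. */
bool itable_used_blocks_ok(int used_blks, int itb_per_group)
{
    return used_blks >= 0 && used_blks <= itb_per_group;
}

int main(void)
{
    /* Constructed bitmap: 64 clusters, first 32 free, descriptor claims 0 free. */
    const uint8_t bitmap[8] = { 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff };
    unsigned int nfree = count_free_clusters(bitmap, 64);
    if (!bg_free_count_consistent(bitmap, 64, 0))
        printf("group 5, block bitmap and bg descriptor inconsistent: %u vs %u free clusters\n", nfree, 0u);

    /* Unused count 65535 is from the dump; 256 inodes/group, 8 inodes/block and
     * 32 itable blocks/group are assumed (they reproduce the logged -8159). */
    int used = itable_used_blocks(256, 65535, 8);
    if (!itable_used_blocks_ok(used, 32))
        printf("Something is wrong with group 15: used itable blocks: %d; itable unused count: %u\n", used, 65535u);
    return 0;
}
```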