https://bugzilla.kernel.org/show_bug.cgi?id=199337

            Bug ID: 199337
           Summary: BUG() in ext4_mb_mark_diskspace_used() when mounting and
                    operating on a crafted ext4 image
           Product: File System
           Version: 2.5
    Kernel Version: 4.4.x
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 275263
  --> https://bugzilla.kernel.org/attachment.cgi?id=275263&action=edit
The crafted image which causes kernel panic

- Overview

BUG() is triggered at ext4_mb_mark_diskspace_used() when mounting and operating on a crafted ext4 image.

- Reproduce

# mkdir mnt
# mount -t ext4 231.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Location

https://elixir.bootlin.com/linux/v4.4.124/source/fs/ext4/mballoc.c#L2907

- Kernel Dump

[ 29.639629] EXT4-fs (loop0): mounted filesystem without journal. Opts: (null)
[ 33.642045] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 4, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[ 33.642115] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 5, block bitmap and bg descriptor inconsistent: 32 vs 61696 free clusters
[ 33.642173] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 17, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[ 33.642227] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 21, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[ 33.642294] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 24, block bitmap and bg descriptor inconsistent: 20 vs 0 free clusters
[ 33.642347] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 25, block bitmap and bg descriptor inconsistent: 20 vs 256 free clusters
[ 33.642755] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 42, block bitmap and bg descriptor inconsistent: 32 vs 4 free clusters
[ 33.642813] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 43, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[ 33.642870] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 62, block bitmap and bg descriptor inconsistent: 20 vs 0 free clusters
[ 33.642922] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 63, block bitmap and bg descriptor inconsistent: 20 vs 32 free clusters
[ 33.643035] ------------[ cut here ]------------
[ 33.643054] kernel BUG at fs/ext4/mballoc.c:2907!
[ 33.643073] invalid opcode: 0000 [#1] SMP
[ 33.643092] Modules linked in: vmw_vsock_vmci_transport vsock uvcvideo snd_ens1371 snd_ac97_codec btusb btrtl btbcm ac97_bus btintel snd_pcm bluetooth videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core vmw_balloon gameport v4l2_common snd_timer videodev snd_rawmidi snd_seq_device coretemp snd joydev input_leds serio_raw vmw_vmci media soundcore i2c_piix4 shpchp 8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear hid_generic usbhid hid vmwgfx crct10dif_pclmul crc32_pclmul ghash_clmulni_intel drm_kms_helper aesni_intel syscopyarea sysfillrect psmouse sysimgblt aes_x86_64
[ 33.643467] fb_sys_fops ttm glue_helper lrw gf128mul drm ablk_helper cryptd mptspi scsi_transport_spi e1000 mptscsih mptbase ahci pata_acpi libahci fjes
[ 33.643542] CPU: 0 PID: 1510 Comm: poc Not tainted 4.4.124 #4
[ 33.644464] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 33.646170] task: ffff880135d31c00 ti: ffff8800b5144000 task.ti: ffff8800b5144000
[ 33.647050] RIP: 0010:[<ffffffff962d4357>] [<ffffffff962d4357>] ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[ 33.648661] RSP: 0018:ffff8800b5147938 EFLAGS: 00010246
[ 33.649410] RAX: 0000000000000000 RBX: ffff8800ba5ff800 RCX: ffff8800347bd148
[ 33.650166] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800b94e6000
[ 33.650837] RBP: ffff8800b5147990 R08: ffff8800b94e6038 R09: ffff8800b94e6034
[ 33.651494] R10: ffff8800b53cb650 R11: 0000000000000230 R12: ffff8800b5147ab4
[ 33.652151] R13: ffff8800ba5fc800 R14: ffff8800b5147ab8 R15: ffff8800b94e6000
[ 33.652762] FS: 00007fbd17057700(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[ 33.653362] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 33.653950] CR2: 0000000001577158 CR3: 00000000b9ac4000 CR4: 0000000000160670
[ 33.654568] Stack:
[ 33.655161] ffff8800ba5ff800 ffff8800347bd138 ffff8800b5147990 ffffffff962d043a
[ 33.655740] ffff88003464e990 828c4939e340e542 ffff8800ba5ff800 ffff8800b5147ab4
[ 33.656337] ffff8800ba5fc800 ffff8800b5147ab8 ffff8800b94e6000 ffff8800b5147a40
[ 33.656880] Call Trace:
[ 33.657475] [<ffffffff962d043a>] ? ext4_mb_new_inode_pa+0x27a/0x3b0
[ 33.658003] [<ffffffff962d58d7>] ext4_mb_new_blocks+0x337/0xad0
[ 33.658520] [<ffffffff9624478a>] ? __find_get_block+0xaa/0x120
[ 33.659025] [<ffffffff96244acb>] ? __getblk_gfp+0x2b/0x60
[ 33.659568] [<ffffffff962da07c>] ? ext4_get_branch+0xbc/0x130
[ 33.660093] [<ffffffff962db65a>] ext4_ind_map_blocks+0xbba/0xbf0
[ 33.660672] [<ffffffff962991d3>] ? mpage_prepare_extent_to_map+0x243/0x2f0
[ 33.661211] [<ffffffff9629a3d4>] ext4_map_blocks+0x2c4/0x570
[ 33.661768] [<ffffffff962cd132>] ? ext4_journal_check_start+0x12/0x80
[ 33.662325] [<ffffffff9629d7f4>] ext4_writepages+0x634/0xce0
[ 33.662906] [<ffffffff9622990e>] ? atime_needs_update+0x4e/0xc0
[ 33.663425] [<ffffffff9619c131>] do_writepages+0x21/0x30
[ 33.663913] [<ffffffff9618f146>] __filemap_fdatawrite_range+0xc6/0x100
[ 33.664460] [<ffffffff9618f28a>] filemap_write_and_wait_range+0x2a/0x70
[ 33.664960] [<ffffffff96234ef7>] __generic_file_fsync+0x27/0x90
[ 33.665399] [<ffffffff96234f79>] generic_file_fsync+0x19/0x40
[ 33.665817] [<ffffffff962946fc>] ext4_sync_file+0x1ec/0x340
[ 33.666230] [<ffffffff962411de>] vfs_fsync_range+0x4e/0xb0
[ 33.666649] [<ffffffff9624129d>] do_fsync+0x3d/0x70
[ 33.667080] [<ffffffff96241563>] SyS_fdatasync+0x13/0x20
[ 33.667492] [<ffffffff967fb4e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[ 33.667895] Code: ff ff 85 c0 0f 85 f9 fd ff ff 4c 8b 45 c8 31 c9 4c 89 e2 be b8 0b 00 00 48 c7 c7 90 68 a3 96 e8 b0 94 ff ff e9 da fd ff ff 0f 0b <0f> 0b 4c 63 4d b0 4c 8b 45 a8 48 c7 c1 30 15 cc 96 ba 7e 0b 00
[ 33.669230] RIP [<ffffffff962d4357>] ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[ 33.669657] RSP <ffff8800b5147938>
[ 33.670300] ---[ end trace 842e5cb6ac86b18d ]---
[ 33.670734] ------------[ cut here ]------------
[ 33.671160] WARNING: CPU: 0 PID: 1510 at kernel/exit.c:661 do_exit+0x5f/0xb00()
[ 33.671629] Modules linked in: vmw_vsock_vmci_transport vsock uvcvideo snd_ens1371 snd_ac97_codec btusb btrtl btbcm ac97_bus btintel snd_pcm bluetooth videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core vmw_balloon gameport v4l2_common snd_timer videodev snd_rawmidi snd_seq_device coretemp snd joydev input_leds serio_raw vmw_vmci media soundcore i2c_piix4 shpchp 8250_fintek mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear hid_generic usbhid hid vmwgfx crct10dif_pclmul crc32_pclmul ghash_clmulni_intel drm_kms_helper aesni_intel syscopyarea sysfillrect psmouse sysimgblt aes_x86_64
[ 33.676423] fb_sys_fops ttm glue_helper lrw gf128mul drm ablk_helper cryptd mptspi scsi_transport_spi e1000 mptscsih mptbase ahci pata_acpi libahci fjes
[ 33.677367] CPU: 0 PID: 1510 Comm: poc Tainted: G D 4.4.124 #4
[ 33.677841] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 33.678904] 0000000000000286 828c4939e340e542 ffff8800b5147640 ffffffff963d8d23
[ 33.679411] 0000000000000000 ffffffff96ca89f6 ffff8800b5147678 ffffffff96081e72
[ 33.679917] ffff880135d31c00 000000000000000b ffff8800b5147888 0000000000000000
[ 33.680482] Call Trace:
[ 33.680982] [<ffffffff963d8d23>] dump_stack+0x63/0x90
[ 33.681485] [<ffffffff96081e72>] warn_slowpath_common+0x82/0xc0
[ 33.681988] [<ffffffff96081fba>] warn_slowpath_null+0x1a/0x20
[ 33.682487] [<ffffffff960848af>] do_exit+0x5f/0xb00
[ 33.682995] [<ffffffff9601acd1>] oops_end+0xa1/0xd0
[ 33.683486] [<ffffffff9601b18b>] die+0x4b/0x70
[ 33.684023] [<ffffffff96018131>] do_trap+0xb1/0x140
[ 33.684525] [<ffffffff960184b9>] do_error_trap+0x89/0x110
[ 33.685012] [<ffffffff962d4357>] ? ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[ 33.685507] [<ffffffff962d3029>] ? mb_mark_used+0x289/0x320
[ 33.686003] [<ffffffff96018a20>] do_invalid_op+0x20/0x30
[ 33.686750] [<ffffffff967fd28e>] invalid_op+0x1e/0x30
[ 33.687719] [<ffffffff962d4357>] ? ext4_mb_mark_diskspace_used+0x2a7/0x4a0
[ 33.688763] [<ffffffff962d043a>] ? ext4_mb_new_inode_pa+0x27a/0x3b0
[ 33.689685] [<ffffffff962d58d7>] ext4_mb_new_blocks+0x337/0xad0
[ 33.690415] [<ffffffff9624478a>] ? __find_get_block+0xaa/0x120
[ 33.691262] [<ffffffff96244acb>] ? __getblk_gfp+0x2b/0x60
[ 33.692246] [<ffffffff962da07c>] ? ext4_get_branch+0xbc/0x130
[ 33.693136] [<ffffffff962db65a>] ext4_ind_map_blocks+0xbba/0xbf0
[ 33.693930] [<ffffffff962991d3>] ? mpage_prepare_extent_to_map+0x243/0x2f0
[ 33.694600] [<ffffffff9629a3d4>] ext4_map_blocks+0x2c4/0x570
[ 33.695526] [<ffffffff962cd132>] ? ext4_journal_check_start+0x12/0x80
[ 33.696304] [<ffffffff9629d7f4>] ext4_writepages+0x634/0xce0
[ 33.696838] [<ffffffff9622990e>] ? atime_needs_update+0x4e/0xc0
[ 33.697308] [<ffffffff9619c131>] do_writepages+0x21/0x30
[ 33.697759] [<ffffffff9618f146>] __filemap_fdatawrite_range+0xc6/0x100
[ 33.698261] [<ffffffff9618f28a>] filemap_write_and_wait_range+0x2a/0x70
[ 33.698694] [<ffffffff96234ef7>] __generic_file_fsync+0x27/0x90
[ 33.699117] [<ffffffff96234f79>] generic_file_fsync+0x19/0x40
[ 33.699559] [<ffffffff962946fc>] ext4_sync_file+0x1ec/0x340
[ 33.699945] [<ffffffff962411de>] vfs_fsync_range+0x4e/0xb0
[ 33.700415] [<ffffffff9624129d>] do_fsync+0x3d/0x70
[ 33.701025] [<ffffffff96241563>] SyS_fdatasync+0x13/0x20
[ 33.701421] [<ffffffff967fb4e5>] entry_SYSCALL_64_fastpath+0x22/0x99
[ 33.701834] ---[ end trace 842e5cb6ac86b18e ]---

Reported by Wen Xu from SSLab, Gatech
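The dump above carries two signatures a host-monitoring or incident-response pipeline would want to pick out of a kernel log: the run of ext4_mb_generate_buddy errors reporting that a block group's bitmap and its group descriptor disagree about the free-cluster count (the on-disk metadata is inconsistent, here from a crafted image mounted without a journal), followed by the BUG() itself with its source location. The following Python is an added example for this report, not code from the reporter or from the kernel: it parses lines in the dmesg format shown here and returns a structured verdict. The sample input is copied from the dump in this report; the regexes, dataclass names and the verdict labels are choices made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Signature 1: a block group whose bitmap free-cluster count disagrees with
# its group descriptor, as logged by ext4_mb_generate_buddy in this report.
INCONSISTENT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\] EXT4-fs error \(device (?P<dev>\w+)\): "
    r"ext4_mb_generate_buddy:\d+: group (?P<group>\d+), "
    r"block bitmap and bg descriptor inconsistent: "
    r"(?P<bitmap_free>\d+) vs (?P<desc_free>\d+) free clusters$"
)
# Signature 2: the BUG() line, which carries the source file and line.
BUG_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\] kernel BUG at (?P<where>\S+)!$")
# Context: the mount line, which records that the device had no journal.
MOUNT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\] EXT4-fs \((?P<dev>\w+)\): mounted filesystem(?P<opts>.*)$"
)


@dataclass
class Inconsistency:
    ts: float
    dev: str
    group: int
    bitmap_free: int  # free clusters counted from the on-disk block bitmap
    desc_free: int    # free clusters claimed by the group descriptor


@dataclass
class Ext4LogReport:
    mounted_without_journal: List[str] = field(default_factory=list)
    inconsistencies: List[Inconsistency] = field(default_factory=list)
    bug_at: Optional[str] = None  # e.g. "fs/ext4/mballoc.c:2907"

    def affected_groups(self) -> List[int]:
        return sorted({i.group for i in self.inconsistencies})

    def verdict(self) -> str:
        # Labels are this example's own; a kernel BUG outranks metadata errors.
        if self.bug_at:
            return "crash"
        if self.inconsistencies:
            return "metadata-inconsistent"
        return "clean"


def scan_kernel_log(lines: Iterable[str]) -> Ext4LogReport:
    """Classify dmesg-style lines; lines matching none of the signatures are ignored."""
    report = Ext4LogReport()
    for raw in lines:
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m and "without journal" in m.group("opts"):
            report.mounted_without_journal.append(m.group("dev"))
            continue
        m = INCONSISTENT_RE.match(line)
        if m:
            report.inconsistencies.append(Inconsistency(
                ts=float(m.group("ts")), dev=m.group("dev"),
                group=int(m.group("group")),
                bitmap_free=int(m.group("bitmap_free")),
                desc_free=int(m.group("desc_free")),
            ))
            continue
        m = BUG_RE.match(line)
        if m and report.bug_at is None:  # keep the first BUG location seen
            report.bug_at = m.group("where")
    return report


# Sample input: lines copied from the kernel dump in this report, not a live capture.
SAMPLE_LOG = """\
[ 29.639629] EXT4-fs (loop0): mounted filesystem without journal. Opts: (null)
[ 33.642045] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 4, block bitmap and bg descriptor inconsistent: 32 vs 0 free clusters
[ 33.642115] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 5, block bitmap and bg descriptor inconsistent: 32 vs 61696 free clusters
[ 33.642922] EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 63, block bitmap and bg descriptor inconsistent: 20 vs 32 free clusters
[ 33.643035] ------------[ cut here ]------------
[ 33.643054] kernel BUG at fs/ext4/mballoc.c:2907!
[ 33.643073] invalid opcode: 0000 [#1] SMP
"""


def sample_report() -> Ext4LogReport:
    return scan_kernel_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    r = sample_report()
    print(f"verdict={r.verdict()} bug_at={r.bug_at} groups={r.affected_groups()} "
          f"no-journal={r.mounted_without_journal}")
    for inc in r.inconsistencies:
        print(f"  {inc.dev} group {inc.group}: bitmap says {inc.bitmap_free}, "
              f"descriptor says {inc.desc_free}")
```

Run against the report's dump it yields verdict "crash" at fs/ext4/mballoc.c:2907 with groups 4, 5 and 63 flagged; the same scanner over a log that has only the ext4_mb_generate_buddy errors returns "metadata-inconsistent", which is the earlier, still-recoverable signal that an untrusted or damaged image has been mounted.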