https://bugzilla.kernel.org/show_bug.cgi?id=200093

            Bug ID: 200093
           Summary: JBD2 unexpected failure when mounting and operating a crafted ext4 image
           Product: File System
           Version: 2.5
    Kernel Version: 4.17
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 276601
  --> https://bugzilla.kernel.org/attachment.cgi?id=276601&action=edit
The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t ext4 274.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- Kernel message
[ 122.880706] EXT4-fs error (device loop0): ext4_orphan_get:1249: comm mount: bad orphan inode 1263225600
[ 122.906475] EXT4-fs (loop0): recovery complete
[ 122.906491] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[ 126.432320] EXT4-fs error (device loop0): ext4_init_inode_table:1393: comm ext4lazyinit: Something is wrong with group 0: used itable blocks: -467; itable unused count: 1935
[ 126.833478] EXT4-fs error (device loop0): htree_dirblock_to_tree:1006: inode #2: block 35: comm a.out: bad entry in directory: inode out of bounds - offset=152(152), inode=32767, rec_len=12, name_len=1
[ 126.955839] EXT4-fs error (device loop0): ext4_map_blocks:592: inode #14: block 16768512: comm a.out: lblock 0 mapped to illegal pblock 16768512 (length 1)
[ 126.978875] EXT4-fs error (device loop0): ext4_clear_blocks:849: inode #14: comm a.out: attempt to clear invalid blocks 16768512 len 1
[ 127.001293] EXT4-fs error (device loop0): ext4_mb_generate_buddy:746: group 1, block bitmap and bg descriptor inconsistent: 512 vs 28 free clusters
[ 127.004406] EXT4-fs error (device loop0): ext4_free_data:972: inode #14: comm a.out: circular indirect block detected at block 19
[ 127.037615] JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh);   <--
[ 127.039074] inconsistent data on disk   <--
[ 127.039823] EXT4-fs: ext4_free_blocks:4805: aborting transaction: IO failure in __ext4_forget
[ 127.066117] EXT4-fs error (device loop0): ext4_free_blocks:4805: error -5 when attempting revoke
[ 127.067876] EXT4-fs (loop0): Remounting filesystem read-only
[ 127.069081] Aborting journal on device loop0-8.
[ 127.120840] EXT4-fs error (device loop0): ext4_mb_free_metadata:4684: group 0, block 19:Block already on to-be-freed list
[ 127.123048] EXT4-fs error (device loop0) in ext4_free_blocks:4962: Journal has aborted
[ 127.144847] EXT4-fs error (device loop0) in ext4_orphan_del:2899: Journal has aborted
[ 127.165785] EXT4-fs error (device loop0) in ext4_do_update_inode:5273: Journal has aborted

- Location
https://elixir.bootlin.com/linux/latest/source/fs/jbd2/revoke.c#L374

Reported by Wen Xu from SSLab at Gatech.
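From a defender's side, the useful signal in a report like this is the shape of the kernel log: a burst of EXT4-fs consistency errors from several different call sites, a JBD2 assertion failure, and then the journal abort and read-only remount. The script below is an added example, not part of the bug report or of the kernel; it parses a dmesg excerpt copied from the messages above into structured records and flags a device whose mount degraded this way, so that a host that silently went read-only after mounting an untrusted image can be triaged. The function names (parse_dmesg, summarize, is_suspicious) and the threshold in is_suspicious are my own choices, and SAMPLE_DMESG is a constructed excerpt of the report's lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the kernel messages from the report above,
# copied verbatim (timestamps included) so the parser runs offline.
SAMPLE_DMESG = """\
[ 122.880706] EXT4-fs error (device loop0): ext4_orphan_get:1249: comm mount: bad orphan inode 1263225600
[ 122.906475] EXT4-fs (loop0): recovery complete
[ 122.906491] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[ 126.833478] EXT4-fs error (device loop0): htree_dirblock_to_tree:1006: inode #2: block 35: comm a.out: bad entry in directory: inode out of bounds - offset=152(152), inode=32767, rec_len=12, name_len=1
[ 127.004406] EXT4-fs error (device loop0): ext4_free_data:972: inode #14: comm a.out: circular indirect block detected at block 19
[ 127.037615] JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh);
[ 127.039074] inconsistent data on disk
[ 127.067876] EXT4-fs (loop0): Remounting filesystem read-only
[ 127.069081] Aborting journal on device loop0-8.
[ 127.123048] EXT4-fs error (device loop0) in ext4_free_blocks:4962: Journal has aborted
"""

TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
# Both "EXT4-fs error (device X): func:line: ..." and the
# "EXT4-fs error (device X) in func:line: ..." variant seen after a journal abort.
EXT4_ERR_RE = re.compile(
    r"^EXT4-fs error \(device (?P<dev>[^)]+)\)(?::| in) (?P<func>\w+):(?P<line>\d+): (?P<detail>.*)$"
)
INODE_RE = re.compile(r"inode #(?P<inode>\d+)")
COMM_RE = re.compile(r"comm (?P<comm>\S+):")
JBD2_RE = re.compile(r"^JBD2 unexpected failure: (?P<func>\w+): (?P<assertion>.*)$")
RO_RE = re.compile(r"^EXT4-fs \((?P<dev>[^)]+)\): Remounting filesystem read-only$")
ABORT_RE = re.compile(r"^Aborting journal on device (?P<dev>\S+)\.$")


def _base_device(dev):
    """jbd2 names the journal '<dev>-<instance>' (e.g. loop0-8); map it back to the block device."""
    base, sep, tail = dev.rpartition("-")
    return base if sep and tail.isdigit() else dev


def parse_dmesg(text):
    """Turn kernel log lines into structured records; non-matching lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        if (e := EXT4_ERR_RE.match(msg)):
            detail = e.group("detail")
            inode, comm = INODE_RE.search(detail), COMM_RE.search(detail)
            records.append({"ts": ts, "kind": "ext4_error", "dev": e.group("dev"),
                            "func": e.group("func"), "line": int(e.group("line")),
                            "inode": int(inode.group("inode")) if inode else None,
                            "comm": comm.group("comm") if comm else None,
                            "detail": detail})
        elif (j := JBD2_RE.match(msg)):
            # The assertion line carries no device name; it is kept separately.
            records.append({"ts": ts, "kind": "jbd2_failure",
                            "func": j.group("func"), "assertion": j.group("assertion")})
        elif (r := RO_RE.match(msg)):
            records.append({"ts": ts, "kind": "remount_ro", "dev": r.group("dev")})
        elif (a := ABORT_RE.match(msg)):
            records.append({"ts": ts, "kind": "journal_abort", "dev": _base_device(a.group("dev"))})
    return records


def summarize(records):
    """Aggregate per block device: error count, distinct call sites, inodes, commands, degradation."""
    devices = defaultdict(lambda: {"error_count": 0, "functions": set(), "inodes": set(),
                                   "comms": set(), "journal_aborted": False,
                                   "remounted_ro": False, "first_error_ts": None})
    jbd2_failures = []
    for rec in records:
        if rec["kind"] == "ext4_error":
            d = devices[rec["dev"]]
            d["error_count"] += 1
            d["functions"].add(rec["func"])
            if rec["inode"] is not None:
                d["inodes"].add(rec["inode"])
            if rec["comm"]:
                d["comms"].add(rec["comm"])
            if d["first_error_ts"] is None:
                d["first_error_ts"] = rec["ts"]
        elif rec["kind"] == "remount_ro":
            devices[rec["dev"]]["remounted_ro"] = True
        elif rec["kind"] == "journal_abort":
            devices[rec["dev"]]["journal_aborted"] = True
        elif rec["kind"] == "jbd2_failure":
            jbd2_failures.append(rec["func"])
    return {"devices": dict(devices), "jbd2_failures": jbd2_failures}


def is_suspicious(summary, dev, min_functions=2):
    """Flag a device that degraded (journal abort or read-only remount) after errors from
    several distinct ext4 call sites, or any run that tripped a JBD2 assertion."""
    d = summary["devices"].get(dev)
    if d is None:
        return False
    degraded = d["journal_aborted"] or d["remounted_ro"]
    return (degraded and len(d["functions"]) >= min_functions) or bool(summary["jbd2_failures"])


if __name__ == "__main__":
    s = summarize(parse_dmesg(SAMPLE_DMESG))
    for dev, d in s["devices"].items():
        print(dev, "errors:", d["error_count"], "sites:", sorted(d["functions"]),
              "inodes:", sorted(d["inodes"]), "by:", sorted(d["comms"]),
              "suspicious:", is_suspicious(s, dev))
    print("JBD2 assertions:", s["jbd2_failures"])
```

Feeding the full message list from the report (or `dmesg` output on a live host) in place of SAMPLE_DMESG gives the same per-device view; the `comms` set is what ties the errors back to the process that touched the mount, which is the first thing to look at when an image of unknown origin was mounted.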