https://bugzilla.kernel.org/show_bug.cgi?id=216283

            Bug ID: 216283
           Summary: FUZZ: BUG() triggered in fs/ext4/extents.c:ext4_ext_insert_extent() when mounting and operating on a crafted image
           Product: File System
           Version: 2.5
    Kernel Version: 5.15-5.19-rc8
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: wenqingliu0120@xxxxxxxxx
        Regression: No

Created attachment 301487
  --> https://bugzilla.kernel.org/attachment.cgi?id=301487&action=edit
poc and .config

- Overview

FUZZ: BUG() triggered in fs/ext4/extents.c:ext4_ext_insert_extent() when mounting and operating on a crafted image

- Reproduce

Tested on kernel 5.15.57, 5.19-rc8

# mkdir test_crash
# cd test_crash
# unzip tmp15.zip
# mkdir mnt
# ./single_test.sh ext4 15

- Kernel dump

[ 1524.446966] loop5: detected capacity change from 0 to 32768
[ 1524.536425] EXT4-fs (loop5): recovery complete
[ 1524.542174] EXT4-fs (loop5): mounted filesystem with ordered data mode. Quota mode: none.
[ 1524.542850] ext4 filesystem being mounted at /home/wq/test_crashes/mnt supports timestamps until 2038 (0x7fffffff)
[ 1524.849072] ------------[ cut here ]------------
[ 1524.849076] kernel BUG at fs/ext4/extents.c:1006!
[ 1524.849141] invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 1524.849167] CPU: 0 PID: 1186 Comm: tmp15 Not tainted 5.19.0-rc8 #1
[ 1524.849193] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 1524.849228] RIP: 0010:ext4_ext_insert_extent+0x3b8e/0x43d0
[ 1524.849259] Code: df ba f7 03 00 00 48 c7 c6 e0 9b f8 8d 41 be 8b ff ff ff e8 e4 20 12 00 e9 da f5 ff ff 4c 89 ff e8 a7 91 cf ff e9 a0 f4 ff ff <0f> 0b e8 1b 91 cf ff e9 49 f4 ff ff 44 0f b7 fa 50 49 c7 c1 e0 8f
[ 1524.849330] RSP: 0018:ffff88812689f5f8 EFLAGS: 00010286
[ 1524.849353] RAX: 00000000ffffffff RBX: ffff888105227aa8 RCX: 0000000000000000
[ 1524.849381] RDX: ffffffffffffffff RSI: 0000000000017ef8 RDI: ffff888173197004
[ 1524.849410] RBP: ffff888105227986 R08: 0000000000000001 R09: ffffed1020af02a9
[ 1524.849438] R10: ffff888105781547 R11: ffffed1020af02a8 R12: 0000000000001013
[ 1524.849466] R13: ffff888103723c58 R14: ffff888173197000 R15: ffff888173197018
[ 1524.849494] FS:  00007f653cb8b540(0000) GS:ffff888293600000(0000) knlGS:0000000000000000
[ 1524.849526] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1524.849549] CR2: 000055c5c050c008 CR3: 000000011caae004 CR4: 0000000000370ef0
[ 1524.849579] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1524.849610] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1524.849638] Call Trace:
[ 1524.849650]  <TASK>
[ 1524.849661]  ? ext4_discard_preallocations+0xd70/0xd70
[ 1524.849686]  ? ext4_ext_shift_extents+0xc50/0xc50
[ 1524.849707]  ? ext4_ext_search_right+0x822/0xc20
[ 1524.849728]  ? _raw_spin_unlock_irqrestore+0x23/0x40
[ 1524.849750]  ext4_ext_map_blocks+0xc86/0x3710
[ 1524.849771]  ? ext4_ext_release+0x10/0x10
[ 1524.849789]  ? do_writepages+0x170/0x590
[ 1524.849819]  ? __filemap_fdatawrite_range+0xa7/0xe0
[ 1524.849859]  ? ext4_sync_file+0x18a/0x9b0
[ 1524.849895]  ? do_fsync+0x38/0x70
[ 1524.849928]  ? __x64_sys_fdatasync+0x32/0x50
[ 1524.849965]  ? mpage_process_page_bufs+0xe8/0x5b0
[ 1524.850005]  ? __pagevec_release+0x7f/0x110
[ 1524.850042]  ? down_write_killable+0x130/0x130
[ 1524.850080]  ? ext4_es_lookup_extent+0x3ae/0x960
[ 1524.850104]  ext4_map_blocks+0x600/0x1460
[ 1524.850123]  ? ext4_issue_zeroout+0x190/0x190
[ 1524.850142]  ? __kasan_slab_alloc+0x90/0xc0
[ 1524.850163]  ext4_writepages+0xffa/0x25e0
[ 1524.850182]  ? __ext4_mark_inode_dirty+0x5f0/0x5f0
[ 1524.850204]  ? __stack_depot_save+0x34/0x540
[ 1524.850223]  ? _raw_spin_lock+0x87/0xda
[ 1524.850245]  ? _raw_spin_lock_irqsave+0xf0/0xf0
[ 1524.850283]  ? kmem_cache_free+0xd3/0x3b0
[ 1524.850320]  ? do_syscall_64+0x38/0x90
[ 1524.851019]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 1524.851716]  do_writepages+0x170/0x590
[ 1524.852415]  ? page_writeback_cpu_online+0x20/0x20
[ 1524.853162]  ? avc_has_extended_perms+0xe70/0xe70
[ 1524.853848]  ? may_linkat+0x310/0x310
[ 1524.854524]  ? _raw_spin_lock+0x87/0xda
[ 1524.855182]  ? _raw_spin_lock_irqsave+0xf0/0xf0
[ 1524.855824]  ? wbc_attach_and_unlock_inode+0x21/0x590
[ 1524.856449]  filemap_fdatawrite_wbc+0x11d/0x190
[ 1524.857095]  __filemap_fdatawrite_range+0xa7/0xe0
[ 1524.857686]  ? delete_from_page_cache_batch+0x950/0x950
[ 1524.858274]  ? do_faccessat+0x1d2/0x630
[ 1524.858855]  ? kmem_cache_free+0xd3/0x3b0
[ 1524.859434]  file_write_and_wait_range+0x92/0x100
[ 1524.860013]  ext4_sync_file+0x18a/0x9b0
[ 1524.860587]  do_fsync+0x38/0x70
[ 1524.861193]  __x64_sys_fdatasync+0x32/0x50
[ 1524.861744]  do_syscall_64+0x38/0x90
[ 1524.862284]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 1524.862832] RIP: 0033:0x7f653cab073d
[ 1524.863388] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 23 37 0d 00 f7 d8 64 89 01 48
[ 1524.864581] RSP: 002b:00007ffe69164218 EFLAGS: 00000217 ORIG_RAX: 000000000000004b
[ 1524.865245] RAX: ffffffffffffffda RBX: 000055c5c050b720 RCX: 00007f653cab073d
[ 1524.865868] RDX: 00007f653cab073d RSI: ffffffffffffff80 RDI: 0000000000000004
[ 1524.866499] RBP: 00007ffe69168b80 R08: 00007ffe69168c78 R09: 00007ffe69168c78
[ 1524.867134] R10: 00007ffe69168c78 R11: 0000000000000217 R12: 000055c5c050b0a0
[ 1524.867770] R13: 00007ffe69168c70 R14: 0000000000000000 R15: 0000000000000000
[ 1524.868404]  </TASK>
[ 1524.869048] Modules linked in: input_leds joydev serio_raw qemu_fw_cfg xfs autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper hid_generic usbhid syscopyarea sysfillrect sysimgblt fb_sys_fops hid drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel psmouse crypto_simd cryptd
[ 1524.871971] ---[ end trace 0000000000000000 ]---
[ 1524.872717] RIP: 0010:ext4_ext_insert_extent+0x3b8e/0x43d0
[ 1524.873715] Code: df ba f7 03 00 00 48 c7 c6 e0 9b f8 8d 41 be 8b ff ff ff e8 e4 20 12 00 e9 da f5 ff ff 4c 89 ff e8 a7 91 cf ff e9 a0 f4 ff ff <0f> 0b e8 1b 91 cf ff e9 49 f4 ff ff 44 0f b7 fa 50 49 c7 c1 e0 8f
[ 1524.875375] RSP: 0018:ffff88812689f5f8 EFLAGS: 00010286
[ 1524.876222] RAX: 00000000ffffffff RBX: ffff888105227aa8 RCX: 0000000000000000
[ 1524.877110] RDX: ffffffffffffffff RSI: 0000000000017ef8 RDI: ffff888173197004
[ 1524.877964] RBP: ffff888105227986 R08: 0000000000000001 R09: ffffed1020af02a9
[ 1524.878829] R10: ffff888105781547 R11: ffffed1020af02a8 R12: 0000000000001013
[ 1524.879684] R13: ffff888103723c58 R14: ffff888173197000 R15: ffff888173197018
[ 1524.880561] FS:  00007f653cb8b540(0000) GS:ffff888293600000(0000) knlGS:0000000000000000
[ 1524.881491] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1524.882372] CR2: 000055c5c050c008 CR3: 000000011caae004 CR4: 0000000000370ef0
[ 1524.883270] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1524.884182] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1524.885084] ------------[ cut here ]------------
[ 1524.885972] WARNING: CPU: 0 PID: 1186 at kernel/exit.c:741 do_exit+0x1798/0x2740
[ 1524.886885] Modules linked in: input_leds joydev serio_raw qemu_fw_cfg xfs autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper hid_generic usbhid syscopyarea sysfillrect sysimgblt fb_sys_fops hid drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel psmouse crypto_simd cryptd
[ 1524.890831] CPU: 0 PID: 1186 Comm: tmp15 Tainted: G      D           5.19.0-rc8 #1
[ 1524.891858] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 1524.892918] RIP: 0010:do_exit+0x1798/0x2740
[ 1524.893959] Code: c0 74 08 3c 03 0f 8e cc 0c 00 00 8b 83 48 13 00 00 65 01 05 7a 59 aa 74 e9 92 fc ff ff 48 89 df e8 fd 77 28 00 e9 ec ee ff ff <0f> 0b e9 fa e8 ff ff 4c 89 e6 bf 05 06 00 00 e8 d4 72 02 00 e9 b2
[ 1524.896142] RSP: 0018:ffff88812689fe48 EFLAGS: 00010286
[ 1524.897245] RAX: 1ffff11024d12815 RBX: ffff888126893400 RCX: 0000000000000000
[ 1524.898357] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8881268940a8
[ 1524.899473] RBP: ffff888126893400 R08: 0000000000000041 R09: ffffed1024d13000
[ 1524.900604] R10: ffff88829362848b R11: ffffed10526c5091 R12: 000000000000000b
[ 1524.901737] R13: ffffffff8de22ac0 R14: ffff888126893400 R15: 0000000000000000
[ 1524.902863] FS:  00007f653cb8b540(0000) GS:ffff888293600000(0000) knlGS:0000000000000000
[ 1524.904014] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1524.905156] CR2: 000055c5c050c008 CR3: 000000011caae004 CR4: 0000000000370ef0
[ 1524.906287] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1524.907395] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1524.908495] Call Trace:
[ 1524.909570]  <TASK>
[ 1524.910628]  ? file_write_and_wait_range+0x92/0x100
[ 1524.911697]  ? mm_update_next_owner+0x6e0/0x6e0
[ 1524.912777]  ? ext4_sync_file+0x18a/0x9b0
[ 1524.913849]  make_task_dead+0xb0/0xc0
[ 1524.914904]  rewind_stack_and_make_dead+0x17/0x17
[ 1524.915952] RIP: 0033:0x7f653cab073d
[ 1524.916963] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 23 37 0d 00 f7 d8 64 89 01 48
[ 1524.918998] RSP: 002b:00007ffe69164218 EFLAGS: 00000217 ORIG_RAX: 000000000000004b
[ 1524.920032] RAX: ffffffffffffffda RBX: 000055c5c050b720 RCX: 00007f653cab073d
[ 1524.921062] RDX: 00007f653cab073d RSI: ffffffffffffff80 RDI: 0000000000000004
[ 1524.922070] RBP: 00007ffe69168b80 R08: 00007ffe69168c78 R09: 00007ffe69168c78
[ 1524.923061] R10: 00007ffe69168c78 R11: 0000000000000217 R12: 000055c5c050b0a0
[ 1524.924051] R13: 00007ffe69168c70 R14: 0000000000000000 R15: 0000000000000000
[ 1524.925023]  </TASK>
[ 1524.925975] ---[ end trace 0000000000000000 ]---
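The trace above reaches the BUG() from a userspace fdatasync(2) (ORIG_RAX 0x4b, fd 4 in RDI) through ext4_writepages -> ext4_map_blocks -> ext4_ext_map_blocks -> ext4_ext_insert_extent, that is, while allocating blocks for dirty data on the crafted image; the report does not say which on-disk field is malformed. The C program below is an added example, not code from the report, from the attached PoC or from the kernel: it parses one ext4 extent-tree node from a byte buffer and applies structural checks of the kind ext4_ext_check() performs before the kernel trusts a node read from disk (magic 0xF30A, eh_max fitting the node, eh_entries <= eh_max, the depth expected from the parent, no empty index node, non-overlapping increasing entries, non-zero extent length that does not wrap the 32-bit logical block space). The 60-byte sample node is constructed for this example and is not the corruption in tmp15.zip; the names ext_check_node and demo_* are this example's own.

```c
/*
 * Added example, not code from the bug report or the kernel: a userland
 * checker for one ext4 extent-tree node.  Layout facts (12-byte header,
 * 12-byte entries, magic 0xF30A, max depth 5, ee_len > 32768 meaning an
 * unwritten extent of ee_len - 32768 blocks) are the ext4 on-disk format.
 * The sample node below is constructed and is NOT the corruption in the
 * attached image; it only shows what a node must satisfy to be trusted.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT4_EXT_MAGIC        0xF30Au
#define EXT4_MAX_EXTENT_DEPTH 5u
#define EXT_HDR_SIZE          12u
#define EXT_ENTRY_SIZE        12u
#define EXT_INIT_MAX_LEN      32768u
#define EXT4_I_BLOCK_BYTES    60u   /* size of the inode's i_block[] array */

enum ext_check {
    EXT_OK = 0,
    EXT_BAD_SIZE,      /* buffer too small for a header */
    EXT_BAD_MAGIC,
    EXT_BAD_DEPTH,     /* eh_depth != depth expected from the parent, or > 5 */
    EXT_BAD_MAX,       /* eh_max is 0 or more entries than the node can hold */
    EXT_BAD_ENTRIES,   /* eh_entries > eh_max */
    EXT_EMPTY_INDEX,   /* index node (depth > 0) with no entries */
    EXT_BAD_LEN,       /* extent of length 0, or one that wraps past 2^32 blocks */
    EXT_BAD_ORDER,     /* entries overlap or are not increasing */
};

/* On-disk fields are little-endian __le16/__le32. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Check a node of node_len bytes that the parent says sits at expected_depth
 * (0 = leaf of struct ext4_extent, >0 = index node of struct ext4_extent_idx).
 * Child blocks referenced by index entries are not followed here.
 */
enum ext_check ext_check_node(const uint8_t *node, size_t node_len, unsigned expected_depth)
{
    if (node_len < EXT_HDR_SIZE)
        return EXT_BAD_SIZE;
    uint16_t magic   = rd16(node + 0);
    uint16_t entries = rd16(node + 2);
    uint16_t max     = rd16(node + 4);
    uint16_t depth   = rd16(node + 6);
    /* bytes 8..11 are eh_generation, not needed for these checks */

    if (magic != EXT4_EXT_MAGIC)
        return EXT_BAD_MAGIC;
    if (depth != expected_depth || depth > EXT4_MAX_EXTENT_DEPTH)
        return EXT_BAD_DEPTH;
    size_t room = (node_len - EXT_HDR_SIZE) / EXT_ENTRY_SIZE;   /* 4 for an inode root */
    if (max == 0 || max > room)
        return EXT_BAD_MAX;
    if (entries > max)
        return EXT_BAD_ENTRIES;
    if (depth > 0 && entries == 0)
        return EXT_EMPTY_INDEX;

    uint64_t prev_end = 0;
    for (unsigned i = 0; i < entries; i++) {
        const uint8_t *e = node + EXT_HDR_SIZE + i * EXT_ENTRY_SIZE;
        uint64_t lblk = rd32(e);                 /* ee_block / ei_block */
        uint64_t end;
        if (depth == 0) {
            uint32_t len = rd16(e + 4);          /* ee_len */
            if (len > EXT_INIT_MAX_LEN)
                len -= EXT_INIT_MAX_LEN;         /* unwritten extent encoding */
            if (len == 0 || lblk + len > UINT32_MAX)
                return EXT_BAD_LEN;
            end = lblk + len;
        } else {
            end = lblk + 1;                      /* index keys must strictly increase */
        }
        if (i > 0 && lblk < prev_end)
            return EXT_BAD_ORDER;
        prev_end = end;
    }
    return EXT_OK;
}

/* Constructed sample: an inode-resident root (the 60-byte i_block) holding a
 * depth-0 leaf with two extents, [0,8) -> pblk 0x1000 and [8,12) -> pblk 0x2000. */
static const uint8_t sample_root[EXT4_I_BLOCK_BYTES] = {
    0x0a, 0xf3,             /* eh_magic   = 0xF30A */
    0x02, 0x00,             /* eh_entries = 2 */
    0x04, 0x00,             /* eh_max     = 4 (an inode root holds at most 4) */
    0x00, 0x00,             /* eh_depth   = 0 (leaf) */
    0x00, 0x00, 0x00, 0x00, /* eh_generation */
    0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, /* ee_block 0, ee_len 8 */
    0x08, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, /* ee_block 8, ee_len 4 */
    /* remaining 24 bytes: two unused slots, zero */
};

/* Run the checker on a copy of sample_root with one byte tampered. */
static enum ext_check check_tampered(size_t off, uint8_t value)
{
    uint8_t node[EXT4_I_BLOCK_BYTES];
    memcpy(node, sample_root, sizeof node);
    node[off] = value;
    return ext_check_node(node, sizeof node, 0);
}

enum ext_check demo_entries_exceed_max(void)  { return check_tampered(2, 9); }  /* eh_entries 9 > eh_max 4 */
enum ext_check demo_overlapping_extents(void) { return check_tampered(24, 3); } /* 2nd ee_block 3 lies inside [0,8) */
enum ext_check demo_zero_length_extent(void)  { return check_tampered(16, 0); } /* 1st ee_len 0 */
enum ext_check demo_empty_index_node(void)
{
    uint8_t node[EXT4_I_BLOCK_BYTES];
    memcpy(node, sample_root, sizeof node);
    node[2] = 0;   /* eh_entries = 0 */
    node[6] = 1;   /* eh_depth   = 1: an index node that points nowhere */
    return ext_check_node(node, sizeof node, 1);
}

int main(void)
{
    printf("sample root      : %d\n", ext_check_node(sample_root, sizeof sample_root, 0));
    printf("entries > max    : %d\n", demo_entries_exceed_max());
    printf("overlap          : %d\n", demo_overlapping_extents());
    printf("zero length      : %d\n", demo_zero_length_extent());
    printf("empty index node : %d\n", demo_empty_index_node());
    return 0;
}
```

Each failing check maps to a case the kernel reports with EXT4_ERROR_INODE and -EFSCORRUPTED rather than a BUG(); a node that passes all of them can still describe a tree the allocator cannot extend, which is why a fuzzed image that survives the header checks is the interesting input for ext4_ext_insert_extent.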