On 13/01/2025 15:54, Kun Hu wrote:
32generated_program.c memory maps the filesystem image, mounts it, and
then modifies it through the memory map. It's those modifications that
cause gfs2 to crash, so the test case is invalid.
Is disabling CONFIG_BLK_DEV_WRITE_MOUNTED supposed to prevent that? If
so, then it doesn't seem to be working.
Thanks,
Andreas
We have reproduced the crash with CONFIG_BLK_DEV_WRITE_MOUNTED disabled to obtain the same crash log. The new crash log, along with the C and Syzlang reproducers, is provided below:
Crash log: https://drive.google.com/file/d/1FiCgo05oPheAt4sDQzRYTQwl0-CY6rvi/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1TTR9cquaJcMYER6vtYUGh3gOn_mROME4/view?usp=sharing
Syzlang reproducer: https://drive.google.com/file/d/1R9QDUP2r7MI4kYMiT_yn-tzm6NqmcEW-/view?usp=sharing
Hi Andreas,
As per Jan's suggestion, we’ve successfully reproduced the crash with CONFIG_BLK_DEV_WRITE_MOUNTED disabled. Should you require us to test this issue again, we are happy to do so.
FWIW the reproducer boils down to
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/fs.h>

/*
 mkfs.gfs2 -b 2048 -p lock_nolock $DEV
 mount $DEV $MNT
 cd $MNT
 /path/to/this_test
*/

int main(void)
{
    unsigned flag = FS_JOURNAL_DATA_FL;
    char buf[4102] = {0};
    int fd;

    /* Error checking omitted for clarity */
    fd = open("f", O_CREAT|O_RDWR, 0644); /* O_CREAT requires a mode argument */
    write(fd, buf, sizeof(buf));
    ioctl(fd, FS_IOC_SETFLAGS, &flag);     /* switch the file to journaled data mode */
    write(fd, buf, sizeof(buf));           /* boom */
    close(fd);
    return 0;
}
So it's switching the file to journaled data mode between two writes.
The size of the writes seems to be relevant and the fs needs to be
created with a 2K block size (I'm guessing it could reproduce with other
combinations).
Andy