Hi,

It seems the logfs filesystem needs some more sanity checks. I have a corrupted (intentionally, using the Berserker toolkit) 10 MiB ext2 filesystem which is not recognized as ext2 and which logfs tries to mount with mount -t auto, leading to a crash on a vanilla 3.3.4 running in kvm x86-64.

The corrupted ext2 filesystem actually differs from an excellently working, clean ext2 filesystem by a single bit:

------------------------------------------------------------
$ diff -u <(hd testimg.ext2) <(hd testimg.ext2.89.min)
--- /dev/fd/63 2012-05-05 01:24:33.184116801 +0300 +++ /dev/fd/62 2012-05-05 01:24:33.184116801 +0300 
@@ -3,7 +3,7 @@ 00000400 00 0a 00 00 00 28 00 00 00 02 00 00 1d 23 00 00 |.....(.......#..| 00000410 9d 04 00 00 01 00 00 00 00 00 00 00 00 00 00 00 |................| 00000420 00 20 00 00 00 20 00 00 00 05 00 00 fc 12 ac 48 |. ... .........H| -00000430 66 4f a4 4f 00 00 26 00 53 ef 01 00 01 00 00 00 |fO.O..&.S.......| +00000430 66 4f a4 4f 00 00 26 00 53 ed 01 00 01 00 00 00 |fO.O..&.S.......| 00000440 66 4f a4 4f 00 4e ed 00 00 00 00 00 01 00 00 00 |fO.O.N..........| 00000450 00 00 00 00 0b 00 00 00 80 00 00 00 38 00 00 00 |............8...| 00000460 02 00 00 00 01 00 00 00 17 ca c1 08 7d a3 42 47 |............}.BG|
------------------------------------------------------------

You can get the offending filesystem image at

http://sli.dy.fi/~sliedes/berserker/testcases/testimg.ext2.89.crash-logfs

and the crash can be reproduced simply by mounting the filesystem with

mount $path_to_filesystem /mnt -o errors=continue

Sami

------------------------------------------------------------
REISERFS warning (device vdb): super-6506 reiserfs_getopt: bad value "continue" for option "errors"
EXT3-fs (vdb): error: can't find ext3 filesystem on dev vdb.
EXT2-fs (vdb): error: can't find an ext2 filesystem on dev vdb.
EXT4-fs (vdb): VFS: Can't find ext4 filesystem
cramfs: wrong magic
SQUASHFS error: Can't find a SQUASHFS superblock on vdb
VFS: Can't find a Minix filesystem V1 | V2 | V3 on device vdb.
FAT-fs (vdb): bogus number of reserved sectors
FAT-fs (vdb): Can't find a valid FAT filesystem
FAT-fs (vdb): bogus number of reserved sectors
FAT-fs (vdb): Can't find a valid FAT filesystem
BFS-fs: bfs_fill_super(): No BFS filesystem on vdb (magic=00000000)
hfs: unable to parse mount options
hfs: unable to parse mount options.
vxfs: WRONG superblock magic
VFS: unable to find oldfs superblock on device vdb
VFS: could not find a valid V7 on vdb.
HPFS: Bad magic ... probably not HPFS
NTFS-fs error (device vdb): read_ntfs_boot_sector(): Primary boot sector is invalid.
NTFS-fs error (device vdb): read_ntfs_boot_sector(): Mount option errors=recover not used. Aborting without trying to recover.
NTFS-fs error (device vdb): ntfs_fill_super(): Not an NTFS volume.
UFS-fs: Invalid option: "errors=continue" or missing value
wrong mount options
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
Pid: 1419, comm: mount Not tainted 3.3.4 #2
Call Trace:
 [<ffffffff81074d35>] __lock_acquire+0x8b5/0x1ba0
 [<ffffffff8107660d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffff8172b41b>] ? _raw_spin_unlock_irq+0x2b/0x40
 [<ffffffff8172a072>] ? wait_for_common+0x122/0x160
 [<ffffffff8105e140>] ? try_to_wake_up+0x160/0x160
 [<ffffffff812b421d>] ? logfs_get_wblocks+0x3d/0x90
 [<ffffffff81077821>] lock_acquire+0xa1/0x140
 [<ffffffff812b421d>] ? logfs_get_wblocks+0x3d/0x90
 [<ffffffff81728a4a>] mutex_lock_nested+0x3a/0x2f0
 [<ffffffff812b421d>] ? logfs_get_wblocks+0x3d/0x90
 [<ffffffff812b421d>] logfs_get_wblocks+0x3d/0x90
 [<ffffffff812b0ec8>] logfs_sync_fs+0x18/0x40
 [<ffffffff8111896e>] __sync_filesystem+0x5e/0x90
 [<ffffffff811189f2>] sync_filesystem+0x32/0x60
 [<ffffffff812b85a7>] logfs_kill_sb+0x27/0xe0
 [<ffffffff810eedd5>] deactivate_locked_super+0x45/0x80
 [<ffffffff812b8f85>] logfs_mount+0x255/0x710
 [<ffffffff810f06ab>] mount_fs+0x1b/0xd0
 [<ffffffff8110a0fd>] vfs_kern_mount+0x6d/0x110
 [<ffffffff8172b636>] ? _raw_read_unlock+0x26/0x30
 [<ffffffff8110a21f>] do_kern_mount+0x4f/0x100
 [<ffffffff8110b88a>] do_mount+0x53a/0x840
 [<ffffffff810bafc2>] ? __get_free_pages+0x12/0x50
 [<ffffffff8110b1d5>] ? copy_mount_options+0x35/0x170
 [<ffffffff811374ef>] compat_sys_mount+0xdf/0x260
 [<ffffffff8172d531>] sysenter_dispatch+0x7/0x2a
 [<ffffffff8156295e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff81728adb>] mutex_lock_nested+0xcb/0x2f0
PGD 6a52067 PUD 5657067 PMD 0
Oops: 0002 [#1]
CPU 0
Pid: 1419, comm: mount Not tainted 3.3.4 #2 Bochs Bochs
RIP: 0010:[<ffffffff81728adb>] [<ffffffff81728adb>] mutex_lock_nested+0xcb/0x2f0
RSP: 0018:ffff880005639c08 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff880006a3ce10 RCX: 0000000000000002
RDX: 00000000ffffffff RSI: ffff880005639c28 RDI: ffff880006a3ce10
RBP: ffff880005639c78 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: ffff880006a5a040
R13: 0000000000000246 R14: ffff880005639c28 R15: ffff880006a3ce50
FS: 0000000000000000(0000) GS:ffffffff81c1d000(0063) knlGS:00000000f7562750
CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 0000000000000000 CR3: 0000000006a7e000 CR4: 00000000000006b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process mount (pid: 1419, threadinfo ffff880005638000, task ffff880006a5a040)
Stack:
 ffffffff812b421d ffff880005639bb8 0000000000001383 ffff8800069dc800
 ffff880006a3ce50 0000000000000000 1111111111111111 ffff880005639c28
 ffff880005639c40 ffff8800069dc800 0000000000000000 0000000000000400
Call Trace:
 [<ffffffff812b421d>] ? logfs_get_wblocks+0x3d/0x90
 [<ffffffff812b421d>] logfs_get_wblocks+0x3d/0x90
 [<ffffffff812b0ec8>] logfs_sync_fs+0x18/0x40
 [<ffffffff8111896e>] __sync_filesystem+0x5e/0x90
 [<ffffffff811189f2>] sync_filesystem+0x32/0x60
 [<ffffffff812b85a7>] logfs_kill_sb+0x27/0xe0
 [<ffffffff810eedd5>] deactivate_locked_super+0x45/0x80
 [<ffffffff812b8f85>] logfs_mount+0x255/0x710
 [<ffffffff810f06ab>] mount_fs+0x1b/0xd0
 [<ffffffff8110a0fd>] vfs_kern_mount+0x6d/0x110
 [<ffffffff8172b636>] ? _raw_read_unlock+0x26/0x30
 [<ffffffff8110a21f>] do_kern_mount+0x4f/0x100
 [<ffffffff8110b88a>] do_mount+0x53a/0x840
 [<ffffffff810bafc2>] ? __get_free_pages+0x12/0x50
 [<ffffffff8110b1d5>] ? copy_mount_options+0x35/0x170
 [<ffffffff811374ef>] compat_sys_mount+0xdf/0x260
 [<ffffffff8172d531>] sysenter_dispatch+0x7/0x2a
 [<ffffffff8156295e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
Code: f6 e8 aa 8e 94 ff 49 8b 54 24 08 4c 89 f6 48 89 df e8 fa 8f 94 ff 48 8b 43 48 ba ff ff ff ff 4c 89 73 48 4c 89 7d b0 48 89 45 b8 <4c> 89 30 89 d0 4c 89 65 c0 87 03 83 f8 01 0f 84 f9 00 00 00 48
RIP [<ffffffff81728adb>] mutex_lock_nested+0xcb/0x2f0
 RSP <ffff880005639c08>
CR2: 0000000000000000
---[ end trace 30712c04b91b8fd0 ]---
Kernel panic - not syncing: Fatal exception
Rebooting in 1 seconds..
------------------------------------------------------------
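
The single-bit difference shown in the hexdump can be located and attributed to a superblock field with a small triage script; this is an added example, not part of the original message. The field table is the standard start of the ext2 superblock, the two sample images are constructed from the 0x430 row of the hexdump, and all function names are hypothetical.

```python
import struct

SB_OFFSET = 1024     # the ext2 superblock starts 1 KiB into the device
MAGIC_OFFSET = 56    # s_magic within the superblock, i.e. image offset 0x438
EXT2_MAGIC = 0xEF53  # stored little-endian, so the bytes on disk are 53 ef

# First 64 bytes of the ext2 superblock as (field, size), in on-disk order.
LAYOUT = [("s_inodes_count", 4), ("s_blocks_count", 4), ("s_r_blocks_count", 4),
          ("s_free_blocks_count", 4), ("s_free_inodes_count", 4),
          ("s_first_data_block", 4), ("s_log_block_size", 4),
          ("s_log_frag_size", 4), ("s_blocks_per_group", 4),
          ("s_frags_per_group", 4), ("s_inodes_per_group", 4),
          ("s_mtime", 4), ("s_wtime", 4), ("s_mnt_count", 2),
          ("s_max_mnt_count", 2), ("s_magic", 2), ("s_state", 2),
          ("s_errors", 2), ("s_minor_rev_level", 2)]

def field_at(offset):
    """Name the superblock field covering an absolute image offset, or None."""
    pos = SB_OFFSET
    for name, size in LAYOUT:
        if pos <= offset < pos + size:
            return name
        pos += size
    return None

def bit_flips(clean, fuzzed):
    """Return (offset, bit, field) for every bit that differs between images."""
    flips = []
    for off, (a, b) in enumerate(zip(clean, fuzzed)):
        for bit in range(8):
            if ((a ^ b) >> bit) & 1:
                flips.append((off, bit, field_at(off)))
    return flips

def magic(image):
    """Read s_magic as the kernel would: little-endian u16 at 0x438."""
    return struct.unpack_from("<H", image, SB_OFFSET + MAGIC_OFFSET)[0]

def image_from_row(row_hex):
    """Constructed 2 KiB image: zeros except the 16 bytes at 0x430."""
    img = bytearray(2048)
    img[0x430:0x440] = bytes.fromhex(row_hex)
    return bytes(img)

# Constructed samples: the '-' and '+' rows of the hexdump diff.
CLEAN = image_from_row("66 4f a4 4f 00 00 26 00 53 ef 01 00 01 00 00 00")
FUZZED = image_from_row("66 4f a4 4f 00 00 26 00 53 ed 01 00 01 00 00 00")
```

On the constructed samples the only flip is bit 1 of the byte at 0x439, inside s_magic, which is why the ext2, ext3 and ext4 probes in the log reject the image before the mount attempt reaches logfs.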