Hi Dave,

Very strange.

I checked out v4.17-rc7 of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ and merged it with for-next of https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/ to build the kernel.

d1dabff17081af94c9604c5fdddd0de7  20.img

Mounting 20.img and running poc.c on the mounted folder still gives me a null-pointer access.

[ 1381.524410] XFS (loop0): Mounting V4 Filesystem
[ 1381.524484] XFS (loop0): Log size 864 blocks too small, minimum size is 942 blocks
[ 1381.524487] XFS (loop0): Log size out of supported range.
[ 1381.525728] XFS (loop0): Continuing onwards, but if log hangs are experienced then please report this message in the bug report.
[ 1381.533754] XFS (loop0): Ending clean mount
[ 1388.369552] XFS (loop0): xfs_buf_find: daddr 0x7fb28 out of range, EOFS 0x8000
[ 1388.371251] WARNING: CPU: 0 PID: 1490 at fs/xfs/xfs_buf.c:602 xfs_buf_find.isra.27+0x463/0x5e0
[ 1388.371253] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm 8139too crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[ 1388.371619] CPU: 0 PID: 1490 Comm: poc Not tainted 4.17.0-rc7-no-kasan+ #1
[ 1388.371620] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1388.371623] RIP: 0010:xfs_buf_find.isra.27+0x463/0x5e0
[ 1388.371625] RSP: 0018:ffffc09142433450 EFLAGS: 00010282
[ 1388.371627] RAX: 0000000000000000 RBX: ffff9dc7a3d21240 RCX: 0000000000000000
[ 1388.371629] RDX: 00000000ffffffc0 RSI: 000000000000000a RDI: ffffffffb42fdecb
[ 1388.371630] RBP: ffffc091424334d8 R08: 0000000000000000 R09: 0000000000000000
[ 1388.371631] R10: 000000000007fb28 R11: f000000000000000 R12: ffff9dc7a3d21258
[ 1388.371633] R13: ffffc091424334f0 R14: 0000000000000001 R15: ffff9dc7a3d21258
[ 1388.371635] FS:  00007f64ba986700(0000) GS:ffff9dc7af200000(0000) knlGS:0000000000000000
[ 1388.371637] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1388.371638] CR2: 00007f64ba40c360 CR3: 000000042aaa2000 CR4: 00000000000006f0
[ 1388.371645] Call Trace:
[ 1388.371652]  xfs_buf_get_map+0x44/0x2c0
[ 1388.371657]  xfs_trans_get_buf_map+0x11a/0x1a0
[ 1388.371662]  xfs_btree_get_bufl+0x79/0x90
[ 1388.371667]  xfs_bmap_extents_to_btree+0x224/0x570
[ 1388.371672]  xfs_bmap_add_extent_hole_real+0x804/0x930
[ 1388.371676]  xfs_bmapi_write+0x94a/0xcc0
[ 1388.371680]  xfs_da_grow_inode_int+0x1db/0x310
[ 1388.371686]  ? _cond_resched+0x1a/0x50
[ 1388.371691]  ? __kmalloc+0x187/0x230
[ 1388.371694]  xfs_dir2_grow_inode+0x68/0x140
[ 1388.371697]  xfs_dir2_sf_to_block+0xa5/0x6e0
[ 1388.371700]  ? kmem_zone_alloc+0x8f/0x110
[ 1388.371702]  ? kmem_zone_alloc+0x8f/0x110
[ 1388.371705]  xfs_dir2_sf_addname+0xd5/0x6a0
[ 1388.371707]  xfs_dir_createname+0x197/0x1e0
[ 1388.371712]  xfs_rename+0x887/0xb00
[ 1388.371715]  xfs_vn_rename+0xd4/0x150
[ 1388.371720]  ? generic_permission+0xca/0x190
[ 1388.371723]  vfs_rename+0x6a5/0x8c0
[ 1388.371726]  do_renameat2+0x519/0x5a0
[ 1388.371728]  __x64_sys_rename+0x20/0x30
[ 1388.371734]  do_syscall_64+0x5a/0x110
[ 1388.371738]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1388.371740] RIP: 0033:0x7f64ba40c367
[ 1388.371741] RSP: 002b:00007fff49e3a1a8 EFLAGS: 00000202 ORIG_RAX: 0000000000000052
[ 1388.371743] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64ba40c367
[ 1388.371745] RDX: 00000000016e50a0 RSI: 00000000016e50a0 RDI: 00000000016e5080
[ 1388.371746] RBP: 00007fff49e3a310 R08: 0000000000000003 R09: 0000000000000000
[ 1388.371747] R10: 0000000000000640 R11: 0000000000000202 R12: 0000000000400c20
[ 1388.371748] R13: 00007fff49e3a410 R14: 0000000000000000 R15: 0000000000000000
[ 1388.371750] Code: 0f 85 99 01 00 00 48 83 c4 60 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 89 c1 48 c7 c2 b0 a3 04 b4 48 c7 c6 b0 c2 31 b4 e8 1d 8e 01 00 <0f> 0b c7 45 98 8b ff ff ff eb ba 65 8b 05 6b ce c1 4c 89 c0 48
[ 1388.371784] ---[ end trace 2bb9bb2f4b3674b4 ]---
[ 1388.371810] BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
[ 1388.373444] PGD 800000042b1ae067 P4D 800000042b1ae067 PUD 42b0f8067 PMD 0
[ 1388.374845] Oops: 0000 [#1] SMP PTI
[ 1388.375571] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm 8139too crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[ 1388.385115] CPU: 0 PID: 1490 Comm: poc Tainted: G        W         4.17.0-rc7-no-kasan+ #1
[ 1388.386772] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1388.388673] RIP: 0010:xfs_bmap_extents_to_btree+0x224/0x570
[ 1388.389798] RSP: 0018:ffffc091424335a0 EFLAGS: 00010246
[ 1388.390854] RAX: 0000000000000000 RBX: ffff9dc7a9800780 RCX: 0000000000000000
[ 1388.392299] RDX: 00000000ffffffc0 RSI: 0000000000000000 RDI: ffffffffb42fdecb
[ 1388.393730] RBP: ffffc091424336d0 R08: 0000000000000000 R09: 0000000000000000
[ 1388.395162] R10: 000000000007fb28 R11: f000000000000000 R12: 000ffffffffe0000
[ 1388.396608] R13: ffff9dc7a3b4d000 R14: ffff9dc7a522c0e0 R15: ffff9dc7a98007c8
[ 1388.398045] FS:  00007f64ba986700(0000) GS:ffff9dc7af200000(0000) knlGS:0000000000000000
[ 1388.399677] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1388.400840] CR2: 0000000000000090 CR3: 000000042aaa2000 CR4: 00000000000006f0
[ 1388.402279] Call Trace:
[ 1388.402793]  xfs_bmap_add_extent_hole_real+0x804/0x930
[ 1388.403846]  xfs_bmapi_write+0x94a/0xcc0
[ 1388.404653]  xfs_da_grow_inode_int+0x1db/0x310
[ 1388.405558]  ? _cond_resched+0x1a/0x50
[ 1388.406327]  ? __kmalloc+0x187/0x230
[ 1388.407058]  xfs_dir2_grow_inode+0x68/0x140
[ 1388.407921]  xfs_dir2_sf_to_block+0xa5/0x6e0
[ 1388.408792]  ? kmem_zone_alloc+0x8f/0x110
[ 1388.409609]  ? kmem_zone_alloc+0x8f/0x110
[ 1388.410431]  xfs_dir2_sf_addname+0xd5/0x6a0
[ 1388.411294]  xfs_dir_createname+0x197/0x1e0
[ 1388.412146]  xfs_rename+0x887/0xb00
[ 1388.412862]  xfs_vn_rename+0xd4/0x150
[ 1388.413611]  ? generic_permission+0xca/0x190
[ 1388.414478]  vfs_rename+0x6a5/0x8c0
[ 1388.415192]  do_renameat2+0x519/0x5a0
[ 1388.415954]  __x64_sys_rename+0x20/0x30
[ 1388.416739]  do_syscall_64+0x5a/0x110
[ 1388.417488]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1388.418511] RIP: 0033:0x7f64ba40c367
[ 1388.419248] RSP: 002b:00007fff49e3a1a8 EFLAGS: 00000202 ORIG_RAX: 0000000000000052
[ 1388.420774] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64ba40c367
[ 1388.422206] RDX: 00000000016e50a0 RSI: 00000000016e50a0 RDI: 00000000016e5080
[ 1388.423648] RBP: 00007fff49e3a310 R08: 0000000000000003 R09: 0000000000000000
[ 1388.425083] R10: 0000000000000640 R11: 0000000000000202 R12: 0000000000400c20
[ 1388.426517] R13: 00007fff49e3a410 R14: 0000000000000000 R15: 0000000000000000
[ 1388.427957] Code: 49 bc 00 00 fe ff ff ff 0f 00 48 83 83 f8 00 00 00 01 e8 60 0e 08 00 48 8b 95 58 ff ff ff 4c 89 f6 31 c9 4c 89 ef e8 4c dc 00 00 <4c> 8b b0 90 00 00 00 48 8b 50 08 45 31 c9 48 c7 80 68 01 00 00
[ 1388.431752] RIP: xfs_bmap_extents_to_btree+0x224/0x570 RSP: ffffc091424335a0
[ 1388.433172] CR2: 0000000000000090
[ 1388.433893] ---[ end trace 2bb9bb2f4b3674b5 ]---

I attached my kernel config. Could you please check? I did not enable CONFIG_XFS_WARN or CONFIG_XFS_DEBUG in my build.

Thanks,
Wen

On Sun, Jun 3, 2018 at 7:31 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote:
> On Mon, Jun 04, 2018 at 09:03:41AM +1000, Dave Chinner wrote:
>> On Mon, Jun 04, 2018 at 08:34:35AM +1000, Dave Chinner wrote:
>> > On Sun, Jun 03, 2018 at 06:19:54PM -0400, Wen Xu wrote:
>> > > Hi XFS developers and maintainers,
>> > > Please check: https://bugzilla.kernel.org/show_bug.cgi?id=199915
>> >
>> > Please report bugs straight to this list - it's much easier to
>> > track and faster to discuss bugs through email than it is through
>> > bugzilla.
>>
>> Image log size is too small for the filesystem config. If this was
>> a v5 filesystem, then the image would refuse to mount right there.
>>
>> As it is, a CONFIG_XFS_DEBUG=y kernel assert fails at mount in
>> xfs_check_agi_unlinked().
>
> FWIW, with this check commented out, I can't reproduce the problem
> reported in the bugzilla on a current 4.17-rc7 + xfs-for-next tree.
> The POC dumps this in the log:
>
> [  262.021574] XFS (loop0): Mounting V4 Filesystem
> [  262.022689] XFS (loop0): Log size 864 blocks too small, minimum size is 942 blocks
> [  262.024173] XFS (loop0): Log size out of supported range.
> [  262.025107] XFS (loop0): Continuing onwards, but if log hangs are experienced then please report this message in the bug report.
> [  262.028529] XFS (loop0): Ending clean mount
> [  263.448565] XFS (loop0): bad inode magic/vsn daddr 7008 #1 (magic=ffe2)
> [  263.450389] XFS (loop0): Metadata corruption detected at xfs_buf_ioend+0x64/0x170, xfs_inode block 0x1b60 xfs_inode_buf_verify
> [  263.453309] XFS (loop0): Unmount and run xfs_repair
> [  263.454605] XFS (loop0): First 128 bytes of corrupted metadata buffer:
> [  263.456301] 00000000d3db45c2: ff e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  263.458496] 0000000025677d6d: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  263.460528] 0000000082376c33: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  263.462534] 000000002e73e1fc: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  263.464469] 00000000dfbbb4d7: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64  ...............d
> [  263.466457] 00000000a9156d94: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  263.468383] 00000000f55f3544: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  263.470227] 00000000c0d68803: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  263.472029] XFS (loop0): metadata I/O error in "xfs_trans_read_buf_map" at daddr 0x1b60 len 16 error 117
> [  263.474049] XFS (loop0): xfs_imap_to_bp: xfs_trans_read_buf() returned error -117.
>
> And does nothing else.
>
> Can you confirm this?
>
> Cheers,
>
> Dave.
> --
> Dave Chinner
> david@xxxxxxxxxxxxx
Attachment: config-4.17.0-rc7-no-kasan+
Description: Binary data
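Triaging a report like the one above usually starts by pulling the hard facts out of the oops text rather than reading it by eye: the faulting symbol and offset, whether the fault really is a NULL-page access (the BUG address and CR2 agree and sit in the first page), which call-trace frames the unwinder actually trusted (entries prefixed with "?" are stale stack slots, not confirmed callers), and which syscall the process entered through (ORIG_RAX 0x52 is rename on x86_64, which matches __x64_sys_rename in the trace). The parser below is an added example written for this page; it is not code from the report, the PoC, or the XFS project. Its input is the second trace from the message above, abridged to the lines the parser uses, and its syscall table is a deliberately partial list covering only the numbers needed here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the NULL-pointer oops from the report above, abridged
# (modules, hardware name and most register lines dropped).
SAMPLE_OOPS = """\
[ 1388.371810] BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
[ 1388.374845] Oops: 0000 [#1] SMP PTI
[ 1388.385115] CPU: 0 PID: 1490 Comm: poc Tainted: G        W         4.17.0-rc7-no-kasan+ #1
[ 1388.388673] RIP: 0010:xfs_bmap_extents_to_btree+0x224/0x570
[ 1388.389798] RSP: 0018:ffffc091424335a0 EFLAGS: 00010246
[ 1388.390854] RAX: 0000000000000000 RBX: ffff9dc7a9800780 RCX: 0000000000000000
[ 1388.400840] CR2: 0000000000000090 CR3: 000000042aaa2000 CR4: 00000000000006f0
[ 1388.402279] Call Trace:
[ 1388.402793]  xfs_bmap_add_extent_hole_real+0x804/0x930
[ 1388.403846]  xfs_bmapi_write+0x94a/0xcc0
[ 1388.404653]  xfs_da_grow_inode_int+0x1db/0x310
[ 1388.405558]  ? _cond_resched+0x1a/0x50
[ 1388.406327]  ? __kmalloc+0x187/0x230
[ 1388.407058]  xfs_dir2_grow_inode+0x68/0x140
[ 1388.407921]  xfs_dir2_sf_to_block+0xa5/0x6e0
[ 1388.410431]  xfs_dir2_sf_addname+0xd5/0x6a0
[ 1388.411294]  xfs_dir_createname+0x197/0x1e0
[ 1388.412146]  xfs_rename+0x887/0xb00
[ 1388.412862]  xfs_vn_rename+0xd4/0x150
[ 1388.413611]  ? generic_permission+0xca/0x190
[ 1388.414478]  vfs_rename+0x6a5/0x8c0
[ 1388.415192]  do_renameat2+0x519/0x5a0
[ 1388.415954]  __x64_sys_rename+0x20/0x30
[ 1388.416739]  do_syscall_64+0x5a/0x110
[ 1388.417488]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1388.418511] RIP: 0033:0x7f64ba40c367
[ 1388.419248] RSP: 002b:00007fff49e3a1a8 EFLAGS: 00000202 ORIG_RAX: 0000000000000052
[ 1388.420774] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64ba40c367
[ 1388.427957] Code: 49 bc 00 00 fe ff ff ff 0f 00 48 83 83 f8 00 00 00 01 e8 60 0e 08 00 48 8b 95 58 ff ff ff 4c 89 f6 31 c9 4c 89 ef e8 4c dc 00 00 <4c> 8b b0 90 00 00 00 48 8b 50 08 45 31 c9 48 c7 80 68 01 00 00
[ 1388.433893] ---[ end trace 2bb9bb2f4b3674b5 ]---
"""

TS = r"^\[\s*\d+\.\d+\]\s*"                      # "[ 1388.371810] " timestamp prefix
RE_BUG = re.compile(TS + r"BUG: unable to handle kernel (.+?) at ([0-9a-f]+)\s*$")
RE_CPU = re.compile(TS + r"CPU: (\d+) PID: (\d+) Comm: (\S+) (.*?) (\S+) #\d+\s*$")
RE_KRIP = re.compile(TS + r"RIP: 0010:([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
RE_URIP = re.compile(TS + r"RIP: 0033:0x([0-9a-f]+)")
RE_FRAME = re.compile(TS + r"(\? )?([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)\s*$")
RE_REG = re.compile(r"\b([A-Z][A-Z0-9]{1,2}):\s*([0-9a-f]{16})\b")   # RAX: <16 hex>
RE_ORIG_RAX = re.compile(r"ORIG_RAX: ([0-9a-f]{16})")
RE_CODE = re.compile(TS + r"Code: (.*?)\s*$")
RE_END = re.compile(TS + r"---\[ end trace ([0-9a-f]+) \]---")

# Partial x86_64 syscall table (assumption: only numbers relevant to this report).
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 82: "rename", 83: "mkdir",
                   87: "unlink", 257: "openat", 264: "renameat", 316: "renameat2"}


@dataclass
class Frame:
    symbol: str
    offset: int
    size: int
    reliable: bool          # False for "? sym" entries the unwinder did not confirm


@dataclass
class Oops:
    kind: str = ""
    fault_addr: Optional[int] = None
    comm: str = ""
    pid: int = 0
    taint: str = ""
    kernel: str = ""
    rip: Optional[Tuple[str, int, int]] = None      # (symbol, offset, size)
    kregs: Dict[str, int] = field(default_factory=dict)   # registers at the fault
    uregs: Dict[str, int] = field(default_factory=dict)   # user regs at syscall entry
    frames: List[Frame] = field(default_factory=list)
    user_rip: Optional[int] = None
    syscall_nr: Optional[int] = None
    code_at_fault: List[str] = field(default_factory=list)  # bytes from the <..> marker
    trace_id: str = ""


def parse_oops(text: str) -> Oops:
    o = Oops()
    section = "kernel"   # kernel regs -> "trace" -> "user" regs -> "tail"
    for line in text.splitlines():
        if m := RE_BUG.match(line):
            o.kind, o.fault_addr = m.group(1), int(m.group(2), 16)
        elif m := RE_CPU.match(line):
            o.pid, o.comm = int(m.group(2)), m.group(3)
            o.taint, o.kernel = " ".join(m.group(4).split()), m.group(5)
        elif m := RE_KRIP.match(line):
            o.rip = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
        elif m := RE_URIP.match(line):
            o.user_rip, section = int(m.group(1), 16), "user"
        elif line.rstrip().endswith("Call Trace:"):
            section = "trace"
        elif section == "trace" and (m := RE_FRAME.match(line)):
            o.frames.append(Frame(m.group(2), int(m.group(3), 16),
                                  int(m.group(4), 16), m.group(1) is None))
        elif m := RE_CODE.match(line):
            section = "tail"
            bs = m.group(1).split()
            at = next((i for i, b in enumerate(bs) if b.startswith("<")), None)
            if at is not None:
                o.code_at_fault = [b.strip("<>") for b in bs[at:]]
        elif m := RE_END.match(line):
            o.trace_id = m.group(1)
        elif section in ("kernel", "user"):
            regs = o.kregs if section == "kernel" else o.uregs
            for name, val in RE_REG.findall(line):
                regs[name] = int(val, 16)
            if m := RE_ORIG_RAX.search(line):
                o.syscall_nr = int(m.group(1), 16)
    return o


def is_null_deref(o: Oops) -> bool:
    """True when the BUG address and CR2 agree and lie in the zero page."""
    return (o.fault_addr is not None and o.fault_addr == o.kregs.get("CR2")
            and o.fault_addr < 4096)


def entry_syscall(o: Oops) -> str:
    nr = o.syscall_nr
    return f"{X86_64_SYSCALLS.get(nr, '?')}({nr})" if nr is not None else "?"


def reliable_chain(o: Oops) -> List[str]:
    """Faulting function plus the frames the unwinder trusted, innermost first."""
    return ([o.rip[0]] if o.rip else []) + [f.symbol for f in o.frames if f.reliable]


if __name__ == "__main__":
    oops = parse_oops(SAMPLE_OOPS)
    print(oops.comm, oops.pid, oops.kernel, oops.taint)
    print("null deref:", is_null_deref(oops), "via", entry_syscall(oops))
    print(" <- ".join(reliable_chain(oops)))
    print("bytes at fault:", " ".join(oops.code_at_fault[:7]))
```

Two things worth checking by hand once the fields are out: the seven bytes at the fault marker, `4c 8b b0 90 00 00 00`, decode to `mov r14, [rax+0x90]`, and the kernel RAX in the same dump is zero, which is why CR2 equals exactly 0x90. That is a page-zero read through a NULL struct pointer inside xfs_bmap_extents_to_btree, reached from rename(2), immediately after the xfs_buf_find warning about a daddr beyond the end of the filesystem; the parser only surfaces those facts, it does not decide whether the trace is security relevant.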