* kernel BUG in erofs_iget
@ 2023-09-12 23:02 Sanan Hasanov
  2023-09-13  0:38 ` Gao Xiang
  0 siblings, 1 reply; 2+ messages in thread
From: Sanan Hasanov @ 2023-09-12 23:02 UTC (permalink / raw)
  To: xiang, chao, huyue2, jefflexu, linux-erofs, linux-kernel
  Cc: syzkaller, contact

Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/1rGIKWTEfoMed0JL5jWFws4GJ0VNSVgw8/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1ceAFcx9hhevq_ivDNPkXmEGYsr26yB4N/view?usp=sharing
Thank you!

Best regards,
Sanan Hasanov

loop3: detected capacity change from 0 to 131072
erofs: (device loop7): erofs_read_inode: bogus i_mode (0) @ nid 9
------------[ cut here ]------------
F2FS-fs (loop3): Unrecognized mount option "����" or missing value
kernel BUG at fs/erofs/inode.c:201!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 3 PID: 24832 Comm: syz-executor.7 Not tainted 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:erofs_iget+0x13de/0x2890
Code: 00 0f 85 16 13 00 00 49 8b 7c 24 28 49 89 d8 44 89 e9 48 c7 c2 a0 ee e4 88 48 c7 c6 40 f1 e4 88 e8 47 b1 ff ff e8 e2 9f 35 fe <0f> 0b 66 41 81 fe 00 10 0f 84 15 ff ff ff e9 5f ff ff ff e8 ca 9f
RSP: 0018:ffff888057de7a00 EFLAGS: 00010216
RAX: 000000000000170a RBX: 0000000000000009 RCX: ffffc90006921000
kobject: 'loop0' (0000000010c34f99): kobject_uevent_env
RDX: 0000000000040000 RSI: ffffffff8353cb7e RDI: ffffffff816ca711
RBP: ffff888057de7b48 R08: 0000000000000005 R09: 0000000000000000
kobject: 'loop0' (0000000010c34f99): kobject_uevent_env: uevent_suppress caused the event to drop!
R10: 0000000080000000 R11: 00000000007b8f58 R12: ffff888045def590
loop0: detected capacity change from 0 to 512
kobject: 'loop5' (00000000977c5d56): kobject_uevent_env
kobject: 'loop5' (00000000977c5d56): fill_kobj_path: path = '/devices/virtual/block/loop5'
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
kobject: 'loop0' (0000000010c34f99): kobject_uevent_env
FS:  00007fb77f852700(0000) GS:ffff88811a380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kobject: 'loop0' (0000000010c34f99): kobject_uevent_env: uevent_suppress caused the event to drop!
CR2: 00007fb77e661c40 CR3: 0000000057695000 CR4: 0000000000350ee0
kobject: 'loop4' (00000000ab59ead6): kobject_uevent_env
Call Trace:
kobject: 'loop4' (00000000ab59ead6): fill_kobj_path: path = '/devices/virtual/block/loop4'
 <TASK>
 erofs_fc_fill_super+0x14e5/0x28e0
 get_tree_bdev+0x447/0x770
 erofs_fc_get_tree+0x21/0x30
 vfs_get_tree+0x97/0x370
 path_mount+0x6d3/0x1fb0
 __x64_sys_mount+0x2b2/0x340
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fb77e69176e
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb77f851a08 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000080 RCX: 00007fb77e69176e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fb77f851a60
RBP: 00007fb77f851aa0 R08: 00007fb77f851aa0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000100 R14: 00007fb77f851a60 R15: 0000000020000040
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:erofs_iget+0x13de/0x2890
Code: 00 0f 85 16 13 00 00 49 8b 7c 24 28 49 89 d8 44 89 e9 48 c7 c2 a0 ee e4 88 48 c7 c6 40 f1 e4 88 e8 47 b1 ff ff e8 e2 9f 35 fe <0f> 0b 66 41 81 fe 00 10 0f 84 15 ff ff ff e9 5f ff ff ff e8 ca 9f
RSP: 0018:ffff888057de7a00 EFLAGS: 00010216
RAX: 000000000000170a RBX: 0000000000000009 RCX: ffffc90006921000
RDX: 0000000000040000 RSI: ffffffff8353cb7e RDI: ffffffff816ca711
RBP: ffff888057de7b48 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 00000000007b8f58 R12: ffff888045def590
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fb77f852700(0000) GS:ffff88811a380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb77e661c40 CR3: 0000000057695000 CR4: 0000000000350ee0


* Re: kernel BUG in erofs_iget
  2023-09-12 23:02 kernel BUG in erofs_iget Sanan Hasanov
@ 2023-09-13  0:38 ` Gao Xiang
  0 siblings, 0 replies; 2+ messages in thread
From: Gao Xiang @ 2023-09-13  0:38 UTC (permalink / raw)
  To: Sanan Hasanov, xiang, chao, huyue2, jefflexu, linux-erofs, linux-kernel
  Cc: syzkaller, contact



On 2023/9/13 07:02, Sanan Hasanov wrote:
> Good day, dear maintainers,
> 
> We found a bug using a modified kernel configuration file used by syzbot.
> 
> We enhanced the coverage of the configuration file using our tool, klocalizer.

1) Please don't enable CONFIG_EROFS_FS_DEBUG=y when fuzzing.  This configuration
    is just for developer debugging, not for daily use or fuzzing.

2) Please don't use random -next version, I don't even find this version in
    https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/refs/tags
    now.  Although it seems

198 bogusimode:
199 	erofs_err(inode->i_sb, "bogus i_mode (%o) @ nid %llu",
200 		  inode->i_mode, vi->nid);
201 	err = -EFSCORRUPTED;
202 err_out:
203>	DBG_BUGON(1);
204 	kfree(copied);
205 	erofs_put_metabuf(buf);
206 	return ERR_PTR(err);

    when I check Linux v6.3 source code.  Please use upstream or latest tree for
    fuzzing, thanks!

Thanks,
Gao Xiang

> 
> Kernel Branch: 6.3.0-next-20230426
> Kernel Config: https://drive.google.com/file/d/1rGIKWTEfoMed0JL5jWFws4GJ0VNSVgw8/view?usp=sharing
> Reproducer: https://drive.google.com/file/d/1ceAFcx9hhevq_ivDNPkXmEGYsr26yB4N/view?usp=sharing
> Thank you!
> 
> Best regards,
> Sanan Hasanov
> 

